From f0bdc0231a5e75ecdf1b1f44a4d45a72aa988c29 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 7 Apr 2026 19:33:50 +1000 Subject: [PATCH] feat: migrate vso-system to ArgoCD (#81) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Migrate Vault Secrets Operator from Terragrunt to ArgoCD/Kustomize. Deploys vault-secrets-operator v1.2.0 with 3 replicas, plus ClusterRole, ClusterRoleBindings, and vault-admin ServiceAccount. Note: static service account tokens (kubernetes.io/service-account-token) cannot be stored in git; create manually or via Vault after deployment. 💘 Generated with Crush Assisted-by: Claude Sonnet 4.6 via Crush Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/81 --- ...usterrole_vault-service-account-admin.yaml | 12 +++++++ apps/base/vso-system/clusterrolebindings.yaml | 32 +++++++++++++++++++ apps/base/vso-system/kustomization.yaml | 9 ++++++ apps/base/vso-system/namespace.yaml | 7 ++++ .../serviceaccount_vault-admin.yaml | 9 ++++++ .../au-syd1/vso-system/kustomization.yaml | 24 ++++++++++++++ .../patch_vaultauth-remove-namespace.yaml | 2 ++ apps/overlays/au-syd1/vso-system/values.yaml | 28 ++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + argocd/projects/platform.yaml | 1 + 10 files changed, 125 insertions(+) create mode 100644 apps/base/vso-system/clusterrole_vault-service-account-admin.yaml create mode 100644 apps/base/vso-system/clusterrolebindings.yaml create mode 100644 apps/base/vso-system/kustomization.yaml create mode 100644 apps/base/vso-system/namespace.yaml create mode 100644 apps/base/vso-system/serviceaccount_vault-admin.yaml create mode 100644 apps/overlays/au-syd1/vso-system/kustomization.yaml create mode 100644 apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml create mode 100644 apps/overlays/au-syd1/vso-system/values.yaml 
diff --git a/apps/base/vso-system/clusterrole_vault-service-account-admin.yaml b/apps/base/vso-system/clusterrole_vault-service-account-admin.yaml
new file mode 100644
index 0000000..f5dca6a
--- /dev/null
+++ b/apps/base/vso-system/clusterrole_vault-service-account-admin.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: vault-service-account-admin
+ app.kubernetes.io/part-of: vault-secrets-system
+ name: vso-system-vault-service-account-admin
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
diff --git a/apps/base/vso-system/clusterrolebindings.yaml b/apps/base/vso-system/clusterrolebindings.yaml
new file mode 100644
index 0000000..06d3ef9
--- /dev/null
+++ b/apps/base/vso-system/clusterrolebindings.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/part-of: vault-secrets-operator
+ name: vso-system-vault-secrets-operator-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault-secrets-operator-controller-manager
+ namespace: vso-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: vso-system-vault-admin-binding
+ app.kubernetes.io/part-of: vault-secrets-system
+ name: vso-system-vault-admin-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vso-system-vault-service-account-admin
+subjects:
+ - kind: ServiceAccount
+ name: vso-system-vault-admin
+ namespace: vso-system
diff --git a/apps/base/vso-system/kustomization.yaml b/apps/base/vso-system/kustomization.yaml
new file mode 100644
index 0000000..77fa903
--- /dev/null
+++ b/apps/base/vso-system/kustomization.yaml
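Review bot: The ClusterRole vso-system-vault-service-account-admin grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, which is cluster-admin equivalent, and clusterrolebindings.yaml in the next hunk binds it cluster-wide to the vso-system-vault-admin ServiceAccount whose token, per the commit message, is created out of band as a static kubernetes.io/service-account-token. That combination is a long-lived, non-rotating credential with unrestricted cluster access, so the scope should be justified or narrowed: if the account exists so Vault's Kubernetes auth method can perform TokenReview, the `system:auth-delegator` binding already present in the same file is sufficient on its own; if it backs a Vault Kubernetes secrets engine, the rules should name the API groups and resources that engine actually manages rather than wildcards. At minimum add a comment above `rules:` such as `# <WHICH VAULT CONSUMER> needs this scope because <REASON>; review before widening further` so the grant remains reviewable, and prefer a short-lived bound token over a static Secret if the consumer supports one.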
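Review bot: The two ClusterRoleBindings label themselves inconsistently: the first uses `app.kubernetes.io/component: rbac` with `app.kubernetes.io/part-of: vault-secrets-operator`, while the second (and the ClusterRole and ServiceAccount in the sibling hunks) uses `app.kubernetes.io/part-of: vault-secrets-system` and repeats the object name under `app.kubernetes.io/name`. Pick one `part-of` value for everything in apps/base/vso-system and use `app.kubernetes.io/component: rbac` on both bindings, so label selectors and dashboards group the operator's RBAC together.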
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - serviceaccount_vault-admin.yaml
+ - clusterrole_vault-service-account-admin.yaml
+ - clusterrolebindings.yaml
diff --git a/apps/base/vso-system/namespace.yaml b/apps/base/vso-system/namespace.yaml
new file mode 100644
index 0000000..e7aeb24
--- /dev/null
+++ b/apps/base/vso-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/name: vso-system
+ name: vso-system
diff --git a/apps/base/vso-system/serviceaccount_vault-admin.yaml b/apps/base/vso-system/serviceaccount_vault-admin.yaml
new file mode 100644
index 0000000..c7ad609
--- /dev/null
+++ b/apps/base/vso-system/serviceaccount_vault-admin.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: vault-admin
+ app.kubernetes.io/part-of: vault-secrets-system
+ name: vso-system-vault-admin
+ namespace: vso-system
diff --git a/apps/overlays/au-syd1/vso-system/kustomization.yaml b/apps/overlays/au-syd1/vso-system/kustomization.yaml
new file mode 100644
index 0000000..83aceaa
--- /dev/null
+++ b/apps/overlays/au-syd1/vso-system/kustomization.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vso-system
+
+resources:
+ - ../../../base/vso-system
+
+helmCharts:
+ - name: vault-secrets-operator
+ repo: https://helm.releases.hashicorp.com
+ version: "1.2.0"
+ releaseName: vault-secrets-operator
+ namespace: vso-system
+ valuesFile: values.yaml
+
+patches:
+ - path: patch_vaultauth-remove-namespace.yaml
+ target:
+ group: secrets.hashicorp.com
+ version: v1beta1
+ kind: VaultAuth
+ name: default
diff --git a/apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml b/apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml
new file mode 100644
index 0000000..77cc952
--- /dev/null
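Review bot: The vso-system-vault-admin ServiceAccount in serviceaccount_vault-admin.yaml is, per the commit message, consumed by Vault through a token created outside git, not by pods, yet nothing stops a pod in vso-system from referencing it and receiving a projected token. Add `automountServiceAccountToken: false` at the top level of the ServiceAccount (alongside `metadata:`) so an accidental `serviceAccountName` reference does not hand a pod the cluster-wide rights this account is bound to in clusterrolebindings.yaml.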
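Review bot: The `patches:` entry in the overlay kustomization removes `/spec/namespace` from the chart-rendered VaultAuth `default`, but values.yaml in this same commit already sets `defaultAuthMethod.namespace: ""`, and the reason both are needed is not recorded anywhere; a JSON-patch `remove` on an absent path also fails the kustomize build outright, so a future chart version that stops rendering the field will break the Application. Add a comment above `patches:` such as `# drop the empty spec.namespace the chart renders from defaultAuthMethod.namespace; <REASON THE EMPTY VALUE IS REJECTED>`, and note that `helmCharts` inflation only works when the Argo CD kustomize build options enable Helm, which I cannot see from this diff and should be confirmed against the existing overlays.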
+++ b/apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml
@@ -0,0 +1,2 @@
+- op: remove
+ path: /spec/namespace
diff --git a/apps/overlays/au-syd1/vso-system/values.yaml b/apps/overlays/au-syd1/vso-system/values.yaml
new file mode 100644
index 0000000..ac9ca57
--- /dev/null
+++ b/apps/overlays/au-syd1/vso-system/values.yaml
@@ -0,0 +1,28 @@
+defaultVaultConnection:
+ enabled: true
+ address: "https://vault.service.consul:8200"
+ skipTLSVerify: false
+ caCertSecret: "vault-ca-cert"
+
+defaultAuthMethod:
+ enabled: true
+ method: "kubernetes"
+ mount: "k8s/au/syd1"
+ namespace: ""
+ kubernetes:
+ role: "default"
+ serviceAccount: "vault-secrets-operator-controller-manager"
+ tokenAudiences: ["vault"]
+
+controller:
+ replicas: 3
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 128Mi
+
+globalVaultAuth:
+ enabled: true
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 85813a2..ad9b3b0 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -25,6 +25,7 @@ spec:
 - path: apps/overlays/*/reloader-system
 - path: apps/overlays/*/reposync
 - path: apps/overlays/*/vm-system
+ - path: apps/overlays/*/vso-system
 - path: apps/overlays/*/woodpecker
 template:
 metadata:
diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml
index d427bbe..97e0bb9 100644
--- a/argocd/projects/platform.yaml
+++ b/argocd/projects/platform.yaml
@@ -11,6 +11,7 @@ spec:
 - https://charts.jetstack.io
 - https://cloudnative-pg.github.io/charts
 - https://helm.elastic.co
+ - https://helm.releases.hashicorp.com
 - https://intel.github.io/helm-charts/
 - https://kubernetes-sigs.github.io/external-dns/
 - https://releases.rancher.com/server-charts/stable
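Review bot: values.yaml points `defaultVaultConnection.caCertSecret` at `"vault-ca-cert"`, but no Secret of that name is created by this commit and, unlike the service-account token, its provenance is not mentioned in the commit message; with `skipTLSVerify: false` (correct) the connection presumably stays down until someone creates it by hand, and a later operator may be tempted to flip skipTLSVerify instead of finding the CA. Add a comment above `caCertSecret:` such as `# CA bundle Secret in vso-system, provisioned by <HOW/WHERE>; must exist before the default VaultConnection becomes Ready`, and consider managing that Secret in this overlay rather than out of band. Separately, `tokenAudiences: ["vault"]` must match the audience bound on the `k8s/au/syd1` auth mount, which cannot be verified from this repository, and the file is the only new YAML in the commit without a leading `---` document marker.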