
Commit 159d27c

CNF-22724: Add External Secrets Operator reference configuration
Add ESO as an optional operator for the telco-hub and telco-core RDS, providing secure secret management via external stores (Vault example). Hub configuration includes: - Namespace, OperatorGroup, Subscription, ExternalSecretsConfig, ClusterSecretStore (ztp-secret-provider) - ClusterInstance template ConfigMaps for pull secret and BMC credentials ExternalSecrets - kube-compare metadata (allOrNoneOf, optional) - example-overlays-config with ClusterSecretStore patch - README documenting usage, vault path conventions, and templateRefs integration Core configuration includes ESO in the PolicyGenerator baseline (included by default, not commented out). Co-authored-by: Claude
1 parent 42512d6 commit 159d27c

38 files changed

Lines changed: 788 additions & 0 deletions

telco-core/configuration/core-baseline.yaml

Lines changed: 13 additions & 0 deletions
@@ -52,6 +52,14 @@ policies:
5252
# - path: reference-crs/optional/cert-manager/certManagerOperatorgroup.yaml
5353
# - path: reference-crs/optional/cert-manager/certManagerSubscription.yaml
5454

55+
# External Secrets Operator (optional component - included by default)
56+
- path: reference-crs/optional/external-secrets/esoNS.yaml
57+
- path: reference-crs/optional/external-secrets/esoOperatorgroup.yaml
58+
- path: reference-crs/optional/external-secrets/esoSubscription.yaml
59+
patches:
60+
- spec:
61+
installPlanApproval: Manual
62+
5563
- path: reference-crs/required/networking/sriov/SriovSubscriptionNS.yaml
5664
- path: reference-crs/required/networking/sriov/SriovSubscriptionOperGroup.yaml
5765
- path: reference-crs/required/networking/sriov/SriovSubscription.yaml
@@ -89,6 +97,11 @@ policies:
8997
policyAnnotations:
9098
ran.openshift.io/ztp-deploy-wave: "6"
9199
manifests:
100+
# External Secrets Operator configuration (optional component - included by default)
101+
- path: reference-crs/optional/external-secrets/esoExternalSecretsConfig.yaml
102+
- path: reference-crs/optional/external-secrets/esoClusterSecretStore.yaml
103+
- path: reference-crs/optional/external-secrets/esoNetworkPolicy.yaml
104+
92105
- path: reference-crs/optional/logging/ClusterLogServiceAccount.yaml
93106
- path: reference-crs/optional/logging/ClusterLogServiceAccountAuditBinding.yaml
94107
- path: reference-crs/optional/logging/ClusterLogServiceAccountInfrastructureBinding.yaml

telco-core/configuration/reference-crs-kube-compare/metadata.yaml

Lines changed: 16 additions & 0 deletions
@@ -206,6 +206,22 @@ parts:
206206
allOf:
207207
- path: optional/other/mount_namespace_config_master.yaml
208208
- path: optional/other/mount_namespace_config_worker.yaml
209+
- name: optional-external-secrets
210+
description: |-
211+
External Secrets Operator for secure secret management via external stores
212+
components:
213+
- name: external-secrets-operator
214+
allOrNoneOf:
215+
- path: optional/external-secrets/esoNS.yaml
216+
- path: optional/external-secrets/esoOperatorgroup.yaml
217+
- path: optional/external-secrets/esoSubscription.yaml
218+
- path: optional/external-secrets/esoExternalSecretsConfig.yaml
219+
- path: optional/external-secrets/esoClusterSecretStore.yaml
220+
config:
221+
ignore-unspecified-fields: true
222+
- path: optional/external-secrets/esoNetworkPolicy.yaml
223+
config:
224+
ignore-unspecified-fields: true
209225
- name: optional-cert-manager
210226
description: |-
211227
Cert-manager operator for automated certificate management
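Review bot: The `optional/external-secrets/esoExternalSecretsConfig.yaml` entry has no `config:` block, unlike the store and NetworkPolicy entries that follow it, and its reference is `spec: {}`; if entries without `ignore-unspecified-fields` are compared strictly, as the explicit option on the neighbouring entries suggests, any site-set field under `spec` would be reported as drift. If pinning an empty spec is intended, a comment saying so would help; otherwise add `config:` / `ignore-unspecified-fields: true` under that path as for the other two. The `parts:` list continues outside the hunk.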
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
---
2+
apiVersion: external-secrets.io/v1
3+
kind: ClusterSecretStore
4+
metadata:
5+
name: ztp-secret-provider
6+
spec:
7+
conditions:
8+
- namespaceSelector:
9+
matchExpressions:
10+
- key: cluster.open-cluster-management.io/managedCluster
11+
operator: Exists
12+
provider:
13+
vault:
14+
server: {{ .spec.provider.vault.server | quote }}
15+
path: {{ .spec.provider.vault.path | quote }}
16+
version: {{ .spec.provider.vault.version | quote }}
17+
auth:
18+
tokenSecretRef:
19+
name: {{ .spec.provider.vault.auth.tokenSecretRef.name }}
20+
key: {{ .spec.provider.vault.auth.tokenSecretRef.key }}
21+
namespace: {{ .spec.provider.vault.auth.tokenSecretRef.namespace }}
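Review bot: The `conditions:` block is the only non-templated part of the store spec and is the security boundary that keeps ExternalSecrets in arbitrary namespaces from using this store, but unlike the core copy it carries no comment; adding `# Restrict store usage to RHACM managed-cluster namespaces only` above `conditions:` would document why it must stay fixed. The three `tokenSecretRef` lines use bare `{{ … }}` while `server`, `path` and `version` go through `| quote`; rendering them the same way, e.g. `name: {{ .spec.provider.vault.auth.tokenSecretRef.name | quote }}`, avoids an empty expansion turning into a null scalar. The template also only admits static token auth, so it may be worth stating in the README that a store using a different `auth` method is expected to be flagged.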
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
---
2+
apiVersion: operator.openshift.io/v1alpha1
3+
kind: ExternalSecretsConfig
4+
metadata:
5+
name: cluster
6+
spec: {}
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
apiVersion: v1
3+
kind: Namespace
4+
metadata:
5+
annotations:
6+
workload.openshift.io/allowed: management
7+
name: external-secrets-operator
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
---
2+
apiVersion: networking.k8s.io/v1
3+
kind: NetworkPolicy
4+
metadata:
5+
name: allow-secret-store-egress
6+
namespace: external-secrets
7+
spec:
8+
podSelector:
9+
matchLabels:
10+
app.kubernetes.io/name: external-secrets
11+
policyTypes:
12+
- Egress
13+
egress:
14+
- to:
15+
- namespaceSelector:
16+
matchLabels:
17+
kubernetes.io/metadata.name: vault
18+
ports:
19+
- port: 8200
20+
protocol: TCP
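Review bot: With `policyTypes: [Egress]` and a single rule allowing only pods in the `vault` namespace on 8200/TCP, the selected controller pods would presumably be unable to resolve DNS or reach the API server to write Secrets unless another policy in `external-secrets` permits that, so the policy needs additional egress rules (cluster DNS and the API server) or a comment stating that those are granted elsewhere. The rule also only matches an in-cluster Vault via `kubernetes.io/metadata.name: vault`, while the reference ClusterSecretStore points at `https://vault.example.com:8200`; an off-cluster Vault would need an `ipBlock` entry instead. Adding `# assumes an in-cluster Vault in namespace "vault"; adjust to ipBlock for an external server` above `egress:` would record the assumption.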
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
---
2+
apiVersion: operators.coreos.com/v1
3+
kind: OperatorGroup
4+
metadata:
5+
annotations:
6+
operatorframework.io/bundle-unpack-timeout: "10m"
7+
operatorframework.io/bundle-unpack-min-retry-interval: 10m
8+
name: external-secrets-operator
9+
namespace: external-secrets-operator
10+
spec:
11+
upgradeStrategy: Default
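Review bot: The two annotation values are quoted inconsistently — `operatorframework.io/bundle-unpack-timeout: "10m"` but `operatorframework.io/bundle-unpack-min-retry-interval: 10m`; quote the second one as well so both are unambiguously strings. The OperatorGroup has no `targetNamespaces`, which selects the all-namespaces install mode; a comment such as `# no targetNamespaces: cluster-wide (AllNamespaces) install mode` above `spec:` would make that deliberate.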
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
---
2+
apiVersion: operators.coreos.com/v1alpha1
3+
kind: Subscription
4+
metadata:
5+
name: openshift-external-secrets-operator
6+
namespace: external-secrets-operator
7+
spec:
8+
channel: stable-v1
9+
name: openshift-external-secrets-operator
10+
source: redhat-operators-disconnected
11+
sourceNamespace: openshift-marketplace
12+
installPlanApproval: Manual
13+
status:
14+
state: AtLatestKnown
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
apiVersion: external-secrets.io/v1
3+
kind: ClusterSecretStore
4+
metadata:
5+
name: ztp-secret-provider
6+
spec:
7+
# Restrict store usage to RHACM managed-cluster namespaces only
8+
conditions:
9+
- namespaceSelector:
10+
matchExpressions:
11+
- key: cluster.open-cluster-management.io/managedCluster
12+
operator: Exists
13+
provider:
14+
vault:
15+
server: "https://vault.example.com:8200"
16+
path: "secret"
17+
version: "v2"
18+
auth:
19+
tokenSecretRef:
20+
name: vault-token
21+
key: token
22+
namespace: external-secrets-operator
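Review bot: The `auth:` block pins a long-lived Vault token held in the `vault-token` Secret in `external-secrets-operator`, and that Secret is not part of the reference, so its creation, rotation and who can read it in that namespace are outside what this configuration describes; a comment above `auth:` such as `# vault-token is provisioned out of band and must be rotated; not managed by this reference` would make that explicit. `server`, `path` and `version` are example values that every site must replace, which is worth stating in a comment above `provider:` so the placeholder hostname is not deployed as-is. If Vault's Kubernetes auth method is an option for the sites this targets, documenting it as an alternative to a static token would reduce the secret-handling burden.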
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
---
2+
apiVersion: operator.openshift.io/v1alpha1
3+
kind: ExternalSecretsConfig
4+
metadata:
5+
name: cluster
6+
spec: {}
