Skip to content

Commit d10c38f

Browse files
sabre1041sabre1041
committed
Lifecycle management for ExternalSecrets
Signed-off-by: Andrew Block <andy.block@gmail.com>
1 parent b82a485 commit d10c38f

8 files changed

Lines changed: 518 additions & 459 deletions

Chart.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ keywords:
44
- pattern
55
name: rhbk
66
type: application
7-
version: 0.0.10
7+
version: 0.0.11
88
home: https://github.com/validatedpatterns/rhbk-chart
99
maintainers:
1010
- name: Validated Patterns Team

README.md

Lines changed: 426 additions & 433 deletions
Large diffs are not rendered by default.

templates/acs-oidc-client-secret-external-secret.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,13 +5,24 @@ kind: ExternalSecret
55
metadata:
66
name: acs-oidc-client-secret
77
namespace: {{ .Release.Namespace }}
8+
{{- if .Values.externalSecrets.acs.annotations }}
9+
annotations:
10+
{{- toYaml .Values.externalSecrets.acs.annotations | nindent 4 }}
11+
{{- end }}
12+
{{- if .Values.externalSecrets.acs.labels }}
13+
labels:
14+
{{- toYaml .Values.externalSecrets.acs.labels | nindent 4 }}
15+
{{- end }}
816
spec:
917
refreshInterval: 15s
1018
secretStoreRef:
1119
name: {{ .Values.global.secretStore.name }}
1220
kind: {{ .Values.global.secretStore.kind }}
1321
target:
1422
name: acs-oidc-client-secret
23+
creationPolicy: {{ .Values.externalSecrets.acs.creationPolicy }}
24+
deletionPolicy: {{ .Values.externalSecrets.acs.deletionPolicy }}
25+
refreshPolicy: {{ .Values.externalSecrets.acs.refreshPolicy }}
1526
template:
1627
type: Opaque
1728
data:

templates/keycloak-users-external-secret.yaml

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,13 @@ kind: ExternalSecret
44
metadata:
55
name: keycloak-users
66
namespace: {{ .Release.Namespace }}
7-
{{- if .Values.externalSecrets.oneShot }}
7+
{{- if .Values.externalSecrets.keycloakUsers.annotations }}
88
annotations:
9-
argocd.argoproj.io/hook: Sync
10-
argocd.argoproj.io/hook-delete-policy: HookSucceeded
11-
argocd.argoproj.io/sync-options: PrunePropagationPolicy=orphan
9+
{{- toYaml .Values.externalSecrets.keycloakUsers.annotations | nindent 4 }}
10+
{{- end }}
11+
{{- if .Values.externalSecrets.keycloakUsers.labels }}
12+
labels:
13+
{{- toYaml .Values.externalSecrets.keycloakUsers.labels | nindent 4 }}
1214
{{- end }}
1315
spec:
1416
refreshInterval: 15s
@@ -17,11 +19,9 @@ spec:
1719
kind: {{ .Values.global.secretStore.kind }}
1820
target:
1921
name: keycloak-users
20-
{{- if .Values.externalSecrets.oneShot }}
21-
creationPolicy: Orphan
22-
{{- else }}
23-
creationPolicy: {{ .Values.externalSecrets.creationPolicy }}
24-
{{- end }}
22+
creationPolicy: {{ .Values.externalSecrets.keycloakUsers.creationPolicy }}
23+
deletionPolicy: {{ .Values.externalSecrets.keycloakUsers.deletionPolicy }}
24+
refreshPolicy: {{ .Values.externalSecrets.keycloakUsers.refreshPolicy }}
2525
template:
2626
{{- if .Values.externalSecrets.oneShot }}
2727
metadata:

templates/oidc-client-secret-external-secret.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,13 +4,24 @@ kind: ExternalSecret
44
metadata:
55
name: oidc-client-secret
66
namespace: {{ .Release.Namespace }}
7+
{{- if .Values.externalSecrets.oidcClientSecret.annotations }}
8+
annotations:
9+
{{- toYaml .Values.externalSecrets.oidcClientSecret.annotations | nindent 4 }}
10+
{{- end }}
11+
{{- if .Values.externalSecrets.oidcClientSecret.labels }}
12+
labels:
13+
{{- toYaml .Values.externalSecrets.oidcClientSecret.labels | nindent 4 }}
14+
{{- end }}
715
spec:
816
refreshInterval: 15s
917
secretStoreRef:
1018
name: {{ .Values.global.secretStore.name }}
1119
kind: {{ .Values.global.secretStore.kind }}
1220
target:
1321
name: oidc-client-secret
22+
creationPolicy: {{ .Values.externalSecrets.oidcClientSecret.creationPolicy }}
23+
deletionPolicy: {{ .Values.externalSecrets.oidcClientSecret.deletionPolicy }}
24+
refreshPolicy: {{ .Values.externalSecrets.oidcClientSecret.refreshPolicy }}
1425
template:
1526
type: Opaque
1627
data:

templates/postgresql-db-external-secret.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,13 +3,24 @@ kind: ExternalSecret
33
metadata:
44
name: postgresql-db
55
namespace: {{ .Release.Namespace }}
6+
{{- if .Values.externalSecrets.postgresqlDb.annotations }}
7+
annotations:
8+
{{- toYaml .Values.externalSecrets.postgresqlDb.annotations | nindent 4 }}
9+
{{- end }}
10+
{{- if .Values.externalSecrets.postgresqlDb.labels }}
11+
labels:
12+
{{- toYaml .Values.externalSecrets.postgresqlDb.labels | nindent 4 }}
13+
{{- end }}
614
spec:
715
refreshInterval: 15s
816
secretStoreRef:
917
name: {{ .Values.global.secretStore.name }}
1018
kind: {{ .Values.global.secretStore.kind }}
1119
target:
1220
name: {{ .Values.keycloak.postgresqlDb.secretName }}
21+
creationPolicy: {{ .Values.externalSecrets.postgresqlDb.creationPolicy }}
22+
deletionPolicy: {{ .Values.externalSecrets.postgresqlDb.deletionPolicy }}
23+
refreshPolicy: {{ .Values.externalSecrets.postgresqlDb.refreshPolicy }}
1324
template:
1425
type: Opaque
1526
data:

templates/rhtpa-oidc-cli-secret-external-secret.yaml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,13 +5,25 @@ kind: ExternalSecret
55
metadata:
66
name: rhtpa-oidc-cli-secret
77
namespace: {{ .Release.Namespace }}
8+
{{- if .Values.externalSecrets.rhtpa.annotations }}
9+
annotations:
10+
{{- toYaml .Values.externalSecrets.rhtpa.annotations | nindent 4 }}
11+
{{- end }}
12+
{{- if .Values.externalSecrets.rhtpa.labels }}
13+
labels:
14+
{{- toYaml .Values.externalSecrets.rhtpa.labels | nindent 4 }}
15+
{{- end }}
16+
817
spec:
918
refreshInterval: 15s
1019
secretStoreRef:
1120
name: {{ .Values.global.secretStore.name }}
1221
kind: {{ .Values.global.secretStore.kind }}
1322
target:
1423
name: rhtpa-oidc-cli-secret
24+
creationPolicy: {{ .Values.externalSecrets.rhtpa.creationPolicy }}
25+
deletionPolicy: {{ .Values.externalSecrets.rhtpa.deletionPolicy }}
26+
refreshPolicy: {{ .Values.externalSecrets.rhtpa.refreshPolicy }}
1527
template:
1628
type: Opaque
1729
data:

values.yaml

Lines changed: 37 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -4,23 +4,44 @@ global:
44
kind: ClusterSecretStore
55
name: vault-backend
66

7-
# -- One-shot ExternalSecret provisioning for keycloak-users.
8-
# When oneShot is true, the keycloak-users ExternalSecret becomes an
9-
# ArgoCD Sync hook with HookSucceeded and creationPolicy: Orphan.
10-
# Orphan prevents ESO from setting an ownerReference on the Secret,
11-
# so k8s GC will not cascade-delete the Secret when ArgoCD removes
12-
# the ExternalSecret hook after sync.
13-
# A PostSync Job in the wrapper chart (e.g. rh-keycloak in
14-
# layered-zero-trust) then cleans up Secrets labeled
15-
# secretCleanupLabel=delete.
16-
# When oneShot is false (default), keycloak-users is a regular
17-
# ExternalSecret with no hook annotations — the Secret and
18-
# ExternalSecret persist.
19-
# @default -- disabled (regular ExternalSecret, no hooks)
7+
# -- Properties associated with ExternalSecret resources.
208
externalSecrets:
21-
oneShot: false
22-
creationPolicy: Owner
23-
secretCleanupLabel: "validatedpatterns.io/cleanup"
9+
acs:
10+
creationPolicy: Owner
11+
deletionPolicy: Retain
12+
refreshPolicy: Periodic
13+
annotations: {}
14+
labels: {}
15+
adminUser:
16+
creationPolicy: Owner
17+
deletionPolicy: Retain
18+
refreshPolicy: Periodic
19+
annotations: {}
20+
labels: {}
21+
keycloakUsers:
22+
creationPolicy: Owner
23+
deletionPolicy: Retain
24+
refreshPolicy: Periodic
25+
annotations: {}
26+
labels: {}
27+
oidcClientSecret:
28+
creationPolicy: Owner
29+
deletionPolicy: Retain
30+
refreshPolicy: Periodic
31+
annotations: {}
32+
labels: {}
33+
postgresqlDb:
34+
creationPolicy: Owner
35+
deletionPolicy: Retain
36+
refreshPolicy: Periodic
37+
annotations: {}
38+
labels: {}
39+
rhtpa:
40+
creationPolicy: Owner
41+
deletionPolicy: Retain
42+
refreshPolicy: Periodic
43+
annotations: {}
44+
labels: {}
2445

2546
# -- Default-deny NetworkPolicy for the keycloak namespace.
2647
# When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress

0 commit comments

Comments
 (0)