chore(k8s-peterg): Switch to Vault secretstore

k8s-peterg/argocd/clusters.yaml

@@ -5,8 +5,8 @@ metadata:
   name: k8s-wheatley-cluster
 spec:
   secretStoreRef:
+    name: vault-wheatley
     kind: ClusterSecretStore
-    name: 1password-wheatley
   target:
     name: k8s-wheatley-cluster
     creationPolicy: Owner
@@ -24,7 +24,9 @@ spec:
   data:
     - secretKey: endpoint
       remoteRef:
-        key: k8s-wheatley_clusterdefinition/endpoint
+        key: secrets/managed/argocd/clusters/k8s-wheatley
+        property: endpoint
     - secretKey: config
       remoteRef:
-        key: k8s-wheatley_clusterdefinition/config
+        key: secrets/managed/argocd/clusters/k8s-wheatley
+        property: config

k8s-peterg/argocd/oidc.yaml

@@ -6,11 +6,10 @@ metadata:
   namespace: argocd
 spec:
   secretStoreRef:
+    name: vault-wheatley
     kind: ClusterSecretStore
-    name: 1password-wheatley
   target:
     name: argocd-authentik-provider
-    creationPolicy: Owner
     template:
       metadata:
         labels:
@@ -18,10 +17,13 @@ spec:
   data:
     - secretKey: dex.authentik.issuer
       remoteRef:
-        key: authentik-argocd-provider/issuer
+        key: secrets/managed/argocd/authentik-oidc-credentials
+        property: issuer
     - secretKey: dex.authentik.clientID
       remoteRef:
-        key: authentik-argocd-provider/client_id
+        key: secrets/managed/argocd/authentik-oidc-credentials
+        property: clientID
     - secretKey: dex.authentik.clientSecret
       remoteRef:
-        key: authentik-argocd-provider/client_secret
+        key: secrets/managed/argocd/authentik-oidc-credentials
+        property: clientSecret

k8s-peterg/external-secrets-operator/clustersecrets.yaml

@@ -10,7 +10,7 @@ spec:
         kubernetes.io/metadata.name: kube-system
   externalSecretSpec:
     secretStoreRef:
-      name: 1password-wheatley
+      name: vault-wheatley
       kind: ClusterSecretStore
     target:
       name: tls-wildcard-peterg-nl
@@ -20,15 +20,11 @@ spec:
           tls.crt: "{{ .crt }}"
           tls.key: "{{ .key }}"
     data:
-      - secretKey: key
-        remoteRef:
-          key: tls-wildcard-peterg-nl/key
-          metadataPolicy: None
-          conversionStrategy: Default
-          decodingStrategy: None
       - secretKey: crt
         remoteRef:
-          key: tls-wildcard-peterg-nl/crt
+          key: secrets/provisioned/tls-wildcard-peterg-nl
-          metadataPolicy: None
+          property: crt
-          conversionStrategy: Default
+      - secretKey: key
-          decodingStrategy: None
+        remoteRef:
+          key: secrets/provisioned/tls-wildcard-peterg-nl
+          property: key

k8s-peterg/external-secrets-operator/kustomization.yaml

@@ -3,5 +3,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../kustomize-bases/external-secrets-operator
+  - namespace.yaml
-  - clustersecrets.yaml
+  - secretstore.yaml
+
+helmCharts:
+  - name: external-secrets
+    repo: https://charts.external-secrets.io
+    namespace: external-secrets
+    releaseName: external-secrets
+    version: 1.0.0

k8s-peterg/external-secrets-operator/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets

k8s-peterg/external-secrets-operator/secretstore.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-wheatley
+spec:
+  provider:
+    vault:
+      server: "https://vault.wheatley.in"
+      namespace: "wheatley"
+      path: "kv/k8s-peterg"
+      version: "v2"
+      auth:
+        appRole:
+          path: approle
+          roleRef:
+            namespace: secret-operator
+            name: vault-wheatley-approle
+            key: approle_id
+          secretRef:
+            namespace: secret-operator
+            name: vault-wheatley-approle
+            key: approle_secret