chore(k8s-wheatley): Use Vault SecretStore

2026-01-27 22:05:09 +01:00 · 2026-01-27 22:05:09 +01:00 · 22ae1a5f7f
commit 22ae1a5f7f
parent 764d642e9f
6 changed files with 44 additions and 38 deletions
--- a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
+++ b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
@ -10,7 +10,7 @@ spec:
        kubernetes.io/metadata.name: kube-system
  externalSecretSpec:
    secretStoreRef:
-      name: 1password-wheatley
+      name: vault-wheatley
      kind: ClusterSecretStore
    target:
      name: tls-wildcard-wheatley-in
@ -20,15 +20,17 @@ spec:
          tls.crt: "{{ .crt }}"
          tls.key: "{{ .key }}"
    data:
-      - secretKey: key
-        remoteRef:
-          key: tls-wildcard-wheatley-in/key
-          metadataPolicy: None
-          conversionStrategy: Default
-          decodingStrategy: None
      - secretKey: crt
        remoteRef:
-          key: tls-wildcard-wheatley-in/crt
-          metadataPolicy: None
+          key: secrets/provisioned/tls-wildcard-wheatley-in
+          property: crt
          conversionStrategy: Default
          decodingStrategy: None
+          metadataPolicy: None
+      - secretKey: key
+        remoteRef:
+          key: secrets/provisioned/tls-wildcard-wheatley-in
+          property: key
+          conversionStrategy: Default
+          decodingStrategy: None
+          metadataPolicy: None
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@ -3,5 +3,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - ../../kustomize-bases/external-secrets-operator
+  - namespace.yaml
+  - secretstore.yaml
  - clustersecrets.yaml
+
+helmCharts:
+  - name: external-secrets
+    repo: https://charts.external-secrets.io
+    namespace: external-secrets
+    releaseName: external-secrets
+    version: 1.0.0
--- a/k8s-wheatley/external-secrets-operator/namespace.yaml
+++ b/k8s-wheatley/external-secrets-operator/namespace.yaml
@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
--- a/k8s-wheatley/external-secrets-operator/secretstore.yaml
+++ b/k8s-wheatley/external-secrets-operator/secretstore.yaml
@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault-wheatley
+  namespace: external-secrets
+spec:
+  provider:
+    vault:
+      server: "https://vault.wheatley.in"
+      namespace: "wheatley"
+      path: "kv/k8s_wheatley"
+      version: "v2"
+      auth:
+        appRole:
+          path: approle
+          roleRef:
+            namespace: external-secrets
+            name: vault-wheatley-approle
+            key: approle_id
+          secretRef:
+            namespace: external-secrets
+            name: vault-wheatley-approle
+            key: approle_secret