scubbo/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add vault-sourced secret in Drone setup

Browse Source
This commit is contained in:
Jack Jackson 2024-04-21 13:40:11 -07:00
parent 1926560274
commit 4c82c014f8
3 changed files with 51 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -24,6 +24,12 @@ Note that you need to have manually connected the source Repository _in_ ArgoCD
TODO - when we have a better secrets management system, export Gitea user password so that it can be used by ArgoCD to initialize that repository directly (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories) TODO - when we have a better secrets management system, export Gitea user password so that it can be used by ArgoCD to initialize that repository directly (https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories)
## Jsonnet
As of 2024, I started using Jsonnet to define apps in a less repetitious way.
To check the output before submitting, use `jsonnet -J app-of-apps app-of-apps/<filename>.jsonnet`
## Other links ## Other links
* [General documentation on repositories](https://helm.sh/docs/topics/chart_repository/) * [General documentation on repositories](https://helm.sh/docs/topics/chart_repository/)

45
app-of-apps/drone.jsonnet
View File

@ -1,3 +1,46 @@
local appDef = import './app-definitions.libsonnet'; local appDef = import './app-definitions.libsonnet';
appDef.localApplication(name="drone") [
appDef.localApplication(name="drone"),
// TODO - maybe extract this, too?
{
apiVersion: "secrets.hashicorp.com/v1beta1",
kind: "VaultAuth",
metadata: {
name: "static-auth",
namespace: "drone"
},
spec: {
method: "kubernetes",
mount: "kubernetes",
kubernetes: {
role: "vault-secrets-operator",
serviceAccount: "default",
audiences: ["vault"]
}
}
},
// Note that currently this secret is created manually and statically. It'd be really cool for cold-start setup if OAuth
// App creation could be triggered at Gitea startup, and a secret automatically created!
{
apiVersion: "secrets.hashicorp.com/v1beta1",
kind: "VaultStaticSecret",
metadata: {
name: "gitea-oauth-creds",
namespace: "drone"
},
spec: {
type: "kv-v2",
mount: "shared-secrets",
path: "gitea/oauth-creds",
destination: {
name: "gitea-oauth-creds",
create: true
},
refreshAfter: "30s",
vaultAuthRef: "static-auth"
}
}
]

2
charts/drone/README.md
View File

@ -4,7 +4,7 @@ TODO:
* The Prometheus user (https://cogarius.medium.com/3-3-complete-guide-to-ci-cd-pipelines-with-drone-io-on-kubernetes-drone-metrics-with-prometheus-c2668e42b03f) - probably by mounting the volume, using sqlite3 to parse out admin password, then using that to make API call * The Prometheus user (https://cogarius.medium.com/3-3-complete-guide-to-ci-cd-pipelines-with-drone-io-on-kubernetes-drone-metrics-with-prometheus-c2668e42b03f) - probably by mounting the volume, using sqlite3 to parse out admin password, then using that to make API call
* Create `gitea_password` Organization Secret at init. * Create `gitea_password` Organization Secret at init.
Create secret named `gitea-oauth-creds`, with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET`. Remember also to create an Organization Secret named `gitea_password` for pulling. Ensure that Vault has a secret at `shared-secrets/gitea/oauth-creds` with keys `DRONE_GITEA_CLIENT_ID` and `DRONE_GITEA_CLIENT_SECRET` (see the application definition in `app-of-apps/drone.jsonnet` to see how the secret is injected from Vault into k8s). Remember also to create an Organization Secret named `gitea_password` for pulling.
For MTU problem diagnosis: For MTU problem diagnosis: