feat: include SecretStore

Taskfile.yml

@@ -38,3 +38,5 @@ tasks:
           REPO_NAME: vcluster
           REPO_URL: https://charts.loft.sh
           CHART_NAME: vcluster
+      - >-
+        echo "sulfoxide-bromine: $(skopeo list-tags docker://ghcr.io/atomicloud/sulfoxide.bromine/sulfoxide-bromine | jq -r '.Tags[]' | sort -V | tail -n 1)"

chart/Chart.lock

@@ -1,6 +1,9 @@
 dependencies:
 - name: vcluster
   repository: https://charts.loft.sh
-  version: 0.16.2
-digest: sha256:98b550050b569842f5e54984d27ff11f1ee2840c6e8828bd54c473c534b2c86a
-generated: "2023-10-08T13:03:03.164331+08:00"
+  version: 0.16.3
+- name: sulfoxide-bromine
+  repository: oci://ghcr.io/atomicloud/sulfoxide.bromine
+  version: 1.1.1
+digest: sha256:98b58f99cc66289c9f79105f55266c746cfc0574b1b27ada70da30bc2affcf7b
+generated: "2023-10-13T17:54:39.921913+08:00"

chart/Chart.yaml

@@ -3,8 +3,11 @@ name: sulfoxide-iodine
 description: Helm chart to install virtual cluster on a physical cluster
 type: application
 version: 1.4.0
-appVersion: "v0.16.2"
+appVersion: "v0.16.3"
 dependencies:
   - name: vcluster
-    version: v0.16.2
+    version: v0.16.3
     repository: https://charts.loft.sh
+  - name: sulfoxide-bromine
+    version: 1.1.1
+    repository: oci://ghcr.io/atomicloud/sulfoxide.bromine

chart/README.md

@@ -1,14 +1,15 @@
 # sulfoxide-iodine
 
-![Version: 1.4.0](https://img.shields.io/badge/Version-1.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.16.2](https://img.shields.io/badge/AppVersion-v0.16.2-informational?style=flat-square)
+![Version: 1.4.0](https://img.shields.io/badge/Version-1.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.16.3](https://img.shields.io/badge/AppVersion-v0.16.3-informational?style=flat-square)
 
 Helm chart to install virtual cluster on a physical cluster
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.loft.sh | vcluster | v0.16.2 |
+| https://charts.loft.sh | vcluster | v0.16.3 |
+| oci://ghcr.io/atomicloud/sulfoxide.bromine | sulfoxide-bromine | 1.1.1 |
 
 ## Values
 
@@ -25,9 +26,23 @@ Helm chart to install virtual cluster on a physical cluster
 | auth.secretStore.kind | string | `"ClusterSecretStore"` | kind of the secret store to reference |
 | auth.secretStore.name | string | `"doppler"` | name of the secret store to reference |
 | auth.upsyncNamespace | string | `"default"` | upsync namespace |
+| datastore | object | `{"name":"pichu-root-token","policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteName":"PICHU_K3S_DATASTORE_ENDPOINT","secretKey":"K3S_DATASTORE_ENDPOINT","secretStore":{"kind":"SecretStore","name":"doppler-iodine"}}` | K3S state (postgresql) auth |
+| datastore.name | string | `"pichu-root-token"` | name of the secret to be created |
+| datastore.policy.creation | string | `"Owner"` | External Secret creation policy |
+| datastore.policy.deletion | string | `"Retain"` | External Secret deletion policy |
+| datastore.refreshInterval | string | `"1h"` | external secret refresh interval |
+| datastore.remoteName | string | `"PICHU_K3S_DATASTORE_ENDPOINT"` | name of the remote secret name |
+| datastore.secretKey | string | `"K3S_DATASTORE_ENDPOINT"` | secret key to store the connection string secret |
+| datastore.secretStore | object | `{"kind":"SecretStore","name":"doppler-iodine"}` | Secret store to reference |
+| datastore.secretStore.kind | string | `"SecretStore"` | kind of the secret store to reference |
+| datastore.secretStore.name | string | `"doppler-iodine"` | name of the secret store to reference |
 | serviceTree | object | `{"layer":"1","platform":"sulfoxide","service":"iodine"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
+| sulfoxide-bromine | object | `{"rootSecret":{"ref":"SULFOXIDE_IODINE"},"storeName":"doppler-boron"}` | Create SecretStore via secret of secrets pattern |
+| sulfoxide-bromine.rootSecret | object | `{"ref":"SULFOXIDE_IODINE"}` | Secret of Secrets reference |
+| sulfoxide-bromine.rootSecret.ref | string | `"SULFOXIDE_IODINE"` | DOPPLER Token Reference |
+| sulfoxide-bromine.storeName | string | `"doppler-boron"` | Store name to create |
 | tags | object | `{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}` | Kubernetes labels and annotations, following Service Tree |
-| vcluster | object | `{"annotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"ingress":{"enabled":true,"host":"kubernetes.atomi.cloud","ingressClassName":"nginx"},"init":{"manifests":"apiVersion: v1\nkind: Namespace\nmetadata:\n  labels:\n    kubernetes.io/metadata.name: sulfoxide\n  name: sulfoxide\n"},"labels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"plugin":{"secret-syncer":{"image":"ghcr.io/kirinnee/vcluster-secret-syncer/secret-syncer-amd:1.0.0","imagePullPolicy":"IfNotPresent"}},"proxy":{"metricsServer":{"nodes":{"enabled":true},"pods":{"enabled":true}}},"sync":{"configmaps":{"all":true},"ingresses":{"enabled":true},"nodes":{"enableScheduler":true,"enabled":true,"fakeKubeletIPs":true,"syncAllNodes":true,"syncNodeChanges":true},"pods":{"enabled":true,"ephemeralContainers":true,"status":true},"secrets":{"all":true}},"syncer":{"extraArgs":["--tls-san=https://kubernetes.atomi.cloud"]},"telemetry":{"disabled":true}}` | Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster) |
+| vcluster | object | `{"annotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"coredns":{"replicas":3},"enableHA":true,"ingress":{"enabled":true,"host":"kubernetes.atomi.cloud","ingressClassName":"nginx"},"init":{"manifests":"apiVersion: v1\nkind: Namespace\nmetadata:\n  labels:\n    kubernetes.io/metadata.name: sulfoxide\n  name: sulfoxide\n"},"labels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"plugin":{"secret-syncer":{"image":"ghcr.io/kirinnee/vcluster-secret-syncer/secret-syncer-amd:1.0.0","imagePullPolicy":"IfNotPresent"}},"proxy":{"metricsServer":{"nodes":{"enabled":true},"pods":{"enabled":true}}},"replicas":3,"storage":{"persistence":false},"sync":{"configmaps":{"all":true},"ingresses":{"enabled":true},"nodes":{"enableScheduler":true,"enabled":true,"fakeKubeletIPs":true,"syncAllNodes":true,"syncNodeChanges":true},"pods":{"enabled":true,"ephemeralContainers":true,"status":true},"secrets":{"all":true}},"syncer":{"extraArgs":["--tls-san=https://kubernetes.atomi.cloud"]},"telemetry":{"disabled":true},"vcluster":{"env":[{"name":"K3S_DATASTORE_ENDPOINT","secretKeyRef":{"key":"K3S_DATASTORE_ENDPOINT","name":"pichu-root-token"},"valueFrom":null}]}}` | Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster) |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.1](https://github.com/norwoodj/helm-docs/releases/v1.11.1)

chart/templates/datastore-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Release.Name -}}-datastore-external-secret
+  annotations: {{- include "sulfoxide-iodine.annotations" . | nindent 4 }}
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+  labels: {{- include "sulfoxide-iodine.labels" . | nindent 4 }}
+spec:
+  refreshInterval: {{ .Values.datastore.refreshInterval }}
+  secretStoreRef:
+    name: {{ .Values.datastore.secretStore.name }}
+    kind: {{ .Values.datastore.secretStore.kind }}
+  target:
+    name: {{ .Values.datastore.name }}
+    creationPolicy: {{ .Values.datastore.policy.creation }}
+    deletionPolicy: {{ .Values.datastore.policy.deletion }}
+  data:
+    - secretKey: "{{ .Values.datastore.secretKey }}"
+      remoteRef:
+        key: "{{ .Values.datastore.remoteName }}"

chart/values.example.yaml

@@ -1,36 +1,41 @@
-# -- Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster)
-vcluster:
+serviceTree:
+  landscape: &landscape pichu
+  cluster: &cluster opal
 
-  sync:
-    configmaps:
-      all: true
-    secrets:
-      all: true
-    ingresses:
-      enabled: true
-    pods:
-      enabled: true
-      ephemeralContainers: true
-      status: true
-    nodes:
-      enabled: true
-      syncAllNodes: true
-      syncNodeChanges: true
-      enableScheduler: true
-      fakeKubeletIPs: false
-  rbac:
-    role:
-      create: true
-  proxy:
-    metricsServer:
-      nodes:
-        enabled: true
-      pods:
-        enabled: true
-  ingress:
-    enabled: false
-  telemetry:
-    disabled: true
+tags: &tags
+  atomi.cloud/landscape: *landscape
+  atomi.cloud/cluster: *cluster
+
+auth:
+  name: pichu-root-token
+  remoteName: PICHU_SULFOXIDE_SOS
+  upsyncNamespace: sulfoxide
 
+sulfoxide-bromine:
+  storeName: &storeName doppler-pichu-iodine
 
+datastore:
+  secretStore:
+    name: *storeName
+  name: &k3sDatastoreEndpoint pichu-datastore-endpoint
+  remoteName: PICHU_K3S_DATASTORE_ENDPOINT
+  secretKey: &k3sSecretKey K3S_DATASTORE_ENDPOINT
 
+vcluster:
+  vcluster:
+    env:
+      - name: K3S_DATASTORE_ENDPOINT
+        valueFrom:
+        secretKeyRef:
+          name: *k3sDatastoreEndpoint
+          key: *k3sSecretKey
+  labels:
+    <<: *tags
+  annotations:
+    <<: *tags
+  syncer:
+    extraArgs:
+      - --kube-config-context-name=pichu-opal
+      - --out-kube-config-server=https://pichu.opal.kubernetes.cluster.atomi.cloud
+  ingress:
+    host: pichu.opal.kubernetes.cluster.atomi.cloud

chart/values.pichu.opal.yaml

@@ -11,8 +11,24 @@ auth:
   remoteName: PICHU_SULFOXIDE_SOS
   upsyncNamespace: sulfoxide
 
+sulfoxide-bromine:
+  storeName: &storeName doppler-pichu-iodine
+
+datastore:
+  secretStore:
+    name: *storeName
+  name: &k3sDatastoreEndpoint pichu-datastore-endpoint
+  remoteName: PICHU_K3S_DATASTORE_ENDPOINT
+  secretKey: &k3sSecretKey K3S_DATASTORE_ENDPOINT
 
 vcluster:
+  vcluster:
+    env:
+      - name: K3S_DATASTORE_ENDPOINT
+        valueFrom:
+        secretKeyRef:
+          name: *k3sDatastoreEndpoint
+          key: *k3sSecretKey
   labels:
     <<: *tags
   annotations:

chart/values.pikachu.opal.yaml

@@ -11,8 +11,24 @@ auth:
   remoteName: PIKACHU_SULFOXIDE_SOS
   upsyncNamespace: sulfoxide
 
+sulfoxide-bromine:
+  storeName: &storeName doppler-pikachu-iodine
+
+datastore:
+  secretStore:
+    name: *storeName
+  name: &k3sDatastoreEndpoint pikachu-datastore-endpoint
+  remoteName: PIKACHU_K3S_DATASTORE_ENDPOINT
+  secretKey: &k3sSecretKey K3S_DATASTORE_ENDPOINT
 
 vcluster:
+  vcluster:
+    env:
+      - name: K3S_DATASTORE_ENDPOINT
+        valueFrom:
+        secretKeyRef:
+          name: *k3sDatastoreEndpoint
+          key: *k3sSecretKey
   labels:
     <<: *tags
   annotations:

chart/values.raichu.opal.yaml

@@ -11,7 +11,24 @@ auth:
   remoteName: RAICHU_SULFOXIDE_SOS
   upsyncNamespace: sulfoxide
 
+sulfoxide-bromine:
+  storeName: &storeName doppler-raichu-iodine
+
+datastore:
+  secretStore:
+    name: *storeName
+  name: &k3sDatastoreEndpoint raichu-datastore-endpoint
+  remoteName: RAICHU_K3S_DATASTORE_ENDPOINT
+  secretKey: &k3sSecretKey K3S_DATASTORE_ENDPOINT
+
 vcluster:
+  vcluster:
+    env:
+      - name: K3S_DATASTORE_ENDPOINT
+        valueFrom:
+        secretKeyRef:
+          name: *k3sDatastoreEndpoint
+          key: *k3sSecretKey
   labels:
     <<: *tags
   annotations:

chart/values.yaml

@@ -10,6 +10,15 @@ tags: &tags
   atomi.cloud/service: *service
   atomi.cloud/layer: *layer
 
+# -- Create SecretStore via secret of secrets pattern
+sulfoxide-bromine:
+  # -- Store name to create
+  storeName: doppler-boron
+  # -- Secret of Secrets reference
+  rootSecret:
+    # -- DOPPLER Token Reference
+    ref: "SULFOXIDE_IODINE"
+
 # -- Root Doppler token
 auth:
   # -- external secret refresh interval
@@ -34,8 +43,43 @@ auth:
   # -- secret key to store DOPPLER_TOKEN
   secretKey: DOPPLER_TOKEN
 
+# -- K3S state (postgresql) auth
+datastore:
+  # -- external secret refresh interval
+  refreshInterval: 1h
+  # -- Secret store to reference
+  secretStore:
+    # -- name of the secret store to reference
+    name: doppler-iodine
+    # -- kind of the secret store to reference
+    kind: SecretStore
+  policy:
+    # -- External Secret creation policy
+    creation: Owner
+    # -- External Secret deletion policy
+    deletion: Retain
+  # -- name of the secret to be created
+  name: pichu-root-token
+  # -- name of the remote secret name
+  remoteName: PICHU_K3S_DATASTORE_ENDPOINT
+  # -- secret key to store the connection string secret
+  secretKey: K3S_DATASTORE_ENDPOINT
+
 # -- Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster)
 vcluster:
+  enableHA: true
+  replicas: 3
+  storage:
+    persistence: false
+  coredns:
+    replicas: 3
+  vcluster:
+    env:
+      - name: K3S_DATASTORE_ENDPOINT
+        valueFrom:
+        secretKeyRef:
+          name: pichu-root-token
+          key: K3S_DATASTORE_ENDPOINT
   labels:
     <<: *tags
   annotations:

nix/env.nix

@@ -22,8 +22,10 @@ with packages;
 
   main = [
     vcluster
+    skopeo
   ];
 
+
   lint = [
     # core
     treefmt

nix/packages.nix

@@ -40,6 +40,7 @@ let
           kubectl
           gitlint
           shellcheck
+          skopeo
           ;
         helm = kubernetes-helm;