feat: add support for cluster user secrets and settings (#858)

Co-authored-by: Devin Buhl <onedr0p@users.noreply.github.com> Co-authored-by: Devin Buhl <devin@buhl.casa>
onedr0p · Jul 24, 2023 · 1f55147 · 1f55147
1 parent 1a616bc
commit 1f55147
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 1 deletion.
diff --git a/.taskfiles/ClusterTasks.yaml b/.taskfiles/ClusterTasks.yaml
@@ -13,7 +13,9 @@ tasks:
       - kubectl apply --kustomize {{.KUBERNETES_DIR}}/bootstrap
       - cat {{.SOPS_AGE_KEY_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
       - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml | kubectl apply -f -
+      - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets-user.sops.yaml | kubectl apply -f -
       - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml
+      - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings-user.yaml
       - kubectl apply --kustomize {{.KUBERNETES_DIR}}/flux/config
     preconditions:
       - sh: test -f {{.SOPS_AGE_KEY_FILE}}

diff --git a/bootstrap/tasks/kubernetes/main.yaml b/bootstrap/tasks/kubernetes/main.yaml
@@ -8,7 +8,44 @@
   with_community.general.filetree: ["../templates/kubernetes/"]
 
 - name: Template Kubernetes unencrypted files
-  when: item.state == 'file' and 'sops' not in item.path and '.DS_Store' not in item.path
+  when:
+    - item.state == 'file'
+    - "'.DS_Store' not in item.path"
+    - "'sops' not in item.path"
+    - "'cluster-settings-user.yaml.j2' not in item.path"
+    - "'cluster-secrets-user.yaml.j2' not in item.path"
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
+    mode: "0644"
+  with_community.general.filetree: ["../templates/kubernetes/"]
+
+- name: Check if the cluster user settings file already exists
+  stat:
+    path: "{{ repository_path }}/kubernetes/flux/vars/cluster-settings-user.yaml"
+  register: cluster_settings_user
+
+- name: Template Kubernetes user cluster settings
+  when:
+    - item.state == 'file'
+    - "'cluster-settings-user.yaml' in item.path"
+    - not cluster_settings_user.stat.exists
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
+    mode: "0644"
+  with_community.general.filetree: ["../templates/kubernetes/"]
+
+- name: Check if the cluster user secrets file already exists
+  stat:
+    path: "{{ repository_path }}/kubernetes/flux/vars/cluster-secrets-user.yaml"
+  register: cluster_secrets_user
+
+- name: Template Kubernetes user cluster secrets
+  when:
+    - item.state == 'file'
+    - "'cluster-secrets-user.yaml' in item.path"
+    - not cluster_secrets_user.stat.exists
   ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"

diff --git a/bootstrap/templates/kubernetes/flux/apps.yaml.j2 b/bootstrap/templates/kubernetes/flux/apps.yaml.j2
@@ -21,6 +21,10 @@ spec:
         name: cluster-settings
       - kind: Secret
         name: cluster-secrets
+      - kind: ConfigMap
+        name: cluster-settings-user
+      - kind: Secret
+        name: cluster-secrets-user
   patches:
     - patch: |-
         apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -38,6 +42,10 @@ spec:
                 name: cluster-settings
               - kind: Secret
                 name: cluster-secrets
+              - kind: ConfigMap
+                name: cluster-settings-user
+              - kind: Secret
+                name: cluster-secrets-user
       target:
         group: kustomize.toolkit.fluxcd.io
         kind: Kustomization

diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-secrets-user.sops.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets-user.sops.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cluster-secrets-user
+  namespace: flux-system
+stringData:
+  SECRET_PLACEHOLDER: "secret-value"
diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-settings-user.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-settings-user.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-settings-user
+  namespace: flux-system
+data:
+  SETTINGS_PLACEHOLDER: "settings-value"
diff --git a/bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./cluster-settings.yaml
+  - ./cluster-settings-user.yaml
   - ./cluster-secrets.sops.yaml
+  - ./cluster-secrets-user.sops.yaml