From 1f55147125e0347dde1c68a93399840637b954fc Mon Sep 17 00:00:00 2001
From: Aumer
Date: Mon, 24 Jul 2023 22:32:33 +0200
Subject: [PATCH] feat: add support for cluster user secrets and settings (#858)
Co-authored-by: Devin Buhl
Co-authored-by: Devin Buhl
---
 .taskfiles/ClusterTasks.yaml | 2 +
 bootstrap/tasks/kubernetes/main.yaml | 39 ++++++++++++++++++-
 .../templates/kubernetes/flux/apps.yaml.j2 | 8 ++++
 .../vars/cluster-secrets-user.sops.yaml.j2 | 8 ++++
 .../flux/vars/cluster-settings-user.yaml.j2 | 8 ++++
 .../flux/vars/kustomization.yaml.j2 | 2 +
 6 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 bootstrap/templates/kubernetes/flux/vars/cluster-secrets-user.sops.yaml.j2
 create mode 100644 bootstrap/templates/kubernetes/flux/vars/cluster-settings-user.yaml.j2
diff --git a/.taskfiles/ClusterTasks.yaml b/.taskfiles/ClusterTasks.yaml
index c8df7282601..b9a3a19f414 100644
--- a/.taskfiles/ClusterTasks.yaml
+++ b/.taskfiles/ClusterTasks.yaml
@@ -13,7 +13,9 @@ tasks:
 - kubectl apply --kustomize {{.KUBERNETES_DIR}}/bootstrap
 - cat {{.SOPS_AGE_KEY_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
 - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml | kubectl apply -f -
+ - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets-user.sops.yaml | kubectl apply -f -
 - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml
+ - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings-user.yaml
 - kubectl apply --kustomize {{.KUBERNETES_DIR}}/flux/config
 preconditions:
 - sh: test -f {{.SOPS_AGE_KEY_FILE}}
diff --git a/bootstrap/tasks/kubernetes/main.yaml b/bootstrap/tasks/kubernetes/main.yaml
index c42af4a2586..8ebb1a1d656 100644
--- a/bootstrap/tasks/kubernetes/main.yaml
+++ b/bootstrap/tasks/kubernetes/main.yaml
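Review bot: The install task now fails midway, after the sops-age secret and the bootstrap kustomize have already been applied, if `cluster-secrets-user.sops.yaml` or `cluster-settings-user.yaml` is missing from `{{.KUBERNETES_DIR}}/flux/vars`, because the `preconditions:` list at the end of the hunk still checks only `SOPS_AGE_KEY_FILE`. Adding `- sh: test -f {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets-user.sops.yaml` and `- sh: test -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings-user.yaml` beside the existing precondition turns that into an up-front, before-anything-is-applied failure. The decrypt-and-pipe form matches the existing `cluster-secrets.sops.yaml` line, so it introduces no new silent-failure mode beyond what that line already has. The enclosing task starts before the hunk.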
@@ -8,7 +8,44 @@
 with_community.general.filetree: ["../templates/kubernetes/"]

 - name: Template Kubernetes unencrypted files
- when: item.state == 'file' and 'sops' not in item.path and '.DS_Store' not in item.path
+ when:
+ - item.state == 'file'
+ - "'.DS_Store' not in item.path"
+ - "'sops' not in item.path"
+ - "'cluster-settings-user.yaml.j2' not in item.path"
+ - "'cluster-secrets-user.yaml.j2' not in item.path"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
+ mode: "0644"
+ with_community.general.filetree: ["../templates/kubernetes/"]
+
+- name: Check if the cluster user settings file already exists
+ stat:
+ path: "{{ repository_path }}/kubernetes/flux/vars/cluster-settings-user.yaml"
+ register: cluster_settings_user
+
+- name: Template Kubernetes user cluster settings
+ when:
+ - item.state == 'file'
+ - "'cluster-settings-user.yaml' in item.path"
+ - not cluster_settings_user.stat.exists
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
+ mode: "0644"
+ with_community.general.filetree: ["../templates/kubernetes/"]
+
+- name: Check if the cluster user secrets file already exists
+ stat:
+ path: "{{ repository_path }}/kubernetes/flux/vars/cluster-secrets-user.yaml"
+ register: cluster_secrets_user
+
+- name: Template Kubernetes user cluster secrets
+ when:
+ - item.state == 'file'
+ - "'cluster-secrets-user.yaml' in item.path"
+ - not cluster_secrets_user.stat.exists
 ansible.builtin.template:
 src: "{{ item.src }}"
 dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
diff --git a/bootstrap/templates/kubernetes/flux/apps.yaml.j2 b/bootstrap/templates/kubernetes/flux/apps.yaml.j2
index 43c3a05d689..d557f82867c 100644
--- a/bootstrap/templates/kubernetes/flux/apps.yaml.j2
+++ b/bootstrap/templates/kubernetes/flux/apps.yaml.j2
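Review bot: The "Template Kubernetes user cluster secrets" guard never matches the file this commit adds: the new template is `cluster-secrets-user.sops.yaml.j2` (see its file header further down), so `'cluster-secrets-user.yaml' in item.path` is false for it, and the preceding `stat` on `…/flux/vars/cluster-secrets-user.yaml` tests a path that `regex_replace('.j2$', '')` never produces, leaving `cluster_secrets_user.stat.exists` permanently false. Depending on the sops-file task outside this hunk (the `'sops' not in item.path` filter suggests one exists), the rendered user secrets file is therefore either never produced by this playbook or re-rendered on every run, so the "only if it does not exist" protection does not cover a user's edited secrets. Change the three lines to `path: "{{ repository_path }}/kubernetes/flux/vars/cluster-secrets-user.sops.yaml"`, `- "'cluster-secrets-user.sops.yaml' in item.path"` and, in the first task's exclusions, `- "'cluster-secrets-user.sops.yaml.j2' not in item.path"`, and make the sops-file task skip it as well. That first-task exclusion is currently redundant with `'sops' not in item.path` for the same reason. The task list continues past the end of the hunk.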
@@ -21,6 +21,10 @@ spec:
 name: cluster-settings
 - kind: Secret
 name: cluster-secrets
+ - kind: ConfigMap
+ name: cluster-settings-user
+ - kind: Secret
+ name: cluster-secrets-user
 patches:
 - patch: |-
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -38,6 +42,10 @@ spec:
 name: cluster-settings
 - kind: Secret
 name: cluster-secrets
+ - kind: ConfigMap
+ name: cluster-settings-user
+ - kind: Secret
+ name: cluster-secrets-user
 target:
 group: kustomize.toolkit.fluxcd.io
 kind: Kustomization
diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-secrets-user.sops.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets-user.sops.yaml.j2
new file mode 100644
index 00000000000..281accfb43d
--- /dev/null
+++ b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets-user.sops.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cluster-secrets-user
+ namespace: flux-system
+stringData:
+ SECRET_PLACEHOLDER: "secret-value"
diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-settings-user.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-settings-user.yaml.j2
new file mode 100644
index 00000000000..7b8176166d5
--- /dev/null
+++ b/bootstrap/templates/kubernetes/flux/vars/cluster-settings-user.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cluster-settings-user
+ namespace: flux-system
+data:
+ SETTINGS_PLACEHOLDER: "settings-value"
diff --git a/bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2
index 8db2fe91197..dd93387aeed 100644
--- a/bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2
+++ b/bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2
@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./cluster-settings.yaml
+ - ./cluster-settings-user.yaml
 - ./cluster-secrets.sops.yaml
+ - ./cluster-secrets-user.sops.yaml
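Review bot: The `substituteFrom` entries added at `@@ -21,6 +21,10 @@` (and repeated inside the patch at `@@ -38,6 +42,10 @@`) carry no `optional: true`, so Flux treats `cluster-settings-user` and `cluster-secrets-user` as required and every Kustomization the patch targets stops reconciling until both objects exist in `flux-system`. That is consistent with the install task applying both, but a user who later deletes the ConfigMap or Secret instead of editing it would take down every app. If these are meant as optional user extensions, add `optional: true` under each of the four new entries; if they are meant to be mandatory, a comment next to the entries saying so would save the next maintainer the lookup. Both hunks sit inside `spec:` blocks that begin before the hunk.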
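Review bot: The new `cluster-secrets-user.sops.yaml.j2` is a plaintext Secret (`stringData: SECRET_PLACEHOLDER: "secret-value"`) with nothing in the file stating that the rendered `cluster-secrets-user.sops.yaml` must be sops-encrypted before it is committed, even though the install task in `.taskfiles/ClusterTasks.yaml` only works on an encrypted file; the companion `cluster-settings-user.yaml.j2` has the same documentation gap minus the encryption part. A header comment such as `# User-managed secrets consumed via postBuild.substituteFrom; keep the rendered file sops-encrypted` on the Secret and `# User-managed settings consumed via postBuild.substituteFrom; replace SETTINGS_PLACEHOLDER with your own keys` on the ConfigMap would record the contract where users will edit it. Whether the repository's sops creation rules match the new `cluster-secrets-user.sops.yaml` filename is not visible in this commit and is worth confirming.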