Defininig ES users in vault. Avoiding ArgoCD issues with random gener…

…ated passwords in helm templates
ricsanfre · Apr 21, 2023 · d98e5e2 · d98e5e2
1 parent 53dbbe5
commit d98e5e2
Show file tree

Hide file tree

Showing 8 changed files with 82 additions and 26 deletions.
diff --git a/ansible/create_vault_credentials.yml b/ansible/create_vault_credentials.yml
@@ -51,6 +51,8 @@
         - fluentd_shared_key
         - grafana_admin_password
         - elasticsearch_admin_password
+        - elasticsearch_fluentd_password
+        - elasticsearch_prometheus_password
 
     - name: Generate vault file
       ansible.builtin.template:

diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
@@ -36,9 +36,15 @@ vault:
       key: supers1cret0
   # elastic search
   elasticsearch:
-    elastic:
+    es-admin:
       user: admin
       password: s1cret0
+    es-fluentd:
+      user: fluentd
+      password: s1cret0
+    es-prometheus:
+      user: prometheus
+      password: s1cret0
   # Fluentd
   fluentd:
     shared_key: s1cret0

diff --git a/ansible/vars/vault.yml.j2 b/ansible/vars/vault.yml.j2
@@ -37,9 +37,15 @@ vault:
       key: {{ minio_tempo_password }}
   # elasticsearch and fluentd
   logging:
-    elastic:
+    es-admin:
       user: admin
       password: {{ elasticsearch_admin_password }}
+    es-fluentd:
+      user: fluentd
+      password: {{ elasticsearch_fluentd_password }}
+    es-prometheus:
+      user: prometheus
+      password: {{ elasticsearch_prometheus_password }}
     fluentd:
       shared_key: {{ fluentd_shared_key }}
   # Grafana

diff --git a/argocd/system/logging/templates/elasticsearch-admin-externalsecret.yaml b/argocd/system/logging/templates/elasticsearch-admin-externalsecret.yaml
@@ -20,13 +20,13 @@ spec:
   data:
   - secretKey: username
     remoteRef:
-      key: logging/elastic
+      key: logging/es-admin
       property: user
       conversionStrategy: Default # ArgoCD sync issue
       decodingStrategy: None # ArgoCD sync issue
   - secretKey: password
     remoteRef:
-      key: logging/elastic
+      key: logging/es-admin
       property: password
       conversionStrategy: Default # ArgoCD sync issue
       decodingStrategy: None # ArgoCD sync issue
diff --git a/argocd/system/logging/templates/elasticsearch-fluentd-externalsecret.yaml b/argocd/system/logging/templates/elasticsearch-fluentd-externalsecret.yaml
@@ -0,0 +1,32 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: elasticsearch-fluentd-externalsecret
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: es-fluentd-user-file-realm
+    template:
+      type: kubernetes.io/basic-auth
+      data:
+        username: |-
+          {{ `{{ .username | toString }}` }}
+        password: |-
+          {{ `{{ .password | toString }}` }}
+        roles: fluentd_role
+  data:
+  - secretKey: username
+    remoteRef:
+      key: logging/es-fluentd
+      property: user
+      conversionStrategy: Default # ArgoCD sync issue
+      decodingStrategy: None # ArgoCD sync issue
+  - secretKey: password
+    remoteRef:
+      key: logging/es-fluentd
+      property: password
+      conversionStrategy: Default # ArgoCD sync issue
+      decodingStrategy: None # ArgoCD sync issue
diff --git a/argocd/system/logging/templates/elasticsearch-fluentd-secret.yaml b/argocd/system/logging/templates/elasticsearch-fluentd-secret.yaml
diff --git a/argocd/system/logging/templates/elasticsearch-prometheus-externalsecret.yaml b/argocd/system/logging/templates/elasticsearch-prometheus-externalsecret.yaml
@@ -0,0 +1,32 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: elasticsearch-fluentd-externalsecret
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: es-fluentd-user-file-realm
+    template:
+      type: kubernetes.io/basic-auth
+      data:
+        username: |-
+          {{ `{{ .username | toString }}` }}
+        password: |-
+          {{ `{{ .password | toString }}` }}
+        roles: prometheus_role
+  data:
+  - secretKey: username
+    remoteRef:
+      key: logging/es-prometheus
+      property: user
+      conversionStrategy: Default # ArgoCD sync issue
+      decodingStrategy: None # ArgoCD sync issue
+  - secretKey: password
+    remoteRef:
+      key: logging/es-prometheus
+      property: password
+      conversionStrategy: Default # ArgoCD sync issue
+      decodingStrategy: None # ArgoCD sync issue
diff --git a/argocd/system/logging/templates/elasticsearch-prometheus-secret.yaml b/argocd/system/logging/templates/elasticsearch-prometheus-secret.yaml