diff --git a/charts/steampipe/Chart.lock b/charts/steampipe/Chart.lock deleted file mode 100644 index 59015c2..0000000 --- a/charts/steampipe/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: oauth2-proxy - repository: https://oauth2-proxy.github.io/manifests/ - version: 6.18.0 -digest: sha256:1cc69f74fdc07bdc0bf0264264eb774e0aeeb6bb5ed0d68507a3c6539a038a71 -generated: "2023-10-26T14:33:22.282782756+02:00" diff --git a/charts/steampipe/Chart.yaml b/charts/steampipe/Chart.yaml index 5811621..d603ee0 100644 --- a/charts/steampipe/Chart.yaml +++ b/charts/steampipe/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: steampipe description: A Helm chart for Kubernetes to deploy Steampipe type: application -version: 1.4.0 +version: 1.5.0 appVersion: "0.20.12" home: https://github.com/devops-ia/helm-charts/tree/main/charts/steampipe sources: @@ -13,6 +13,6 @@ maintainers: dependencies: - name: oauth2-proxy - version: "6.18.0" + version: "6.18.*" repository: https://oauth2-proxy.github.io/manifests/ condition: oauth2Proxy.enabled diff --git a/charts/steampipe/templates/cluster-external-secret.yaml b/charts/steampipe/templates/cluster-external-secret.yaml new file mode 100644 index 0000000..0d679a7 --- /dev/null +++ b/charts/steampipe/templates/cluster-external-secret.yaml @@ -0,0 +1,21 @@ +{{- if .Values.externalSecrets.clusterExternalSecret.enabled }} +{{ range $data := .Values.externalSecrets.clusterExternalSecret.config }} +--- +apiVersion: external-secrets.io/v1beta1 +kind: ClusterExternalSecret +metadata: + name: {{ .name }} +{{- with $data.annotations }} + labels: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with $data.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with $data.spec }} +spec: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file 
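Review bot: Loosening the oauth2-proxy dependency to `version: "6.18.*"` while Chart.lock is deleted in the same commit means the subchart is no longer pinned: each `helm dependency update` resolves to whatever 6.18.x the repository serves at that moment, so two builds of chart 1.5.0 can ship different oauth2-proxy code and an upstream change lands here without a reviewed diff. If the range is intentional, keep Chart.lock committed (it records the resolved version and digest) so the effective pin stays reproducible and auditable, and refresh it deliberately; otherwise keep an exact `version: "6.18.0"`.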
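Review bot: In cluster-external-secret.yaml the `labels:` block is guarded by `{{- with $data.annotations }}`, so `labels` from values is never rendered and the annotations map is emitted a second time under `labels`; the guard should read `{{- with $data.labels }}`. The same copy-paste appears in cluster-secret-store.yaml, external-secret.yaml, push-secret.yaml and secret-store.yaml. As `.` and `$data` both refer to the range element, `name: {{ $data.name }}` would make `metadata.name` consistent with the other accesses. All five files also end without a trailing newline.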
diff --git a/charts/steampipe/templates/cluster-secret-store.yaml b/charts/steampipe/templates/cluster-secret-store.yaml
new file mode 100644
index 0000000..3ce6fb8
--- /dev/null
+++ b/charts/steampipe/templates/cluster-secret-store.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.externalSecrets.clusterSecretStore.enabled }}
+{{ range $data := .Values.externalSecrets.clusterSecretStore.config }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: {{ .name }}
+{{- with $data.annotations }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.spec }}
+spec:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/steampipe/templates/external-secret.yaml b/charts/steampipe/templates/external-secret.yaml
new file mode 100644
index 0000000..3b9cb96
--- /dev/null
+++ b/charts/steampipe/templates/external-secret.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.externalSecrets.externalSecret.enabled }}
+{{ range $data := .Values.externalSecrets.externalSecret.config }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: {{ .name }}
+{{- with $data.annotations }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.spec }}
+spec:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/steampipe/templates/push-secret.yaml b/charts/steampipe/templates/push-secret.yaml
new file mode 100644
index 0000000..9b1feb7
--- /dev/null
+++ b/charts/steampipe/templates/push-secret.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.externalSecrets.pushSecret.enabled }}
+{{ range $data := .Values.externalSecrets.pushSecret.config }}
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ name: {{ .name }}
+{{- with $data.annotations }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.spec }}
+spec:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/steampipe/templates/secret-store.yaml b/charts/steampipe/templates/secret-store.yaml
new file mode 100644
index 0000000..4df9819
--- /dev/null
+++ b/charts/steampipe/templates/secret-store.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.externalSecrets.secretStore.enabled }}
+{{ range $data := .Values.externalSecrets.secretStore.config }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: {{ .name }}
+{{- with $data.annotations }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $data.spec }}
+spec:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/steampipe/values.yaml b/charts/steampipe/values.yaml
index 02f03fe..d0f3ce0 100644
--- a/charts/steampipe/values.yaml
+++ b/charts/steampipe/values.yaml
@@ -238,6 +238,199 @@ initContainer: extraContainers: [] +## Configuration for External Secrets +## Ref: https://external-secrets.io/ +# +externalSecrets: + clusterSecretStore: + enabled: false + config: + - name: openshift-connection + labels: {} + annotations: {} + spec: + # Ref: https://external-secrets.io/main/api/clustersecretstore/ + controller: dev + provider: + vault: + server: "https://vault.acme.org" + path: "secret" + version: "v2" + namespace: "a-team" + caBundle: "..." + caProvider: + type: "Secret" + namespace: "my-cert-secret-namespace" + name: "my-cert-secret" + key: "cert-key" + auth: + tokenSecretRef: + name: "my-secret" + namespace: "secret-admin" + key: "vault-token" + + clusterExternalSecret: + enabled: false + config: + - name: openshift-connection + labels: {} + annotations: {} + spec: + # Ref: https://external-secrets.io/main/api/clusterexternalsecret/ + externalSecretName: "hello-world-es" + namespaceSelector: + matchLabels: + cool: label + refreshTime: "1m" + externalSecretSpec: + secretStoreRef: + name: secret-store-name + kind: SecretStore + refreshInterval: "1h" + target: + name: my-secret + creationPolicy: 'Merge' + template: + type: kubernetes.io/dockerconfigjson + metadata: + annotations: {} + labels: {} + data: + config.yml: | + endpoints: + - https://{{ .data.user }}:{{ .data.password }}@api.exmaple.com + templateFrom: + - configMap: + name: alertmanager + items: + - key: alertmanager.yaml + data: + - secretKey: secret-key-to-be-managed + remoteRef: + key: provider-key + version: provider-key-version + property: provider-key-property + dataFrom: + - key: provider-key + version: provider-key-version + property: provider-key-property + + secretStore: + enabled: false + config: + - name: openshift-connection + labels: {} + annotations: {} + spec: + # Ref: https://external-secrets.io/main/api/secretstore/ + retrySettings: + maxRetries: 5 + retryInterval: "10s" + provider: + vault: + server: "https://vault.acme.org" + path: "secret" + 
version: "v2" + namespace: "a-team" + caBundle: "..." + caProvider: + type: "Secret" + name: "my-cert-secret" + key: "cert-key" + + externalSecret: + enabled: false + config: + - name: openshift-connection + labels: {} + annotations: {} + spec: + # Ref: https://external-secrets.io/main/api/externalsecret/ + secretStoreRef: + name: aws-store + kind: SecretStore + refreshInterval: "1h" + target: + name: application-config + creationPolicy: 'Merge' + deletionPolicy: "Retain" + template: + type: kubernetes.io/dockerconfigjson + metadata: + annotations: {} + labels: {} + data: + config.yml: | + database: + connection: postgres://{{ .username }}:{{ .password }}@{{ .database_host }}:5432/payments + templateFrom: + - configMap: + name: application-config-tmpl + items: + - key: config.yml + data: + - secretKey: username + remoteRef: + key: database-credentials + version: v1 + property: username + decodingStrategy: None + sourceRef: + storeRef: + name: aws-secretstore + kind: ClusterSecretStore + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: db-password + dataFrom: + - extract: + key: database-credentials + version: v1 + property: data + conversionStrategy: Default + decodingStrategy: Auto + rewrite: + - regexp: + source: "exp-(.*?)-ression" + target: "rewriting-${1}-with-groups" + - find: + path: "path-to-filter" + source: "exp-(.*?)-ression" + target: "rewriting-${1}-with-groups" + name: + regexp: ".*foobar.*" + tags: + foo: bar + conversionStrategy: Unicode + decodingStrategy: Base64 + rewrite: + - regexp: + source: "foo" + target: "bar" + + pushSecret: + enabled: false + config: + - name: openshift-connection + labels: {} + annotations: {} + spec: + # Ref: https://external-secrets.io/main/api/pushsecret/ + deletionPolicy: Delete + refreshInterval: 10s + secretStoreRefs: + - name: aws-parameterstore + kind: SecretStore + selector: + secret: + name: pokedex-credentials + data: + - match: + secretKey: best-pokemon + remoteRef: 
+ remoteKey: my-first-parameter + oauth2Proxy: ## Deploys oauth2-proxy, a reverse proxy that provides authentication with Google, Github or other providers enabled: false
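Review bot: Every `externalSecrets.*.config` list ships a populated sample entry under `enabled: false` (vault `server: "https://vault.acme.org"`, `caBundle: "..."`, a `tokenSecretRef` in namespace `secret-admin`, `controller: dev`), so a user who only flips `enabled: true` renders cluster-scoped ClusterSecretStore and ClusterExternalSecret objects with placeholder endpoints and a bogus CA bundle instead of getting a validation error. Shipping `config: []` and moving the samples into comments or the README forces an explicit configuration and keeps the default render empty. Minor: `api.exmaple.com` looks like a typo for `api.example.com`, and `creationPolicy: 'Merge'` next to `deletionPolicy: "Retain"` mixes quoting styles within the same stanza.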