feat: migrate secrets to kubernetes-reflector

2025-10-01 16:05:55 +02:00 · 2021-05-19 09:35:16 +02:00
parent 1171df0cde
commit 0263bb4c22
8 changed files with 43 additions and 137 deletions
--- a/cluster/apps/networking/kustomization.yaml
+++ b/cluster/apps/networking/kustomization.yaml
@@ -5,5 +5,4 @@ resources:
  - certificate
  - ingress-nginx
  - k8s-gateway
-  - secret-reflector
  - unifi
--- a/cluster/apps/networking/secret-reflector/cronjob.yaml
+++ b/cluster/apps/networking/secret-reflector/cronjob.yaml
@@ -1,48 +0,0 @@
---
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: secret-reflector
-  namespace: networking
-spec:
-  schedule: "0 0 */2 * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          serviceAccountName: sa-secret-reflector
-          containers:
-            - name: secret-reflector
-              image: bitnami/kubectl:1.21.1
-              command:
-                - "/bin/sh"
-                - "-ec"
-                - |
-                  set -o nounset
-                  set -o errexit
-                  # space delimited secrets to copy
-                  SECRETS=$(kubectl get secrets -n networking | grep -i tls | awk '{print $1}')
-                  # source namespace to reflect secret from
-                  NAMESPACE_SOURCE="networking"
-                  # space delimited namespace where to reflect the secrets to
-                  NAMESPACE_DEST="kasten-io"
-                  for secret in ${SECRETS}; do
-                      secret_source_content="$(kubectl get secret "${secret}" -n "${NAMESPACE_SOURCE}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')"
-                      secret_source_checksum="$(echo "${secret_source_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')"
-                      for namespace in ${NAMESPACE_DEST}; do
-                          if kubectl get secret "${secret}" -n "${namespace}" >/dev/null 2>&1; then
-                              secret_dest_content="$(kubectl get secret "${secret}" -n "${namespace}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')"
-                              secret_dest_checksum="$(echo "${secret_dest_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')"
-                              if [ "${secret_source_checksum}" != "${secret_dest_checksum}" ]; then
-                                  echo "${secret_source_content}" | \
-                                      jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \
-                                      kubectl replace -n "${namespace}" -f -
-                              fi
-                          else
-                              echo "${secret_source_content}" | \
-                                  jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \
-                                  kubectl apply -n "${namespace}" -f -
-                          fi
-                      done
-                  done
-          restartPolicy: OnFailure
--- a/cluster/apps/networking/secret-reflector/kustomization.yaml
+++ b/cluster/apps/networking/secret-reflector/kustomization.yaml
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - cronjob.yaml
-  - rbac.yaml
--- a/cluster/apps/networking/secret-reflector/rbac.yaml
+++ b/cluster/apps/networking/secret-reflector/rbac.yaml
@@ -1,40 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: sa-secret-reflector
-  namespace: networking
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: secret-reflector
-rules:
-  - apiGroups: [""]
-    resources: ["configmaps", "secrets"]
-    verbs: ["*"]
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["watch", "list"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["watch", "list"]
-  - apiGroups: ["certmanager.k8s.io"]
-    resources: ["certificates", "certificates/finalizers"]
-    verbs: ["watch", "list"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "certificates/finalizers"]
-    verbs: ["watch", "list"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: secret-reflector
-roleRef:
-  kind: ClusterRole
-  name: secret-reflector
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: sa-secret-reflector
-    namespace: networking
--- a/cluster/base-custom/secrets/ingress-tls.yaml
+++ b/cluster/base-custom/secrets/ingress-tls.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    replicator.v1.mittwald.de/replication-allowed: "true"
+    replicator.v1.mittwald.de/replication-allowed-namespaces: networking
+  name: k3s-xpander-ovh-tls
+  namespace: networking
+data: {}
--- a/cluster/base-custom/secrets/kustomization.yaml
+++ b/cluster/base-custom/secrets/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
  - cluster-secrets.yaml
  - drone-pipelines.yaml
+  - ingress-tls.yaml
  - regcred.yaml
  - replicated.yaml
--- a/cluster/base-custom/secrets/regcred.yaml
+++ b/cluster/base-custom/secrets/regcred.yaml
@@ -1,57 +1,22 @@
 kind: Secret
 apiVersion: v1
-metadata:
-    name: regcred
-    namespace: media
-data:
-    .dockerconfigjson: ENC[AES256_GCM,data:Ea4JKvWLypyXjRkT1Fro7OM6WVdmfZ7J9Iy7Rrh4nJ63H49rAkeyaPoxSPJ1XlO//PJ7daOeYC1QqAmfqDW58VmYgWjaEaz6NNfXNNNuI+ibE4Z+5a7GdzOpXuAj66cHJ5w7GzOO05iH0QEZ4DuKDEyhO5OxtkdNYtE35QMT5NtrXVTqDSdHYEO9YRGhZH3jScSfIz7u+c68Ns0Z5vTP4QQbF2JvqOoC5wSG6VHEs5g5vzYdY4LdBNeDOQXzPStMtEu7QraCfAQcBvoxgtvugM2CWv/XfdSb0kylQwvvRAw=,iv:Tu+8/76zYmaR6ItGwHjR3CjSCbrHnS9RYp2XbenXJng=,tag:QxTnuEGejoP6jqmbhS5uoA==,type:str]
-type: kubernetes.io/dockerconfigjson
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2021-05-01T21:34:06Z"
-    mac: ENC[AES256_GCM,data:Igh15GsGGSvBc4AkErY0210N2yWS8CiMLad4Q9dkt+qxNIksDxpNBhBIq59fNsqh3qrXMkeOC3xORVTVB7/7yhIHjMHtsFu8d7mdMIcT948EtloH0uivo/6jThs32BE1J6WS5ifBfIh8UCTaCPZr1zCnweOzut+xfDNlDjMW5ZQ=,iv:Q/cCruxcO2d6/RILvlNCgyy7YlbKz2wfKKOqwDucRow=,tag:xoL7ztc3bQv0kxDl38fz3g==,type:str]
-    pgp:
-        - created_at: "2021-04-15T00:19:38Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQGMA/JorPHm1g9XAQv/YR1Bb5mYrJy9ZiyBJvWtQuGIWv0bB5DqhawfDwLKnbMa
-            vk3G7FNzjePv9r2iiuQVmFFgk/afmegUou/ah4HbrjaMGEYSyuA5FbsfIZsyWIOG
-            Ho1QcrwT39vWleiP5rTowmseoyAlf97GZQHeElWTIg9l00iHxr8Gi/hwdwFws1xq
-            EkC1sYhxg5DZFERmWHSwfdHjGOPtSfgR9rp/Zhm3lp7h2G7ShGAj4uJHdT+gzScL
-            5dpHPccKptgno5b83bIj+thUlVOw6LmJYe/HnxP6lB3il2SWNDQQlYHYm+E7WNCI
-            Ubn8aTAvbIV5UZSsBGPAzLJp2Z66BSCNuLg3INt4HWeN6Eqnkzfm1XG5nuyTl6uT
-            gzbiDjTlHjqOGBoP41+1D53BkDUg7KA2woqGPhxFtSFvWLHS2640GiaGN49UAs7X
-            XaJjlR4HRR+LVUPfkxUJ1v+JnxbbUyA+3LI6x6RHsJHc+mI7lPlj+NmommAHH95K
-            qzuThqdj7WNKszPreVRT0lwBVroqOIGHbaj+o9lbR0hZm+pcFWU5CcHVAULRFiIV
-            Che9Dz2rCoOhQGd368/QtXzefPdbhDp1NK0yzunTAFlQZZkCVf0NFeoiR0YVBQMU
-            Q3qaTGYnh8Udp7OoOw==
-            =T0LX
-            -----END PGP MESSAGE-----
-          fp: C8F8A49D04A1AB639F8EA21CDBA4B1DCB1FA5BDD
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.1
---
-kind: Secret
-apiVersion: v1
 metadata:
    name: regcred
    namespace: data
+    annotations:
+        replicator.v1.mittwald.de/replication-allowed: "true"
+        replicator.v1.mittwald.de/replication-allowed-namespaces: media
+type: kubernetes.io/dockerconfigjson
 data:
    .dockerconfigjson: ENC[AES256_GCM,data:Ea4JKvWLypyXjRkT1Fro7OM6WVdmfZ7J9Iy7Rrh4nJ63H49rAkeyaPoxSPJ1XlO//PJ7daOeYC1QqAmfqDW58VmYgWjaEaz6NNfXNNNuI+ibE4Z+5a7GdzOpXuAj66cHJ5w7GzOO05iH0QEZ4DuKDEyhO5OxtkdNYtE35QMT5NtrXVTqDSdHYEO9YRGhZH3jScSfIz7u+c68Ns0Z5vTP4QQbF2JvqOoC5wSG6VHEs5g5vzYdY4LdBNeDOQXzPStMtEu7QraCfAQcBvoxgtvugM2CWv/XfdSb0kylQwvvRAw=,iv:Tu+8/76zYmaR6ItGwHjR3CjSCbrHnS9RYp2XbenXJng=,tag:QxTnuEGejoP6jqmbhS5uoA==,type:str]
-type: kubernetes.io/dockerconfigjson
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2021-05-01T21:34:06Z"
-    mac: ENC[AES256_GCM,data:Igh15GsGGSvBc4AkErY0210N2yWS8CiMLad4Q9dkt+qxNIksDxpNBhBIq59fNsqh3qrXMkeOC3xORVTVB7/7yhIHjMHtsFu8d7mdMIcT948EtloH0uivo/6jThs32BE1J6WS5ifBfIh8UCTaCPZr1zCnweOzut+xfDNlDjMW5ZQ=,iv:Q/cCruxcO2d6/RILvlNCgyy7YlbKz2wfKKOqwDucRow=,tag:xoL7ztc3bQv0kxDl38fz3g==,type:str]
+    lastmodified: "2021-05-19T08:57:10Z"
+    mac: ENC[AES256_GCM,data:8ln8kqt2n5OgsyUJmNh3zFZ7oWay2MjvKueETMLiVeVLfin6tKiAGRtbpy1rahXlmB/FXiUKO5+KBIqqdlo1a7nBWzNqqfHE5edUItba0tk2CP9m/rxyANEU0xB44TaLSct5suP1EgXE9emnasH1A83B9jfpiM7QdUUVPJBCADI=,iv:sDLAJISkscISAO7973BCK+po5DjXekDO9hH0f7CHraU=,tag:bw+1ASqFIY7/8M32qMj3Eg==,type:str]
    pgp:
        - created_at: "2021-04-15T00:19:38Z"
          enc: |
--- a/cluster/base-custom/secrets/replicated.yaml
+++ b/cluster/base-custom/secrets/replicated.yaml
@@ -2,8 +2,32 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  annotations:
-    replicator.v1.mittwald.de/replicate-from: flux-system/cluster-secrets
  name: cluster-secrets
  namespace: development
+  annotations:
+    replicator.v1.mittwald.de/replicate-from: flux-system/cluster-secrets
 data: {}
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: k3s-xpander-ovh-tls
+  namespace: kasten-io
+  annotations:
+    replicator.v1.mittwald.de/replicate-from: networking/k3s-xpander-ovh-tls
+data:
+  tls.crt: ""
+  tls.key: ""
+type: kubernetes.io/tls
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: regcred
+  namespace: media
+  annotations:
+    replicator.v1.mittwald.de/replicate-from: data/regcred
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30K