(fleet/external-secret-conf) add onepassword-oods ClusterSecretStore

To these clusters: - chonchon - elqui - konkong - manke - pillan - ruka - yagan
lsst-it · Oct 7, 2024 · 31882de · 31882de
1 parent 7f9f852
commit 31882de
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 7 deletions.
diff --git a/fleet/lib/external-secrets-conf/fleet.yaml b/fleet/lib/external-secrets-conf/fleet.yaml
@@ -10,10 +10,12 @@ helm:
   waitForJobs: true
   values:
     site: ${ .ClusterLabels.site }
-    vaults:
-      ${ .ClusterName }.${ .ClusterLabels.site }: 1
-      k8s-${ .ClusterLabels.site }: 2
-      k8s-common: 3
+    clusterSecretStores:
+      onepassword:
+        vaults:
+          ${ .ClusterName }.${ .ClusterLabels.site }: 1
+          k8s-${ .ClusterLabels.site }: 2
+          k8s-common: 3
 dependsOn:
   - selector:
       matchLabels:
@@ -34,3 +36,22 @@ targetCustomizations:
           ${ .ClusterName }.${ .ClusterLabels.site }: ~
           # it probaly would have been easier to name the vaults local.<site>...
           rancher.${ .ClusterLabels.site }: 1
+  - name: oods-cluster
+    clusterSelector:
+      matchExpressions:
+        - key: management.cattle.io/cluster-display-name
+          operator: In
+          values:
+            - chonchon
+            - elqui
+            - konkong
+            - manke
+            - pillan
+            - ruka
+            - yagan
+    helm:
+      values:
+        clusterSecretStores:
+          onepassword-oods:
+            vaults:
+              oods-${ .ClusterLabels.site }: 1
diff --git a/fleet/lib/external-secrets-conf/templates/clustersecretstore-onepassword.yaml b/fleet/lib/external-secrets-conf/templates/clustersecretstore-onepassword.yaml
@@ -1,19 +1,21 @@
 # yamllint disable-file
+{{- range $name, $v := .Values.clusterSecretStores }}
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
-  name: onepassword
+  name: {{ $name }}
   namespace: external-secrets
 spec:
   provider:
     onepassword:
-      connectHost: https://connect.{{ .Values.site }}.lsst.org
+      connectHost: https://connect.{{ $.Values.site }}.lsst.org
       vaults:
-{{ toYaml .Values.vaults | indent 8 }}
+{{ toYaml $v.vaults | indent 8 }}
       auth:
         secretRef:
           connectTokenSecretRef:
             name: onepassword-connect-token
             key: token
             namespace: external-secrets
+{{- end }}