From 31882ded27c93f5687ec8dfbac231c9d67325cfa Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Mon, 7 Oct 2024 09:46:23 -0700
Subject: [PATCH] (fleet/external-secret-conf) add onepassword-oods ClusterSecretStore To these clusters: - chonchon - elqui - konkong - manke - pillan - ruka - yagan
---
 fleet/lib/external-secrets-conf/fleet.yaml | 29 ++++++++++++++++---
 .../clustersecretstore-onepassword.yaml | 8 +++--
 2 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/fleet/lib/external-secrets-conf/fleet.yaml b/fleet/lib/external-secrets-conf/fleet.yaml
index f6a6545b1..f68bbe3f6 100644
--- a/fleet/lib/external-secrets-conf/fleet.yaml
+++ b/fleet/lib/external-secrets-conf/fleet.yaml
@@ -10,10 +10,12 @@ helm:
 waitForJobs: true
 values:
 site: ${ .ClusterLabels.site }
- vaults:
- ${ .ClusterName }.${ .ClusterLabels.site }: 1
- k8s-${ .ClusterLabels.site }: 2
- k8s-common: 3
+ clusterSecretStores:
+ onepassword:
+ vaults:
+ ${ .ClusterName }.${ .ClusterLabels.site }: 1
+ k8s-${ .ClusterLabels.site }: 2
+ k8s-common: 3
 dependsOn:
 - selector:
 matchLabels:
@@ -34,3 +36,22 @@ targetCustomizations:
 ${ .ClusterName }.${ .ClusterLabels.site }: ~
 # it probaly would have been easier to name the vaults local....
 rancher.${ .ClusterLabels.site }: 1
+ - name: oods-cluster
+ clusterSelector:
+ matchExpressions:
+ - key: management.cattle.io/cluster-display-name
+ operator: In
+ values:
+ - chonchon
+ - elqui
+ - konkong
+ - manke
+ - pillan
+ - ruka
+ - yagan
+ helm:
+ values:
+ clusterSecretStores:
+ onepassword-oods:
+ vaults:
+ oods-${ .ClusterLabels.site }: 1
diff --git a/fleet/lib/external-secrets-conf/templates/clustersecretstore-onepassword.yaml b/fleet/lib/external-secrets-conf/templates/clustersecretstore-onepassword.yaml
index 7dcca9b83..09b0c0db1 100644
--- a/fleet/lib/external-secrets-conf/templates/clustersecretstore-onepassword.yaml
+++ b/fleet/lib/external-secrets-conf/templates/clustersecretstore-onepassword.yaml
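Review bot: The existing targetCustomization whose override lines form the context of the second hunk (`${ .ClusterName }.${ .ClusterLabels.site }: ~` and `rancher.${ .ClusterLabels.site }: 1`) appears to still sit under the old top-level `vaults:` path, which the template no longer reads once the first hunk moves the bundle values to `clusterSecretStores.onepassword.vaults`. The parent keys of that customization lie between the two hunks and the diffstat shows no other change to fleet.yaml, so unless they were already nested under `clusterSecretStores`, that cluster keeps the default vault it was meant to drop and never gains the `rancher.<site>` vault, with no error to signal it. The fix is to re-nest that override as `clusterSecretStores:` / `onepassword:` / `vaults:` above the two context lines, mirroring the new `oods-cluster` entry added in the second hunk. The enclosing `targetCustomizations` list starts outside the hunk.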
@@ -1,19 +1,21 @@
 # yamllint disable-file
+{{- range $name, $v := .Values.clusterSecretStores }}
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
- name: onepassword
+ name: {{ $name }}
 namespace: external-secrets
 spec:
 provider:
 onepassword:
- connectHost: https://connect.{{ .Values.site }}.lsst.org
+ connectHost: https://connect.{{ $.Values.site }}.lsst.org
 vaults:
-{{ toYaml .Values.vaults | indent 8 }}
+{{ toYaml $v.vaults | indent 8 }}
 auth:
 secretRef:
 connectTokenSecretRef:
 name: onepassword-connect-token
 key: token
 namespace: external-secrets
+{{- end }}
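Review bot: Every store produced by the new `range` authenticates with the same `onepassword-connect-token` secret and renders no `spec.conditions`, so the split into `onepassword` and `onepassword-oods` separates vault lists but not which namespaces may consume them: a ClusterSecretStore without conditions is, by default, referenceable from any namespace on the cluster. If the oods vault is meant for particular workloads only, let each entry carry an optional namespace restriction, e.g. render `conditions:` followed by `{{ toYaml $v.conditions | indent 4 }}` under `spec` inside a `{{- with $v.conditions }}` / `{{- end }}` guard, and set it from the `oods-cluster` values in fleet.yaml. The change from `.Values.site` to `$.Values.site` is the correct scope escape inside the range. `{{ $name }}` is emitted unquoted, which is fine for the two fixed keys defined in fleet.yaml but would need `{{ $name | quote }}` if a store key ever looked like a number or boolean.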