diff --git a/argocd/apps/external-secrets-config-ringtail.yaml b/argocd/apps/external-secrets-config-ringtail.yaml
deleted file mode 100644
index d3f9e58..0000000
--- a/argocd/apps/external-secrets-config-ringtail.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# External Secrets Configuration for ringtail k3s cluster
-# Same ClusterSecretStore manifests as indri, different destination
-#
-# Prerequisites:
-# - 1password-connect-ringtail is deployed and healthy
-# - external-secrets-ringtail operator is deployed and CRDs are installed
-#
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: external-secrets-config-ringtail
- namespace: argocd
-spec:
- project: default
- source:
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
- targetRevision: main
- path: argocd/manifests/external-secrets
- destination:
- server: https://ringtail.tail8d86e.ts.net:6443
- namespace: external-secrets
- syncPolicy:
- syncOptions:
- - CreateNamespace=true
diff --git a/argocd/apps/external-secrets-config.yaml b/argocd/apps/external-secrets-config.yaml
deleted file mode 100644
index e741d22..0000000
--- a/argocd/apps/external-secrets-config.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# External Secrets Configuration - ClusterSecretStore for 1Password
-#
-# Deploys the ClusterSecretStore that connects ESO to 1Password Connect.
-# Must be synced AFTER external-secrets operator is running.
-#
-# Prerequisites:
-# - 1password-connect is deployed and healthy
-# - external-secrets operator is deployed and CRDs are installed
-#
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: external-secrets-config
- namespace: argocd
-spec:
- project: default
- source:
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
- targetRevision: main
- path: argocd/manifests/external-secrets
- destination:
- server: https://kubernetes.default.svc
- namespace: external-secrets
- syncPolicy:
- syncOptions:
- - CreateNamespace=true
diff --git a/argocd/apps/external-secrets-crds-ringtail.yaml b/argocd/apps/external-secrets-crds-ringtail.yaml
index 8fbc304..00d7fec 100644
--- a/argocd/apps/external-secrets-crds-ringtail.yaml
+++ b/argocd/apps/external-secrets-crds-ringtail.yaml
@@ -12,7 +12,7 @@ spec:
 project: default
 source:
 repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
- targetRevision: helm-chart-2.0.0
+ targetRevision: helm-chart-2.2.0
 path: config/crds/bases
 directory:
 exclude: 'kustomization.yaml'
diff --git a/argocd/apps/external-secrets-crds.yaml b/argocd/apps/external-secrets-crds.yaml
index 2b2178d..d822960 100644
--- a/argocd/apps/external-secrets-crds.yaml
+++ b/argocd/apps/external-secrets-crds.yaml
@@ -16,7 +16,7 @@ spec:
 project: default
 source:
 repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
- targetRevision: helm-chart-2.0.0
+ targetRevision: helm-chart-2.2.0
 path: config/crds/bases
 directory:
 exclude: 'kustomization.yaml'
diff --git a/argocd/apps/external-secrets-ringtail.yaml b/argocd/apps/external-secrets-ringtail.yaml
index c7cacec..e2f5898 100644
--- a/argocd/apps/external-secrets-ringtail.yaml
+++ b/argocd/apps/external-secrets-ringtail.yaml
@@ -1,5 +1,5 @@
 # External Secrets Operator for ringtail k3s cluster
-# Same chart/values as indri, different destination
+# Same manifests as indri, different destination
 #
 # Prerequisites:
 # - 1password-connect-ringtail must be deployed and healthy
@@ -12,17 +12,10 @@ metadata:
 namespace: argocd
 spec:
 project: default
- sources:
- - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
- targetRevision: helm-chart-2.0.0
- path: deploy/charts/external-secrets
- helm:
- releaseName: external-secrets
- valueFiles:
- - $values/argocd/manifests/external-secrets/values.yaml
- - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
- targetRevision: main
- ref: values
+ source:
+ repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+ targetRevision: main
+ path: argocd/manifests/external-secrets
 destination:
 server: https://ringtail.tail8d86e.ts.net:6443
 namespace: external-secrets
diff --git a/argocd/apps/external-secrets.yaml b/argocd/apps/external-secrets.yaml
index 369bef5..85ac21d 100644
--- a/argocd/apps/external-secrets.yaml
+++ b/argocd/apps/external-secrets.yaml
@@ -1,10 +1,12 @@
 # External Secrets Operator - Kubernetes secret sync from external providers
 # Syncs secrets from 1Password Connect to native Kubernetes Secrets
 #
-# Chart mirrored from https://github.com/external-secrets/external-secrets
+# Static manifests rendered from upstream Helm chart v2.2.0
+# Upstream: https://github.com/external-secrets/external-secrets
 #
 # Prerequisites:
 # - 1password-connect must be deployed and healthy
+# - external-secrets-crds must be synced first
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application
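Review bot: The new single `source` renders webhook.yaml, whose ValidatingWebhookConfiguration `caBundle` fields and the `external-secrets-webhook` Secret contents are written in-cluster by the cert-controller (rbac.yaml gives it update/patch on exactly those two webhook configurations and on secrets), but nothing in this `spec`, nor in the matching hunk of argocd/apps/external-secrets.yaml, tells Argo CD to ignore those fields, so both Applications will sit permanently OutOfSync and an automated sync with selfHeal could strip the injected CA and take the webhooks down. The same point applies to the external-secrets.yaml hunk that follows; I would add the block below to both Applications unless an equivalent already exists in the part of `spec` outside this hunk, and pair it with the `RespectIgnoreDifferences=true` sync option so selfHeal leaves the ignored paths alone. `syncPolicy` and the rest of the file are outside the hunk.
```yaml
spec:
  # … unchanged: project, source, destination, syncPolicy …
  ignoreDifferences:
    - group: admissionregistration.k8s.io
      kind: ValidatingWebhookConfiguration
      jqPathExpressions:
        - .webhooks[].clientConfig.caBundle
    - kind: Secret
      name: external-secrets-webhook
      namespace: external-secrets
      jsonPointers:
        - /data
```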
@@ -13,17 +15,10 @@ metadata:
 namespace: argocd
 spec:
 project: default
- sources:
- - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
- targetRevision: helm-chart-2.0.0
- path: deploy/charts/external-secrets
- helm:
- releaseName: external-secrets
- valueFiles:
- - $values/argocd/manifests/external-secrets/values.yaml
- - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
- targetRevision: main
- ref: values
+ source:
+ repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+ targetRevision: main
+ path: argocd/manifests/external-secrets
 destination:
 server: https://kubernetes.default.svc
 namespace: external-secrets
diff --git a/argocd/manifests/external-secrets/README.md b/argocd/manifests/external-secrets/README.md
index 71d9e90..abf1c14 100644
--- a/argocd/manifests/external-secrets/README.md
+++ b/argocd/manifests/external-secrets/README.md
@@ -35,7 +35,7 @@ kubectl --context=minikube-indri get externalsecret -A To sync a secret from 1Password, create an ExternalSecret in the target namespace: ```yaml -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: my-secret
diff --git a/argocd/manifests/external-secrets/deployment.yaml b/argocd/manifests/external-secrets/deployment.yaml
new file mode 100644
index 0000000..993d8df
--- /dev/null
+++ b/argocd/manifests/external-secrets/deployment.yaml
@@ -0,0 +1,218 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-secrets-cert-controller + namespace: external-secrets + labels: + app.kubernetes.io/name: external-secrets-cert-controller + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: external-secrets-cert-controller + app.kubernetes.io/instance: external-secrets + template: + metadata: + labels: + app.kubernetes.io/name: external-secrets-cert-controller + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize + spec: + serviceAccountName: external-secrets-cert-controller + automountServiceAccountToken: true + hostNetwork: false + containers: + - name: cert-controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + image: ghcr.io/external-secrets/external-secrets:kustomized + imagePullPolicy: IfNotPresent + args: + - certcontroller + - --crd-requeue-interval=5m + - --service-name=external-secrets-webhook + - --service-namespace=external-secrets + - --secret-name=external-secrets-webhook + - --secret-namespace=external-secrets + - --metrics-addr=:8080 + - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch + ports: + - containerPort: 8080 + protocol: TCP + name: metrics + - containerPort: 8081 + protocol: TCP + name: ready + readinessProbe: + httpGet: + port: ready + path: /readyz + initialDelaySeconds: 20 + periodSeconds: 5 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 25m + memory: 32Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-secrets + namespace: external-secrets + labels: + app.kubernetes.io/name: external-secrets + 
app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + template: + metadata: + labels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize + spec: + serviceAccountName: external-secrets + automountServiceAccountToken: true + hostNetwork: false + containers: + - name: external-secrets + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + image: ghcr.io/external-secrets/external-secrets:kustomized + imagePullPolicy: IfNotPresent + args: + - --concurrent=1 + - --metrics-addr=:8080 + - --loglevel=info + - --zap-time-encoding=epoch + ports: + - containerPort: 8080 + protocol: TCP + name: metrics + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 64Mi + dnsPolicy: ClusterFirst +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-secrets-webhook + namespace: external-secrets + labels: + app.kubernetes.io/name: external-secrets-webhook + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: external-secrets-webhook + app.kubernetes.io/instance: external-secrets + template: + metadata: + labels: + app.kubernetes.io/name: external-secrets-webhook + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize + spec: + hostNetwork: false + serviceAccountName: external-secrets-webhook + 
automountServiceAccountToken: true + containers: + - name: webhook + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + image: ghcr.io/external-secrets/external-secrets:kustomized + imagePullPolicy: IfNotPresent + args: + - webhook + - --port=10250 + - --dns-name=external-secrets-webhook.external-secrets.svc + - --cert-dir=/tmp/certs + - --check-interval=5m + - --metrics-addr=:8080 + - --healthz-addr=:8081 + - --loglevel=info + - --zap-time-encoding=epoch + ports: + - containerPort: 8080 + protocol: TCP + name: metrics + - containerPort: 10250 + protocol: TCP + name: webhook + - containerPort: 8081 + protocol: TCP + name: ready + readinessProbe: + httpGet: + port: ready + path: /readyz + initialDelaySeconds: 20 + periodSeconds: 5 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 25m + memory: 32Mi + volumeMounts: + - name: certs + mountPath: /tmp/certs + readOnly: true + volumes: + - name: certs + secret: + secretName: external-secrets-webhook diff --git a/argocd/manifests/external-secrets/kustomization.yaml b/argocd/manifests/external-secrets/kustomization.yaml index bf834d1..574aaa7 100644 --- a/argocd/manifests/external-secrets/kustomization.yaml +++ b/argocd/manifests/external-secrets/kustomization.yaml @@ -1,5 +1,15 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - serviceaccount.yaml + - rbac.yaml + - service.yaml + - webhook.yaml + - deployment.yaml - cluster-secret-store.yaml + +images: + - name: ghcr.io/external-secrets/external-secrets + newTag: v2.2.0 diff --git a/argocd/manifests/external-secrets/rbac.yaml b/argocd/manifests/external-secrets/rbac.yaml new file mode 100644 index 0000000..0e68cd2 --- /dev/null +++ b/argocd/manifests/external-secrets/rbac.yaml 
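Review bot: All three Deployments use `image: ghcr.io/external-secrets/external-secrets:kustomized`, a tag that does not exist upstream and only resolves because kustomization.yaml's `images:` transformer rewrites it to `v2.2.0`; nothing in deployment.yaml records that, so anyone applying the file directly, or a scanner reading it, sees an unpullable reference. I would put a comment above each `image:` line, e.g. `# placeholder tag; rewritten to the pinned version by images: in kustomization.yaml`. Separately, the `external-secrets` controller container exposes only the metrics port and has no readiness or liveness probe, while the cert-controller and webhook both probe `/readyz`; if the controller binary serves a health endpoint in v2.2.0, giving it the same probe would let rollouts and Argo health checks distinguish a wedged controller from a merely running pod.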
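Review bot: `resources:` now renders cluster-secret-store.yaml in the same sync as webhook.yaml, and the `secretstore-validate` configuration there intercepts CREATE of clustersecretstores with the v1 default failure policy of Fail, so on a fresh cluster the ClusterSecretStore is submitted before the webhook pod is serving, the API server rejects it, and the sync fails until retried; the two deleted external-secrets-config Applications previously enforced this ordering by being separate apps. Annotating the ClusterSecretStore with `argocd.argoproj.io/sync-wave: "1"` (leaving the operator, RBAC and webhook resources at the default wave) restores the ordering inside one Application, since Argo waits for each wave to be healthy before applying the next. The CRDs it also depends on come from the separate external-secrets-crds Application, whose ordering relative to this one is likewise only documented, not enforced. On `images:`, `newTag: v2.2.0` alone leaves the rollout subject to a re-pushed tag; adding `digest: sha256:<DIGEST_OF_V2.2.0_PLACEHOLDER>` next to it makes the reference immutable, which matters because deployment.yaml uses `imagePullPolicy: IfNotPresent` and will otherwise trust whatever the node has cached under that tag.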
@@ -0,0 +1,445 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-secrets-cert-controller + labels: + app.kubernetes.io/name: external-secrets-cert-controller + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +rules: + - apiGroups: + - "apiextensions.k8s.io" + resources: + - "customresourcedefinitions" + verbs: + - "get" + - "list" + - "watch" + - "update" + - "patch" + - apiGroups: + - "admissionregistration.k8s.io" + resources: + - "validatingwebhookconfigurations" + verbs: + - "list" + - "watch" + - "get" + - apiGroups: + - "admissionregistration.k8s.io" + resources: + - "validatingwebhookconfigurations" + resourceNames: + - "secretstore-validate" + - "externalsecret-validate" + verbs: + - "update" + - "patch" + - apiGroups: + - "" + resources: + - "endpoints" + verbs: + - "list" + - "get" + - "watch" + - apiGroups: + - "discovery.k8s.io" + resources: + - "endpointslices" + verbs: + - "list" + - "get" + - "watch" + - apiGroups: + - "" + resources: + - "events" + verbs: + - "create" + - "patch" + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" + - "list" + - "watch" + - "update" + - "patch" + - apiGroups: + - "coordination.k8s.io" + resources: + - "leases" + verbs: + - "get" + - "create" + - "update" + - "patch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-secrets-controller + labels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "secretstores" + - "clustersecretstores" + - "externalsecrets" + - "clusterexternalsecrets" + - "pushsecrets" + - "clusterpushsecrets" + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + - 
"externalsecrets/status" + - "externalsecrets/finalizers" + - "secretstores" + - "secretstores/status" + - "secretstores/finalizers" + - "clustersecretstores" + - "clustersecretstores/status" + - "clustersecretstores/finalizers" + - "clusterexternalsecrets" + - "clusterexternalsecrets/status" + - "clusterexternalsecrets/finalizers" + - "pushsecrets" + - "pushsecrets/status" + - "pushsecrets/finalizers" + - "clusterpushsecrets" + - "clusterpushsecrets/status" + - "clusterpushsecrets/finalizers" + verbs: + - "get" + - "update" + - "patch" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "generatorstates" + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "patch" + - "delete" + - "deletecollection" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "cloudsmithaccesstokens" + - "clustergenerators" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "githubaccesstokens" + - "quayaccesstokens" + - "passwords" + - "sshkeys" + - "stssessiontokens" + - "uuids" + - "vaultdynamicsecrets" + - "webhooks" + - "grafanas" + - "mfas" + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "" + resources: + - "serviceaccounts" + - "namespaces" + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "" + resources: + - "namespaces" + verbs: + - "update" + - "patch" + - apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "" + resources: + - "secrets" + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" + - "patch" + - apiGroups: + - "" + resources: + - "serviceaccounts/token" + verbs: + - "create" + - apiGroups: + - "" + resources: + - "events" + verbs: + - "create" + - "patch" + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + verbs: + - "create" + - "update" + - "delete" + - apiGroups: + - "external-secrets.io" + resources: + - "pushsecrets" + verbs: + - "create" + - 
"update" + - "delete" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-secrets-view + labels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + - "secretstores" + - "clustersecretstores" + - "pushsecrets" + - "clusterpushsecrets" + verbs: + - "get" + - "watch" + - "list" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "cloudsmithaccesstokens" + - "clustergenerators" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "githubaccesstokens" + - "quayaccesstokens" + - "passwords" + - "sshkeys" + - "vaultdynamicsecrets" + - "webhooks" + - "grafanas" + - "generatorstates" + - "mfas" + - "uuids" + verbs: + - "get" + - "watch" + - "list" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-secrets-edit + labels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + - "secretstores" + - "clustersecretstores" + - "pushsecrets" + - "clusterpushsecrets" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" + - apiGroups: + - "generators.external-secrets.io" + resources: + - "acraccesstokens" + - "cloudsmithaccesstokens" + - "clustergenerators" + - "ecrauthorizationtokens" + - "fakes" + - "gcraccesstokens" + - "githubaccesstokens" + - 
"quayaccesstokens" + - "passwords" + - "sshkeys" + - "vaultdynamicsecrets" + - "webhooks" + - "grafanas" + - "generatorstates" + - "mfas" + - "uuids" + verbs: + - "create" + - "delete" + - "deletecollection" + - "patch" + - "update" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-secrets-servicebindings + labels: + servicebinding.io/controller: "true" + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +rules: + - apiGroups: + - "external-secrets.io" + resources: + - "externalsecrets" + - "pushsecrets" + verbs: + - "get" + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-secrets-cert-controller + labels: + app.kubernetes.io/name: external-secrets-cert-controller + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-secrets-cert-controller +subjects: + - name: external-secrets-cert-controller + namespace: external-secrets + kind: ServiceAccount +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-secrets-controller + labels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: kustomize +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-secrets-controller +subjects: + - name: external-secrets + namespace: external-secrets + kind: ServiceAccount +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: external-secrets-leaderelection + namespace: external-secrets + labels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + 
app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ resourceNames:
+ - "external-secrets-controller"
+ verbs:
+ - "get"
+ - "update"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ verbs:
+ - "create"
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - "leases"
+ verbs:
+ - "get"
+ - "create"
+ - "update"
+ - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: external-secrets-leaderelection
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: external-secrets-leaderelection
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets
diff --git a/argocd/manifests/external-secrets/service.yaml b/argocd/manifests/external-secrets/service.yaml
new file mode 100644
index 0000000..3b019d7
--- /dev/null
+++ b/argocd/manifests/external-secrets/service.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: external-secrets-webhook
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+ external-secrets.io/component: webhook
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: webhook
+ protocol: TCP
+ name: webhook
+ selector:
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/instance: external-secrets
diff --git a/argocd/manifests/external-secrets/serviceaccount.yaml b/argocd/manifests/external-secrets/serviceaccount.yaml
new file mode 100644
index 0000000..6bd412d
--- /dev/null
+++ b/argocd/manifests/external-secrets/serviceaccount.yaml
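Review bot: The `external-secrets-view` and `external-secrets-edit` ClusterRoles carry `rbac.authorization.k8s.io/aggregate-to-edit` and `aggregate-to-admin` labels, so every subject bound to the built-in `edit` or `admin` role in any namespace can create ExternalSecrets that reference the cluster-wide store, and SecretStores with provider credentials of their choosing; unless cluster-secret-store.yaml (not in this diff) limits the ClusterSecretStore with `spec.conditions`, a namespace-level editor can presumably pull any 1Password item reachable by the Connect token. These labels are upstream defaults, but in a single-tenant deployment they deserve either a comment recording that this trust boundary is intentional or removal of the aggregate labels from the `edit` role. The `external-secrets-controller` ClusterRole also grants cluster-wide create/update/delete on `secrets` and `create` on `serviceaccounts/token`; the first is the operator's core function and the second is presumably for providers that authenticate with projected ServiceAccount tokens, so a one-line comment above each of those rules saying why it is kept would spare the next reviewer who notices a controller able to mint a token for any ServiceAccount. This hunk starts in an earlier part of the diff; the cert-controller and controller rules at its head are covered by the same remark.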
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-secrets-cert-controller
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/name: external-secrets-cert-controller
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-secrets
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-secrets-webhook
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
diff --git a/argocd/manifests/external-secrets/values.yaml b/argocd/manifests/external-secrets/values.yaml
deleted file mode 100644
index c5bffbc..0000000
--- a/argocd/manifests/external-secrets/values.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# External Secrets Operator Helm values for blumeops
-# Chart: https://github.com/external-secrets/external-secrets
-
-installCRDs: true
-
-# Resource limits for minikube
-resources:
- requests:
- memory: "64Mi"
- cpu: "50m"
- limits:
- memory: "256Mi"
- cpu: "200m"
-
-webhook:
- resources:
- requests:
- memory: "32Mi"
- cpu: "25m"
- limits:
- memory: "128Mi"
- cpu: "100m"
-
-certController:
- resources:
- requests:
- memory: "32Mi"
- cpu: "25m"
- limits:
- memory: "128Mi"
- cpu: "100m"
diff --git a/argocd/manifests/external-secrets/webhook.yaml b/argocd/manifests/external-secrets/webhook.yaml
new file mode 100644
index 0000000..d53fa60
--- /dev/null
+++ b/argocd/manifests/external-secrets/webhook.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: external-secrets-webhook
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+ external-secrets.io/component: webhook
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: secretstore-validate
+ labels:
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+ external-secrets.io/component: webhook
+webhooks:
+ - name: "validate.secretstore.external-secrets.io"
+ rules:
+ - apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["secretstores"]
+ scope: "Namespaced"
+ clientConfig:
+ service:
+ namespace: external-secrets
+ name: external-secrets-webhook
+ path: /validate-external-secrets-io-v1-secretstore
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ failurePolicy: Fail
+ - name: "validate.clustersecretstore.external-secrets.io"
+ rules:
+ - apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["clustersecretstores"]
+ scope: "Cluster"
+ clientConfig:
+ service:
+ namespace: external-secrets
+ name: external-secrets-webhook
+ path: /validate-external-secrets-io-v1-clustersecretstore
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: externalsecret-validate
+ labels:
+ app.kubernetes.io/name: external-secrets-webhook
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/version: "v2.2.0"
+ app.kubernetes.io/managed-by: kustomize
+ 
external-secrets.io/component: webhook
+webhooks:
+ - name: "validate.externalsecret.external-secrets.io"
+ rules:
+ - apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["externalsecrets"]
+ scope: "Namespaced"
+ clientConfig:
+ service:
+ namespace: external-secrets
+ name: external-secrets-webhook
+ path: /validate-external-secrets-io-v1-externalsecret
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ failurePolicy: Fail
diff --git a/docs/changelog.d/upgrade-external-secrets-v2.infra.md b/docs/changelog.d/upgrade-external-secrets-v2.infra.md
new file mode 100644
index 0000000..606a937
--- /dev/null
+++ b/docs/changelog.d/upgrade-external-secrets-v2.infra.md
@@ -0,0 +1 @@
+Upgrade External Secrets Operator from v1.3.2 to v2.2.0 and migrate from Helm chart to static kustomize manifests.
diff --git a/service-versions.yaml b/service-versions.yaml
index 26c1d08..bb42903 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -126,10 +126,10 @@ services: - name: external-secrets type: argocd - last-reviewed: 2026-02-17 - current-version: "helm-chart-2.0.0" + last-reviewed: 2026-03-25 + current-version: "v2.2.0" upstream-source: https://github.com/external-secrets/external-secrets/releases - notes: Deployed via Helm chart (operator v1.3.2) + notes: Static kustomize manifests rendered from upstream Helm chart - name: 1password-connect type: argocd
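Review bot: The `validate.clustersecretstore.external-secrets.io` entry of `secretstore-validate`, in the earlier part of this hunk, is the only one of the three webhooks without an explicit `failurePolicy: Fail`; the v1 API defaults to Fail so behaviour is the same, but the asymmetry reads like an omission and should be spelled out with `failurePolicy: Fail` after its `timeoutSeconds: 5`. The `external-secrets-webhook` Secret at the head of the file is declared with no data and relies on the cert-controller to populate it (`--secret-name=external-secrets-webhook` in deployment.yaml); a manifest-managed empty Secret is easy to mishandle, because a sync that replaces it as written (for example with `Replace=true`, or if someone later adds a `data:` block) wipes the serving certificate, and since all three configurations fail closed every SecretStore and ExternalSecret write is then blocked until the controller regenerates it. I would add a comment above that Secret, e.g. `# Intentionally empty: the cert-controller writes the TLS material in-cluster; never add data here and keep /data out of Argo's diff`.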