From 3b553efe11f718b37955adfb219c9fb805ef5ba6 Mon Sep 17 00:00:00 2001 From: Tyler Perkins Date: Sun, 1 Oct 2023 18:12:53 -0400 Subject: [PATCH] Add sealed secrets --- .../config-map-overrides.yaml | 456 ++++++++++++++++++ .../helmrelease-sealed-secrets.yaml | 22 + .../sealed-secrets-kustomization.yaml | 2 +- 3 files changed, 479 insertions(+), 1 deletion(-) create mode 100644 sealed-secrets-system/config-map-overrides.yaml create mode 100644 sealed-secrets-system/helmrelease-sealed-secrets.yaml diff --git a/sealed-secrets-system/config-map-overrides.yaml b/sealed-secrets-system/config-map-overrides.yaml new file mode 100644 index 0000000..2552256 --- /dev/null +++ b/sealed-secrets-system/config-map-overrides.yaml @@ -0,0 +1,456 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: sealed-secrets-helm-chart-value-overrides + namespace: sealed-secrets +data: + values.yaml: |- + ## @section Common parameters + + ## @param kubeVersion Override Kubernetes version + ## + kubeVersion: "" + ## @param nameOverride String to partially override sealed-secrets.fullname + ## + nameOverride: "" + ## @param fullnameOverride String to fully override sealed-secrets.fullname + ## + fullnameOverride: "" + ## @param namespace Namespace where to deploy the Sealed Secrets controller + ## + namespace: "" + + ## @param extraDeploy [array] Array of extra objects to deploy with the release + ## + extraDeploy: [] + ## @param commonAnnotations [object] Annotations to add to all deployed resources + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + commonAnnotations: {} + + ## @section Sealed Secrets Parameters + + ## Sealed Secrets image + ## ref: https://hub.docker.com/r/bitnami/sealed-secrets-controller/tags + ## @param image.registry Sealed Secrets image registry + ## @param image.repository Sealed Secrets image repository + ## @param image.tag Sealed Secrets image tag (immutable tags are recommended) + ## @param image.pullPolicy Sealed Secrets image pull policy + ## @param image.pullSecrets [array] Sealed Secrets image pull secrets + ## + image: + registry: docker.io + repository: bitnami/sealed-secrets-controller + tag: v0.24.0 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param revisionHistoryLimit Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + ## e.g: + revisionHistoryLimit: "" + ## @param createController Specifies whether the Sealed Secrets controller should be created + ## + createController: true + ## @param secretName The name of an existing TLS secret containing the key used to encrypt secrets + ## + secretName: "sealed-secrets-key" + ## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource + ## + updateStatus: true + ## @param skipRecreate Specifies whether the Sealed Secrets controller should skip recreating removed secrets + ## Setting it to false allows to optionally restore backward compatibility in low priviledge + ## environments when old versions of the controller did not require watch permissions on secrets + ## for secret re-creation. + ## + skipRecreate: false + ## @param keyrenewperiod Specifies key renewal period. Default 30 days + ## e.g + ## keyrenewperiod: "720h30m" + ## + keyrenewperiod: "" + ## @param rateLimit Number of allowed sustained request per second for verify endpoint + ## + rateLimit: "" + ## @param rateLimitBurst Number of requests allowed to exceed the rate limit per second for verify endpoint + ## + rateLimitBurst: "" + ## @param additionalNamespaces List of namespaces used to manage the Sealed Secrets + ## + additionalNamespaces: [] + ## @param privateKeyAnnotations Map of annotations to be set on the sealing keypairs + ## + privateKeyAnnotations: {} + ## @param privateKeyLabels Map of labels to be set on the sealing keypairs + ## + privateKeyLabels: {} + ## @param logInfoStdout Specifies whether the Sealed Secrets controller will log info to stdout + ## + logInfoStdout: false + ## @param command Override default container command + ## + command: [] + ## @param args Override default container args + ## + args: [] + ## Configure extra options for Sealed Secret containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param livenessProbe.enabled Enable livenessProbe on Sealed Secret containers + ## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param readinessProbe.enabled Enable readinessProbe on Sealed Secret containers + ## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param startupProbe.enabled Enable startupProbe on Sealed Secret containers + ## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param startupProbe.periodSeconds Period seconds for startupProbe + ## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param startupProbe.failureThreshold Failure threshold for startupProbe + ## @param startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## Sealed Secret resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## @param resources.limits [object] The resources limits for the Sealed Secret containers + ## @param resources.requests [object] The requested resources for the Sealed Secret containers + ## + resources: + limits: {} + requests: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param podSecurityContext.enabled Enabled Sealed Secret pods' Security Context + ## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 65534 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context + ## @param containerSecurityContext.readOnlyRootFilesystem Whether the Sealed Secret container has a read-only root filesystem + ## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user + ## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser + ## @extra containerSecurityContext.capabilities Adds and removes POSIX capabilities from running containers (see `values.yaml`) + ## @skip containerSecurityContext.capabilities.drop + ## + containerSecurityContext: + enabled: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + + ## @param podLabels [object] Extra labels for Sealed Secret pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param podAnnotations [object] Annotations for Sealed Secret pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param priorityClassName Sealed Secret pods' priorityClassName + ## + priorityClassName: "" + ## @param runtimeClassName Sealed Secret pods' runtimeClassName + ## + runtimeClassName: "" + ## @param affinity [object] Affinity for Sealed Secret pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + ## @param nodeSelector [object] Node labels for Sealed Secret pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param tolerations [array] Tolerations for Sealed Secret pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param additionalVolumes [object] Extra Volumes for the Sealed Secrets Controller Deployment + ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ + ## + additionalVolumes: [] + ## @param additionalVolumeMounts [object] Extra volumeMounts for the Sealed Secrets Controller container + ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ + ## + additionalVolumeMounts: [] + ## @param hostNetwork Sealed Secrets pods' hostNetwork + hostNetwork: false + ## @param dnsPolicy Sealed Secrets pods' dnsPolicy + dnsPolicy: "" + + ## @section Traffic Exposure Parameters + + ## Sealed Secret service parameters + ## + service: + ## @param service.type Sealed Secret service type + ## + type: ClusterIP + ## @param service.port Sealed Secret service HTTP port + ## + port: 8080 + ## @param service.nodePort Node port for HTTP + ## Specify the nodePort value for the LoadBalancer and NodePort service types + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePort: "" + ## @param service.annotations [object] Additional custom annotations for Sealed Secret service + ## + annotations: {} + ## Sealed Secret ingress parameters + ## ref: http://kubernetes.io/docs/user-guide/ingress/ + ## + ingress: + ## @param ingress.enabled Enable ingress record generation for Sealed Secret + ## + enabled: false + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster. + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.hostname Default host for the ingress record + ## + hostname: sealed-secrets.local + ## @param ingress.path Default path for the ingress record + ## + path: /v1/cert.pem + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Relay on cert-manager to create it by setting the corresponding annotations + ## - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts [array] An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: sealed-secrets.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths [array] An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls [array] TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - sealed-secrets.local + ## secretName: sealed-secrets.local-tls + ## + extraTls: [] + ## @param ingress.secrets [array] Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: sealed-secrets.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] + ## Network policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: false + ## NetworkPolicy Egress configuration + ## + egress: + ## @param networkPolicy.egress.enabled Specifies wheter a egress is set in the NetworkPolicy + ## + enabled: false + ## @param networkPolicy.egress.kubeapiCidr Specifies the kubeapiCidr, which is the only egress allowed. If not set, kubeapiCidr will be found using Helm lookup + ## + kubeapiCidr: "" + ## @param networkPolicy.egress.kubeapiPort Specifies the kubeapiPort, which is the only egress allowed. If not set, kubeapiPort will be found using Helm lookup + ## + kubeapiPort: "" + + ## @section Other Parameters + + ## ServiceAccount configuration + ## + serviceAccount: + ## @param serviceAccount.annotations [object] Annotations for Sealed Secret service account + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: {} + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.labels Extra labels to be added to the ServiceAccount + ## + labels: {} + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the sealed-secrets.fullname template + ## + name: "" + ## RBAC configuration + ## + rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: true + ## @param rbac.clusterRole Specifies whether the Cluster Role resource should be created + ## + clusterRole: true + ## @param rbac.clusterRoleName Specifies the name for the Cluster Role resource + ## + clusterRoleName: "secrets-unsealer" + ## @param rbac.namespacedRoles Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) + ## + namespacedRoles: false + ## @param rbac.namespacedRolesName Specifies the name for the namesapced Role resource + ## + namespacedRolesName: "secrets-unsealer" + ## @param rbac.labels Extra labels to be added to RBAC resources + ## + labels: {} + ## @param rbac.pspEnabled PodSecurityPolicy + ## + pspEnabled: false + + ## @section Metrics parameters + + metrics: + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Specify if a ServiceMonitor will be deployed for Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace where Prometheus Operator is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + labels: {} + ## @param metrics.serviceMonitor.annotations Extra annotations for the ServiceMonitor + ## + annotations: {} + ## @param metrics.serviceMonitor.interval How frequently to scrape metrics + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.honorLabels Specify if ServiceMonitor endPoints will honor labels + ## + honorLabels: true + ## @param metrics.serviceMonitor.metricRelabelings [array] Specify additional relabeling of metrics + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.relabelings [array] Specify general relabeling + ## + relabelings: [] + ## Grafana dashboards configuration + ## + dashboards: + ## @param metrics.dashboards.create Specifies whether a ConfigMap with a Grafana dashboard configuration should be created + ## ref https://github.com/helm/charts/tree/master/stable/grafana#configuration + ## + create: false + ## @param metrics.dashboards.labels Extra labels to be added to the Grafana dashboard ConfigMap + ## + labels: {} + ## @param metrics.dashboards.annotations Annotations to be added to the Grafana dashboard ConfigMap + ## + annotations: {} + ## @param metrics.dashboards.namespace Namespace where Grafana dashboard ConfigMap is deployed + ## + namespace: "" diff --git a/sealed-secrets-system/helmrelease-sealed-secrets.yaml b/sealed-secrets-system/helmrelease-sealed-secrets.yaml new file mode 100644 index 0000000..b6a0d5b --- /dev/null +++ b/sealed-secrets-system/helmrelease-sealed-secrets.yaml @@ -0,0 +1,22 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: sealed-secrets + namespace: sealed-secrets +spec: + chart: + spec: + chart: sealed-secrets + version: 1.x + sourceRef: + kind: HelmRepository + name: sealed-secrets + namespace: flux-system + interval: 15m + timeout: 5m + releaseName: sealed-secrets + valuesFrom: + - kind: ConfigMap + name: sealed-secrets-helm-chart-value-overrides + valuesKey: values.yaml # This is the default, but best to be explicit for clarity + diff --git a/sealed-secrets/sealed-secrets-kustomization.yaml b/sealed-secrets/sealed-secrets-kustomization.yaml index 23fa3fc..893bf2d 100644 --- a/sealed-secrets/sealed-secrets-kustomization.yaml +++ b/sealed-secrets/sealed-secrets-kustomization.yaml @@ -5,7 +5,7 @@ metadata: namespace: flux-system spec: interval: 15m - path: ./sealed-secrets + path: sealed-secrets-system prune: true # remove any elements later removed from the above path timeout: 2m # if not set, this defaults to interval duration, which is 1h sourceRef: