diff --git a/argocd-apps/vault-secrets.yaml b/argocd-apps/vault-secrets.yaml
new file mode 100644
index 0000000..a10329c
--- /dev/null
+++ b/argocd-apps/vault-secrets.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault-secrets
+ namespace: argocd
+spec:
+ project: dev-tools
+ source:
+ repoURL: https://git.dvirlabs.com/dvirlabs/dev-tools.git
+ targetRevision: HEAD
+ path: manifests/secret-seeding
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: dev-tools
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/manifests/external-secrets/clustersecretstore.yaml b/manifests/external-secrets/clustersecretstore.yaml
new file mode 100644
index 0000000..c73d977
--- /dev/null
+++ b/manifests/external-secrets/clustersecretstore.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-backend
+spec:
+ provider:
+ vault:
+ server: "http://vault.dev-tools.svc.cluster.local:8200"
+ path: "secret"
+ version: "v2"
+ auth:
+ tokenSecretRef:
+ name: vault-init
+ key: root-token
+ namespace: dev-tools
\ No newline at end of file
diff --git a/manifests/secret-seeding/grafana.yaml b/manifests/secret-seeding/grafana.yaml
new file mode 100644
index 0000000..7d09d3c
--- /dev/null
+++ b/manifests/secret-seeding/grafana.yaml
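Review bot: The Application syncs `manifests/secret-seeding` as a plain resource directory with `prune: true` and `selfHeal: true`, but the only resource that directory holds in this commit (grafana.yaml) is a batch/v1 Job, whose pod template is immutable once created; the first sync applies it, but any later change to the seed command cannot be patched in and the app will sit OutOfSync. If a one-shot seeding step is intended, the Job's metadata should carry `argocd.argoproj.io/hook: Sync` and `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation` so Argo recreates it on each sync instead of trying to update it. `targetRevision: HEAD` also means every push to the default branch is applied unreviewed into the namespace that holds the Vault root token; a comment on the `automated:` stanza stating that this is deliberate would help the next reader.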
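Review bot: The ClusterSecretStore authenticates with the Vault root token (`tokenSecretRef` pointing at `vault-init`/`root-token`), so every ExternalSecret in every namespace that references `vault-backend` reads Vault with unrestricted privileges, and the `path: "secret"` setting does not limit that — any namespace able to create an ExternalSecret can reach any mount. A cluster-wide store should use a least-privilege identity: the Kubernetes auth method with a role bound to a read-only policy on the paths the cluster actually consumes, keeping the root token for initial seeding only (and revoking it afterwards); `spec.conditions` with a `namespaceSelector` can additionally restrict which namespaces may use the store. `server` is plain `http://`, so the token travels in cleartext on the pod network; if Vault terminates TLS in-cluster, switch to `https://` and set `caBundle` or `caProvider`. The file is also missing its trailing newline.
```yaml
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets  # placeholder: Vault role bound to a read-only policy on the needed paths
          serviceAccountRef:
            name: external-secrets  # placeholder: the ESO controller's service account
            namespace: external-secrets
```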
@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: vault-seed-grafana-oidc
+ namespace: dev-tools
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: seed
+ image: vault:1.15.5
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ export VAULT_ADDR=http://vault.dev-tools.svc.cluster.local:8200
+ export VAULT_TOKEN=$(cat /vault/secrets/root-token)
+ vault kv put secret/grafana-oidc client_secret=6mfAtg8ZrioiCZMsbMi4dbZyJk205nRi
+ volumeMounts:
+ - name: vault-token
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-token
+ secret:
+ secretName: vault-init
\ No newline at end of file
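Review bot: The `vault kv put` line commits the Grafana OIDC `client_secret` in plaintext to git and also places it in the Job's `args`, where anyone who can read Jobs or Pods in `dev-tools` (and anyone viewing the Argo UI, which renders the manifest) can see it; the value in this commit should be treated as exposed and rotated in the identity provider, and the replacement must not land in the manifest or the repo history again. Supply the value from a Kubernetes Secret created out of band via `env` with `valueFrom.secretKeyRef` and reference it as a shell variable, so the committed manifest carries no secret material. The pod also mounts the Vault root token; a token scoped by a policy that only allows writes to the `secret/grafana-oidc` path would bound what a compromised seed pod could do, and would let the root token be revoked after bootstrap. As far as I know the Docker Hub `vault` library image used by `image: vault:1.15.5` has been deprecated upstream in favour of `hashicorp/vault`, which is worth confirming before relying on it for future tags.
```yaml
          - name: seed
            # … unchanged: image, command …
            env:
              - name: VAULT_ADDR
                value: http://vault.dev-tools.svc.cluster.local:8200
              - name: GRAFANA_OIDC_CLIENT_SECRET
                valueFrom:
                  secretKeyRef:
                    name: grafana-oidc-seed  # placeholder: Secret created out of band, never committed
                    key: client_secret
            args:
              - |
                export VAULT_TOKEN=$(cat /vault/secrets/root-token)
                vault kv put secret/grafana-oidc client_secret="$GRAFANA_OIDC_CLIENT_SECRET"
            # … unchanged: volumeMounts, volumes …
```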