feat(eso): chart 0.7.0 — migrate all 4 remaining Tower-stamped Secrets to ExternalSecret

Phase 2 of Item #9. Adds ExternalSecret manifests for: - docker-mirror-pull (×2 namespaces, dockerconfigjson template) - cloudflare-api-token-<slug> (per-tenant, gated on tenant.id+slug) - s3-backup-creds (per-tenant, in tenants ns) - longhorn-s3-creds (per-tenant, gated on tenant.s3Endpoint) New helm values: tenant.id, tenant.slug, tenant.s3Endpoint. Tower must pass these per-cluster (next ship). All manifests gated on externalSecrets.enabled + mountPath set + tenant.id set, so old apps without the new params remain on the legacy Tower-stamped path until the operator opts them in.
2026-05-07 21:25:41 +03:00
parent 52a157f187
commit c26ee5b3c6
6 changed files with 185 additions and 2 deletions
--- a/templates/longhorn-s3-creds-externalsecret.yaml
+++ b/templates/longhorn-s3-creds-externalsecret.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.externalSecrets.enabled }}
+{{- if .Values.externalSecrets.openbao.mountPath }}
+{{- if and .Values.tenant.id .Values.tenant.s3Endpoint }}
+# longhorn-s3-creds — per-tenant credentials for Longhorn's async S3 backup
+# target. Same access_key/secret_key as s3-backup-creds (sourced from
+# tenants/<id>/s3-credentials in OpenBao) but lives in odoosky-system
+# (Longhorn's namespace) and includes AWS_ENDPOINTS for S3-compatible
+# providers. AWS_ENDPOINTS comes from a chart helm value (tenant settings,
+# not Vault) since it's a static config tied to the tenant's S3 provider
+# choice rather than rotated credential material. Gated on s3Endpoint
+# being set — empty endpoint = no Longhorn S3 backup configured.
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: longhorn-s3-creds
+  namespace: odoosky-system
+  labels:
+    app.kubernetes.io/managed-by: cluster-platform-v3
+    odoosky.io/tenant: {{ .Values.tenant.id | quote }}
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: openbao-platform
+    kind: ClusterSecretStore
+  target:
+    name: longhorn-s3-creds
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    template:
+      type: Opaque
+      engineVersion: v2
+      data:
+        AWS_ACCESS_KEY_ID: "{{ `{{ .access_key }}` }}"
+        AWS_SECRET_ACCESS_KEY: "{{ `{{ .secret_key }}` }}"
+        AWS_ENDPOINTS: {{ .Values.tenant.s3Endpoint | quote }}
+  data:
+    - secretKey: access_key
+      remoteRef:
+        key: tenants/{{ .Values.tenant.id }}/s3-credentials
+        property: access_key
+    - secretKey: secret_key
+      remoteRef:
+        key: tenants/{{ .Values.tenant.id }}/s3-credentials
+        property: secret_key
+{{- end }}
+{{- end }}
+{{- end }}