feat(eso): chart 0.7.0 — migrate all 4 remaining Tower-stamped Secrets to ExternalSecret

Phase 2 of Item #9. Adds ExternalSecret manifests for: - docker-mirror-pull (×2 namespaces, dockerconfigjson template) - cloudflare-api-token-<slug> (per-tenant, gated on tenant.id+slug) - s3-backup-creds (per-tenant, in tenants ns) - longhorn-s3-creds (per-tenant, gated on tenant.s3Endpoint) New helm values: tenant.id, tenant.slug, tenant.s3Endpoint. Tower must pass these per-cluster (next ship). All manifests gated on externalSecrets.enabled + mountPath set + tenant.id set, so old apps without the new params remain on the legacy Tower-stamped path until the operator opts them in.
2026-05-07 21:25:41 +03:00
parent 52a157f187
commit c26ee5b3c6
6 changed files with 185 additions and 2 deletions
--- a/values.yaml
+++ b/values.yaml
@@ -19,6 +19,21 @@ cluster:
 # but a real deploy MUST set domain + wildcardHost (the Certificate
 # template fails with `required` on an empty value).
 tenant:
+  # Tenant UUID — used by ESO ExternalSecrets to construct the
+  # OpenBao path `v3/tenants/<id>/{cloudflare-token,s3-credentials}`.
+  # Empty default = ESO ExternalSecret manifests skip rendering (chart
+  # remains usable for non-ESO clusters during transition).
+  id: ""
+  # Tenant slug — used as the per-tenant Secret name suffix
+  # (e.g., `cloudflare-api-token-<slug>`). Must match the slug
+  # cert-manager's ClusterIssuer references via secrets.cloudflareTokenSecret.
+  slug: ""
+  # S3-compatible endpoint for the tenant's backup target. When set,
+  # the longhorn-s3-creds ExternalSecret manifest renders with
+  # AWS_ENDPOINTS literal alongside the access_key+secret_key from
+  # OpenBao. Empty = no Longhorn S3 backup wired (instance-level
+  # backups still work via s3-backup-creds + the per-tenant CronJob).
+  s3Endpoint: ""
  # Domain the Cloudflare zone covers, e.g. "acme-erp.com".
  # Mirror of domains[primary].root — kept for legacy chart consumers.
  domain: ""