ArgoCD was reporting all 6 ExternalSecrets as OutOfSync because the live CRs had conversionStrategy/decodingStrategy/metadataPolicy fields filled in by the CRD defaults that weren't in the chart manifests. Stamping them explicitly so the diff is clean. The Tower UI will now show the Provisioning state correctly transitioning to Ready.
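{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
{{- if .Values.tenant.id }}
{{- /*
  tenant.id is interpolated into the OpenBao secret path below. A "/" in it
  would address a different path than the tenant's own subtree, so reject it
  at render time instead of relying on the API server rejecting the label.
*/}}
{{- if contains "/" (toString .Values.tenant.id) }}
{{- fail "tenant.id must not contain '/': it is interpolated into the OpenBao secret path" }}
{{- end }}
# s3-backup-creds — per-tenant S3 backup credentials consumed by the
# instance-template-v3 backup-cronjob (env: AWS_ACCESS_KEY_ID +
# AWS_SECRET_ACCESS_KEY). Source: v3/tenants/<id>/s3-credentials in
# OpenBao with fields access_key + secret_key. Lives in the `tenants`
# namespace where the per-instance backup CronJobs run.
#
# Rendered only when externalSecrets.enabled, externalSecrets.openbao.mountPath
# and tenant.id are all set. mountPath is only tested here, never rendered;
# presumably the mount itself is configured on the ClusterSecretStore.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: s3-backup-creds
  namespace: tenants
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
    odoosky.io/tenant: {{ .Values.tenant.id | quote }}
spec:
  # Keys rotated in OpenBao reach the cluster Secret within one refresh
  # interval, so the old key pair can stay in use for up to an hour.
  refreshInterval: "1h"
  secretStoreRef:
    # Cluster-scoped store: which OpenBao paths can be read is bounded by the
    # store's own role/policy, not by this manifest.
    # NOTE(review): confirm that policy is limited to the tenant subtree.
    name: openbao-platform
    kind: ClusterSecretStore
  target:
    name: s3-backup-creds
    # Owner: the Secret is owned by this ExternalSecret and is removed with it.
    creationPolicy: Owner
    # Retain: the Secret keeps its last synced values if the OpenBao entry is
    # deleted, so revoking a tenant also requires removing this ExternalSecret
    # (or the Secret) from the cluster.
    deletionPolicy: Retain
    template:
      type: Opaque
      engineVersion: v2
      data:
        # The backtick-quoted inner expressions are emitted literally by Helm
        # and evaluated later by the External Secrets template engine.
        AWS_ACCESS_KEY_ID: "{{ `{{ .access_key }}` }}"
        AWS_SECRET_ACCESS_KEY: "{{ `{{ .secret_key }}` }}"
  data:
    # conversionStrategy / decodingStrategy / metadataPolicy repeat the CRD
    # defaults on purpose: the live objects carry them, and leaving them out
    # makes ArgoCD report the resource as OutOfSync.
    - secretKey: access_key
      remoteRef:
        # Quoted so that a tenant id containing YAML-significant characters
        # cannot truncate the path or add keys to the manifest.
        key: {{ printf "tenants/%v/s3-credentials" .Values.tenant.id | quote }}
        property: access_key
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: secret_key
      remoteRef:
        key: {{ printf "tenants/%v/s3-credentials" .Values.tenant.id | quote }}
        property: secret_key
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
{{- end }}
{{- end }}
{{- end }}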