c26ee5b3c6
Phase 2 of Item #9. Adds ExternalSecret manifests for: - docker-mirror-pull (×2 namespaces, dockerconfigjson template) - cloudflare-api-token-<slug> (per-tenant, gated on tenant.id+slug) - s3-backup-creds (per-tenant, in tenants ns) - longhorn-s3-creds (per-tenant, gated on tenant.s3Endpoint) New helm values: tenant.id, tenant.slug, tenant.s3Endpoint. Tower must pass these per-cluster (next ship). All manifests gated on externalSecrets.enabled + mountPath set + tenant.id set, so old apps without the new params remain on the legacy Tower-stamped path until the operator opts them in.
33 lines
1.1 KiB
YAML
33 lines
1.1 KiB
YAML
{{- if .Values.externalSecrets.enabled }}
|
|
{{- if .Values.externalSecrets.openbao.mountPath }}
|
|
{{- if and .Values.tenant.id .Values.tenant.slug }}
|
|
# cloudflare-api-token-<slug> — per-tenant CF token used by cert-manager's
|
|
# DNS-01 solver. Pulled from OpenBao path v3/tenants/<id>/cloudflare-token,
|
|
# field api_token, exposed as Secret key "api-token" (matches what the
|
|
# ClusterIssuer references via secretKeyRef.key in cluster-issuer.yaml).
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: cloudflare-api-token-{{ .Values.tenant.slug }}
|
|
namespace: odoosky-system
|
|
labels:
|
|
app.kubernetes.io/managed-by: cluster-platform-v3
|
|
odoosky.io/tenant: {{ .Values.tenant.id | quote }}
|
|
spec:
|
|
refreshInterval: "1h"
|
|
secretStoreRef:
|
|
name: openbao-platform
|
|
kind: ClusterSecretStore
|
|
target:
|
|
name: cloudflare-api-token-{{ .Values.tenant.slug }}
|
|
creationPolicy: Owner
|
|
deletionPolicy: Retain
|
|
data:
|
|
- secretKey: api-token
|
|
remoteRef:
|
|
key: tenants/{{ .Values.tenant.id }}/cloudflare-token
|
|
property: api_token
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|