odoo-tower/cluster-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c26ee5b3c6a15bdfc8fb24ecdfe2fa24c7974bdd
cluster-platform-v3/templates/longhorn-s3-creds-externalsecret.yaml
OdooSky v3 c26ee5b3c6 feat(eso): chart 0.7.0 — migrate all 4 remaining Tower-stamped Secrets to ExternalSecret 
Phase 2 of Item #9. Adds ExternalSecret manifests for:
  - docker-mirror-pull (×2 namespaces, dockerconfigjson template)
  - cloudflare-api-token-<slug> (per-tenant, gated on tenant.id+slug)
  - s3-backup-creds (per-tenant, in tenants ns)
  - longhorn-s3-creds (per-tenant, gated on tenant.s3Endpoint)

New helm values: tenant.id, tenant.slug, tenant.s3Endpoint. Tower must
pass these per-cluster (next ship). All manifests gated on
externalSecrets.enabled + mountPath set + tenant.id set, so old apps
without the new params remain on the legacy Tower-stamped path until
the operator opts them in.
2026-05-07 21:25:41 +03:00

48 lines
1.7 KiB
YAML
Raw Blame History

{{- if .Values.externalSecrets.enabled }}
{{- if .Values.externalSecrets.openbao.mountPath }}
{{- if and .Values.tenant.id .Values.tenant.s3Endpoint }}
# longhorn-s3-creds — per-tenant credentials for Longhorn's async S3 backup
# target. Same access_key/secret_key as s3-backup-creds (sourced from
# tenants/<id>/s3-credentials in OpenBao) but lives in odoosky-system
# (Longhorn's namespace) and includes AWS_ENDPOINTS for S3-compatible
# providers. AWS_ENDPOINTS comes from a chart helm value (tenant settings,
# not Vault) since it's a static config tied to the tenant's S3 provider
# choice rather than rotated credential material. Gated on s3Endpoint
# being set — empty endpoint = no Longhorn S3 backup configured.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: longhorn-s3-creds
namespace: odoosky-system
labels:
app.kubernetes.io/managed-by: cluster-platform-v3
odoosky.io/tenant: {{ .Values.tenant.id | quote }}
spec:
refreshInterval: "1h"
secretStoreRef:
name: openbao-platform
kind: ClusterSecretStore
target:
name: longhorn-s3-creds
creationPolicy: Owner
deletionPolicy: Retain
template:
type: Opaque
engineVersion: v2
data:
AWS_ACCESS_KEY_ID: "{{ `{{ .access_key }}` }}"
AWS_SECRET_ACCESS_KEY: "{{ `{{ .secret_key }}` }}"
AWS_ENDPOINTS: {{ .Values.tenant.s3Endpoint | quote }}
data:
- secretKey: access_key
remoteRef:
key: tenants/{{ .Values.tenant.id }}/s3-credentials
property: access_key
- secretKey: secret_key
remoteRef:
key: tenants/{{ .Values.tenant.id }}/s3-credentials
property: secret_key
{{- end }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink