separate deploySecrets template into two types

- one for admin cluster, the other for user cluster
openinfradev · Sep 29, 2021 · 58b3168 · 58b3168
1 parent 1727b4b
commit 58b3168
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 15 deletions.
diff --git a/sealed_secrets/deploy-secrets.yaml b/sealed_secrets/deploy-secrets.yaml
@@ -5,13 +5,13 @@ metadata:
   namespace: argo
 spec:
   templates:
-  - name: deploySecrets
+  - name: deploySecretsToUserCluster
     activeDeadlineSeconds: 120
     inputs:
       parameters:
-      - name: repo_url   # Eg, "openinfradev/tks-admin-site"
-      - name: secret_path  # Eg, "directory/secret.yaml"
-      - name: kubeconfig_secret_name
+      - name: repo_url   # Eg, "tks-management/011b88fa-4d53-439f-9336-67845f994051/25db54c6-d6cb-459b-9148-1b02ac545753"
+      - name: secret_path  # Eg, "sealed-cert/secret.yaml"
+      - name: kubeconfig_secret_name  # Eg, "25db54c6-d6cb-459b-9148-1b02ac545753-kubeconfig"
     container:
       image: k8s.gcr.io/hyperkube:v1.18.8
       imagePullPolicy: IfNotPresent
@@ -38,3 +38,27 @@ spec:
             secretKeyRef:
               name: "{{ inputs.parameters.kubeconfig_secret_name }}"
               key: value
+
+  - name: deploySecretsToAdminCluster
+    activeDeadlineSeconds: 120
+    inputs:
+      parameters:
+      - name: repo_url   # Eg, "openinfradev/tks-admin-site"
+      - name: secret_path  # Eg, "directory/secret.yaml"
+    container:
+      image: k8s.gcr.io/hyperkube:v1.18.8
+      imagePullPolicy: IfNotPresent
+      command:
+      - /bin/bash
+      - -c
+      - |
+
+        git clone https://$(echo $gittoken|xargs)@{{input.parameters.repo_url}}
+        repo_name=$(basename "{{input.parameters.repo_url}}")
+
+        kubectl apply -f $repo_name/{{input.parameters.secret_path}}
+
+        # TODO: need to add logic to check if the secret was successfully created?
+      envFrom:
+        - secretRef:
+            name: "gittoken"
diff --git a/sealed_secrets/setup-sealed-secrets-infra.yaml b/sealed_secrets/setup-sealed-secrets-infra.yaml
@@ -7,35 +7,38 @@ spec:
   entrypoint: process
   arguments:
     parameters:
+    # Params for user cluster #
     - name: contract_id
       value: "011b88fa-4d53-439f-9336-67845f994051"
     - name: cluster_id
       value: ""
     - name: git_account
       value: "tks-management"
-    # For cluster selection in Argo CD #
-    - name: tks_admin
-      value: "tks-admin"
+    # For create-application task #
+    - name: manifest_repo_url
+      value: "https://github.com/openinfradev/decapod-manifests"
+    - name: site_name
+      value: "hanu-reference"
     - name: app_group
       value: "sealed-secrets"
     - name: revision
       value: "main"
-## Uncomment following lines if you need to customize these ##
+## Uncomment following lines and customize to fetch any secrets you want ##
 #    - name: master_key_repo_url
 #      value: "github.com/openinfradev/tks-admin-site"
 #    - name: master_key_secret_name
 #      value: "github.com/openinfradev/tks-admin-site"
 #    - name: sealed_secrets_repo_url
 #      value: "github.com/openinfradev/tks-admin-site"
 #      ...
-##############################################################
+###########################################################################
   templates:
   - name: process
     steps:
     - - name: deployMasterKey
         templateRef:
           name: deploy-secrets
-          template: deploySecrets
+          template: deploySecretsToAdminCluster
         arguments:
           parameters:
           # In case of user cluster, repo url should be constructed from parameters
@@ -44,8 +47,6 @@ spec:
             value: "github.com/openinfradev/tks-admin-site"
           - name: secret_path
             value: "sealed-secret-key/master-key-secret.yaml"
-          - name: kubeconfig_secret_name
-            value: "{{workflow.parameters.cluster_id}}-kubeconfig"
 
     - - name: installControllers
         templateRef:
@@ -63,12 +64,10 @@ spec:
     - - name: deploySealedSecret
         templateRef:
           name: deploy-secrets
-          template: deploySecrets
+          template: deploySecretsToAdminCluster
         arguments:
           parameters:
           - name: repo_url
             value: "github.com/openinfradev/tks-admin-site"
           - name: secret_path
             value: "sealed-certificates/taco-cat-tls-sealed.yaml"
-          - name: kubeconfig_secret_name
-            value: "{{workflow.parameters.cluster_id}}-kubeconfig"