From 58b3168ee2678cfc056f31b062c48ecf0d8df92e Mon Sep 17 00:00:00 2001
From: Robert Choi
Date: Wed, 29 Sep 2021 14:40:33 +0900
Subject: [PATCH] separate deploySecrets template into two types - one for admin cluster, the other for user cluster
---
 sealed_secrets/deploy-secrets.yaml | 32 ++++++++++++++++---
 .../setup-sealed-secrets-infra.yaml | 21 ++++++------
 2 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/sealed_secrets/deploy-secrets.yaml b/sealed_secrets/deploy-secrets.yaml
index b3211a0a..27f31c18 100644
--- a/sealed_secrets/deploy-secrets.yaml
+++ b/sealed_secrets/deploy-secrets.yaml
@@ -5,13 +5,13 @@ metadata:
 namespace: argo
 spec:
 templates:
- - name: deploySecrets
+ - name: deploySecretsToUserCluster
 activeDeadlineSeconds: 120
 inputs:
 parameters:
- - name: repo_url # Eg, "openinfradev/tks-admin-site"
- - name: secret_path # Eg, "directory/secret.yaml"
- - name: kubeconfig_secret_name
+ - name: repo_url # Eg, "tks-management/011b88fa-4d53-439f-9336-67845f994051/25db54c6-d6cb-459b-9148-1b02ac545753"
+ - name: secret_path # Eg, "sealed-cert/secret.yaml"
+ - name: kubeconfig_secret_name # Eg, "25db54c6-d6cb-459b-9148-1b02ac545753-kubeconfig"
 container:
 image: k8s.gcr.io/hyperkube:v1.18.8
 imagePullPolicy: IfNotPresent
@@ -38,3 +38,27 @@ spec:
 secretKeyRef:
 name: "{{ inputs.parameters.kubeconfig_secret_name }}"
 key: value
+
+ - name: deploySecretsToAdminCluster
+ activeDeadlineSeconds: 120
+ inputs:
+ parameters:
+ - name: repo_url # Eg, "openinfradev/tks-admin-site"
+ - name: secret_path # Eg, "directory/secret.yaml"
+ container:
+ image: k8s.gcr.io/hyperkube:v1.18.8
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/bash
+ - -c
+ - |
+
+ git clone https://$(echo $gittoken|xargs)@{{input.parameters.repo_url}}
+ repo_name=$(basename "{{input.parameters.repo_url}}")
+
+ kubectl apply -f $repo_name/{{input.parameters.secret_path}}
+
+ # TODO: need to add logic to check if the secret was successfully created?
+ envFrom:
+ - secretRef:
+ name: "gittoken"
diff --git a/sealed_secrets/setup-sealed-secrets-infra.yaml b/sealed_secrets/setup-sealed-secrets-infra.yaml
index f43f3231..9dc30fa6 100644
--- a/sealed_secrets/setup-sealed-secrets-infra.yaml
+++ b/sealed_secrets/setup-sealed-secrets-infra.yaml
@@ -7,20 +7,23 @@ spec:
 entrypoint: process
 arguments:
 parameters:
+ # Params for user cluster #
 - name: contract_id
 value: "011b88fa-4d53-439f-9336-67845f994051"
 - name: cluster_id
 value: ""
 - name: git_account
 value: "tks-management"
- # For cluster selection in Argo CD #
- - name: tks_admin
- value: "tks-admin"
+ # For create-application task #
+ - name: manifest_repo_url
+ value: "https://github.com/openinfradev/decapod-manifests"
+ - name: site_name
+ value: "hanu-reference"
 - name: app_group
 value: "sealed-secrets"
 - name: revision
 value: "main"
-## Uncomment following lines if you need to customize these ##
+## Uncomment following lines and customize to fetch any secrets you want ##
 # - name: master_key_repo_url
 # value: "github.com/openinfradev/tks-admin-site"
 # - name: master_key_secret_name
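Review bot: The three script lines of the new `deploySecretsToAdminCluster` template reference `{{input.parameters.repo_url}}` and `{{input.parameters.secret_path}}`, but Argo substitutes `{{inputs.parameters.<name>}}` (plural), as the context line `{{ inputs.parameters.kubeconfig_secret_name }}` just above this template shows; as written the placeholders are handed literally to `git clone` and `kubectl apply`. Change them to `git clone https://$(echo $gittoken|xargs)@{{inputs.parameters.repo_url}}`, `repo_name=$(basename "{{inputs.parameters.repo_url}}")` and `kubectl apply -f $repo_name/{{inputs.parameters.secret_path}}`. Separately, embedding the token in the clone URL records it in the cloned repository's `.git/config` and exposes it in git's own error output if the clone fails; supplying it through a credential helper or `GIT_ASKPASS` keeps it out of both. Adding `set -euo pipefail` at the top of the script would also stop the step before `kubectl apply` runs on a failed clone, which partly answers the TODO comment at the end of the script.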
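Review bot: `manifest_repo_url` and `site_name` are added under `# For create-application task #`, but no step visible in this patch references them and the remaining steps pass `github.com/openinfradev/tks-admin-site` as a literal, so they appear unused unless a create-application step exists elsewhere in the file; a short comment naming the consuming step next to these parameters would settle that. Note also that `manifest_repo_url` carries an `https://` scheme while every other repo url in this file is scheme-less because the deploy-secrets template prepends `https://<token>@` itself, so a comment such as `# full URL; not passed through deploy-secrets` is worth adding if that difference is intended.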
@@ -28,14 +31,14 @@ spec:
 # - name: sealed_secrets_repo_url
 # value: "github.com/openinfradev/tks-admin-site"
 # ...
-##############################################################
+###########################################################################
 templates:
 - name: process
 steps:
 - - name: deployMasterKey
 templateRef:
 name: deploy-secrets
- template: deploySecrets
+ template: deploySecretsToAdminCluster
 arguments:
 parameters:
 # In case of user cluster, repo url should be constructed from parameters
@@ -44,8 +47,6 @@ spec:
 value: "github.com/openinfradev/tks-admin-site"
 - name: secret_path
 value: "sealed-secret-key/master-key-secret.yaml"
- - name: kubeconfig_secret_name
- value: "{{workflow.parameters.cluster_id}}-kubeconfig"
 
 - - name: installControllers
 templateRef:
@@ -63,12 +64,10 @@ spec:
 - - name: deploySealedSecret
 templateRef:
 name: deploy-secrets
- template: deploySecrets
+ template: deploySecretsToAdminCluster
 arguments:
 parameters:
 - name: repo_url
 value: "github.com/openinfradev/tks-admin-site"
 - name: secret_path
 value: "sealed-certificates/taco-cat-tls-sealed.yaml"
- - name: kubeconfig_secret_name
- value: "{{workflow.parameters.cluster_id}}-kubeconfig"
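Review bot: The context comment `# In case of user cluster, repo url should be constructed from parameters` at the end of this hunk is now stale, because `deployMasterKey` switches to `deploySecretsToAdminCluster`, which takes no kubeconfig and always targets the admin cluster; replacing it with `# Admin cluster: repo url is fixed and no kubeconfig is needed` (or dropping it) keeps the step and its template in sync. The same switch in the `deploySealedSecret` hunk below, together with the two hunks that remove the `kubeconfig_secret_name` arguments, leaves `workflow.parameters.cluster_id` unreferenced by any step visible here, so its `# Params for user cluster #` grouping may mislead unless another step in the file still consumes it.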