feat: custom K3S token

AtomiCloud · Oct 15, 2023 · 67333b0 · 67333b0
1 parent 0738e62
commit 67333b0
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 29 deletions.
diff --git a/chart/README.md b/chart/README.md
@@ -15,8 +15,8 @@ Helm chart to install virtual cluster on a physical cluster
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| auth | object | `{"name":"pichu-root-token","policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteName":"PICHU_SULFOXIDE_SOS","secretKey":"DOPPLER_TOKEN","secretStore":{"kind":"ClusterSecretStore","name":"doppler"},"upsyncNamespace":"default"}` | Root Doppler token |
-| auth.name | string | `"pichu-root-token"` | name of the secret to be created |
+| auth | object | `{"name":"root-token","policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteName":"PICHU_SULFOXIDE_SOS","secretKey":"DOPPLER_TOKEN","secretStore":{"kind":"ClusterSecretStore","name":"doppler"},"upsyncNamespace":"sulfoxide"}` | Root Doppler token |
+| auth.name | string | `"root-token"` | name of the secret to be created |
 | auth.policy.creation | string | `"Owner"` | External Secret creation policy |
 | auth.policy.deletion | string | `"Retain"` | External Secret deletion policy |
 | auth.refreshInterval | string | `"1h"` | external secret refresh interval |
@@ -25,9 +25,9 @@ Helm chart to install virtual cluster on a physical cluster
 | auth.secretStore | object | `{"kind":"ClusterSecretStore","name":"doppler"}` | Secret store to reference |
 | auth.secretStore.kind | string | `"ClusterSecretStore"` | kind of the secret store to reference |
 | auth.secretStore.name | string | `"doppler"` | name of the secret store to reference |
-| auth.upsyncNamespace | string | `"default"` | upsync namespace |
-| datastore | object | `{"name":"pichu-root-token","policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteName":"PICHU_K3S_DATASTORE_ENDPOINT","secretKey":"K3S_DATASTORE_ENDPOINT","secretStore":{"kind":"SecretStore","name":"doppler-iodine"}}` | K3S state (postgresql) auth |
-| datastore.name | string | `"pichu-root-token"` | name of the secret to be created |
+| auth.upsyncNamespace | string | `"sulfoxide"` | upsync namespace |
+| datastore | object | `{"name":"datastore-endpoint","policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteName":"PICHU_K3S_DATASTORE_ENDPOINT","secretKey":"K3S_DATASTORE_ENDPOINT","secretStore":{"kind":"SecretStore","name":"doppler-iodine"}}` | K3S state (postgresql) auth |
+| datastore.name | string | `"datastore-endpoint"` | name of the secret to be created |
 | datastore.policy.creation | string | `"Owner"` | External Secret creation policy |
 | datastore.policy.deletion | string | `"Retain"` | External Secret deletion policy |
 | datastore.refreshInterval | string | `"1h"` | external secret refresh interval |
@@ -36,13 +36,23 @@ Helm chart to install virtual cluster on a physical cluster
 | datastore.secretStore | object | `{"kind":"SecretStore","name":"doppler-iodine"}` | Secret store to reference |
 | datastore.secretStore.kind | string | `"SecretStore"` | kind of the secret store to reference |
 | datastore.secretStore.name | string | `"doppler-iodine"` | name of the secret store to reference |
+| k3sSyncToken | object | `{"name":"k3s-sync-token","policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteName":"PIKACHU_K3S_TOKEN","secretKey":"K3S_TOKEN","secretStore":{"kind":"SecretStore","name":"doppler-iodine"}}` | K3S sync token |
+| k3sSyncToken.name | string | `"k3s-sync-token"` | name of the secret to be created |
+| k3sSyncToken.policy.creation | string | `"Owner"` | External Secret creation policy |
+| k3sSyncToken.policy.deletion | string | `"Retain"` | External Secret deletion policy |
+| k3sSyncToken.refreshInterval | string | `"1h"` | external secret refresh interval |
+| k3sSyncToken.remoteName | string | `"PIKACHU_K3S_TOKEN"` | name of the remote secret name |
+| k3sSyncToken.secretKey | string | `"K3S_TOKEN"` | secret key to store the connection string secret |
+| k3sSyncToken.secretStore | object | `{"kind":"SecretStore","name":"doppler-iodine"}` | Secret store to reference |
+| k3sSyncToken.secretStore.kind | string | `"SecretStore"` | kind of the secret store to reference |
+| k3sSyncToken.secretStore.name | string | `"doppler-iodine"` | name of the secret store to reference |
 | serviceTree | object | `{"layer":"1","platform":"sulfoxide","service":"iodine"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
-| sulfoxide-bromine | object | `{"rootSecret":{"ref":"SULFOXIDE_IODINE"},"storeName":"doppler-boron"}` | Create SecretStore via secret of secrets pattern |
+| sulfoxide-bromine | object | `{"rootSecret":{"ref":"SULFOXIDE_IODINE"},"storeName":"doppler-iodine"}` | Create SecretStore via secret of secrets pattern |
 | sulfoxide-bromine.rootSecret | object | `{"ref":"SULFOXIDE_IODINE"}` | Secret of Secrets reference |
 | sulfoxide-bromine.rootSecret.ref | string | `"SULFOXIDE_IODINE"` | DOPPLER Token Reference |
-| sulfoxide-bromine.storeName | string | `"doppler-boron"` | Store name to create |
+| sulfoxide-bromine.storeName | string | `"doppler-iodine"` | Store name to create |
 | tags | object | `{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}` | Kubernetes labels and annotations, following Service Tree |
-| vcluster | object | `{"annotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"coredns":{"replicas":3},"enableHA":true,"ingress":{"enabled":true,"host":"kubernetes.atomi.cloud","ingressClassName":"nginx"},"init":{"manifests":"apiVersion: v1\nkind: Namespace\nmetadata:\n  labels:\n    kubernetes.io/metadata.name: sulfoxide\n  name: sulfoxide\n"},"labels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"plugin":{"secret-syncer":{"image":"ghcr.io/kirinnee/vcluster-secret-syncer/secret-syncer-amd:1.0.0","imagePullPolicy":"IfNotPresent"}},"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"podLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"proxy":{"metricsServer":{"nodes":{"enabled":true},"pods":{"enabled":true}}},"replicas":3,"storage":{"persistence":false},"sync":{"configmaps":{"all":true},"ingresses":{"enabled":true},"nodes":{"enableScheduler":true,"enabled":true,"fakeKubeletIPs":true,"syncAllNodes":true,"syncNodeChanges":true},"pods":{"enabled":true,"ephemeralContainers":true,"status":true},"secrets":{"all":true}},"syncer":{"extraArgs":["--tls-san=https://kubernetes.atomi.cloud"]},"telemetry":{"disabled":true},"vcluster":{"env":[{"name":"K3S_DATASTORE_ENDPOINT","valueFrom":{"secretKeyRef":{"key":"K3S_DATASTORE_ENDPOINT","name":"pichu-root-token"}}}]}}` | Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster) |
+| vcluster | object | `{"annotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"coredns":{"replicas":3},"enableHA":true,"ingress":{"enabled":true,"host":"kubernetes.atomi.cloud","ingressClassName":"nginx"},"init":{"manifests":"apiVersion: v1\nkind: Namespace\nmetadata:\n  labels:\n    kubernetes.io/metadata.name: sulfoxide\n  name: sulfoxide\n"},"k3s":{"serverTokenKey":"K3S_TOKEN","tokenSecretName":"k3s-sync-token"},"labels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"plugin":{"secret-syncer":{"image":"ghcr.io/kirinnee/vcluster-secret-syncer/secret-syncer-amd:1.0.0","imagePullPolicy":"IfNotPresent"}},"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"podLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"iodine"}},"proxy":{"metricsServer":{"nodes":{"enabled":true},"pods":{"enabled":true}}},"replicas":3,"storage":{"persistence":false},"sync":{"configmaps":{"all":true},"ingresses":{"enabled":true},"nodes":{"enableScheduler":true,"enabled":true,"fakeKubeletIPs":true,"syncAllNodes":true,"syncNodeChanges":true},"pods":{"enabled":true,"ephemeralContainers":true,"status":true},"secrets":{"all":true}},"syncer":{"extraArgs":["--tls-san=https://kubernetes.atomi.cloud"]},"telemetry":{"disabled":true},"vcluster":{"env":[{"name":"K3S_DATASTORE_ENDPOINT","valueFrom":{"secretKeyRef":{"key":"K3S_DATASTORE_ENDPOINT","name":"datastore-endpoint"}}}]}}` | Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster) |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.1](https://github.com/norwoodj/helm-docs/releases/v1.11.1)
diff --git a/chart/templates/k3s-secret.yaml b/chart/templates/k3s-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Release.Name -}}-k3s-external-secret
+  annotations: {{- include "sulfoxide-iodine.annotations" . | nindent 4 }}
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+  labels: {{- include "sulfoxide-iodine.labels" . | nindent 4 }}
+spec:
+  refreshInterval: {{ .Values.datastore.refreshInterval }}
+  secretStoreRef:
+    name: {{ .Values.k3sSyncToken.secretStore.name }}
+    kind: {{ .Values.k3sSyncToken.secretStore.kind }}
+  target:
+    name: {{ .Values.k3sSyncToken.name }}
+    creationPolicy: {{ .Values.k3sSyncToken.policy.creation }}
+    deletionPolicy: {{ .Values.k3sSyncToken.policy.deletion }}
+  data:
+    - secretKey: "{{ .Values.k3sSyncToken.secretKey }}"
+      remoteRef:
+        key: "{{ .Values.k3sSyncToken.remoteName }}"
diff --git a/chart/values.pichu.opal.yaml b/chart/values.pichu.opal.yaml
@@ -7,28 +7,12 @@ tags: &tags
   atomi.cloud/cluster: *cluster
 
 auth:
-  name: pichu-root-token
   remoteName: PICHU_SULFOXIDE_SOS
-  upsyncNamespace: sulfoxide
-
-sulfoxide-bromine:
-  storeName: &storeName doppler-pichu-iodine
 
 datastore:
-  secretStore:
-    name: *storeName
-  name: &k3sDatastoreEndpoint pichu-datastore-endpoint
   remoteName: PICHU_K3S_DATASTORE_ENDPOINT
-  secretKey: &k3sSecretKey K3S_DATASTORE_ENDPOINT
 
 vcluster:
-  vcluster:
-    env:
-      - name: K3S_DATASTORE_ENDPOINT
-        valueFrom:
-          secretKeyRef:
-            name: *k3sDatastoreEndpoint
-            key: *k3sSecretKey
   podLabels:
     <<: *tags
   podAnnotations:

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -13,7 +13,7 @@ tags: &tags
 # -- Create SecretStore via secret of secrets pattern
 sulfoxide-bromine:
   # -- Store name to create
-  storeName: doppler-boron
+  storeName: doppler-iodine
   # -- Secret of Secrets reference
   rootSecret:
     # -- DOPPLER Token Reference
@@ -35,11 +35,11 @@ auth:
     # -- External Secret deletion policy
     deletion: Retain
   # -- name of the secret to be created
-  name: pichu-root-token
+  name: root-token
   # -- name of DOPPLER_TOKEN to be stored
   remoteName: PICHU_SULFOXIDE_SOS
   # -- upsync namespace
-  upsyncNamespace: default
+  upsyncNamespace: sulfoxide
   # -- secret key to store DOPPLER_TOKEN
   secretKey: DOPPLER_TOKEN
 
@@ -59,12 +59,34 @@ datastore:
     # -- External Secret deletion policy
     deletion: Retain
   # -- name of the secret to be created
-  name: pichu-root-token
+  name: datastore-endpoint
   # -- name of the remote secret name
   remoteName: PICHU_K3S_DATASTORE_ENDPOINT
   # -- secret key to store the connection string secret
   secretKey: K3S_DATASTORE_ENDPOINT
 
+# -- K3S sync token
+k3sSyncToken:
+  # -- external secret refresh interval
+  refreshInterval: 1h
+  # -- Secret store to reference
+  secretStore:
+    # -- name of the secret store to reference
+    name: doppler-iodine
+    # -- kind of the secret store to reference
+    kind: SecretStore
+  policy:
+    # -- External Secret creation policy
+    creation: Owner
+    # -- External Secret deletion policy
+    deletion: Retain
+  # -- name of the secret to be created
+  name: k3s-sync-token
+  # -- name of the remote secret name
+  remoteName: PIKACHU_K3S_TOKEN
+  # -- secret key to store the connection string secret
+  secretKey: K3S_TOKEN
+
 # -- Virtual Cluster Configuration. See [vcluster documentation](https://artifacthub.io/packages/helm/loft/vcluster)
 vcluster:
   enableHA: true
@@ -73,12 +95,15 @@ vcluster:
     persistence: false
   coredns:
     replicas: 3
+  k3s:
+    serverTokenKey: K3S_TOKEN
+    tokenSecretName: k3s-sync-token
   vcluster:
     env:
       - name: K3S_DATASTORE_ENDPOINT
         valueFrom:
           secretKeyRef:
-            name: pichu-root-token
+            name: datastore-endpoint
             key: K3S_DATASTORE_ENDPOINT
   podLabels:
     <<: *tags