Add eso to all remainings clusters.

This change will deploy ESO to all clusters (save for smaug which already has it). And set up an initial secret store for the namespace openshift-monitoring, as a means to confirm it works and also as a set up for a future addition of slack alerting support (the slack api url will need to be fetched by eso from vault for all clusters).
sabrycito · May 19, 2022 · 197bfbd · 197bfbd
1 parent 988c09b
commit 197bfbd
Show file tree

Hide file tree

Showing 49 changed files with 289 additions and 5 deletions.
diff --git a/...ase/rbac.authorization.k8s.io/clusterrolebindings/eso-tokenreview/clusterrolebinding.yaml b/...ase/rbac.authorization.k8s.io/clusterrolebindings/eso-tokenreview/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: eso-tokenreview
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: eso-vault-auth
+    namespace: external-secrets-operator
diff --git a/...ope/base/rbac.authorization.k8s.io/clusterrolebindings/eso-tokenreview/kustomization.yaml b/...ope/base/rbac.authorization.k8s.io/clusterrolebindings/eso-tokenreview/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- clusterrolebinding.yaml
diff --git a/cluster-scope/bundles/external-secrets-operator/kustomization.yaml b/cluster-scope/bundles/external-secrets-operator/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 
 resources:
   - ../../base/core/namespaces/external-secrets-operator
+  - ../../base/rbac.authorization.k8s.io/clusterrolebindings/eso-tokenreview
   - ../../base/operators.coreos.com/subscriptions/external-secrets-operator
diff --git a/cluster-scope/overlays/prod/emea/balrog/kustomization.yaml b/cluster-scope/overlays/prod/emea/balrog/kustomization.yaml
@@ -24,10 +24,13 @@ resources:
     - ../../../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-reader-k8s-annotations-exporter
     - ../../../../base/user.openshift.io/groups/cluster-admins
     - ../../../../bundles/acme-operator
+    - ../../../../bundles/external-secrets-operator
     - apiserver
     - machineautoscalers.yaml
     - ingresscontrollers
     - secrets
+    - secretstores
+    - serviceaccounts
 generators:
     - secret-generator.yaml
 patchesStrategicMerge:

diff --git a/cluster-scope/overlays/prod/emea/balrog/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/emea/balrog/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/emea/balrog/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/emea/balrog/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: balrog-k8s
+          role: emea-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/emea/balrog/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/emea/balrog/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/...serviceaccounts/vault-secret-fetcher.yaml → ...eaccounts/vault-openshift-monitoring.yaml b/...serviceaccounts/vault-secret-fetcher.yaml → ...eaccounts/vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/emea/morty/kustomization.yaml b/cluster-scope/overlays/prod/emea/morty/kustomization.yaml
@@ -48,8 +48,11 @@ resources:
 - ../../../../base/rbac.authorization.k8s.io/clusterrolebindings/sudoers
 - ../../../../base/user.openshift.io/groups/cluster-admins
 - ../../../../base/user.openshift.io/groups/sudoers
+- ../../../../bundles/external-secrets-operator
 - ../../../../bundles/nfd
 - ../common
 - apiserver/api_server_cert.yaml
 - ingresscontrollers/default.yaml
 - secrets
+- secretstores
+- serviceaccounts
diff --git a/cluster-scope/overlays/prod/emea/morty/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/emea/morty/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/emea/morty/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/emea/morty/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: morty-k8s
+          role: emea-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/emea/morty/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/emea/morty/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/emea/morty/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/emea/morty/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/cluster-scope/overlays/prod/emea/rick/kustomization.yaml b/cluster-scope/overlays/prod/emea/rick/kustomization.yaml
@@ -37,9 +37,12 @@ resources:
     - ../../../../base/user.openshift.io/groups/cluster-admins
     - ../../../../base/storage.k8s.io/storageclasses/ocs-storagecluster-cephfs
     - ../../../../bundles/acme-operator
+    - ../../../../bundles/external-secrets-operator
     - ../../../../bundles/nfd
     - clusterversion.yaml
     - secrets
+    - secretstores
+    - serviceaccounts
 
 generators:
     - secret-generator.yaml

diff --git a/cluster-scope/overlays/prod/emea/rick/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/emea/rick/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/emea/rick/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/emea/rick/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: rick-k8s
+          role: emea-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/emea/rick/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/emea/rick/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/emea/rick/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/emea/rick/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/cluster-scope/overlays/prod/moc/curator/kustomization.yaml b/cluster-scope/overlays/prod/moc/curator/kustomization.yaml
@@ -15,10 +15,11 @@ resources:
   - ../../../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-rb
   - ../../../../base/storage.k8s.io/storageclasses/hostpath-provisioner
   - ../../../../base/user.openshift.io/groups/cluster-admins
-
+  - ../../../../bundles/external-secrets-operator
   - machineconfigs/50-ipmi-route.yaml
   - configmaps/admin-acks.yaml
-
+  - secretstores
+  - serviceaccounts
 generators:
   - secret-generator.yaml
 

diff --git a/cluster-scope/overlays/prod/moc/curator/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/moc/curator/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/moc/curator/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/moc/curator/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: curator-k8s
+          role: moc-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/moc/curator/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/moc/curator/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/moc/curator/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/moc/curator/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/cluster-scope/overlays/prod/moc/infra/kustomization.yaml b/cluster-scope/overlays/prod/moc/infra/kustomization.yaml
@@ -41,6 +41,7 @@ resources:
   - ../../../../base/storage.k8s.io/storageclasses/moc-nfs-csi
   - ../../../../base/user.openshift.io/groups/cluster-admins
   - ../../../../bundles/acme-operator
+  - ../../../../bundles/external-secrets-operator
   - ../../../../bundles/idp-mgmt-operator
   - apiserver/api_server_cert.yaml
   - clusterversion.yaml
@@ -53,7 +54,8 @@ resources:
   - nodenetworkconfigurationpolicies/zero-provisioning-vlan.yaml
   - oauth
   - secrets
-
+  - secretstores
+  - serviceaccounts
 generators:
   - secret-generator.yaml
 

diff --git a/cluster-scope/overlays/prod/moc/infra/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/moc/infra/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/moc/infra/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/moc/infra/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: infra-k8s
+          role: moc-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/moc/infra/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/moc/infra/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/moc/infra/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/moc/infra/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/cluster-scope/overlays/prod/moc/smaug/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/moc/smaug/serviceaccounts/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - vault-secret-fetcher.yaml
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/moc/smaug/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/moc/smaug/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/cluster-scope/overlays/prod/osc/osc-cl1/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl1/kustomization.yaml
@@ -41,8 +41,11 @@ resources:
 - ../../../../base/user.openshift.io/groups/pachyderm-admins
 - ../../../../base/user.openshift.io/groups/seldon-admin
 - ../../../../base/user.openshift.io/groups/sostrades
+- ../../../../bundles/external-secrets-operator
 - ../../../../bundles/opendatahub-operator-manual
 - ../../../../bundles/training-operator
 - ../../../../bundles/openshift-pipelines
 - apiserver
 - ingresscontroller
+- secretstores
+- serviceaccounts
diff --git a/cluster-scope/overlays/prod/osc/osc-cl1/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl1/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/osc/osc-cl1/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/osc/osc-cl1/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: osc-cl1-k8s
+          role: osc-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/osc/osc-cl1/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl1/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/osc/osc-cl1/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/osc/osc-cl1/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/cluster-scope/overlays/prod/osc/osc-cl2/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl2/kustomization.yaml
@@ -29,6 +29,7 @@ resources:
   - ../../../../base/user.openshift.io/groups/odh-users
   - ../../../../base/user.openshift.io/groups/pachyderm-admins
   - ../../../../base/user.openshift.io/groups/seldon-admin
+  - ../../../../bundles/external-secrets-operator
   - ../../../../bundles/kfp-tekton
   - ../../../../bundles/opendatahub-operator-manual
   - ../../../../bundles/openshift-pipelines
@@ -41,7 +42,8 @@ resources:
   - operators.coreos.com/operatorgroups/nvidia-gpu-operator
   - operators.coreos.com/subscriptions/nvidia-gpu-operator
   - nvidia-gpu
-
+  - secretstores
+  - serviceaccounts
 patchesStrategicMerge:
   - oauths/cluster-patch.yaml
   - configmaps/cluster-monitoring-config.yaml

diff --git a/cluster-scope/overlays/prod/osc/osc-cl2/secretstores/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl2/secretstores/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/osc/osc-cl2/secretstores/openshift-monitoring.yaml b/cluster-scope/overlays/prod/osc/osc-cl2/secretstores/openshift-monitoring.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openshift-monitoring
+  namespace: openshift-monitoring
+spec:
+  provider:
+    vault:
+      auth:
+        kubernetes:
+          mountPath: osc-cl2-k8s
+          role: osc-ops
+          serviceAccountRef:
+            name: vault-secret-fetcher
+      path: k8s_secrets
+      server: 'https://vault-ui-vault.apps.smaug.na.operate-first.cloud'
+      version: v2
diff --git a/cluster-scope/overlays/prod/osc/osc-cl2/serviceaccounts/kustomization.yaml b/cluster-scope/overlays/prod/osc/osc-cl2/serviceaccounts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vault-openshift-monitoring.yaml
diff --git a/cluster-scope/overlays/prod/osc/osc-cl2/serviceaccounts/vault-openshift-monitoring.yaml b/cluster-scope/overlays/prod/osc/osc-cl2/serviceaccounts/vault-openshift-monitoring.yaml
@@ -0,0 +1,5 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vault-secret-fetcher
+  namespace: openshift-monitoring
diff --git a/external-secrets/base/kustomization.yaml b/external-secrets/base/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - eso.yaml
+  - serviceaccount.yaml
diff --git a/external-secrets/base/serviceaccount.yaml b/external-secrets/base/serviceaccount.yaml
@@ -0,0 +1,4 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: eso-vault-auth
diff --git a/external-secrets/overlays/emea/balrog/kustomization.yaml b/external-secrets/overlays/emea/balrog/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-secrets-operator
+resources:
+  - ../../../base
diff --git a/external-secrets/overlays/emea/morty/kustomization.yaml b/external-secrets/overlays/emea/morty/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-secrets-operator
+resources:
+  - ../../../base
diff --git a/external-secrets/overlays/emea/rick/kustomization.yaml b/external-secrets/overlays/emea/rick/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-secrets-operator
+resources:
+  - ../../../base