Update to helm chart so we can use csi-secrets-store

Martyn 2023-12-04 15:40:08 +00:00
parent 06001b4216
commit 5ebcfa7aad
3 changed files with 39 additions and 4 deletions


@ -1,4 +1,8 @@
{{- $fullName := include "wg-access-server.fullname" . -}} {{- $fullName := include "wg-access-server.fullname" . -}}
{{ $secretName := $fullName }}
{{- if .Values.config.existingSecret -}}
{{ $secretName = .Values.config.existingSecret }}
{{ end -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@ -46,21 +50,21 @@ spec:
- name: WG_WIREGUARD_PRIVATE_KEY - name: WG_WIREGUARD_PRIVATE_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: "{{ $fullName }}" name: "{{ $secretName }}"
key: privateKey key: privateKey
{{- end }} {{- end }}
{{- if .Values.web.config.adminUsername }} {{- if .Values.web.config.adminUsername }}
- name: WG_ADMIN_USERNAME - name: WG_ADMIN_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: "{{ $fullName }}" name: "{{ $secretName }}"
key: adminUsername key: adminUsername
{{- end}} {{- end}}
{{- if .Values.web.config.adminPassword }} {{- if .Values.web.config.adminPassword }}
- name: WG_ADMIN_PASSWORD - name: WG_ADMIN_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: "{{ $fullName }}" name: "{{ $secretName }}"
key: adminPassword key: adminPassword
{{- end}} {{- end}}
volumeMounts: volumeMounts:
@ -68,9 +72,14 @@ spec:
mountPath: /dev/net/tun mountPath: /dev/net/tun
- name: data - name: data
mountPath: /data mountPath: /data
{{- if .Values.config.csiSecretsStore }}
- name: config
mountPath: /config.yaml
{{- else }}
- name: config - name: config
mountPath: /config.yaml mountPath: /config.yaml
subPath: config.yaml subPath: config.yaml
{{- end}}
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / path: /
@ -90,9 +99,18 @@ spec:
{{- if not .Values.persistence.enabled }} {{- if not .Values.persistence.enabled }}
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- if .Values.config.csiSecretsStore }}
- name: config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: app-secrets
{{- else }}
- name: config - name: config
configMap: configMap:
name: "{{ $fullName }}" name: "{{ $fullName }}"
{{- end }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
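Review bot: The `secretKeyRef` entries for `WG_ADMIN_USERNAME` and `WG_ADMIN_PASSWORD` are still wrapped in `{{- if .Values.web.config.adminUsername }}` and `{{- if .Values.web.config.adminPassword }}`, so setting only `config.existingSecret` renders neither variable and the operator must keep a non-empty credential in the values anyway, which is what an existing secret is meant to avoid. Widening the guards, for example `{{- if or .Values.web.config.adminPassword .Values.config.existingSecret }}`, would let the secret be the only place the credential lives; the guard around `WG_WIREGUARD_PRIVATE_KEY` opens outside the hunk and probably needs the same change. In the CSI branch the volume is mounted at `/config.yaml` without `subPath`, so that path becomes a directory holding whatever file the SecretProviderClass writes (it looks like `config`); whether the server accepts a directory there should be confirmed. The class name `app-secrets` is also fixed rather than derived from `$fullName`, so two releases in one namespace would share it.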


@ -0,0 +1,13 @@
---
{{- if .Values.wireguard.config.csiSecretsStore -}}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: app-secrets
spec:
provider: {{ .Values.wireguard.config.csiSecretsStore.providerName | default "1password" }}
parameters:
secrets: |
- resourceName: {{ .Values.wireguard.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }}
path: "config"
{{- end -}}
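Review bot: This template gates on and reads `.Values.wireguard.config.csiSecretsStore`, while the Deployment's CSI volume and the new values entry use `.Values.config.csiSecretsStore`, so unless both keys are set, enabling the feature through the documented key mounts a volume that references a SecretProviderClass this file does not render. Using the same key here, `{{- if .Values.config.csiSecretsStore -}}`, would keep the two in step. The `default` for `resourceName` is a URL naming one specific 1Password vault and item, which publishes those identifiers with the chart and silently points every install that omits the value at that item; `{{ required "config.csiSecretsStore.resourceName must be set" .Values.config.csiSecretsStore.resourceName }}` fails the render instead, and the commented example in the values file could carry a placeholder URL. The leading `---` sits outside the `if`, so a chart with the feature disabled still emits an empty document.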


@ -1,5 +1,9 @@
# wg-access-server config # wg-access-server config
config: {} config:
existingSecret: ""
csiSecretsStore: {}
# providerName: 1password
# resourceName: https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes
web: web:
config: config: