duynguyen/k8s-cluster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove ArgoCD certificate and key files; add External Secrets Helm chart with Bitwarden SDK server integration, including configuration files, templates, and monitoring dashboard.

Browse Source
This commit is contained in:
duynguyen
2026-04-12 21:11:11 +07:00
parent 9545b79b7a
commit 26f8dd6b11
64 changed files with 36725 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

256
manifest/external-secrets/templates/crds/gcraccesstoken.yaml Normal file
View File

@@ -0,0 +1,256 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.19.0
labels:
external-secrets.io/component: controller
name: gcraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: GCRAccessToken
listKind: GCRAccessTokenList
plural: gcraccesstokens
singular: gcraccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GCRAccessToken generates an GCP access token
that can be used to authenticate with GCR.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
properties:
auth:
description: Auth defines the means for authenticating with GCP
properties:
secretRef:
description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
properties:
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
description: |-
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
maxLength: 253
minLength: 1
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the Secret resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
type: object
workloadIdentity:
description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
properties:
clusterLocation:
type: string
clusterName:
type: string
clusterProjectID:
type: string
serviceAccountRef:
description: ServiceAccountSelector is a reference to a ServiceAccount resource.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
required:
- clusterLocation
- clusterName
- serviceAccountRef
type: object
workloadIdentityFederation:
description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
properties:
audience:
description: |-
audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
If specified, Audience found in the external account credential config will be overridden with the configured value.
audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
type: string
awsSecurityCredentials:
description: |-
awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
when using the AWS metadata server is not an option.
properties:
awsCredentialsSecretRef:
description: |-
awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
Secret should be created with below names for keys
- aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
- aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
- aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
properties:
name:
description: name of the secret.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
region:
description: region is for configuring the AWS region to be used.
example: ap-south-1
maxLength: 50
minLength: 1
pattern: ^[a-z0-9-]+$
type: string
required:
- awsCredentialsSecretRef
- region
type: object
credConfig:
description: |-
credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
serviceAccountRef must be used by providing operators service account details.
properties:
key:
description: key name holding the external account credential config.
maxLength: 253
minLength: 1
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: name of the configmap.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- key
- name
type: object
externalTokenEndpoint:
description: |-
externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
credential_source.url in the provided credConfig. This field is merely to double-check the external token source
URL is having the expected value.
type: string
serviceAccountRef:
description: |-
serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
when Kubernetes is configured as provider in workload identity pool.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
type: object
type: object
projectID:
description: ProjectID defines which project to use to authenticate with
type: string
required:
- auth
- projectID
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}