(#22) Copy external secret data files one for one

Without this patch the secret data was nested under a key with the same
name as the secret name.  This caused the ceph controller to not find
the values.

This patch changes the golden path for #ExternalSecret to copy all data
keys 1:1 from the external to the target in the cluster.

docs/examples/namespaces.cue

@@ -3,6 +3,7 @@ package holos
 // PlatformNamespace is a namespace to manage for Secret provisioning, SecretStore, etc...
 #PlatformNamespace: {
 	name: string
+	labels?: {[string]: string}
 }
 
 // #PlatformNamespaces is a list of namespaces to manage across the platform.

docs/examples/platforms/reference/clusters/metal/ceph/values.input.cue

@@ -1,8 +0,0 @@
-package holos
-
-#Input: {
-	config: {
-			clusterID: "a6de32ab-c84f-49a6-b97e-e31dc2a70931"
-			monitors: ["10.64.1.21:6789", "10.64.1.31:6789", "10.64.1.41:6789"]
-	}
-}

docs/examples/platforms/reference/clusters/metal/readme.md

@@ -1,3 +0,0 @@
-# Metal Clusters
-
-This cluster type is overlaid onto other cluster types to add services necessary outside of a cloud like GKE or EKS.  Ceph for PersistenVolumeClaim support on a Talos Proxmox cluster is the primary use case.

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/namespaces/component.cue

@@ -14,9 +14,7 @@ import "list"
 	_ns: #PlatformNamespace
 
 	objects: [
-		#Namespace & {
-			metadata: name: _ns.name
-		},
+		#Namespace & {metadata: _ns},
 	]
 }
 

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/validate/component.cue

@@ -13,7 +13,7 @@ package holos
 
 objects: [
 	#SecretStore,
-	#ExternalSecret & { _name: "validate" },
+	#ExternalSecret & {_name: "validate"},
 ]
 
 {} & #KubernetesObjects

docs/examples/platforms/reference/clusters/workload/metal/ceph/ceph.cue

@@ -4,6 +4,8 @@ package holos
 
 #TargetNamespace: "ceph-system"
 
+#SecretName: "\(#ClusterName)-ceph-csi-rbd"
+
 #InputKeys: {
 	project:   "metal"
 	service:   "ceph"
@@ -25,5 +27,8 @@ package holos
 			url:  "https://ceph.github.io/csi-charts"
 		}
 	}
-	objects: [#ExternalSecret & { _name: "ceph-csi-rbd" }]
+	objects: [
+		#SecretStore,
+		#ExternalSecret & {_name: #SecretName},
+	]
 }

docs/examples/platforms/reference/clusters/workload/metal/ceph/values.holos.cue

@@ -1,14 +1,14 @@
 package holos
 
 #Input: {
-	config : {
-		  // (required) String representing a Ceph cluster to provision storage from.
-		  // Should be unique across all Ceph clusters in use for provisioning,
-		  // cannot be greater than 36 bytes in length, and should remain immutable for
-		  // the lifetime of the StorageClass in use.
-			clusterID: string
-			// (required) []String list of ceph monitor "address:port" values.
-			monitors: [...string]
+	config: {
+		// (required) String representing a Ceph cluster to provision storage from.
+		// Should be unique across all Ceph clusters in use for provisioning,
+		// cannot be greater than 36 bytes in length, and should remain immutable for
+		// the lifetime of the StorageClass in use.
+		clusterID: string
+		// (required) []String list of ceph monitor "address:port" values.
+		monitors: [...string]
 	}
 }
 
@@ -30,7 +30,7 @@ package holos
 		// (optional) Prefix to use for naming RBD images.
 		// If omitted, defaults to "csi-vol-".
 		// NOTE: Set this to a cluster specific value, e.g. vol-k1-
-		volumeNamePrefix: "vol-\(#InputKeys.cluster)-"
+		volumeNamePrefix: "vol-\(#ClusterName)-"
 
 		// (required) String representing a Ceph cluster to provision storage from.
 		// Should be unique across all Ceph clusters in use for provisioning,
@@ -146,13 +146,13 @@ package holos
 
 		// The secrets have to contain Ceph credentials with required access
 		// to the 'pool'.
-		provisionerSecret: "csi-rbd-secret"
+		provisionerSecret: #SecretName
 		// If Namespaces are left empty, the secrets are assumed to be in the
 		// Release namespace.
 		provisionerSecretNamespace:      ""
-		controllerExpandSecret:          "csi-rbd-secret"
+		controllerExpandSecret:          #SecretName
 		controllerExpandSecretNamespace: ""
-		nodeStageSecret:                 "csi-rbd-secret"
+		nodeStageSecret:                 #SecretName
 		nodeStageSecretNamespace:        ""
 		// Specify the filesystem type of the volume. If not specified,
 		// csi-provisioner will set default as `ext4`.
@@ -165,7 +165,7 @@ package holos
 	secret: {
 		// Specifies whether the secret should be created
 		create: false
-		name:   "csi-rbd-secret"
+		name:   #SecretName
 		// Key values correspond to a user name and its key, as defined in the
 		// ceph cluster. User ID should have required access to the 'pool'
 		// specified in the storage class

docs/examples/platforms/reference/clusters/workload/metal/ceph/values.input.cue

@@ -0,0 +1,8 @@
+package holos
+
+#Input: {
+	config: {
+		clusterID: "a6de32ab-c84f-49a6-b97e-e31dc2a70931"
+		monitors: ["10.64.1.21:6789", "10.64.1.31:6789", "10.64.1.41:6789"]
+	}
+}

docs/examples/platforms/reference/clusters/workload/metal/readme.md

@@ -0,0 +1,23 @@
+# Metal Clusters
+
+This cluster type is overlaid onto other cluster types to add services necessary outside of a cloud like GKE or EKS.  Ceph for PersistenVolumeClaim support on a Talos Proxmox cluster is the primary use case.
+
+## Test Script
+
+Test ceph is working with:
+
+```bash
+apply -n default -f-<<EOF
+heredoc> apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: test
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+EOF
+```

docs/examples/platforms/reference/namespaces.cue

@@ -6,7 +6,10 @@ package holos
 	{name: "external-secrets"},
 	{name: "holos-system"},
 	{name: "flux-system"},
-	{name: "ceph-system"},
+	{
+		name: "ceph-system"
+		labels: "pod-security.kubernetes.io/enforce": "privileged"
+	},
 	{name: "istio-system"},
 	{name: "istio-ingress"},
 	{name: "cert-manager"},

docs/examples/schema.cue

@@ -11,6 +11,9 @@ import (
 	"encoding/yaml"
 )
 
+// #ClusterName is the cluster name for cluster scoped resources.
+#ClusterName: #InputKeys.cluster
+
 _apiVersion: "holos.run/v1alpha1"
 
 // #Name defines the name: string key value pair used all over the place.
@@ -90,8 +93,8 @@ _apiVersion: "holos.run/v1alpha1"
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string
 	metadata: {
-		namespace: #TargetNamespace
 		name:      _name
+		namespace: #TargetNamespace
 	}
 	spec: {
 		refreshInterval: string | *"1h"
@@ -100,12 +103,12 @@ _apiVersion: "holos.run/v1alpha1"
 			name: string | *"default"
 		}
 		target: {
+			name:           _name
 			creationPolicy: string | *"Owner"
+			deletionPolicy: string | *"Retain"
 		}
-		data: [{
-			remoteRef: key: _name
-			secretKey: _name
-		}]
+		// Copy fields 1:1 from external Secret to target Secret.
+		dataFrom: [{extract: key: _name}]
 	}
 }
 
@@ -200,7 +203,7 @@ _apiVersion: "holos.run/v1alpha1"
 	// objects holds a list of the kubernetes api objects to configure.
 	objects: [...metav1.#TypeMeta] | *[]
 	// content holds the rendered yaml text stream of kubernetes api objects.
-	content: yaml.MarshalStream(objects)
+	content:     yaml.MarshalStream(objects)
 	contentType: "application/yaml"
 	// ksObjects holds the flux Kustomization objects for gitops
 	ksObjects: [...#Kustomization] | *[#Kustomization]
@@ -246,7 +249,7 @@ _apiVersion: "holos.run/v1alpha1"
 	// objects holds a list of the kubernetes api objects to configure.
 	objects: [...metav1.#TypeMeta] | *[]
 	// content holds the rendered yaml text stream of kubernetes api objects.
-	content: yaml.MarshalStream(objects)
+	content:     yaml.MarshalStream(objects)
 	contentType: "application/yaml"
 }
 
@@ -260,3 +263,6 @@ _apiVersion: "holos.run/v1alpha1"
 
 // Holos component name
 metadata: name: #InstanceName
+
+// #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
+#SecretName: string

pkg/version/embedded/patch

@@ -1 +1 @@
-1
+2