(#32) SecretStore Component

Separate the SecretStore resources from the namespaces component because
it creates a deadlock.  The secretstore crds don't get applied until the
eso component is managed.

The namespaces component should have nothing but core api objects, no
custom resources.

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/cockroachdb.cue

@@ -0,0 +1,20 @@
+package holos
+
+#InputKeys: component: "crdb"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cockroachdb"
+		version: "11.2.3"
+		repository: {
+			name: "cockroachdb"
+			url:  "https://charts.cockroachdb.com/"
+		}
+	}
+	values: #Values
+	apiObjects: {
+		ExternalSecret: node: #ExternalSecret & {_name: "cockroachdb-node"}
+		ExternalSecret: root: #ExternalSecret & {_name: "cockroachdb-root"}
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.cue

@@ -478,7 +478,7 @@ package holos
 		copyCerts: image: "busybox"
 		certs: {
 			// Bring your own certs scenario. If provided, tls.init section will be ignored.
-			provided: false
+			provided: true | *false
 			// Secret name for the client root cert.
 			clientRootSecret: "cockroachdb-root"
 			// Secret name for node cert.
@@ -487,7 +487,7 @@ package holos
 			caSecret: "cockroach-ca"
 			// Enable if the secret is a dedicated TLS.
 			// TLS secrets are created by cert-mananger, for example.
-			tlsSecret: false
+			tlsSecret: true | *false
 			// Enable if the you want cockroach db to create its own certificates
 			selfSigner: {
 				// If set, the cockroach db will generate its own certificates

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.holos.cue

@@ -10,11 +10,9 @@ package holos
 		certs: {
 			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
 			selfSigner: enabled: false
-			certManager: true
-			certManagerIssuer: {
-				kind: "Issuer"
-				name: #ComponentName
-			}
+			certManager: false
+			provided:    true
+			tlsSecret:   true
 		}
 	}
 

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/zitadel/zitadel.cue

@@ -24,23 +24,8 @@ let Name = "zitadel"
 		ExternalSecret: masterkey: #ExternalSecret & {
 			_name: "zitadel-masterkey"
 		}
-		Certificate: zitadel: #Certificate & {
-			metadata: name:      "crdb-zitadel-client"
-			metadata: namespace: #TargetNamespace
-			spec: {
-				commonName: "zitadel"
-				issuerRef: {
-					group: "cert-manager.io"
-					kind:  "Issuer"
-					name:  "crdb-ca-issuer"
-				}
-				privateKey: algorithm: "RSA"
-				privateKey: size:      2048
-				renewBefore: "48h0m0s"
-				secretName:  "cockroachdb-zitadel"
-				subject: organizations: ["Cockroach"]
-				usages: ["digital signature", "key encipherment", "client auth"]
-			}
+		ExternalSecret: zitadel: #ExternalSecret & {
+			_name: "cockroachdb-zitadel"
 		}
 		VirtualService: zitadel: #VirtualService & {
 			metadata: name:      Name

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/crdb/crdbissuer.cue

@@ -85,7 +85,24 @@ package holos
 					usages: ["digital signature", "key encipherment", "client auth"]
 				}
 			}
-
+		}
+		Certificate: zitadel: #Certificate & {
+			metadata: name:      "crdb-zitadel-client"
+			metadata: namespace: #TargetNamespace
+			spec: {
+				commonName: "zitadel"
+				issuerRef: {
+					group: "cert-manager.io"
+					kind:  "Issuer"
+					name:  "crdb-ca-issuer"
+				}
+				privateKey: algorithm: "RSA"
+				privateKey: size:      2048
+				renewBefore: "48h0m0s"
+				secretName:  "cockroachdb-zitadel"
+				subject: organizations: ["Cockroach"]
+				usages: ["digital signature", "key encipherment", "client auth"]
+			}
 		}
 	}
 }

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/cockroachdb.cue

@@ -1,26 +0,0 @@
-package holos
-
-#InputKeys: component: "crdb"
-
-#HelmChart & {
-	namespace: #TargetNamespace
-	chart: {
-		name:    "cockroachdb"
-		version: "11.2.3"
-		repository: {
-			name: "cockroachdb"
-			url:  "https://charts.cockroachdb.com/"
-		}
-	}
-	values: #Values
-	apiObjects: {
-		Issuer: {
-			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
-			cockroachdb: #Issuer & {
-				metadata: name:      #ComponentName
-				metadata: namespace: #TargetNamespace
-				spec: selfSigned: {}
-			}
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/cloud/init/namespaces/component.cue

@@ -15,9 +15,6 @@ package holos
 		#Namespace & {
 			metadata: _ns
 		},
-		#SecretStore & {
-			_namespace: _ns.name
-		},
 	]
 }
 

docs/examples/platforms/reference/clusters/workload/cloud/secrets/eso-creds-refresher/component.cue

@@ -2,6 +2,15 @@ package holos
 
 import "encoding/json"
 
+#DependsOn: _ESO
+
+#InputKeys: {
+	project:   "secrets"
+	component: "eso-creds-refresher"
+}
+
+#TargetNamespace: #CredsRefresher.namespace
+
 // output kubernetes api objects for holos
 #KubernetesObjects & {
 	apiObjects: {
@@ -13,15 +22,6 @@ import "encoding/json"
 	}
 }
 
-#InputKeys: {
-	project:   "secrets"
-	component: "eso-creds-refresher"
-}
-
-#TargetNamespace: #CredsRefresher.namespace
-
-#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
-
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"
 let MOUNT = "/var/run/service-account"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/secrets.cue

@@ -0,0 +1,12 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "secrets"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"
+_ESO: ESO: name:               "\(#InstancePrefix)-eso"
+_ESOCreds: ESOCreds: name:     "\(#InstancePrefix)-eso-creds-refresher"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/secretstores/secretstores.cue

@@ -0,0 +1,34 @@
+package holos
+
+#DependsOn: _ESOCreds
+
+#TargetNamespace: "default"
+
+#InputKeys: {
+	project:   "secrets"
+	component: "stores"
+}
+
+// #PlatformNamespaceObjects defines the api objects necessary for eso SecretStores in external clusters to access secrets in a given namespace in the provisioner cluster.
+#PlatformNamespaceObjects: {
+	_ns: #PlatformNamespace
+
+	objects: [
+		#SecretStore & {
+			_namespace: _ns.name
+		},
+	]
+}
+
+#KubernetesObjects & {
+	apiObjects: {
+		for ns in #PlatformNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+				let Kind = obj.kind
+				let NS = ns.name
+				let Name = obj.metadata.name
+				"\(Kind)": "\(NS)/\(Name)": obj
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/validate/component.cue

@@ -9,7 +9,7 @@ package holos
 	component: "validate"
 }
 
-#DependsOn: Namespaces: name: #InstancePrefix + "-eso"
+#DependsOn: _ESO
 
 #KubernetesObjects & {
 	apiObjects: {

docs/provisioner/readme.md

@@ -133,9 +133,12 @@ This section configured:
 
 1. Provisioner Cluster to provide secrets to workload clusters.
 2. IAM service account `eso-creds-refresher` to identify the credential refresher job.
-3. Workload identity pool to authenticate the `eso-creds-refresher` Kubernetes service account in an external cluster.
-4. IAM policy to allow `eso-creds-refresher` to authenticate to the Provisioner Cluster.
-5. RoleBinding to allow `eso-creds-refresher` to create kubernetes service account tokens representing the credentials for use by SecretStore resources in workload clusters.
+3. Workload identity pool to authenticate the `system:serviceaccount:holos-system:eso-creds-refresher` Kubernetes service account in all clusters that share the workload identity pool.
+4. IAM policy to allow the `eso-creds-refresher` IAM service account to authenticate to the Provisioner Cluster.
+5. RoleBinding to allow the `eso-creds-refresher` IAM service account to create kubernetes service account tokens representing the credentials for use by SecretStore resources in workload clusters.
+
+> [!NOTE]
+> Any cluster in the workload identity pool can impersonate the eso-creds-refresher IAM service account.
 
 ## Cluster Setup
 
@@ -150,6 +153,12 @@ HOLOS_CLUSTER_NAME=west1
 ISSUER_URL="https://example.com/clusters/${HOLOS_CLUSTER_NAME}"
 ```
 
+Alternatively:
+
+```shell
+ISSUER_URL="$(kubectl get --raw='/.well-known/openid-configuration' | jq -r .issuer)"
+```
+
 ```shell
 gcloud iam workload-identity-pools providers create-oidc \
   k8s-$HOLOS_CLUSTER_NAME \

pkg/cli/secret/create.go

@@ -1,6 +1,7 @@
 package secret
 
 import (
+	"bytes"
 	"fmt"
 	"github.com/holos-run/holos/pkg/cli/command"
 	"github.com/holos-run/holos/pkg/holos"
@@ -29,6 +30,7 @@ func NewCreateCmd(hc *holos.Config) *cobra.Command {
 	cfg.dryRun = flagSet.Bool("dry-run", false, "dry run")
 	cfg.appendHash = flagSet.Bool("append-hash", true, "append hash to kubernetes secret name")
 	cfg.dataStdin = flagSet.Bool("data-stdin", false, "read data field as json from stdin if")
+	cfg.trimTrailingNewlines = flagSet.Bool("trim-trailing-newlines", true, "trim trailing newlines if true")
 
 	cmd.Flags().SortFlags = false
 	cmd.Flags().AddGoFlagSet(flagSet)
@@ -80,7 +82,7 @@ func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
 		}
 
 		for _, file := range cfg.files {
-			if err := filepath.WalkDir(file, makeWalkFunc(secret.Data, file)); err != nil {
+			if err := filepath.WalkDir(file, makeWalkFunc(secret.Data, file, *cfg.trimTrailingNewlines)); err != nil {
 				return wrapper.Wrap(err)
 			}
 		}
@@ -125,7 +127,7 @@ func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
 	}
 }
 
-func makeWalkFunc(data secretData, root string) fs.WalkDirFunc {
+func makeWalkFunc(data secretData, root string, trimNewlines bool) fs.WalkDirFunc {
 	return func(path string, d os.DirEntry, err error) error {
 		if err != nil {
 			return err
@@ -143,6 +145,9 @@ func makeWalkFunc(data secretData, root string) fs.WalkDirFunc {
 			if data[key], err = os.ReadFile(path); err != nil {
 				return wrapper.Wrap(err)
 			}
+			if trimNewlines {
+				data[key] = bytes.TrimRight(data[key], "\r\n")
+			}
 		}
 
 		return nil

pkg/cli/secret/secret.go

@@ -12,15 +12,16 @@ const ClusterLabel = "holos.run/cluster.name"
 type secretData map[string][]byte
 
 type config struct {
-	files      holos.StringSlice
-	printFile  *string
-	extract    *bool
-	dryRun     *bool
-	appendHash *bool
-	dataStdin  *bool
-	cluster    *string
-	namespace  *string
-	extractTo  *string
+	files                holos.StringSlice
+	printFile            *string
+	extract              *bool
+	dryRun               *bool
+	appendHash           *bool
+	dataStdin            *bool
+	trimTrailingNewlines *bool
+	cluster              *string
+	namespace            *string
+	extractTo            *string
 }
 
 func newConfig() (*config, *flag.FlagSet) {

pkg/cli/secret/testdata/create_secret_dry_run.txt

@@ -1,5 +1,5 @@
 # Create the secret
-holos create secret directory --from-file=$WORK/fixture --dry-run
+holos create secret directory --trim-trailing-newlines=false --from-file=$WORK/fixture --dry-run
 
 # Want no warnings.
 ! stderr 'WRN'

pkg/cli/secret/testdata/create_secret_from_dir.txt

@@ -1,5 +1,5 @@
 # Create the secret
-holos create secret directory --from-file=$WORK/want
+holos create secret directory --trim-trailing-newlines=false --from-file=$WORK/want
 stderr 'created: directory-..........'
 stderr 'secret=directory-..........'
 stderr 'name=directory'

pkg/cli/secret/testdata/create_secret_from_dir_strip_newlines.txt

@@ -0,0 +1,17 @@
+# Create a secret from files with trailing newlines
+holos create secret smtp --from-file=$WORK/smtp
+
+# Get the secret back expecting no trailing newlines
+mkdir have
+holos get secret smtp
+stdout '"username": "holos.run@gmail.com"'
+stdout '"password": "secret"'
+
+-- smtp/username --
+holos.run@gmail.com
+-- smtp/password --
+secret
+-- smtp/host --
+smtp.gmail.com
+-- smtp/port --
+587

pkg/cli/secret/testdata/create_secret_no_depth.txt

@@ -1,5 +1,5 @@
 # Create the secret
-holos create secret directory --from-file=$WORK/want
+holos create secret directory --trim-trailing-newlines=false --from-file=$WORK/want
 
 # Get the secret back
 mkdir have

pkg/version/embedded/patch

@@ -1 +1 @@
-1
+4