This patch adds a ConfigMap and Pod to the eso-creds-refresher component. The Pod executes the gcloud container, impersonates the eso-creds-refresher iam service account using workload identity, then authenticates to the remote provisioner cluster. This is the foundation for a script to automatically create Secret API objects in a workload cluster which hold a kubernetes service account token that ESO SecretStore resources can use to fetch secrets from the provisioner cluster. Once we have that script in place we can turn this Pod into a Job and replace Vault.
26 lines
1008 B
CUE
package holos
|
|
|
|
// PlatformNamespace is a namespace to manage for Secret provisioning, SecretStore, etc...
|
|
#PlatformNamespace: {
|
|
name: string
|
|
}
|
|
|
|
// #PlatformNamespaces is a list of namespaces to manage across the platform.
|
|
#PlatformNamespaces: [...#PlatformNamespace]
|
|
|
|
// #CredsRefresher defines attributes for the external secrets credential refresher job.
|
|
#CredsRefresher: {
|
|
// name is the name of the job, component, and related resources.
|
|
name: "eso-creds-refresher"
|
|
// namespace is the namespace where the job runs.
|
|
namespace: "holos-system"
|
|
// project is the gcp project id hosting the provisioner cluster.
|
|
project: #InputKeys.gcpProjectID
|
|
// projectNumber is the gcp project number hosting the provisioner cluster.
|
|
projectNumber: #InputKeys.gcpProjectNumber
|
|
// iamsa is the iam service account email address.
|
|
iamServiceAccount: name + "@" + project + ".iam.gserviceaccount.com"
|
|
// region is the region of the provisioner cluster
|
|
region: string | *"us-central1" @tag(region, type=string)
|
|
}
|
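Review bot: The comment above `iamServiceAccount` still describes a field named `iamsa`, so the doc and the field disagree for the one value that selects which identity the job impersonates; change it to `// iamServiceAccount is the email address of the iam service account the job impersonates via workload identity.` and end the `region` comment with a period to match the others. `#PlatformNamespace.name` is only constrained to `string` although the commit description says these are namespaces to manage on the platform, so an invalid name is caught only when the manifest is applied; consider `name: string & =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` so `cue vet` rejects it earlier. The `@tag(region, type=string)` injection point is a reasonable override, but a one-line comment noting that it is settable from the command line (`-t region=...`) would save the next reader a trip to the CUE docs.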