Add sealedsecrets deployment (#45)

nephelaiio · Feb 4, 2024 · ab83e71 · ab83e71
1 parent 6ab4b46
commit ab83e71
Show file tree

Hide file tree

Showing 17 changed files with 77 additions and 26 deletions.
diff --git a/.talismanrc b/.talismanrc
@@ -1,17 +1,13 @@
 fileignoreconfig:
   - filename: defaults/main/mysql.yml
     ignore_detectors: [ filename ]
+  - filename: defaults/main/sealedsecrets.yml
+    ignore_detectors: [ filecontent ]
   - filename: poetry.lock
     ignore_detectors: [ filecontent ]
   - filename: tasks/deploy/mysql.yml
     ignore_detectors: [ filename ]
-  - filename: tasks/verify/mysql.yml
-    ignore_detectors: [ filename ]
-  - filename: tasks/verify/argocd.yml
-    ignore_detectors: [ filecontent ]
-  - filename: tasks/verify/install.yml
-    ignore_detectors: [ filecontent ]
-  - filename: tasks/verify/secrets.yml
-    ignore_detectors: [ filecontent ]
+  - filename: tasks/verify/*.yml
+    ignore_detectors: [ filename, filecontent ]
   - filename: .github/workflows/release.yml
     ignore_detectors: [ filecontent ]
diff --git a/defaults/main/argocd.yml b/defaults/main/argocd.yml
@@ -8,8 +8,8 @@ k8s_argocd_exec_timeout: "3m"
 k8s_argocd_chart:
   name: "argo-cd"
   repo: "https://argoproj.github.io/argo-helm"
-  release: "5.53.6"
-  last_checked: "2024-01-22T16:18:49-06:00"
+  release: "5.53.13"
+  last_checked: "2024-02-02T22:37:26-06:00"
 k8s_argocd_chart_values:
   redis-ha:
     enabled: false
@@ -26,8 +26,8 @@ k8s_argocd_apps_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_argocd_apps_chart:
   name: "argocd-apps"
   repo: "https://argoproj.github.io/argo-helm"
-  release: "1.4.1"
-  last_checked: "2024-01-22T16:18:59-06:00"
+  release: "1.6.1"
+  last_checked: "2024-02-02T22:37:49-06:00"
 k8s_argocd_apps_chart_values:
   applications: []
   applicationsets: []

diff --git a/defaults/main/certmanager.yml b/defaults/main/certmanager.yml
@@ -4,7 +4,7 @@ k8s_certmanager_namespace: "cert-manager"
 k8s_certmanager_chart:
   name: "cert-manager"
   repo: "https://charts.jetstack.io"
-  release: "v1.13.3"
-  last_checked: "2024-01-22T16:18:28-06:00"
+  release: "v1.14.1"
+  last_checked: "2024-02-02T22:35:38-06:00"
 k8s_certmanager_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_certmanager_cacert: "/usr/share/ca-certificates/{{ k8s_cluster_name }}.crt"
diff --git a/defaults/main/keel.yml b/defaults/main/keel.yml
@@ -5,5 +5,5 @@ k8s_keel_chart:
   name: "keel"
   repo: "https://charts.keel.sh "
   release: "1.0.3"
-  last_checked: "2024-01-22T16:18:35-06:00"
+  last_checked: "2024-02-02T22:36:18-06:00"
 k8s_keel_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/longhorn.yml b/defaults/main/longhorn.yml
@@ -6,8 +6,8 @@ k8s_longhorn_wait_timeout: "{{ k8s_wait_timeout }}"
 k8s_longhorn_chart:
   name: longhorn
   repo: "https://charts.longhorn.io"
-  release: "1.5.3"
-  last_checked: "2024-01-22T16:19:07-06:00"
+  release: "1.6.0"
+  last_checked: "2024-02-02T22:37:02-06:00"
 k8s_longhorn_chart_values:
   persistence:
     defaultClass: false
diff --git a/defaults/main/metallb.yml b/defaults/main/metallb.yml
@@ -3,6 +3,6 @@ k8s_metallb_namespace: "metallb-system"
 k8s_metallb_chart:
   name: "metallb"
   repo: "https://charts.bitnami.com/bitnami"
-  release: "4.11.0"
-  last_checked: "2024-01-22T16:18:43-06:00"
+  release: "4.11.1"
+  last_checked: "2024-02-02T22:38:36-06:00"
 k8s_metallb_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/mysql.yml b/defaults/main/mysql.yml
@@ -7,4 +7,4 @@ k8s_mysql_chart:
   name: "mysql-operator"
   repo: "https://mysql.github.io/mysql-operator"
   release: "2.1.2"
-  last_checked: "2024-01-22T16:19:34-06:00"
+  last_checked: "2024-02-02T22:38:14-06:00"
diff --git a/defaults/main/nginx.yml b/defaults/main/nginx.yml
@@ -5,6 +5,6 @@ k8s_nginx_namespace: "nginx"
 k8s_nginx_chart:
   name: "ingress-nginx"
   repo: "https://kubernetes.github.io/ingress-nginx"
-  release: "4.9.0"
-  last_checked: "2024-01-22T16:19:49-06:00"
+  release: "4.9.1"
+  last_checked: "2024-02-02T22:36:40-06:00"
 k8s_nginx_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/opensearch.yml b/defaults/main/opensearch.yml
@@ -5,6 +5,6 @@ k8s_opensearch_chart:
   name: "opensearch-operator"
   repo: "https://opensearch-project.github.io/opensearch-k8s-operator"
   release: "2.4.0"
-  last_checked: "2024-01-22T16:19:41-06:00"
+  last_checked: "2024-02-02T22:35:57-06:00"
 k8s_opensearch_namespace: opensearch
 k8s_opensearch_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/reflector.yml b/defaults/main/reflector.yml
@@ -5,5 +5,5 @@ k8s_reflector_chart:
   name: "reflector"
   repo: "https://emberstack.github.io/helm-charts"
   release: "7.1.238"
-  last_checked: "2024-01-22T16:19:27-06:00"
+  last_checked: "2024-02-02T22:35:12-06:00"
 k8s_reflector_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/sealedsecrets.yml b/defaults/main/sealedsecrets.yml
@@ -0,0 +1,9 @@
+---
+k8s_sealedsecrets_deploy: true
+k8s_sealedsecrets_namespace: "kube-system"
+k8s_sealedsecrets_chart:
+  name: "sealed-secrets"
+  repo: "https://bitnami-labs.github.io/sealed-secrets"
+  release: "2.14.2"
+  last_checked: "2024-02-02T22:34:36-06:00"
+k8s_sealedsecrets_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/strimzi.yml b/defaults/main/strimzi.yml
@@ -5,6 +5,6 @@ k8s_strimzi_chart:
   name: "strimzi-kafka-operator"
   repo: "https://strimzi.io/charts/"
   release: "0.39.0"
-  last_checked: "2024-01-22T16:19:19-06:00"
+  last_checked: "2024-02-02T22:34:11-06:00"
 k8s_strimzi_namespace: strimzi
 k8s_strimzi_wait_timeout: "{{ k8s_wait_timeout }}"
diff --git a/defaults/main/zalando.yml b/defaults/main/zalando.yml
@@ -9,4 +9,4 @@ k8s_zalando_chart:
   name: "postgres-operator"
   repo: "https://opensource.zalando.com/postgres-operator/charts/postgres-operator"
   release: "1.10.1"
-  last_checked: "2024-01-22T16:19:13-06:00"
+  last_checked: "2024-02-02T22:34:47-06:00"
diff --git a/tasks/deploy.yml b/tasks/deploy.yml
@@ -54,3 +54,7 @@
 - name: Include reflector deployment tasks
   ansible.builtin.include_tasks: "deploy/reflector.yml"
   when: k8s_reflector_deploy | bool
+
+- name: Include sealedsecrets deployment tasks
+  ansible.builtin.include_tasks: "deploy/sealedsecrets.yml"
+  when: k8s_sealedsecrets_deploy | bool
diff --git a/tasks/deploy/sealedsecrets.yml b/tasks/deploy/sealedsecrets.yml
@@ -0,0 +1,14 @@
+---
+- name: Manage sealed-secrets Helm chart
+  kubernetes.core.helm:
+    name: sealedsecrets
+    chart_ref: "{{ k8s_sealedsecrets_chart.name }}"
+    chart_repo_url: "{{ k8s_sealedsecrets_chart.repo }}"
+    chart_version: "{{ k8s_sealedsecrets_chart.release }}"
+    release_namespace: "{{ k8s_sealedsecrets_namespace }}"
+    create_namespace: true
+    state: present
+    wait: true
+    wait_timeout: "{{ k8s_sealedsecrets_wait_timeout }}s"
+    kubeconfig: "{{ k8s_kubeconfig | default(omit) }}"
+    binary_path: "{{ lookup('ansible.builtin.env', 'HELM_BIN', default=k8s_helm_bin) }}"
diff --git a/tasks/verify/reflector.yml b/tasks/verify/reflector.yml
@@ -0,0 +1,14 @@
+---
+- name: Query Helm deployments
+  ansible.builtin.command: "{{ k8s_helm_bin }} list -A -o json"
+  environment:
+    KUBECONFIG: "{{ k8s_kubeconfig }}"
+  register: helm_query
+  changed_when: false
+
+- name: Verify reflector deployment
+  ansible.builtin.assert:
+    that: _helm_reflector | length == 1
+    fail_msg: "reflector deployment not found"
+  vars:
+    _helm_reflector: "{{ helm_query.stdout | from_json | selectattr('name', 'equalto', 'reflector') }}"
diff --git a/tasks/verify/sealedsecrets.yml b/tasks/verify/sealedsecrets.yml
@@ -0,0 +1,14 @@
+---
+- name: Query Helm deployments
+  ansible.builtin.command: "{{ k8s_helm_bin }} list -A -o json"
+  environment:
+    KUBECONFIG: "{{ k8s_kubeconfig }}"
+  register: helm_query
+  changed_when: false
+
+- name: Verify sealedsecrets deployment
+  ansible.builtin.assert:
+    that: _helm_sealedsecrets | length == 1
+    fail_msg: "sealedsecrets deployment not found"
+  vars:
+    _helm_sealedsecrets: "{{ helm_query.stdout | from_json | selectattr('name', 'equalto', 'sealed-secrets') }}"