
Commit 02e7fbe

authored
Merge pull request #8415 from sudharshanibm/secret-manager
Add ClusterSecretStore for IBM provider's Secrets Manager
2 parents acedf35 + d3b7fd7 commit 02e7fbe


2 files changed

+133
-133
lines changed


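--- a/kubernetes/ibm-s390x/helm/external-secrets.yaml
+++ b/kubernetes/ibm-s390x/helm/external-secrets.yaml
@@ -7,32 +7,32 @@ extraObjects:
 provider:
 gcpsm:
 projectID: k8s-infra-prow-build
-# - apiVersion: external-secrets.io/v1beta1
-# kind: ClusterSecretStore
-# metadata:
-# name: secretstore-ibm-k8s
-# spec:
-# provider:
-# ibm:
-# serviceUrl: "https://3297fd32-6322-45e2-af3f-00b1a5af3565.us-south.secrets-manager.appdomain.cloud"
-# auth:
-# secretRef:
-# secretApiKeySecretRef:
-# name: ibm-sm-apikey
-# key: API_KEY
-# namespace: external-secrets
-# - apiVersion: external-secrets.io/v1beta1
-# kind: ExternalSecret
-# metadata:
-# name: ibm-sm-apikey
-# spec:
-# data:
-# - remoteRef:
-# key: ibm-sm-apikey
-# secretKey: API_KEY
-# secretStoreRef:
-# kind: ClusterSecretStore
-# name: k8s-infra-prow-build
+- apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+name: secretstore-ibm-k8s
+spec:
+provider:
+ibm:
+serviceUrl: "https://0664d47c-fe42-423f-930d-69570443cd15.eu-de.secrets-manager.appdomain.cloud"
+auth:
+secretRef:
+secretApiKeySecretRef:
+name: ibm-sm-apikey
+key: API_KEY
+namespace: external-secrets
+- apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: ibm-sm-apikey
+spec:
+data:
+- remoteRef:
+key: ibm-sm-apikey
+secretKey: API_KEY
+secretStoreRef:
+kind: ClusterSecretStore
+name: k8s-infra-prow-build
 - apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -52,60 +52,60 @@ extraObjects:
 }
 }
 }
-# - apiVersion: external-secrets.io/v1beta1
-# kind: ExternalSecret
-# metadata:
-# name: secret-rotator-api-key
-# spec:
-# refreshInterval: 60m
-# secretStoreRef:
-# name: secretstore-ibm-k8s
-# kind: ClusterSecretStore
-# target:
-# name: secret-rotator-api-key
-# creationPolicy: Owner
-# data:
-# - secretKey: api-key
-# remoteRef:
-# key: iam_credentials/2067d245-e61c-11b2-2c5a-b2be281ea4b8
-# - apiVersion: batch/v1
-# kind: CronJob
-# metadata:
-# name: ibmcloud-secret-rotator
-# labels:
-# app: ibmcloud-secret-rotator
-# spec:
-# schedule: "0 */2 * * *"
-# jobTemplate:
-# spec:
-# template:
-# spec:
-# containers:
-# - name: rotator-container
-# image: public.ecr.aws/docker/library/golang:1.24
-# imagePullPolicy: Always
-# command:
-# - /bin/bash
-# args:
-# - -c
-# - |
-# set -o errexit
-# set -o nounset
-# set -o pipefail
+- apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: secret-rotator-api-key
+spec:
+refreshInterval: 60m
+secretStoreRef:
+name: secretstore-ibm-k8s
+kind: ClusterSecretStore
+target:
+name: secret-rotator-api-key
+creationPolicy: Owner
+data:
+- secretKey: api-key
+remoteRef:
+key: iam_credentials/a2f576a8-e609-105f-e586-20b6706f2215
+- apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: ibmcloud-secret-rotator
+labels:
+app: ibmcloud-secret-rotator
+spec:
+schedule: "0 */2 * * *"
+jobTemplate:
+spec:
+template:
+spec:
+containers:
+- name: rotator-container
+image: public.ecr.aws/docker/library/golang:1.24
+imagePullPolicy: Always
+command:
+- /bin/bash
+args:
+- -c
+- |
+set -o errexit
+set -o nounset
+set -o pipefail
 
-# go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8
-# secret-manager rotate --instance-id 3297fd32-6322-45e2-af3f-00b1a5af3565 --labels rotate:true --confirm
-# env:
-# - name: IBMCLOUD_ENV_FILE
-# value: "/home/.ibmcloud/api-key"
-# volumeMounts:
-# - name: credentials
-# mountPath: /home/.ibmcloud
-# restartPolicy: OnFailure
-# volumes:
-# - name: credentials
-# secret:
-# secretName: secret-rotator-api-key
+go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8
+secret-manager rotate --instance-id 0664d47c-fe42-423f-930d-69570443cd1 --labels rotate:true --confirm
+env:
+- name: IBMCLOUD_ENV_FILE
+value: "/home/.ibmcloud/api-key"
+volumeMounts:
+- name: credentials
+mountPath: /home/.ibmcloud
+restartPolicy: OnFailure
+volumes:
+- name: credentials
+secret:
+secretName: secret-rotator-api-key
 
 extraVolumes:
 - name: google-iam-token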
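Review bot: The `--instance-id` on the new `secret-manager rotate` line is `0664d47c-fe42-423f-930d-69570443cd1`, one character shorter than the instance GUID in the new `serviceUrl` (`0664d47c-fe42-423f-930d-69570443cd15`), so the rotator CronJob appears to target an ID that does not match the store it is meant to rotate. If that is a copy error, the job will presumably fail or rotate nothing on every two-hour run while the ExternalSecrets keep syncing, leaving credentials labelled `rotate:true` unrotated without an obvious signal. Change it to `--instance-id 0664d47c-fe42-423f-930d-69570443cd15`, and consider a comment above the command tying the ID to the `serviceUrl` so the two are updated together. Separately, the job mounts the rotation API key into a container pulled by mutable tag (`golang:1.24`, `imagePullPolicy: Always`) and installs the tool from a short commit prefix; pinning the image by digest and the module by full commit hash would narrow what can run with that key.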

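--- a/kubernetes/ibm-s390x/prow/secrets.yaml
+++ b/kubernetes/ibm-s390x/prow/secrets.yaml
@@ -19,57 +19,57 @@ stringData:
 }
 }
 
-# ---
-# apiVersion: external-secrets.io/v1beta1
-# kind: ExternalSecret
-# metadata:
-# name: prow-job-api-key
-# namespace: test-pods
-# spec:
-# refreshInterval: 30m
-# secretStoreRef:
-# name: secretstore-ibm-k8s
-# kind: ClusterSecretStore
-# target:
-# name: prow-job-api-key
-# creationPolicy: Owner
-# data:
-# - secretKey: key
-# remoteRef:
-# key: iam_credentials/32412dc3-aa99-d54d-4b9b-7b33a8c741a3
-# ---
-# apiVersion: external-secrets.io/v1beta1
-# kind: ExternalSecret
-# metadata:
-# name: prow-job-ssh-private-key
-# namespace: test-pods
-# spec:
-# refreshInterval: 60m
-# secretStoreRef:
-# name: secretstore-ibm-k8s
-# kind: ClusterSecretStore
-# target:
-# name: prow-job-ssh-private-key
-# creationPolicy: Owner
-# data:
-# - secretKey: ssh-privatekey
-# remoteRef:
-# key: 72d8039f-6cfc-1bbf-ba8e-d85985b42ee0
-# ---
-# apiVersion: external-secrets.io/v1beta1
-# kind: ExternalSecret
-# metadata:
-# name: boskos-janitor-api-key
-# namespace: test-pods
-# spec:
-# refreshInterval: 60m
-# secretStoreRef:
-# name: secretstore-ibm-k8s
-# kind: ClusterSecretStore
-# target:
-# name: boskos-janitor-api-key
-# creationPolicy: Owner
-# data:
-# - secretKey: api-key
-# remoteRef:
-# key: iam_credentials/51518fbd-1667-f811-99ba-72688fd6c703
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: prow-job-api-key
+namespace: test-pods
+spec:
+refreshInterval: 30m
+secretStoreRef:
+name: secretstore-ibm-k8s
+kind: ClusterSecretStore
+target:
+name: prow-job-api-key
+creationPolicy: Owner
+data:
+- secretKey: key
+remoteRef:
+key: iam_credentials/8d0c5130-2b8e-68f7-45b1-eeb54d36fe47
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: prow-job-ssh-private-key
+namespace: test-pods
+spec:
+refreshInterval: 60m
+secretStoreRef:
+name: secretstore-ibm-k8s
+kind: ClusterSecretStore
+target:
+name: prow-job-ssh-private-key
+creationPolicy: Owner
+data:
+- secretKey: ssh-privatekey
+remoteRef:
+key: 9bf7242a-f493-7a86-61f3-4c75a1b73022
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: boskos-janitor-api-key
+namespace: test-pods
+spec:
+refreshInterval: 60m
+secretStoreRef:
+name: secretstore-ibm-k8s
+kind: ClusterSecretStore
+target:
+name: boskos-janitor-api-key
+creationPolicy: Owner
+data:
+- secretKey: api-key
+remoteRef:
+key: iam_credentials/7e61f6ee-3d8d-f53b-70e7-c274e0dde72d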
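Review bot: These three ExternalSecrets in `test-pods` resolve through the cluster-scoped `secretstore-ibm-k8s`, and the store as enabled in `helm/external-secrets.yaml` in this commit sets no `spec.conditions`, so it can be referenced from any namespace where someone is able to create an ExternalSecret. Since the store's API key can read IAM credentials and an SSH private key, restrict it to the namespaces that need it, for example `conditions:` followed by `- namespaces: ["external-secrets", "test-pods"]` under the store's `spec` (the namespace of `secret-rotator-api-key` is not shown here, so confirm the list). A short comment above each `remoteRef.key` naming the secret in the eu-de instance it points at would also let a reviewer check that none of the opaque IDs were carried over from the previous instance.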
