diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml new file mode 100644 index 0000000..9da2123 --- /dev/null +++ b/.github/linters/.markdown-lint.yml @@ -0,0 +1,5 @@ +--- +default: true +MD013: + line_length: 800 + tables: false diff --git a/.github/linters/.yaml-lint.yml b/.github/linters/.yaml-lint.yml new file mode 100644 index 0000000..7b179ac --- /dev/null +++ b/.github/linters/.yaml-lint.yml @@ -0,0 +1,17 @@ +--- +extends: default + +ignore: | + templates/ + +rules: + document-start: disable + line-length: + max: 150 + allow-non-breakable-inline-mappings: true + allow-non-breakable-words: true + braces: disable + brackets: disable + indentation: disable + truthy: disable + comments: disable diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..0350652 --- /dev/null +++ b/.prettierignore @@ -0,0 +1 @@ +templates/ diff --git a/Chart.yaml b/Chart.yaml index 0f6e9c0..39b1da6 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,4 +3,4 @@ description: A Helm chart to set up the Openshift External Secrets Operator keywords: - pattern name: openshift-external-secrets -version: 0.0.3 +version: 0.0.4 diff --git a/README.md b/README.md index ccd1f9e..445ce82 100644 --- a/README.md +++ b/README.md 
@@ -1,16 +1,75 @@ # openshift-external-secrets -![Version: 0.0.3](https://img.shields.io/badge/Version-0.0.3-informational?style=flat-square) +![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) A Helm chart to set up the Openshift External Secrets Operator ## Notable changes +v0.0.4: Add vault.externalAddress to allow configuration of separate, unmanaged vault + +## Using a completely external Vault + +Use this when HashiCorp Vault is **not** deployed by Validated Patterns on the hub (for example a shared corporate Vault or a cluster-external service). + +1. **ClusterSecretStore backend** – Keep `global.secretStore.backend` as `vault` (or omit it; the chart defaults to Vault). + +2. **Vault API URL** – Set `ocpExternalSecrets.vault.externalAddress` to the reachable HTTPS base URL of your Vault (same value you would put in `spec.provider.vault.server`), for example `https://vault.example.corp:8200`. When this is empty, the chart targets the framework hub route `vault-vault.` instead. + +3. **KV engine** – Optional. Under `ocpExternalSecrets.vault.external`, set `kvPath` and/or `kvVersion` if your mount is not the default path `secret` or not KV v2. These keys are **only** read when `externalAddress` is non-empty; otherwise they are ignored. + +4. **Arbitrary external auth provider** – When `ocpExternalSecrets.vault.externalAddress` is non-empty, you can provide `ocpExternalSecrets.vault.external.auth` to inject any supported ESO Vault auth block directly into `spec.provider.vault.auth` (for example AppRole, token, JWT/OIDC, LDAP, cert). This is the recommended path when your external Vault does not use Kubernetes auth from this chart. + +5. **Kubernetes auth on the external Vault** – If you do not set `ocpExternalSecrets.vault.external.auth`, the chart uses Kubernetes auth. 
On the Vault side, configure a Kubernetes auth mount and role that trust the External Secrets Operator service account (`ocpExternalSecrets.rbac.serviceAccount` in this chart). In values, you can pin the store to that Vault configuration by setting **both** `ocpExternalSecrets.vault.external.kubernetesMountPath` and `ocpExternalSecrets.vault.external.kubernetesRole`. If either is left empty, the chart falls back to the usual hub/spoke auth fields (`vault.mountPath`, `rbac.rolename`, or spoke `global.clusterDomain`), which may not match your external Vault and should be overridden for a fully external setup. + +6. **External Kubernetes auth token Secret reference** – When `ocpExternalSecrets.vault.externalAddress` is non-empty and you use the Kubernetes auth fallback path, you must set: + - `ocpExternalSecrets.vault.external.secretRef.name` + - `ocpExternalSecrets.vault.external.secretRef.namespace` + - `ocpExternalSecrets.vault.external.secretRef.key` + + These values are used directly in `spec.provider.vault.auth.kubernetes.secretRef` and should point to an existing Secret that contains the JWT token expected by your external Vault Kubernetes auth mount. They are ignored when `ocpExternalSecrets.vault.external.auth` is set. + +7. **TLS / CA** – If Vault presents a certificate signed by a CA that is not the cluster default, keep `ocpExternalSecrets.caProvider.enabled` true and point `hostCluster` or `clientCluster` at a ConfigMap or Secret that holds the PEM for that CA, depending on whether you render this chart on the hub or a spoke. + +8. **Special Note** – The patterns framework will be unable to manage authentication, policy or inject secrets into a vault that it does not manage. In such cases, set `global.secretLoader.disabled` to `true` (in `values-global.yaml`) to prevent the secret loader from running locally during the `make install` phase. 
+ +Example fragment: + +```yaml +global: + secretStore: + backend: vault + +ocpExternalSecrets: + vault: + externalAddress: "https://vault.example.corp:8200" + external: + kvPath: "kv/my-team" + kvVersion: "v2" + auth: + appRole: + path: "approle" + roleRef: + name: "vault-approle" + key: "role-id" + secretRef: + name: "vault-approle" + key: "secret-id" + caProvider: + enabled: true + hostCluster: + type: Secret + name: corp-vault-ca + key: ca.crt + namespace: external-secrets +``` + + ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| clusterGroup.isHubCluster | bool | `true` | The variable that defines when a cluster is the HUB | +| clusterGroup.applications | object | `{}` | | | global | object | depends on the individual settings | The global namespace containes some globally used variables used in patterns | | global.clusterDomain | string | `"foo.example.com"` | The DNS entry for the cluster the chart is being rendered on | | global.hubClusterDomain | string | `"hub.example.com"` | The DNS entry for the hub cluster | 
@@ -36,7 +95,19 @@ A Helm chart to set up the Openshift External Secrets Operator | ocpExternalSecrets.rbac.serviceAccount.name | string | `"ocp-external-secrets"` | The name of the service account used by external secrets | | ocpExternalSecrets.rbac.serviceAccount.namespace | string | `"external-secrets"` | The namespace where the service account is created | | ocpExternalSecrets.vault | object | depends on the individual settings | Some vault configuration entries | +| ocpExternalSecrets.vault.external | object | depends on the individual settings | Settings below apply only when `externalAddress` is non-empty (ignored for framework-managed hub Vault). | +| ocpExternalSecrets.vault.external.auth | object | `{}` | Arbitrary auth stanza rendered directly into `spec.provider.vault.auth` when `externalAddress` is non-empty. Use this for non-Kubernetes auth methods (for example AppRole, JWT/OIDC, token, LDAP, cert). When set, this takes precedence over `kubernetesMountPath`/`kubernetesRole` and `secretRef`. | +| ocpExternalSecrets.vault.external.kubernetesMountPath | string | `""` | Vault Kubernetes auth mount path for the external Vault. Must be set together with `kubernetesRole`; if either is empty, hub/spoke auth from this chart is used instead. | +| ocpExternalSecrets.vault.external.kubernetesRole | string | `""` | Vault Kubernetes auth role for the external Vault. Must be set together with `kubernetesMountPath`. | +| ocpExternalSecrets.vault.external.kvPath | string | `""` | KV mount path segment for `spec.provider.vault.path` (e.g. `secret` or a team-specific engine). Empty keeps the default `secret`. | +| ocpExternalSecrets.vault.external.kvVersion | string | `""` | KV version (`v1` or `v2`). Empty keeps the default `v2`. | +| ocpExternalSecrets.vault.external.secretRef | object | depends on the individual settings | Secret reference used for `spec.provider.vault.auth.kubernetes.secretRef` when `externalAddress` is non-empty. 
All fields are required in that case and should point to an existing Secret holding the Kubernetes auth JWT. Ignored when `external.auth` is provided. | +| ocpExternalSecrets.vault.external.secretRef.key | string | `""` | Secret key containing the JWT token for external Vault Kubernetes auth. Required when `externalAddress` is non-empty. | +| ocpExternalSecrets.vault.external.secretRef.name | string | `""` | Secret name for external Vault Kubernetes auth. Required when `externalAddress` is non-empty. | +| ocpExternalSecrets.vault.external.secretRef.namespace | string | `""` | Namespace of the secret for external Vault Kubernetes auth. Required when `externalAddress` is non-empty. | +| ocpExternalSecrets.vault.externalAddress | string | `""` | If non-empty, sets the Vault API URL on the ClusterSecretStore (`spec.provider.vault.server`), for example an external Vault reachable at an HTTPS URL you provide. When empty, the chart uses the in-cluster hub pattern `vault-vault` plus `global.hubClusterDomain` (no separate parameter required). | | ocpExternalSecrets.vault.mountPath | string | `"hub"` | The vault secrets' path when connecting to it from the hub | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) + diff --git a/README.md.gotmpl b/README.md.gotmpl index 8875935..957211b 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl 
@@ -7,6 +7,64 @@ ## Notable changes +v0.0.4: Add vault.externalAddress to allow configuration of separate, unmanaged vault + +## Using a completely external Vault + +Use this when HashiCorp Vault is **not** deployed by Validated Patterns on the hub (for example a shared corporate Vault or a cluster-external service). + +1. **ClusterSecretStore backend** – Keep `global.secretStore.backend` as `vault` (or omit it; the chart defaults to Vault). + +2. **Vault API URL** – Set `ocpExternalSecrets.vault.externalAddress` to the reachable HTTPS base URL of your Vault (same value you would put in `spec.provider.vault.server`), for example `https://vault.example.corp:8200`. When this is empty, the chart targets the framework hub route `vault-vault.` instead. + +3. **KV engine** – Optional. Under `ocpExternalSecrets.vault.external`, set `kvPath` and/or `kvVersion` if your mount is not the default path `secret` or not KV v2. These keys are **only** read when `externalAddress` is non-empty; otherwise they are ignored. + +4. **Arbitrary external auth provider** – When `ocpExternalSecrets.vault.externalAddress` is non-empty, you can provide `ocpExternalSecrets.vault.external.auth` to inject any supported ESO Vault auth block directly into `spec.provider.vault.auth` (for example AppRole, token, JWT/OIDC, LDAP, cert). This is the recommended path when your external Vault does not use Kubernetes auth from this chart. + +5. **Kubernetes auth on the external Vault** – If you do not set `ocpExternalSecrets.vault.external.auth`, the chart uses Kubernetes auth. On the Vault side, configure a Kubernetes auth mount and role that trust the External Secrets Operator service account (`ocpExternalSecrets.rbac.serviceAccount` in this chart). In values, you can pin the store to that Vault configuration by setting **both** `ocpExternalSecrets.vault.external.kubernetesMountPath` and `ocpExternalSecrets.vault.external.kubernetesRole`. 
If either is left empty, the chart falls back to the usual hub/spoke auth fields (`vault.mountPath`, `rbac.rolename`, or spoke `global.clusterDomain`), which may not match your external Vault and should be overridden for a fully external setup. + +6. **External Kubernetes auth token Secret reference** – When `ocpExternalSecrets.vault.externalAddress` is non-empty and you use the Kubernetes auth fallback path, you must set: + - `ocpExternalSecrets.vault.external.secretRef.name` + - `ocpExternalSecrets.vault.external.secretRef.namespace` + - `ocpExternalSecrets.vault.external.secretRef.key` + + These values are used directly in `spec.provider.vault.auth.kubernetes.secretRef` and should point to an existing Secret that contains the JWT token expected by your external Vault Kubernetes auth mount. They are ignored when `ocpExternalSecrets.vault.external.auth` is set. + +7. **TLS / CA** – If Vault presents a certificate signed by a CA that is not the cluster default, keep `ocpExternalSecrets.caProvider.enabled` true and point `hostCluster` or `clientCluster` at a ConfigMap or Secret that holds the PEM for that CA, depending on whether you render this chart on the hub or a spoke. + +8. **Special Note** – The patterns framework will be unable to manage authentication, policy or inject secrets into a vault that it does not manage. In such cases, set `global.secretLoader.disabled` to `true` (in `values-global.yaml`) to prevent the secret loader from running locally during the `make install` phase. 
+ +Example fragment: + +```yaml +global: + secretStore: + backend: vault + +ocpExternalSecrets: + vault: + externalAddress: "https://vault.example.corp:8200" + external: + kvPath: "kv/my-team" + kvVersion: "v2" + auth: + appRole: + path: "approle" + roleRef: + name: "vault-approle" + key: "role-id" + secretRef: + name: "vault-approle" + key: "secret-id" + caProvider: + enabled: true + hostCluster: + type: Secret + name: corp-vault-ca + key: ca.crt + namespace: external-secrets +``` + {{ template "chart.homepageLine" . }} {{ template "chart.maintainersSection" . }} @@ -15,6 +73,8 @@ {{ template "chart.requirementsSection" . }} + {{ template "chart.valuesSection" . }} {{ template "helm-docs.versionFooter" . }} + diff --git a/templates/vault/external-secrets-hub-secretstore.yaml b/templates/vault/external-secrets-hub-secretstore.yaml index ebd6d34..c3ff5a9 100644 --- a/templates/vault/external-secrets-hub-secretstore.yaml +++ b/templates/vault/external-secrets-hub-secretstore.yaml 
@@ -7,6 +7,29 @@ {{- end }} {{- end }} {{- end }} +{{- $extVault := .Values.ocpExternalSecrets.vault.externalAddress | default "" | trim }} +{{- $extCfg := .Values.ocpExternalSecrets.vault.external | default dict }} +{{- $extAuth := $extCfg.auth | default dict }} +{{- $vaultPath := "secret" }} +{{- $vaultVersion := "v2" }} +{{- if ne $extVault "" }} + {{- $p := $extCfg.kvPath | default "" | trim }} + {{- if ne $p "" }} + {{- $vaultPath = $p }} + {{- end }} + {{- $ver := $extCfg.kvVersion | default "" | trim }} + {{- if ne $ver "" }} + {{- $vaultVersion = $ver }} + {{- end }} +{{- end }} +{{- $extK8sMount := $extCfg.kubernetesMountPath | default "" | trim }} +{{- $extK8sRole := $extCfg.kubernetesRole | default "" | trim }} +{{- $useExtK8sAuth := and (ne $extVault "") (ne $extK8sMount "") (ne $extK8sRole "") }} +{{- $useExtAuth := and (ne $extVault "") (not (empty $extAuth)) }} +{{- $extSecretRef := $extCfg.secretRef | default dict }} +{{- $extSecretRefName := $extSecretRef.name | default "" | trim }} +{{- $extSecretRefNamespace := $extSecretRef.namespace | default "" | trim }} +{{- $extSecretRefKey := $extSecretRef.key | default "" | trim }} --- apiVersion: external-secrets.io/v1 kind: ClusterSecretStore @@ -16,10 +39,14 @@ metadata: spec: provider: vault: - server: https://vault-vault.{{ .Values.global.hubClusterDomain }} - path: secret +{{- if ne $extVault "" }} + server: {{ $extVault | quote }} +{{- else }} + server: "https://vault-vault.{{ .Values.global.hubClusterDomain }}" +{{- end }} + path: {{ $vaultPath | quote }} # Version of KV backend - version: v2 + version: {{ $vaultVersion | quote }} {{- if .Values.ocpExternalSecrets.caProvider.enabled }} {{- if or (eq (include "ocp_eso.ishubcluster" .) "true") $hashicorp_vault_found }} caProvider: 
@@ -35,9 +62,16 @@ spec: namespace: {{ .Values.ocpExternalSecrets.caProvider.clientCluster.namespace }} {{ end }} {{- end }} +{{- if $useExtAuth }} + auth: +{{ toYaml $extAuth | nindent 8 }} +{{- else }} auth: kubernetes: -{{- if or (eq (include "ocp_eso.ishubcluster" .) "true") $hashicorp_vault_found }} +{{- if $useExtK8sAuth }} + mountPath: {{ $extK8sMount | quote }} + role: {{ $extK8sRole | quote }} +{{- else if or (eq (include "ocp_eso.ishubcluster" .) "true") $hashicorp_vault_found }} mountPath: {{ .Values.ocpExternalSecrets.vault.mountPath }} role: {{ .Values.ocpExternalSecrets.rbac.rolename }} {{ else }} @@ -45,7 +79,14 @@ spec: role: {{ $.Values.global.clusterDomain }}-role {{ end }} secretRef: +{{- if and (ne $extVault "") (not $useExtAuth) }} + name: {{ required "ocpExternalSecrets.vault.external.secretRef.name must be set when ocpExternalSecrets.vault.externalAddress is non-empty" $extSecretRefName | quote }} + namespace: {{ required "ocpExternalSecrets.vault.external.secretRef.namespace must be set when ocpExternalSecrets.vault.externalAddress is non-empty" $extSecretRefNamespace | quote }} + key: {{ required "ocpExternalSecrets.vault.external.secretRef.key must be set when ocpExternalSecrets.vault.externalAddress is non-empty" $extSecretRefKey | quote }} +{{- else }} name: {{ .Values.ocpExternalSecrets.rbac.serviceAccount.name }} namespace: {{ .Values.ocpExternalSecrets.rbac.serviceAccount.namespace }} key: "token" {{- end }} +{{- end }} +{{- end }} diff --git a/tests/edge_cases_test.yaml b/tests/edge_cases_test.yaml index aea519c..f9b054e 100644 --- a/tests/edge_cases_test.yaml +++ b/tests/edge_cases_test.yaml @@ -121,4 +121,4 @@ tests: asserts: - equal: path: apiVersion - value: external-secrets.io/v1 \ No newline at end of file + value: external-secrets.io/v1 diff --git a/tests/external_secrets_config_test.yaml b/tests/external_secrets_config_test.yaml index 1d55e58..4148fbf 100644 --- a/tests/external_secrets_config_test.yaml 
+++ b/tests/external_secrets_config_test.yaml @@ -33,4 +33,4 @@ tests: value: TCP - equal: path: spec.controllerConfig.networkPolicies[0].egress[0].ports[0].port - value: 443 \ No newline at end of file + value: 443 diff --git a/tests/external_secrets_secretstore_test.yaml b/tests/external_secrets_secretstore_test.yaml index aefddf3..34a3ac2 100644 --- a/tests/external_secrets_secretstore_test.yaml +++ b/tests/external_secrets_secretstore_test.yaml 
@@ -48,6 +48,258 @@ tests: path: spec.provider.vault.server value: "https://vault-vault.foo.bar.baz" + - it: should use ocpExternalSecrets.vault.externalAddress when set + set: + global: + hubClusterDomain: ignored.hub.example.com + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + secretRef: + name: external-auth + namespace: external-secrets + key: token + asserts: + - equal: + path: spec.provider.vault.server + value: "https://vault.external.example:8200" + + - it: should use hub vault URL when externalAddress is empty + set: + global: + hubClusterDomain: my.hub.domain + ocpExternalSecrets: + vault: + externalAddress: "" + asserts: + - equal: + path: spec.provider.vault.server + value: "https://vault-vault.my.hub.domain" + + - it: should ignore vault.external when externalAddress is empty + set: + global: + hubClusterDomain: my.hub.domain + clusterGroup: + isHubCluster: true + ocpExternalSecrets: + rbac: + rolename: hub-role + vault: + externalAddress: "" + external: + kvPath: custom-kv + kvVersion: v1 + kubernetesMountPath: custom-mount + kubernetesRole: custom-role + mountPath: hub + asserts: + - equal: + path: spec.provider.vault.path + value: secret + - equal: + path: spec.provider.vault.version + value: v2 + - equal: + path: spec.provider.vault.auth.kubernetes.mountPath + value: hub + - equal: + path: spec.provider.vault.auth.kubernetes.role + value: hub-role + + - it: should apply vault.external KV settings when externalAddress is set + set: + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + kvPath: team-secrets + kvVersion: v1 + secretRef: + name: external-auth + namespace: external-secrets + key: token + asserts: + - equal: + path: spec.provider.vault.server + value: "https://vault.external.example:8200" + - equal: + path: spec.provider.vault.path + value: team-secrets + - equal: + path: spec.provider.vault.version + value: v1 + + - it: should use default 
KV path and version for external vault when external.kvPath and kvVersion are empty + set: + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + kvPath: "" + kvVersion: "" + secretRef: + name: external-auth + namespace: external-secrets + key: token + asserts: + - equal: + path: spec.provider.vault.path + value: secret + - equal: + path: spec.provider.vault.version + value: v2 + + - it: should use vault.external kubernetes auth when externalAddress and both mount and role are set + set: + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + kubernetesMountPath: ocp/kubernetes/prod + kubernetesRole: eso-external-role + secretRef: + name: external-auth + namespace: external-secrets + key: token + asserts: + - equal: + path: spec.provider.vault.auth.kubernetes.mountPath + value: ocp/kubernetes/prod + - equal: + path: spec.provider.vault.auth.kubernetes.role + value: eso-external-role + + - it: should fall back to hub kubernetes auth when external vault omits external kubernetes mount or role + set: + clusterGroup: + isHubCluster: true + ocpExternalSecrets: + rbac: + rolename: hub-rolename + vault: + externalAddress: "https://vault.external.example:8200" + external: + kubernetesMountPath: "" + kubernetesRole: "" + secretRef: + name: external-auth + namespace: external-secrets + key: token + mountPath: hub-mount + asserts: + - equal: + path: spec.provider.vault.auth.kubernetes.mountPath + value: hub-mount + - equal: + path: spec.provider.vault.auth.kubernetes.role + value: hub-rolename + + - it: should not use partial external kubernetes auth when only mountPath is set + set: + clusterGroup: + isHubCluster: true + ocpExternalSecrets: + rbac: + rolename: hub-rolename + vault: + externalAddress: "https://vault.external.example:8200" + external: + kubernetesMountPath: partial-mount + kubernetesRole: "" + secretRef: + name: external-auth + namespace: external-secrets + key: token 
+ mountPath: hub-mount + asserts: + - equal: + path: spec.provider.vault.auth.kubernetes.mountPath + value: hub-mount + - equal: + path: spec.provider.vault.auth.kubernetes.role + value: hub-rolename + + - it: should fall back to spoke kubernetes auth for external vault when external k8s auth is not set + set: + global: + clusterDomain: spoke.example.org + clusterGroup: + isHubCluster: false + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + kubernetesMountPath: "" + kubernetesRole: "" + secretRef: + name: external-auth + namespace: external-secrets + key: token + asserts: + - equal: + path: spec.provider.vault.auth.kubernetes.mountPath + value: spoke.example.org + - equal: + path: spec.provider.vault.auth.kubernetes.role + value: spoke.example.org-role + + - it: should use external secretRef when externalAddress is set + set: + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + secretRef: + name: external-auth + namespace: external-secrets + key: vault-token + asserts: + - equal: + path: spec.provider.vault.auth.kubernetes.secretRef.name + value: external-auth + - equal: + path: spec.provider.vault.auth.kubernetes.secretRef.namespace + value: external-secrets + - equal: + path: spec.provider.vault.auth.kubernetes.secretRef.key + value: vault-token + + - it: should use arbitrary external auth provider settings when externalAddress is set + set: + ocpExternalSecrets: + vault: + externalAddress: "https://vault.external.example:8200" + external: + auth: + appRole: + path: approle + roleRef: + name: vault-approle + key: role-id + secretRef: + name: vault-approle + key: secret-id + asserts: + - equal: + path: spec.provider.vault.auth.appRole.path + value: approle + - equal: + path: spec.provider.vault.auth.appRole.roleRef.name + value: vault-approle + - equal: + path: spec.provider.vault.auth.appRole.roleRef.key + value: role-id + - equal: + path: 
spec.provider.vault.auth.appRole.secretRef.name + value: vault-approle + - equal: + path: spec.provider.vault.auth.appRole.secretRef.key + value: secret-id + - notExists: + path: spec.provider.vault.auth.kubernetes + - it: should set secretRef with default values asserts: - equal: diff --git a/values.yaml b/values.yaml index 3df2bb1..efbca7c 100644 --- a/values.yaml +++ b/values.yaml 
@@ -20,11 +20,43 @@ ocpExternalSecrets: remoteNamespace: "validated-patterns-secrets" server: # -- The URL used in the ClusterSecretStore - url: 'https://kubernetes.default' + url: "https://kubernetes.default" # -- Some vault configuration entries # @default -- depends on the individual settings vault: + # -- If non-empty, sets the Vault API URL on the ClusterSecretStore (`spec.provider.vault.server`), for example an + # external Vault reachable at an HTTPS URL you provide. When empty, the chart uses the in-cluster hub pattern + # `vault-vault` plus `global.hubClusterDomain` (no separate parameter required). + externalAddress: "" + # -- Settings below apply only when `externalAddress` is non-empty (ignored for framework-managed hub Vault). + # @default -- depends on the individual settings + external: + # -- Arbitrary auth stanza rendered directly into `spec.provider.vault.auth` when `externalAddress` is non-empty. + # Use this for non-Kubernetes auth methods (for example AppRole, JWT/OIDC, token, LDAP, cert). When set, this + # takes precedence over `kubernetesMountPath`/`kubernetesRole` and `secretRef`. + auth: {} + # -- KV mount path segment for `spec.provider.vault.path` (e.g. `secret` or a team-specific engine). Empty keeps + # the default `secret`. + kvPath: "" + # -- KV version (`v1` or `v2`). Empty keeps the default `v2`. + kvVersion: "" + # -- Vault Kubernetes auth mount path for the external Vault. Must be set together with `kubernetesRole`; if + # either is empty, hub/spoke auth from this chart is used instead. + kubernetesMountPath: "" + # -- Vault Kubernetes auth role for the external Vault. Must be set together with `kubernetesMountPath`. + kubernetesRole: "" + # -- Secret reference used for `spec.provider.vault.auth.kubernetes.secretRef` when `externalAddress` is non-empty. + # All fields are required in that case and should point to an existing Secret holding the Kubernetes auth JWT. + # Ignored when `external.auth` is provided. 
+ # @default -- depends on the individual settings + secretRef: + # -- Secret name for external Vault Kubernetes auth. Required when `externalAddress` is non-empty. + name: "" + # -- Namespace of the secret for external Vault Kubernetes auth. Required when `externalAddress` is non-empty. + namespace: "" + # -- Secret key containing the JWT token for external Vault Kubernetes auth. Required when `externalAddress` is non-empty. + key: "" # -- The vault secrets' path when connecting to it from the hub mountPath: "hub"
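Review bot: In the README hunk, step 2 says the chart "targets the framework hub route `vault-vault.` instead", which is truncated; spell it out as `https://vault-vault.<global.hubClusterDomain>`, as the `externalAddress` comment in the values.yaml hunk does. In the same hunk, step 5 tells the reader to have the Vault role trust `ocpExternalSecrets.rbac.serviceAccount`, but on the external path the template renders `spec.provider.vault.auth.kubernetes.secretRef` from `external.secretRef` (step 6), not from the operator's service account token, so the JWT Vault actually sees is whatever is stored in that Secret. Say that the role's bound service account and namespace must match the token placed in `external.secretRef`, and that `rbac.serviceAccount` only matters on the hub/spoke path. The README.md.gotmpl hunk carries the same text and needs the same fix.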
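Review bot: The example fragment in the README (and README.md.gotmpl) hunk gives `appRole.roleRef` and `appRole.secretRef` with `name` and `key` only, no `namespace`. The resource this lands in is a `ClusterSecretStore`, and ESO requires `namespace` on secret references in a cluster-scoped store; the Kubernetes branch of the template hunk renders `namespace:` for exactly that reason. Add `namespace: external-secrets` (or wherever the AppRole Secret lives) to both references in the example, and to the `should use arbitrary external auth provider settings` test, so the documented stanza is one ESO will accept rather than reject at reconcile time. Since `external.auth` is pasted verbatim via `toYaml` with no `required` guard, the docs are the only place this will be caught.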
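Review bot: The regenerated values table in the README hunk drops the `clusterGroup.isHubCluster` row and adds `clusterGroup.applications | object | {} |` with an empty description, yet the tests added in this same patch still set `clusterGroup.isHubCluster` and the template still calls `ocp_eso.ishubcluster`. The values.yaml hunk does not touch `clusterGroup`, so this looks like drift between the committed values.yaml and the README that helm-docs generated from it. Add `# --` comments for both keys in values.yaml and regenerate, so the table documents the key that actually drives hub versus spoke auth selection.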
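Review bot: In the first template hunk, `kvVersion` is trimmed but never validated, so a value such as `V2` or `2` renders straight into `spec.provider.vault.version` and only fails when ESO reconciles the store. The values comment promises `v1` or `v2`; enforce that at render time, for example `{{- if not (has $vaultVersion (list "v1" "v2")) }}{{ fail "ocpExternalSecrets.vault.external.kvVersion must be v1 or v2" }}{{- end }}`. `externalAddress` gets the same treatment: it is only trimmed, while the README requires an HTTPS URL. A plain `http://` server would send the Kubernetes JWT or AppRole secret-id in clear text on every login, so either reject non-`https://` values with `fail`, or state in the values comment that the chart does not check the scheme.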
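Review bot: In the auth hunk of the template, the partial case where exactly one of `external.kubernetesMountPath` and `external.kubernetesRole` is set is silently ignored and the store falls back to the hub `mountPath`/`rbac.rolename` (or the spoke `global.clusterDomain` pair) against the external Vault; the `should not use partial external kubernetes auth` test locks that behaviour in. Such a misconfiguration will only surface as a Vault login failure at runtime, so fail at render time when only one is set, e.g. `{{- if ne (ne $extK8sMount "") (ne $extK8sRole "") }}{{ fail "set both kubernetesMountPath and kubernetesRole" }}{{- end }}`, which is the same strictness the hunk already applies to `secretRef` via `required`. Also, `(not $useExtAuth)` in `{{- if and (ne $extVault "") (not $useExtAuth) }}` is redundant: that line is already inside the `{{- else }}` of `{{- if $useExtAuth }}`.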
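Review bot: The secretstore test hunk covers every successful rendering path but not the `required` guard that the template hunk introduces. Add a case with `externalAddress` set, no `external.auth`, and `external.secretRef` left empty, asserting `failedTemplate` with `errorMessage: ocpExternalSecrets.vault.external.secretRef.name must be set when ocpExternalSecrets.vault.externalAddress is non-empty`, so the render-time check is pinned and a later refactor cannot silently turn it back into an empty `secretRef`. A case for the caProvider branch with `externalAddress` set on a spoke (`isHubCluster: false`) would also be worth having, since the README's step 7 relies on that branch selecting `clientCluster`.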
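Review bot: In the values.yaml hunk the per-field comments on `external.secretRef.name`, `.namespace` and `.key` each say "Required when `externalAddress` is non-empty", but the parent comment (and the template) make them required only when `external.auth` is empty. Align the three comments to "Required when `externalAddress` is non-empty and `external.auth` is not set", otherwise helm-docs produces a table that contradicts itself two rows apart. Separately, `.yaml-lint.yml` disables `indentation`, `braces`, `brackets`, `truthy`, `comments` and `document-start` on top of ignoring `templates/`; the Go-template files that need those exemptions are already excluded, so keep at least `indentation` and `truthy` for `values.yaml` and `tests/`, where an unquoted `yes`/`on` is read as a boolean by YAML 1.1 parsers.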