chore(external-secrets): upgrade and set pod security standards

Masaki Yatsu
2025-11-23 15:00:25 +09:00
parent 0957ef9791
commit bcf9cab7b8
3 changed files with 32 additions and 3 deletions


@@ -1,6 +1,14 @@
# External Secrets Operator resource configuration # External Secrets Operator resource configuration
# Based on Goldilocks recommendations (Burstable QoS) # Based on Goldilocks recommendations (Burstable QoS)
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
# Main controller # Main controller
resources: resources:
requests: requests:
@@ -10,8 +18,14 @@ resources:
cpu: 50m cpu: 50m
memory: 256Mi memory: 256Mi
# Cert controller
certController: certController:
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
resources: resources:
requests: requests:
cpu: 15m cpu: 15m
@@ -20,8 +34,14 @@ certController:
cpu: 50m cpu: 50m
memory: 256Mi memory: 256Mi
# Webhook
webhook: webhook:
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
resources: resources:
requests: requests:
cpu: 15m cpu: 15m
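Review bot: The three new `podSecurityContext` blocks cover only the pod-level part of the `restricted` Pod Security Standard; the profile also requires container-level `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]`, which nothing in this file sets. The chart's own default `securityContext` may already supply those, but that is not visible here and is exactly the kind of default that can shift across the 0.19 → 1.1 chart upgrade this commit makes, so pin them explicitly alongside each block, e.g. `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}, readOnlyRootFilesystem: true}`. The header comment at the top still describes the file as resource configuration only; `# Resource limits (Goldilocks, Burstable QoS) and pod security context for the restricted PSS level` would match the new contents. The three identical blocks could also share a YAML anchor to avoid drifting apart, if the values tooling accepts anchors.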


@@ -1,7 +1,7 @@
set fallback := true set fallback := true
export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets") export EXTERNAL_SECRETS_NAMESPACE := env("EXTERNAL_SECRETS_NAMESPACE", "external-secrets")
export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "0.19.2") export EXTERNAL_SECRETS_CHART_VERSION := env("EXTERNAL_SECRETS_CHART_VERSION", "1.1.0")
export EXTERNAL_SECRETS_REFRESH_INTERVAL := env("EXTERNAL_SECRETS_REFRESH_INTERVAL", "1800") export EXTERNAL_SECRETS_REFRESH_INTERVAL := env("EXTERNAL_SECRETS_REFRESH_INTERVAL", "1800")
export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault") export K8S_VAULT_NAMESPACE := env("K8S_VAULT_NAMESPACE", "vault")
export VAULT_HOST := env("VAULT_HOST", "") export VAULT_HOST := env("VAULT_HOST", "")
@@ -28,6 +28,10 @@ install:
--version ${EXTERNAL_SECRETS_CHART_VERSION} -n ${EXTERNAL_SECRETS_NAMESPACE} \ --version ${EXTERNAL_SECRETS_CHART_VERSION} -n ${EXTERNAL_SECRETS_NAMESPACE} \
--create-namespace --wait \ --create-namespace --wait \
-f external-secrets-values.yaml -f external-secrets-values.yaml
kubectl label namespace ${EXTERNAL_SECRETS_NAMESPACE} \
pod-security.kubernetes.io/enforce=restricted --overwrite
just create-external-secrets-role just create-external-secrets-role
just create-vault-secret-store just create-vault-secret-store
@@ -56,5 +60,6 @@ create-external-secrets-role root_token='':
vault write auth/kubernetes/role/external-secrets \ vault write auth/kubernetes/role/external-secrets \
bound_service_account_names=external-secrets \ bound_service_account_names=external-secrets \
bound_service_account_namespaces=${EXTERNAL_SECRETS_NAMESPACE} \ bound_service_account_namespaces=${EXTERNAL_SECRETS_NAMESPACE} \
audience=vault \
policies=admin \ policies=admin \
ttl=1h ttl=1h
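Review bot: The `pod-security.kubernetes.io/enforce=restricted` label is applied only after `helm install --wait` has completed, and PSS enforcement is evaluated at pod creation, so the pods this very install creates are never checked and a non-compliant spec surfaces only on some later rollout. Create and label the namespace before the install instead: `kubectl create namespace ${EXTERNAL_SECRETS_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -`, then the existing `kubectl label ... --overwrite` line, and drop `--create-namespace` from the helm invocation so the install itself fails fast if the chart's pods do not satisfy `restricted`. The start of the `install` recipe (the helm command's first lines) is outside the hunk. The `audience=vault` added to the Vault role must match the `audiences` list on the SecretStore; a one-line comment `# must match spec.provider.vault.auth.kubernetes.serviceAccountRef.audiences in the SecretStore template` next to it would make that coupling explicit. Separately and pre-existing, the role still binds `policies=admin`, which is far more than a secret reader needs.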


@@ -15,4 +15,8 @@ spec:
serviceAccountRef: serviceAccountRef:
name: external-secrets name: external-secrets
namespace: {{ .Env.EXTERNAL_SECRETS_NAMESPACE }} namespace: {{ .Env.EXTERNAL_SECRETS_NAMESPACE }}
# Audience must match the audience configured in Vault Kubernetes auth role
# Required for Vault 1.21+ compatibility
audiences:
- vault
refreshInterval: {{ .Env.EXTERNAL_SECRETS_REFRESH_INTERVAL }} refreshInterval: {{ .Env.EXTERNAL_SECRETS_REFRESH_INTERVAL }}
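Review bot: The comment above `audiences` says the value must match the Vault role but does not say where that role is defined or what happens on a mismatch, and the literal `vault` is now duplicated between this template and the justfile's `audience=vault`. Make the comment point at the source of truth, e.g. `# Must equal the audience= set on auth/kubernetes/role/external-secrets (justfile: create-external-secrets-role); a mismatch makes the Kubernetes login fail`. The "Required for Vault 1.21+ compatibility" line states a version-specific requirement without a reason; if it reflects a Vault release-note change, cite it, otherwise soften it to "required by the Vault role's audience binding". If the two places are expected to stay in sync long-term, sourcing the value from a single env var in both is the safer option.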