external-secrets manifest for k8s deployment

Author: akhil27051999

k8s/external-secrets.yaml

@@ -1,28 +1,58 @@
-# Namespaces
+# Namespaces with Helm labels
 apiVersion: v1
 kind: Namespace
 metadata:
   name: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: student-api
+  labels:
+    app.kubernetes.io/name: student-api
+    app.kubernetes.io/instance: student-api
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 ---
 
-# ServiceAccount for ESO
+# ServiceAccount for ESO with Helm labels
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: external-secrets
   namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: service-account
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 ---
 
-# ClusterRole for ESO - UPDATED WITH MISSING PERMISSIONS
+# ClusterRole for ESO with Helm labels - FIXED RBAC
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: external-secrets-cluster-role
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 rules:
   - apiGroups: [""]
     resources: ["secrets", "namespaces", "events"]
@@ -31,18 +61,26 @@ rules:
     resources: ["secretstores", "clustersecretstores", "externalsecrets", "clusterexternalsecrets", "pushsecrets"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   - apiGroups: ["external-secrets.io"]
-    resources: ["externalsecrets/status", "clusterexternalsecrets/status"]
+    resources: ["externalsecrets/status", "clusterexternalsecrets/status", "secretstores/status", "clustersecretstores/status"]
     verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: [""]
     resources: ["services"]
     verbs: ["get", "list"]
 ---
 
-# ClusterRoleBinding for ESO
+# ClusterRoleBinding for ESO with Helm labels
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: external-secrets-cluster-role-binding
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -53,23 +91,39 @@ subjects:
     namespace: external-secrets
 ---
 
-# Vault token secret (in external-secrets namespace)
+# Vault token secret with Helm labels - FIXED envsubst syntax
 apiVersion: v1
 kind: Secret
 metadata:
   name: vault-token
   namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: secret
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 type: Opaque
 stringData:
   token: ${VAULT_TOKEN}
 ---
 
-# ESO deployment
+# ESO deployment with Helm labels
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: external-secrets-operator
   namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: operator
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 spec:
   replicas: 1
   selector:
@@ -79,19 +133,35 @@ spec:
     metadata:
       labels:
         app: external-secrets
+        app.kubernetes.io/name: external-secrets
+        app.kubernetes.io/instance: external-secrets
     spec:
       serviceAccountName: external-secrets
       containers:
         - name: external-secrets-operator
           image: ghcr.io/external-secrets/external-secrets:v0.9.9
           imagePullPolicy: IfNotPresent
+          env:
+            - name: VAULT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: vault-token
+                  key: token
 ---
 
-# ClusterSecretStore pointing to Vault
+# ClusterSecretStore pointing to Vault with Helm labels
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
   name: vault-backend
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: secret-store
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 spec:
   provider:
     vault:
@@ -104,11 +174,19 @@ spec:
           key: "token"
           namespace: "external-secrets"
 ---
-# ClusterSecretStore for Vault in observability namespace
+# ClusterSecretStore for Vault in observability namespace with Helm labels
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
   name: vault-backend-monitoring
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: secret-store
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 spec:
   provider:
     vault:
@@ -122,12 +200,20 @@ spec:
           namespace: "external-secrets"
 ---
 
-# ExternalSecret for Student db in student-api namespace
+# ExternalSecret for Student db in student-api namespace with Helm labels
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: studentdb-secrets
   namespace: student-api
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: external-secret
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 spec:
   refreshInterval: "1h"
   secretStoreRef:
@@ -146,12 +232,20 @@ spec:
         key: "studentdb"
         property: "POSTGRES_PASSWORD"
 ---
-# ExternalSecret for Postgres Exporter in Observability namespace
+# ExternalSecret for Postgres Exporter in Observability namespace with Helm labels
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: postgres-exporter-secret
   namespace: observability
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: external-secret
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 spec:
   refreshInterval: "1h"
   secretStoreRef:
@@ -174,12 +268,20 @@ spec:
       property: connection-uri
 
 ---
-# ExternalSecret for Grafana Admin in Observability namespace
+# ExternalSecret for Grafana Admin in Observability namespace with Helm labels
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: grafana-secret
   namespace: observability
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/component: external-secret
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    meta.helm.sh/release-name: external-secrets
+    meta.helm.sh/release-namespace: external-secrets
 spec:
   refreshInterval: "1h"
   secretStoreRef: