Added external-secrets helm files

akhil27051999 · akhil27051999 · commit 963de2167171 · 2025-10-02T17:10:14.000Z
diff --git a/helm/external-secrets/Chart.yaml b/helm/external-secrets/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: external-secrets
+description: Helm chart for External Secrets Operator with Vault
+type: application
+version: 0.1.0
+appVersion: v0.9.9
diff --git a/helm/external-secrets/templates/clusterrole.yaml b/helm/external-secrets/templates/clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-cluster-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "namespaces"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["external-secrets.io"]
+    resources: ["secretstores", "clustersecretstores", "externalsecrets", "clusterexternalsecrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/helm/external-secrets/templates/clusterrolebinding.yaml b/helm/external-secrets/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-secrets-cluster-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-secrets-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.name }}
+    namespace: {{ .Values.namespaces.eso }}
diff --git a/helm/external-secrets/templates/clustersecretstore.yaml b/helm/external-secrets/templates/clustersecretstore.yaml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-secretstore
+spec:
+  provider:
+    vault:
+      server: {{ .Values.vault.server | quote }}
+      path: {{ .Values.vault.path | quote }}
+      version: {{ .Values.vault.version | quote }}
+      auth:
+        tokenSecretRef:
+          name: {{ .Values.vault.secretName }}
+          key: token
+          namespace: {{ .Values.namespaces.eso }}
diff --git a/helm/external-secrets/templates/deployment.yaml b/helm/external-secrets/templates/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-secrets-operator
+  namespace: {{ .Values.namespaces.eso }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: external-secrets
+  template:
+    metadata:
+      labels:
+        app: external-secrets
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      nodeSelector:
+        type: {{ .Values.nodeSelector.type }}
+      containers:
+        - name: external-secrets-operator
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
diff --git a/helm/external-secrets/templates/externalsecret.yaml b/helm/external-secrets/templates/externalsecret.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.database.secretName }}
+  namespace: {{ .Values.namespaces.app }}
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-secretstore
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.database.secretName }}
+    creationPolicy: Owner
+  data:
+    - secretKey: {{ .Values.database.usernameKey }}
+      remoteRef:
+        key: {{ .Values.database.vaultKey }}
+        property: {{ .Values.database.usernameKey }}
+    - secretKey: {{ .Values.database.passwordKey }}
+      remoteRef:
+        key: {{ .Values.database.vaultKey }}
+        property: {{ .Values.database.passwordKey }}
diff --git a/helm/external-secrets/templates/secret-vault-token.yaml b/helm/external-secrets/templates/secret-vault-token.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.vault.secretName }}
+  namespace: {{ .Values.namespaces.eso }}
+type: Opaque
+stringData:
+  token: {{ .Values.vault.token | quote }}
diff --git a/helm/external-secrets/templates/serviceaccount.yaml b/helm/external-secrets/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.namespaces.eso }}
diff --git a/helm/external-secrets/values.yaml b/helm/external-secrets/values.yaml
@@ -0,0 +1,29 @@
+namespaces:
+  eso: external-secrets
+  app: student-api
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/external-secrets/external-secrets
+  tag: v0.9.9
+  pullPolicy: IfNotPresent
+
+serviceAccount:
+  name: external-secrets
+
+vault:
+  secretName: vault-token
+  token: "root"
+  server: "http://vault.vault.svc.cluster.local:8200"
+  path: "secret"
+  version: "v2"
+
+database:
+  secretName: postgres-secret
+  vaultKey: studentdb
+  usernameKey: POSTGRES_USER
+  passwordKey: POSTGRES_PASSWORD
+
+nodeSelector:
+  type: dependent_services
