create ESO manifest for k8s deployment

akhil27051999 · akhil27051999 · commit dbbb366554d5 · 2025-09-20T18:10:12.000Z
diff --git a/k8s/external-secrets.yaml b/k8s/external-secrets.yaml
@@ -0,0 +1,142 @@
+# ----------------------
+# Namespaces
+# ----------------------
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: student-api
+
+# ----------------------
+# ServiceAccount for ESO
+# ----------------------
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+
+# ----------------------
+# ClusterRole for ESO
+# ----------------------
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-cluster-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "namespaces"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["external-secrets.io"]
+    resources: ["secretstores", "clustersecretstores", "externalsecrets", "clusterexternalsecrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+# ----------------------
+# ClusterRoleBinding for ESO
+# ----------------------
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-secrets-cluster-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-secrets-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: external-secrets
+    namespace: external-secrets
+
+# ----------------------
+# Vault token secret (in external-secrets namespace)
+# ----------------------
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-token
+  namespace: external-secrets
+type: Opaque
+stringData:
+  token: "root"
+
+# ----------------------
+# ESO deployment
+# ----------------------
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-secrets-operator
+  namespace: external-secrets
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: external-secrets
+  template:
+    metadata:
+      labels:
+        app: external-secrets
+    spec:
+      serviceAccountName: external-secrets
+      nodeSelector:
+        type: dependent_services
+      containers:
+        - name: external-secrets-operator
+          image: ghcr.io/external-secrets/external-secrets:v0.9.9
+          imagePullPolicy: IfNotPresent
+
+# ----------------------
+# ClusterSecretStore pointing to Vault
+# ----------------------
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-secretstore
+spec:
+  provider:
+    vault:
+      server: "http://vault.vault.svc.cluster.local:8200"
+      path: "secret"
+      version: "v2"
+      auth:
+        tokenSecretRef:
+          name: vault-token
+          key: token
+          namespace: external-secrets   # ✅ Explicit namespace
+
+# ----------------------
+# ExternalSecret pulling Postgres credentials
+# ----------------------
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgres-secret
+  namespace: student-api
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-secretstore
+    kind: ClusterSecretStore
+  target:
+    name: postgres-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: POSTGRES_USER
+      remoteRef:
+        key: studentdb
+        property: POSTGRES_USER
+    - secretKey: POSTGRES_PASSWORD
+      remoteRef:
+        key: studentdb
+        property: POSTGRES_PASSWORD
