diff --git a/Chart.yaml b/Chart.yaml index 9d75f2c..79c9d25 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,7 +3,7 @@ description: A Helm chart to build and deploy secrets using external-secrets for keywords: - pattern name: aap-config -version: 0.1.4 +version: 0.1.5 dependencies: - name: vp-rbac version: '0.1.*' diff --git a/README.md b/README.md index ed6284d..c86948d 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # aap-config -![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) +![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) A Helm chart to build and deploy secrets using external-secrets for ansible-edge-gitops @@ -20,6 +20,9 @@ the 10-minute mark instead of every ten minutes as previously). external secrets validation job to prevent argo from proceeding past ES creation and erroring out early. +* v0.1.5: Extend default deadline for external secret validation job. Remove +namespaces from external secrets validation. + ## Requirements | Repository | Name | Version | @@ -47,7 +50,7 @@ erroring out early. | secretStore.name | string | `"vault-backend"` | | | serviceAccountName | string | `"aap-config-sa"` | | | serviceAccountNamespace | string | `"aap-config"` | | -| validationJob.activeDeadlineSeconds | int | `600` | | +| validationJob.activeDeadlineSeconds | int | `3600` | | | validationJob.disabled | bool | `false` | | | vp-rbac.clusterRoles.view-routes.rules[0].apiGroups[0] | string | `"route.openshift.io"` | | | vp-rbac.clusterRoles.view-routes.rules[0].resources[0] | string | `"routes"` | | diff --git a/README.md.gotmpl b/README.md.gotmpl index 0e18b13..aa88817 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl 
@@ -21,6 +21,9 @@ the 10-minute mark instead of every ten minutes as previously). external secrets validation job to prevent argo from proceeding past ES creation and erroring out early. +* v0.1.5: Extend default deadline for external secret validation job. Remove +namespaces from external secrets validation. + {{ template "chart.homepageLine" . }} {{ template "chart.maintainersSection" . }} diff --git a/templates/external-secrets-validation-job.yaml b/templates/external-secrets-validation-job.yaml index 1136230..931b335 100644 --- a/templates/external-secrets-validation-job.yaml +++ b/templates/external-secrets-validation-job.yaml @@ -10,7 +10,7 @@ spec: parallelism: 1 completions: 1 backoffLimit: 3 - activeDeadlineSeconds: {{ $.Values.validationJob.activeDeadlineSeconds | default 300 }} + activeDeadlineSeconds: {{ $.Values.validationJob.activeDeadlineSeconds }} template: spec: restartPolicy: Never @@ -25,7 +25,7 @@ spec: - | set -euo pipefail - echo "Starting external secrets validation for aap-config namespace..." + echo "Starting external secrets validation..." # List of external secrets to validate EXTERNAL_SECRETS=( @@ -40,13 +40,13 @@ spec: echo "Checking secret: $secret_name" # Check if secret exists - if ! kubectl get secret "$secret_name" -n aap-config >/dev/null 2>&1; then + if ! kubectl get secret "$secret_name" >/dev/null 2>&1; then echo "ERROR: Secret $secret_name does not exist" return 1 fi # Check if secret has data - local data_count=$(kubectl get secret "$secret_name" -n aap-config -o jsonpath='{.data}' | jq -r 'length') + local data_count=$(kubectl get secret "$secret_name" -o jsonpath='{.data}' | jq -r 'length') if [ "$data_count" -eq 0 ]; then echo "ERROR: Secret $secret_name exists but has no data" return 1 
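Review bot: Removing `| default 300` from the activeDeadlineSeconds line in the @@ -10 hunk leaves the Job with no deadline whenever a values override omits `validationJob.activeDeadlineSeconds`: the template then renders `activeDeadlineSeconds:` with an empty value, which the API server should treat as unset, so a validation Pod bound to the secrets-reading service account can run indefinitely. The default in values.yaml does not protect against that case, because a downstream values file replacing the `validationJob` map drops the key. Keep a chart-level fallback in the template as well, e.g. `activeDeadlineSeconds: {{ $.Values.validationJob.activeDeadlineSeconds | default 3600 }}`. The Job spec continues outside this hunk.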
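Review bot: The startup message changed in the @@ -25 hunk drops the namespace and nothing else in the script now states which namespace is being inspected, while the `-n aap-config` removed in the @@ -40 and @@ -62 hunks leaves kubectl on its in-cluster default, which presumably comes from the Pod's mounted service-account token and so follows wherever the Job is deployed rather than where the secrets live. A Job landing in the wrong namespace would therefore fail with `Secret ... does not exist` and no hint of the scope that was checked. Surface it once at startup, e.g. `echo "Starting external secrets validation in namespace $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)..."`, or pass an explicit `-n "$NAMESPACE"` fed from a `fieldRef: metadata.namespace` env entry in place of the literal the @@ -136 hunk removes. The shell script and the functions containing the kubectl calls extend beyond these hunks.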
@@ -62,17 +62,17 @@ spec: echo "Checking ExternalSecret status: $external_secret_name" # Check if ExternalSecret exists - if ! kubectl get externalsecret "$external_secret_name" -n aap-config >/dev/null 2>&1; then + if ! kubectl get externalsecret "$external_secret_name" >/dev/null 2>&1; then echo "ERROR: ExternalSecret $external_secret_name does not exist" return 1 fi # Check ExternalSecret status - local ready_status=$(kubectl get externalsecret "$external_secret_name" -n aap-config -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') + local ready_status=$(kubectl get externalsecret "$external_secret_name" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') if [ "$ready_status" != "True" ]; then echo "ERROR: ExternalSecret $external_secret_name is not ready. Status: $ready_status" # Get more details about the error - kubectl get externalsecret "$external_secret_name" -n aap-config -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}' | xargs -I {} echo "Message: {}" + kubectl get externalsecret "$external_secret_name" -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}' | xargs -I {} echo "Message: {}" return 1 fi @@ -136,9 +136,6 @@ spec: for secret in "${EXTERNAL_SECRETS[@]}"; do echo "✅ $secret: ExternalSecret ready and Secret populated" done - env: - - name: NAMESPACE - value: aap-config resources: requests: memory: "64Mi" diff --git a/values.yaml b/values.yaml index 06c9e78..0f94b85 100644 --- a/values.yaml +++ b/values.yaml @@ -30,7 +30,7 @@ serviceAccountNamespace: aap-config # Validation job configuration validationJob: disabled: false - activeDeadlineSeconds: 600 + activeDeadlineSeconds: 3600 # RBAC configuration using vp-rbac subchart vp-rbac: 
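Review bot: `activeDeadlineSeconds: 3600` in the values.yaml hunk carries no comment, and the README table's description column for it is empty, so the reason for a one-hour cap on a validation check is not recorded anywhere. The README looks to be generated by helm-docs, so a `# --` comment above the key would populate that column; e.g. `# -- Max wall-clock seconds the validation Job may run before Kubernetes terminates it and marks it failed; raised to 1h, presumably to tolerate slow ExternalSecret reconciliation`. The `validationJob` block is fully inside this hunk.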
@@ -44,27 +44,27 @@ vp-rbac: clusterRoles: - view-secrets-cms - view-routes - + clusterRoles: view-secrets-cms: rules: - apiGroups: [""] resources: ["secrets", "configmaps"] verbs: ["get", "list", "watch"] - + view-routes: rules: - apiGroups: ["route.openshift.io"] resources: ["routes"] verbs: ["get", "list", "watch"] - + roles: view-all: rules: - apiGroups: ["*"] resources: ["*"] verbs: ["get", "list", "watch"] - + # RBAC for external secrets validation (namespace-scoped) external-secrets-validator: rules: