ROX-13709: Introduce the external secrets operator on the Data Plane #1078
Conversation
Very nice! Thanks for picking up ROX-13709 in its unrefined state 🚀 . We can do a follow up for other service secrets (like probe and cloudwatch exporter).
What do you think about enabling etcd encryption? That way the secrets are encrypted at rest in the cluster as well as in AWS - see https://docs.openshift.com/container-platform/4.13/security/encrypting-etcd.html on how to do that.
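As an added illustration of the etcd encryption suggested in the comment above (example configuration, not part of the PR): on OpenShift, encryption of secrets at rest in etcd is switched on through the cluster-scoped `APIServer` resource named `cluster`. Everything below is assumed from the linked OpenShift documentation; the name `cluster` is the real singleton object, not a placeholder.

```yaml
# Added example: enable etcd encryption on an OpenShift 4.x cluster.
# Apply with:  oc patch apiserver cluster --type merge -p '{"spec":{"encryption":{"type":"aescbc"}}}'
# or edit the object in place with:  oc edit apiserver cluster
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster            # the one cluster-wide APIServer object
spec:
  encryption:
    type: aescbc           # AES-CBC with PKCS#7 padding; the empty string/"identity" means unencrypted
```

After applying, the kube-apiserver and openshift-apiserver operators roll out new revisions and re-encrypt existing Secret, ConfigMap, Route, OAuth token and similar resources; progress is reported in the `Encrypted` status condition of the `kubeapiserver` and `openshiftapiserver` operator objects, which should end with reason `EncryptionCompleted`. Note that this protects the etcd backing store only: anyone with RBAC permission to read Secrets in the namespace still sees plaintext through the API, so the operator's RBAC should stay scoped to the namespaces it needs.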
repository: quay.io/app-sre/external-secrets | ||
tag: v0.9.5 | ||
securityContext: | ||
runAsUser: 1001130000 |
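Review bot: `runAsUser: 1001130000` pins a numeric UID into the chart values; on OpenShift the restricted SCC assigns each namespace its own UID block (recorded in the namespace annotation `openshift.io/sa.scc.uid-range`), so this pod is only admitted if that value happens to fall inside the range of the namespace it is deployed to, and it will fail admission on a cluster or namespace with a different allocation. Either drop `runAsUser` and let the SCC inject a UID from the namespace range, or document that the target namespace is created with this specific range. While here, `tag: v0.9.5` on `quay.io/app-sre/external-secrets` is a mutable tag; pinning the image by digest would make the operator deployment reproducible and tamper-evident.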
Sorry for my ignorance here, where do these user IDs come from? I know the default of 1000 but what's the source for these?
They came from OpenShift. The default is 1000, but this is outside the allowed range of values. I took the first values from the range.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ebensh, kovayur, porridge, SimonBaeumer, stehessel The full list of commands accepted by this bot can be found here. The pull request process is described here
@stehessel raised a follow-up ticket for this: ROX-20619
Description
This change introduces the external secrets operator (https://external-secrets.io) on the Data Plane clusters.
This allows secrets to be loaded from AWS on the cluster instead of being populated via the deployment script in GitHub Actions.
The change includes:
ExternalSecret CR.
After we make all the secrets load from the operator, we can:
Checklist (Definition of Done)
- Unit and integration tests added
- Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
Test manual
Tested manually on the stage cluster.
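For readers unfamiliar with how the operator described above wires an AWS secret into the cluster, here is an added example of a `SecretStore` plus `ExternalSecret` pair (illustrative manifests, not the PR's own CRs). All names, the namespace, the region, the service account and the AWS secret path are hypothetical; the API group, version and field names are those of external-secrets.io v1beta1 as shipped with the v0.9.x operator.

```yaml
# Added example: namespace-scoped store that reads AWS Secrets Manager using the
# pod's projected service-account token (IRSA / web-identity), so no static AWS
# credentials are stored in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager      # hypothetical
  namespace: example-app         # hypothetical
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1          # hypothetical
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-reader   # hypothetical SA annotated with an IAM role
---
# Added example: the operator resolves the remote secret, writes a Kubernetes
# Secret named in .spec.target, and re-reads AWS every refreshInterval, so a
# rotation in Secrets Manager propagates without a redeploy from CI.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: example-db-credentials   # hypothetical
  namespace: example-app
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: example-db-credentials # Kubernetes Secret to create/update
    creationPolicy: Owner        # the ExternalSecret owns the Secret; deleting it removes the Secret
  data:
    - secretKey: password        # key inside the generated Kubernetes Secret
      remoteRef:
        key: /example/db         # hypothetical Secrets Manager secret name
        property: password       # JSON field to extract from the remote secret value
```

Two things to check after applying such a pair: `oc get externalsecret -n example-app` should report `SecretSynced` in the `STATUS` column, and the IAM role bound to the service account should grant only `secretsmanager:GetSecretValue` (plus `DescribeSecret`) on the specific secret ARNs, since the store's permissions are exactly what any workload able to create an `ExternalSecret` in that namespace can read.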