ricoberger / vault-secrets-operator

Create Kubernetes secrets from Vault for a secure GitOps based workflow.
MIT License

Install via GitOps way (FluxCD)? #176

Closed danielkimuipath closed 1 year ago

danielkimuipath commented 1 year ago

Hi, I am trying to use this operator and have a question regarding installation.

From the installation instructions, I see that it uses the Helm command to install.

Can I install it via FluxCD, the GitOps approach? Like checking in a HelmRelease YAML file and a kustomization to install it.

If so, is there an example or document for it?

Thank you!

ricoberger commented 1 year ago

Hi @danielkimuipath, yes you can install it via Flux. We are using the following to install it via Flux:

```yaml
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ricoberger
  namespace: flux-system
spec:
  interval: 15m
  url: https://ricoberger.github.io/helm-charts

---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
  labels:
    app: vault-secrets-operator
spec:
  interval: 5m
  releaseName: vault-secrets-operator
  chart:
    spec:
      chart: vault-secrets-operator
      version: 1.19.8
      sourceRef:
        kind: HelmRepository
        name: ricoberger
        namespace: flux-system
  install:
    crds: Skip
  upgrade:
    crds: Skip
  values:
    deploymentStrategy:
      type: Recreate

    image:
      repository: ricoberger/vault-secrets-operator
      tag: 1.19.8
      pullPolicy: IfNotPresent

    imagePullSecrets:
      - name: dockerhub-registry

    environmentVars:
      - name: VAULT_TOKEN_RENEWAL_RETRY_INTERVAL
        value: "300"

    # Additional labels for the vault-secrets-operator pod(s).
    podLabels:
      app: vault-secrets-operator

    vault:
      address: "https://vault.yourdomain.com"
      authMethod: kubernetes
      kubernetesPath: auth/kubernetes
      kubernetesRole: vault-secrets-operator
      reconciliationTime: 300

    crd:
      create: false

    rbac:
      create: true

    serviceAccount:
      create: true
      name: vault-secrets-operator

    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        memory: 256Mi

    # Create ServiceMonitor for the Prometheus Operator
    serviceMonitor:
      enabled: true
      labels:
        release: prometheus-operator
      interval: 30s
      scrapeTimeout: 30s
      honorLabels: true
```

Note: We are adding the CRDs via Kustomize by copying the following file to our GitOps repository: https://github.com/ricoberger/vault-secrets-operator/blob/main/config/crd/bases/ricoberger.de_vaultsecrets.yaml
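Because the HelmRelease above skips CRDs (`crds: Skip`, `crd.create: false`), the copied CRD file has to be applied by Flux before the HelmRelease is reconciled, and it must never be pruned. The following layout is an added example, not part of the reply or the project's documentation: the directory names `crds/` and `operator/`, the file names inside them, the Flux Kustomization names and the `flux-system` GitRepository source are assumptions.

```yaml
# crds/kustomization.yaml (directory name assumed)
# Contains the CRD copied from the operator repository:
#   config/crd/bases/ricoberger.de_vaultsecrets.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ricoberger.de_vaultsecrets.yaml
---
# operator/kustomization.yaml (directory name assumed)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml        # Namespace vault-secrets-operator, where the HelmRelease lives
  - helm-repository.yaml  # the HelmRepository from the reply above
  - helm-release.yaml     # the HelmRelease from the reply above (crds: Skip)
---
# Flux Kustomization that applies the CRD first. Pruning is disabled because
# deleting a CRD deletes every VaultSecret object in the cluster with it.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: vault-secrets-operator-crds
  namespace: flux-system
spec:
  interval: 10m
  path: ./crds
  prune: false
  wait: true   # Ready only once the CRD is established in the cluster
  sourceRef:
    kind: GitRepository
    name: flux-system   # assumed: the bootstrap GitRepository of this cluster
---
# Flux Kustomization for the operator; dependsOn makes Flux wait for the
# CRD Kustomization to be Ready before this one is reconciled.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: vault-secrets-operator
  namespace: flux-system
spec:
  dependsOn:
    - name: vault-secrets-operator-crds
  interval: 10m
  path: ./operator
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
```

Keeping the CRD in its own Kustomization with `prune: false` also means a later removal of the operator release from Git does not delete existing VaultSecret objects and the Kubernetes Secrets the operator created from them.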

danielkimuipath commented 1 year ago

Awesome! I was able to install it the GitOps way. Thank you very much! :)