From b5f93b3812f2be1eb9b0aa284862d3e32dddedbc Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Tue, 6 Jan 2026 16:42:24 +0900
Subject: [PATCH] REFACTOR(repo): move vault/ to manifests/
- Move ExternalSecret files from vault/ to manifests/secret.yaml
- Merge multiple secrets with --- separator (postgresql)
- Update kustomization.yaml references
- Remove vault/ folders
Apps: postgresql, postgresql-dev, pgweb, minio, velero
---
 minio/kustomization.yaml | 2 +-
 .../secret.yaml} | 0
 pgweb/kustomization.yaml | 2 +-
 .../secret.yaml} | 0
 postgresql-dev/kustomization.yaml | 2 +-
 .../secret.yaml} | 0
 postgresql/kustomization.yaml | 7 +-----
 .../secret.yaml} | 25 +++++++++++++++++++
 postgresql/vault/app-user-secret.yaml | 23 -----------------
 velero/kustomization.yaml | 2 +-
 .../secret.yaml} | 0
 11 files changed, 30 insertions(+), 33 deletions(-)
 rename minio/{vault/minio-root-password.yaml => manifests/secret.yaml} (100%)
 rename pgweb/{vault/pgweb-secret.yaml => manifests/secret.yaml} (100%)
 rename postgresql-dev/{vault/postgresql-password-dev.yaml => manifests/secret.yaml} (100%)
 rename postgresql/{vault/superuser-secret.yaml => manifests/secret.yaml} (50%)
 delete mode 100644 postgresql/vault/app-user-secret.yaml
 rename velero/{vault/velero-secrets.yaml => manifests/secret.yaml} (100%)
diff --git a/minio/kustomization.yaml b/minio/kustomization.yaml
index 474e16f..49a7e4d 100644
--- a/minio/kustomization.yaml
+++ b/minio/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- vault/minio-root-password.yaml
+- manifests/secret.yaml
 - manifests/storage-class.yaml
 - manifests/persistent-volumes.yaml
 - manifests/console-deployment.yaml
diff --git a/minio/vault/minio-root-password.yaml b/minio/manifests/secret.yaml
similarity index 100%
rename from minio/vault/minio-root-password.yaml
rename to minio/manifests/secret.yaml
diff --git a/pgweb/kustomization.yaml b/pgweb/kustomization.yaml
index 1bb4df4..f27909e 100644
--- a/pgweb/kustomization.yaml
+++ b/pgweb/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- vault/pgweb-secret.yaml
+- manifests/secret.yaml
diff --git a/pgweb/vault/pgweb-secret.yaml b/pgweb/manifests/secret.yaml
similarity index 100%
rename from pgweb/vault/pgweb-secret.yaml
rename to pgweb/manifests/secret.yaml
diff --git a/postgresql-dev/kustomization.yaml b/postgresql-dev/kustomization.yaml
index f94515d..f27909e 100644
--- a/postgresql-dev/kustomization.yaml
+++ b/postgresql-dev/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- vault/postgresql-password-dev.yaml
+- manifests/secret.yaml
diff --git a/postgresql-dev/vault/postgresql-password-dev.yaml b/postgresql-dev/manifests/secret.yaml
similarity index 100%
rename from postgresql-dev/vault/postgresql-password-dev.yaml
rename to postgresql-dev/manifests/secret.yaml
diff --git a/postgresql/kustomization.yaml b/postgresql/kustomization.yaml
index 3d204cb..bc7a64c 100644
--- a/postgresql/kustomization.yaml
+++ b/postgresql/kustomization.yaml
@@ -4,12 +4,7 @@ kind: Kustomization namespace: postgresql resources: - # Vault External Secrets - - vault/app-user-secret.yaml - - vault/superuser-secret.yaml - # - vault/backup-s3-secret.yaml # Disabled - using Velero instead - - # StorageClass with Retain policy + - manifests/secret.yaml - manifests/storageclass.yaml # CNPG Cluster
diff --git a/postgresql/vault/superuser-secret.yaml b/postgresql/manifests/secret.yaml
similarity index 50%
rename from postgresql/vault/superuser-secret.yaml
rename to postgresql/manifests/secret.yaml
index 3928830..b8e2ea4 100644
--- a/postgresql/vault/superuser-secret.yaml
+++ b/postgresql/manifests/secret.yaml
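Review bot: The `resources:` hunk in postgresql/kustomization.yaml drops the comment `# StorageClass with Retain policy` together with the vault entries, so the retention intent for the database volumes is no longer stated where the storage class is referenced; I would keep that comment above `- manifests/storageclass.yaml`. The commented-out `vault/backup-s3-secret.yaml` entry is removed as well, but no file of that name appears in the diffstat. If it exists, it may still sit under `postgresql/vault/` even though the message says the vault/ folders are removed, so it is worth checking that an unused ExternalSecret manifest is not left behind.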
@@ -1,5 +1,30 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
+metadata:
+ name: postgresql-app-user
+ namespace: postgresql
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: postgresql-app-user
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/basic-auth
+ data:
+ username: app
+ password: "{{ .password }}"
+ data:
+ - secretKey: password
+ remoteRef:
+ key: databases/postgresql
+ property: PASSWORD
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
 metadata:
 name: postgresql-superuser
 namespace: postgresql
diff --git a/postgresql/vault/app-user-secret.yaml b/postgresql/vault/app-user-secret.yaml
deleted file mode 100644
index 57ae721..0000000
--- a/postgresql/vault/app-user-secret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: postgresql-app-user
- namespace: postgresql
-spec:
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault-backend
- target:
- name: postgresql-app-user
- creationPolicy: Owner
- template:
- type: kubernetes.io/basic-auth
- data:
- username: app
- password: "{{ .password }}"
- data:
- - secretKey: password
- remoteRef:
- key: databases/postgresql
- property: PASSWORD
diff --git a/velero/kustomization.yaml b/velero/kustomization.yaml
index 15c4244..f27909e 100644
--- a/velero/kustomization.yaml
+++ b/velero/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- vault/velero-secrets.yaml
+- manifests/secret.yaml
diff --git a/velero/vault/velero-secrets.yaml b/velero/manifests/secret.yaml
similarity index 100%
rename from velero/vault/velero-secrets.yaml
rename to velero/manifests/secret.yaml
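Review bot: The app-user ExternalSecret added to postgresql/manifests/secret.yaml reads the generically named property `PASSWORD` from `databases/postgresql`, and the `spec` of `postgresql-superuser`, which now shares the file, lies outside this hunk, so it cannot be seen here whether the two roles map to distinct Vault properties. Please confirm the superuser entry does not resolve to the same value, since a shared credential would undo the separation between the `app` role and the superuser. With two documents in one file, a one-line comment above each would also help readers tell them apart, for example `# Application role "app": basic-auth Secret built from Vault databases/postgresql` before the first document.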