secrets

Author: Andreas Mautsch

helm/core/core/application/templates/secret.yaml renamed to helm/core/core/application/secret.yaml

@@ -43,9 +43,10 @@ spec:
                 name: {{ include "application.fullname" . }}-config
             - configMapRef:
                 name: {{ include "application.fullname" . }}-config-log
+            {{- range .Values.secrets }}
             - secretRef:
-                name: {{ include "application.fullname" . }}-secret
-
+                name: {{ .name }}
+            {{- end }}
           #resources and commands and args
           {{ if and (ne .Values.image.arch "-native") (ne .Values.image.arch "-native-arm64v8") }}
             {{- with .Values.resourcesAnnotations }}

helm/core/core/application/templates/deployment.yaml

@@ -53,6 +53,10 @@ initContainers:
 oidc:
   enabled:
 
-
 multiTenancy:
-  tenants: "0,5"
+  tenants: "0,5"
+
+secrets:
+  - name: postgresql-secret
+  - name: kafka-secret
+  - name: s3-secret

helm/core/core/application/values.yaml

@@ -36,7 +36,7 @@ resource "helm_release" "kafka" {
   }
   set_sensitive {
     name = "sasl.client.passwords[0]"
-    value = kubernetes_secret.kafka_secret.data["password"]
+    value = kubernetes_secret.kafka_secret["core"].data["password"]
   }
   set {
     name  = "networkPolicy.enabled"

terraform/core/catalog.tf renamed to terraform/core/catalog.arc

@@ -27,11 +27,11 @@ resource "helm_release" "postgresql" {
   }
   set_sensitive {
     name  = "global.postgresql.auth.username"
-    value = kubernetes_secret.postgresql_secret.data["username"]
+    value = kubernetes_secret.postgresql_secret["core"].data["username"]
   }
   set_sensitive {
     name  = "global.postgresql.auth.password"
-    value = kubernetes_secret.postgresql_secret.data["password"]
+    value = kubernetes_secret.postgresql_secret["core"].data["password"]
   }
   set {
     name  = "primary.networkPolicy.enabled"

terraform/data/kafka.tf

@@ -13,11 +13,11 @@ resource "helm_release" "s3-minio" {
 
   set {
     name  = "auth.rootUser"
-    value = kubernetes_secret.s3_secret.data["username"]
+    value = kubernetes_secret.s3_secret["core"].data["username"]
   }
   set_sensitive {
     name  = "auth.rootPassword"
-    value = kubernetes_secret.s3_secret.data["password"]
+    value = kubernetes_secret.s3_secret["core"].data["password"]
   }
   set {
     name  = "readinessProbe.initialDelaySeconds"

terraform/data/postgres.tf

@@ -13,10 +13,17 @@ resource "random_password" "oidc_session_secret" {
   special          = false
 }
 
+variable "namespaces" {
+  type    = list(string)
+  default = ["data", "core", "event", "invoice"]
+}
+
 resource "kubernetes_secret" "postgresql_secret" {
+  for_each = toset(var.namespaces)
+
   metadata {
     name      = "postgresql-secret"
-    namespace = "data"
+    namespace = each.key
   }
 
   data = {
@@ -30,10 +37,13 @@ resource "kubernetes_secret" "postgresql_secret" {
   type = "Opaque"
 }
 
+
 resource "kubernetes_secret" "s3_secret" {
+  for_each = toset(var.namespaces)
+
   metadata {
     name      = "s3-secret"
-    namespace = "data"
+    namespace = each.key
   }
 
   data = {
@@ -48,9 +58,11 @@ resource "kubernetes_secret" "s3_secret" {
 }
 
 resource "kubernetes_secret" "kafka_secret" {
+  for_each = toset(var.namespaces)
+
   metadata {
     name      = "kafka-secret"
-    namespace = "data"
+    namespace = each.key
   }
 
   data = {