diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf
index 9da650fd..3431851c 100644
--- a/stacks/platform/main.tf
+++ b/stacks/platform/main.tf
@@ -432,6 +432,14 @@ module "cnpg" {
   tier = local.tiers.cluster
 }
 
+# -----------------------------------------------------------------------------
+# Sealed Secrets — encrypts secrets for safe git storage
+# -----------------------------------------------------------------------------
+module "sealed-secrets" {
+  source = "./modules/sealed-secrets"
+  tier = local.tiers.cluster
+}
+
 # -----------------------------------------------------------------------------
 # NVIDIA — GPU device plugin
 # -----------------------------------------------------------------------------
diff --git a/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts b/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts
index 696ab6dc..0f1b18e7 100644
--- a/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts
+++ b/stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts
@@ -92,6 +92,19 @@ else
   echo "[OK] kubelogin installed"
 fi
 
+# Install kubeseal
+if command -v kubeseal &>/dev/null; then
+  echo "[OK] kubeseal already installed"
+else
+  echo "[..] Installing kubeseal..."
+  KUBESEAL_VERSION=\$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/bitnami-labs/sealed-secrets/releases/latest | grep -o '[^/]*\$')
+  curl -fsSLO "https://github.com/bitnami-labs/sealed-secrets/releases/download/\${KUBESEAL_VERSION}/kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz"
+  tar -xzf "kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz" kubeseal
+  \$SUDO mv kubeseal "\$INSTALL_DIR/"
+  rm -f "kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz"
+  echo "[OK] kubeseal installed"
+fi
+
 # Write kubeconfig
 mkdir -p ~/.kube
 cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
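Review bot: The kubeseal binary is installed from an unpinned "latest" release and executed without any integrity check — the `KUBESEAL_VERSION=\$(curl … /releases/latest …)` line resolves whatever GitHub currently redirects to, and the following `curl -fsSLO`/`tar`/`mv` lines trust the tarball as-is, so a replaced or tampered release asset lands in `\$INSTALL_DIR` with nothing to notice it. Pin the client version in the script (the controller chart is pinned to 2.18.3 elsewhere in this change, the client should be pinned to match) and compare the tarball's sha256 against a pinned digest before extracting; the rewritten lines below do that. The `linux-amd64` suffix is also hard-coded, so on an arm64 host the script fetches a binary that will not run — a `uname -m` switch or at least a comment stating the supported architecture is warranted. This block sits inside a TypeScript template literal whose opening and closing lie outside the hunk, which is why the shell `$` are written as `\$`.
```typescript
  echo "[..] Installing kubeseal..."
  # Pin the client release instead of resolving /releases/latest at run time.
  KUBESEAL_VERSION="vX.Y.Z"                 # TODO: set to the release matching the controller chart
  KUBESEAL_SHA256="<sha256 of the tarball>" # TODO: take from the release's published checksums
  KUBESEAL_TARBALL="kubeseal-\${KUBESEAL_VERSION#v}-linux-amd64.tar.gz"
  curl -fsSLO "https://github.com/bitnami-labs/sealed-secrets/releases/download/\${KUBESEAL_VERSION}/\${KUBESEAL_TARBALL}"
  # Refuse to extract anything whose digest does not match the pinned value.
  echo "\${KUBESEAL_SHA256}  \${KUBESEAL_TARBALL}" | sha256sum -c - || { echo "[ERROR] kubeseal checksum mismatch"; rm -f "\${KUBESEAL_TARBALL}"; exit 1; }
  tar -xzf "\${KUBESEAL_TARBALL}" kubeseal
  \$SUDO mv kubeseal "\$INSTALL_DIR/"
  rm -f "\${KUBESEAL_TARBALL}"
  # … unchanged: [OK] message and fi …
```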
@@ -146,6 +159,15 @@ else
   echo "[OK] kubelogin installed"
 fi
 
+# Install kubeseal
+if command -v kubeseal &>/dev/null; then
+  echo "[OK] kubeseal already installed"
+else
+  echo "[..] Installing kubeseal..."
+  brew install kubeseal
+  echo "[OK] kubeseal installed"
+fi
+
 # Write kubeconfig
 mkdir -p ~/.kube
 cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
diff --git a/stacks/platform/modules/sealed-secrets/main.tf b/stacks/platform/modules/sealed-secrets/main.tf
new file mode 100644
index 00000000..aa9965d9
--- /dev/null
+++ b/stacks/platform/modules/sealed-secrets/main.tf
@@ -0,0 +1,46 @@
+variable "tier" { type = string }
+
+# -----------------------------------------------------------------------------
+# Namespace
+# -----------------------------------------------------------------------------
+resource "kubernetes_namespace" "sealed_secrets" {
+  metadata {
+    name = "sealed-secrets"
+    labels = {
+      tier = var.tier
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Sealed Secrets — encrypts secrets for safe git storage
+# https://github.com/bitnami-labs/sealed-secrets
+# -----------------------------------------------------------------------------
+resource "helm_release" "sealed_secrets" {
+  namespace = kubernetes_namespace.sealed_secrets.metadata[0].name
+  create_namespace = false
+  name = "sealed-secrets"
+  atomic = true
+  timeout = 300
+
+  repository = "https://bitnami-labs.github.io/sealed-secrets"
+  chart = "sealed-secrets"
+  version = "2.18.3"
+
+  values = [yamlencode({
+    crds = {
+      create = true
+    }
+
+    resources = {
+      requests = {
+        cpu = "50m"
+        memory = "64Mi"
+      }
+      limits = {
+        cpu = "250m"
+        memory = "256Mi"
+      }
+    }
+  })]
+}
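Review bot: `brew install kubeseal` can fail (Homebrew absent, network error, formula failure), yet the next line unconditionally prints `[OK] kubeseal installed` — unless the generated script runs under `set -e`, which is not visible in this hunk, the user sees success and later hits a missing binary. Tie the message to the outcome: `brew install kubeseal || { echo "[ERROR] kubeseal install failed"; exit 1; }`. Like the Linux branch, this installs whatever version the formula currently ships rather than one pinned to the 2.18.3 controller chart; a one-line comment stating which client versions the controller is expected to accept, or a `kubeseal --version` print after install, would make skew visible. The enclosing template literal starts and ends outside the hunk.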
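Review bot: Nothing in this module addresses custody of the controller's sealing keypair, which is the one secret that decrypts every SealedSecret committed to git: it is generated into the `sealed-secrets` namespace created here, anyone who can read Secrets in that namespace can recover all sealed material, and losing it makes the committed copies unrecoverable. Add a header comment above `resource "helm_release" "sealed_secrets"` stating that the private-key Secrets in this namespace (those labelled `sealedsecrets.bitnami.com/sealed-secrets-key`) must be backed up out-of-band and that Secret read access in the namespace must be limited to the controller and cluster operators, and consider enforcing that with RBAC and a backup job in a follow-up. Separately, the release is named `sealed-secrets` with no `fullnameOverride`, so the controller Deployment presumably will not carry the `sealed-secrets-controller` name that kubeseal looks for by default; either set `fullnameOverride = "sealed-secrets-controller"` in the values or document that clients must pass `--controller-name sealed-secrets --controller-namespace sealed-secrets`.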