Draft: Cluster-secrets units for root password

Thomas Monguillon requested to merge tmon/cluster-secrets into main

closes #722

This MR brings a new unit called cluster-secrets which is able to reconfigure Kyverno to manage passwords per cluster. This unit is composed of the following sub-units:

  • cluster-secrets/kyverno, which reconfigures Kyverno to manage the K8S objects used in the generation of a secret per cluster in Vault, replicated by ESO
  • cluster-secrets/init, which allows declaring the K8S requirements managed via Kyverno in the target NS where a cluster is deployed. Here we need a Vault K8S Auth role and a dedicated SA to allow the target NS to access the dedicated NS in Vault
  • cluster-secrets/cluster-root-secret, which allows declaring a RandomSecret + related ESO for the root account of the machines of the cluster.

In addition, the S-C-C chart is modified to use, as an optional secret, the cluster-root-secret generated by the objects injected by Kyverno. This allows, when the secret is present or modified, the cloud-init config of the target cluster to be regenerated and thus the password to be injected.
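As an added illustration, not part of this MR's files, the manifests below sketch the Kyverno generate rule and ESO objects the description refers to: a ClusterPolicy that, for every namespace carrying an opt-in label, generates an ExternalSecret named cluster-root-secret that pulls the root password from a per-cluster Vault path, and a SecretStore in the target NS that reaches Vault through the K8S Auth role and dedicated SA. The label, Vault server, mount path, role and SA names are assumptions; the RandomSecret that seeds the Vault path is not shown.

```yaml
# Added example, not the MR's files; label, Vault server, mount, role and SA names are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cluster-root-secret
spec:
  rules:
    - name: generate-root-secret-eso
      match:
        any:
          - resources:
              kinds: [Namespace]
              selector:
                matchLabels:
                  cluster-secrets/enabled: "true"   # assumed opt-in label on the target NS
      generate:
        apiVersion: external-secrets.io/v1beta1
        kind: ExternalSecret
        name: cluster-root-secret
        namespace: "{{request.object.metadata.name}}"   # generated inside the target NS
        synchronize: true   # Kyverno re-creates the object if it is deleted or edited
        data:
          spec:
            secretStoreRef:
              name: vault-cluster-secrets
              kind: SecretStore
            target:
              name: cluster-root-secret   # the optional Secret the S-C-C chart consumes
            data:
              - secretKey: password
                remoteRef:
                  key: "{{request.object.metadata.name}}/root"   # one Vault path per cluster
                  property: password
---
# SecretStore living in the target NS: reads Vault through the K8S Auth role bound to the dedicated SA.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-cluster-secrets
spec:
  provider:
    vault:
      server: https://vault.example.internal
      path: clusters   # KV v2 mount holding one path per cluster
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: cluster-secrets-<target-namespace>   # Vault K8S Auth role from cluster-secrets/init
          serviceAccountRef:
            name: cluster-secrets   # dedicated SA from cluster-secrets/init
```

Because the Vault role is bound to one SA in one namespace, a cluster's namespace can only read its own path, which is the per-cluster isolation the description relies on.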