Draft: Cluster-secrets units for root password
closes #722
This MR brings a new unit called cluster-secrets, which is able to reconfigure Kyverno to manage a password per cluster. This unit is composed of the following sub-units:
- cluster-secrets/kyverno, which reconfigures Kyverno to manage the K8S objects used in the generation of a secret per cluster in Vault and replicated by ESO
- cluster-secrets/init, which allows declaring K8S requirements managed via Kyverno in the target NS, where a cluster is deployed. Here we need a Vault K8S Auth role and a dedicated SA to allow the target NS to access the dedicated NS in Vault
- cluster-secrets/cluster-root-secret, which allows declaring a RandomSecret + related ESO for the root account of the machines of the cluster.
In addition to that, the S-C-C chart is modified to use, as an optional secret, the cluster-root-secret generated by the objects injected by Kyverno. This allows, when the secret is present or modified, regenerating the cloud-init config of the target cluster and thus injecting the password.