stacks_adding_alloy/template/stacks/local-backup/minio/manifests/secret-sync.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
subjects:
  - kind: ServiceAccount
    name: secret-sync
    namespace: minio-backup
roleRef:
  kind: Role
  name: secret-sync
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-sync
  namespace: velero
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-sync
  namespace: velero
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-20"
subjects:
  - kind: ServiceAccount
    name: secret-sync
    namespace: minio-backup
roleRef:
  kind: Role
  name: secret-sync
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  name: secret-sync
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: PostSync
spec:
  template:
    metadata:
      generateName: secret-sync
    spec:
      serviceAccountName: secret-sync
      restartPolicy: Never
      containers:
        - name: kubectl
          image: docker.io/bitnami/kubectl
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -e
              kubectl get secrets -n minio-backup root-creds -o json > /tmp/secret
              ACCESS=$(jq -r '.data.rootUser | @base64d'  /tmp/secret)
              SECRET=$(jq -r '.data.rootPassword | @base64d'  /tmp/secret)
              
              echo \
              "apiVersion: v1
              kind: Secret
              metadata:
                name: secret-key
                namespace: velero
              type: Opaque
              stringData:
                aws: |
                  [default]
                    aws_access_key_id=${ACCESS}
                    aws_secret_access_key=${SECRET}
              " > /tmp/secret.yaml
              
              kubectl apply -f /tmp/secret.yaml
---
apiVersion: batch/v1
kind: Job
metadata:
  name: minio-root-creds
  namespace: minio-backup
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "-10"
spec:
  template:
    metadata:
      generateName: minio-root-creds
    spec:
      serviceAccountName: secret-sync
      restartPolicy: Never
      containers:
        - name: kubectl
          image: docker.io/bitnami/kubectl
          command: ["/bin/bash", "-c"]
          args:
            - |
              kubectl get secrets -n minio-backup root-creds
              if [ $? -eq 0 ]; then
                exit 0
              fi
              
              set -e
              
              NAME=$(openssl rand -base64 24)
              PASS=$(openssl rand -base64 36)
              
              echo \
              "apiVersion: v1
              kind: Secret
              metadata:
                name: root-creds
                namespace: minio-backup
              type: Opaque
              stringData:
                rootUser: "${NAME}"
                rootPassword: "${PASS}"
              " > /tmp/secret.yaml
              
              kubectl apply -f /tmp/secret.yaml
Backported changes of stacks in edfbuilder repo 2024-12-07 23:29:28 +00:00			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: secret-sync`
			`namespace: minio-backup`
			`annotations:`
			`argocd.argoproj.io/hook: Sync`
			`argocd.argoproj.io/sync-wave: "-20"`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: secret-sync`
			`namespace: minio-backup`
			`annotations:`
			`argocd.argoproj.io/hook: Sync`
			`argocd.argoproj.io/sync-wave: "-20"`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get", "create", "update", "patch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: secret-sync`
			`namespace: minio-backup`
			`annotations:`
			`argocd.argoproj.io/hook: Sync`
			`argocd.argoproj.io/sync-wave: "-20"`
			`subjects:`
			`- kind: ServiceAccount`
			`name: secret-sync`
			`namespace: minio-backup`
			`roleRef:`
			`kind: Role`
			`name: secret-sync`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: secret-sync`
			`namespace: velero`
			`annotations:`
			`argocd.argoproj.io/hook: Sync`
			`argocd.argoproj.io/sync-wave: "-20"`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get", "create", "update", "patch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: secret-sync`
			`namespace: velero`
			`annotations:`
			`argocd.argoproj.io/hook: Sync`
			`argocd.argoproj.io/sync-wave: "-20"`
			`subjects:`
			`- kind: ServiceAccount`
			`name: secret-sync`
			`namespace: minio-backup`
			`roleRef:`
			`kind: Role`
			`name: secret-sync`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: secret-sync`
			`namespace: minio-backup`
			`annotations:`
			`argocd.argoproj.io/hook: PostSync`
			`spec:`
			`template:`
			`metadata:`
			`generateName: secret-sync`
			`spec:`
			`serviceAccountName: secret-sync`
			`restartPolicy: Never`
			`containers:`
			`- name: kubectl`
			`image: docker.io/bitnami/kubectl`
			`command: ["/bin/bash", "-c"]`
			`args:`
			`- \|`
			`set -e`
			`kubectl get secrets -n minio-backup root-creds -o json > /tmp/secret`
			`ACCESS=$(jq -r '.data.rootUser \| @base64d' /tmp/secret)`
			`SECRET=$(jq -r '.data.rootPassword \| @base64d' /tmp/secret)`

			`echo \`
			`"apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: secret-key`
			`namespace: velero`
			`type: Opaque`
			`stringData:`
			`aws: \|`
			`[default]`
			`aws_access_key_id=${ACCESS}`
			`aws_secret_access_key=${SECRET}`
			`" > /tmp/secret.yaml`

			`kubectl apply -f /tmp/secret.yaml`
			`---`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
			`name: minio-root-creds`
			`namespace: minio-backup`
			`annotations:`
			`argocd.argoproj.io/hook: Sync`
			`argocd.argoproj.io/sync-wave: "-10"`
			`spec:`
			`template:`
			`metadata:`
			`generateName: minio-root-creds`
			`spec:`
			`serviceAccountName: secret-sync`
			`restartPolicy: Never`
			`containers:`
			`- name: kubectl`
			`image: docker.io/bitnami/kubectl`
			`command: ["/bin/bash", "-c"]`
			`args:`
			`- \|`
			`kubectl get secrets -n minio-backup root-creds`
			`if [ $? -eq 0 ]; then`
			`exit 0`
			`fi`

			`set -e`

			`NAME=$(openssl rand -base64 24)`
			`PASS=$(openssl rand -base64 36)`

			`echo \`
			`"apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: root-creds`
			`namespace: minio-backup`
			`type: Opaque`
			`stringData:`
			`rootUser: "${NAME}"`
			`rootPassword: "${PASS}"`
			`" > /tmp/secret.yaml`

			`kubectl apply -f /tmp/secret.yaml`