Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
--- a/clusters/noble/bootstrap/external-secrets/README.md
+++ b/clusters/noble/bootstrap/external-secrets/README.md
@@ -0,0 +1,60 @@
+# External Secrets Operator (noble)
+
+Syncs secrets from external systems into Kubernetes **Secret** objects via **ExternalSecret** / **ClusterExternalSecret** CRDs.
+
+- **Chart:** `external-secrets/external-secrets` **2.2.0** (app **v2.2.0**)
+- **Namespace:** `external-secrets`
+- **Helm release name:** `external-secrets` (matches the operator **ServiceAccount** name `external-secrets`)
+
+## Install
+
+```bash
+helm repo add external-secrets https://charts.external-secrets.io
+helm repo update
+kubectl apply -f clusters/noble/apps/external-secrets/namespace.yaml
+helm upgrade --install external-secrets external-secrets/external-secrets -n external-secrets \
+  --version 2.2.0 -f clusters/noble/apps/external-secrets/values.yaml --wait
+```
+
+Verify:
+
+```bash
+kubectl -n external-secrets get deploy,pods
+kubectl get crd | grep external-secrets
+```
+
+## Vault `ClusterSecretStore` (after Vault is deployed)
+
+The checklist expects a **Vault**-backed store. Install Vault first (`talos/CLUSTER-BUILD.md` Phase E — Vault on Longhorn + auto-unseal), then:
+
+1. Enable **KV v2** secrets engine and **Kubernetes** auth in Vault; create a **role** (e.g. `external-secrets`) that maps the cluster’s **`external-secrets` / `external-secrets`** service account to a policy that can read the paths you need.
+2. Copy **`examples/vault-cluster-secret-store.yaml`**, set **`spec.provider.vault.server`** to your Vault URL. This repo’s Vault Helm values use **HTTP** on port **8200** (`global.tlsDisable: true`): **`http://vault.vault.svc.cluster.local:8200`**. Use **`https://`** if you enable TLS on the Vault listener.
+3. If Vault uses a **private TLS CA**, configure **`caProvider`** or **`caBundle`** on the Vault provider — see [HashiCorp Vault provider](https://external-secrets.io/latest/provider/hashicorp-vault/). Do not commit private CA material to public git unless intended.
+4. Apply: **`kubectl apply -f …/vault-cluster-secret-store.yaml`**
+5. Confirm the store is ready: **`kubectl describe clustersecretstore vault`**
+
+Example **ExternalSecret** (after the store is healthy):
+
+```yaml
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: demo
+  namespace: default
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: demo-synced
+  data:
+    - secretKey: password
+      remoteRef:
+        key: secret/data/myapp
+        property: password
+```
+
+## Upgrades
+
+Pin the chart version in `values.yaml` header comments; run the same **`helm upgrade --install`** with the new **`--version`** after reviewing [release notes](https://github.com/external-secrets/external-secrets/releases).