Update CLUSTER-BUILD.md to reflect the current state of the Talos cluster, detailing progress through Phase D (observability) and advancements in Phase E (secrets). Include updates on Sealed Secrets, External Secrets Operator, and Vault configurations, along with deployment instructions and next steps for Kubernetes auth and ClusterSecretStore integration. Mark relevant tasks as completed and outline remaining objectives for future phases.

2026-03-28 01:17:22 -04:00
parent d2b52f3518
commit a5e624f542
12 changed files with 454 additions and 5 deletions
--- a/clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
+++ b/clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
@@ -0,0 +1,31 @@
+# ClusterSecretStore for HashiCorp Vault (KV v2) using Kubernetes auth.
+#
+# Do not apply until Vault is running, reachable from the cluster, and configured with:
+# - Kubernetes auth at mountPath (default: kubernetes)
+# - A role (below: external-secrets) bound to this service account:
+#     name: external-secrets
+#     namespace: external-secrets
+# - A policy allowing read on the KV path used below (e.g. secret/data/* for path "secret")
+#
+# Adjust server, mountPath, role, and path to match your Vault deployment. If Vault uses TLS
+# with a private CA, set provider.vault.caProvider or caBundle (see README).
+#
+# kubectl apply -f clusters/noble/apps/external-secrets/examples/vault-cluster-secret-store.yaml
+---
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "http://vault.vault.svc.cluster.local:8200"
+      path: secret
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: external-secrets
+          serviceAccountRef:
+            name: external-secrets
+            namespace: external-secrets