Add credential-change delegated applier flow

2026-07-01 20:07:26 +02:00
parent c626bfcf15
commit a95236d2e5
21 changed files with 2705 additions and 119 deletions


@@ -11,6 +11,9 @@ ESO_NAMESPACE="${ESO_NAMESPACE:-external-secrets}"
ESO_SERVICE_ACCOUNT="${ESO_SERVICE_ACCOUNT:-external-secrets}"
REPO_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
POLICY_FILE="${POLICY_FILE:-$REPO_DIR/openbao/policies/external-secrets-issue-core.hcl}"
NEXT_KV_PATH="${OPENBAO_ESO_NEXT_PATH:-platform/workloads/issue-core/issue-core/issue-core-runtime}"
NEXT_FIELDS="${OPENBAO_ESO_NEXT_FIELDS:-ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN}"
NEXT_TARGET="${OPENBAO_ESO_NEXT_TARGET:-ExternalSecret/issue-core-runtime}"
DRY_RUN=0
usage() {
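Review bot: The new `NEXT_KV_PATH`, `NEXT_FIELDS` and `NEXT_TARGET` values feed only the closing instructions, and nothing in this hunk ties them to `POLICY_FILE`, which presumably decides what the role can actually read. An operator who overrides `OPENBAO_ESO_NEXT_PATH` without a matching policy would be told to provision a path the ExternalSecret cannot fetch. I would add a comment above the three assignments, for example `# Display-only: shown in the final "Next steps" text; keep in sync with the path granted by POLICY_FILE.` The body of `usage()` lies outside the hunk; if it lists environment variables, the three `OPENBAO_ESO_NEXT_*` names belong there too.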
@@ -125,13 +128,12 @@ remote_bao "$token" write "auth/kubernetes/role/${ROLE_NAME}" \
remote_bao "$token" read "auth/kubernetes/role/${ROLE_NAME}"
cat <<'NEXT'
cat <<NEXT
External Secrets OpenBao role configured.
Next steps:
1. Sync the external-secrets and openbao-secretstore ArgoCD Applications.
2. Provision platform/workloads/issue-core/issue-core/issue-core-runtime
with ISSUE_CORE_API_KEY and GITEA_BACKEND_TOKEN without printing values.
3. Confirm ExternalSecret/issue-core-runtime becomes Ready.
2. Provision ${NEXT_KV_PATH} with ${NEXT_FIELDS} without printing values.
3. Confirm ${NEXT_TARGET} becomes Ready.
NEXT
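Review bot: Switching to the unquoted delimiter in `cat <<NEXT` makes the whole here-document subject to parameter expansion, command substitution and backslash processing, not only the `${NEXT_*}` references in steps 2 and 3. The substituted values are not re-scanned, so an overridden `OPENBAO_ESO_NEXT_*` value is printed rather than executed, but any `$` or backtick later added to this operator text would be interpreted. Either keep the static lines in a quoted here-document and emit the two variable steps with `printf '%s\n' "2. Provision ${NEXT_KV_PATH} with ${NEXT_FIELDS} without printing values."`, or add a comment above the `cat` such as `# Unquoted on purpose: only the NEXT_* variables are meant to expand here.` Since these values come from the environment and go straight to the terminal, they should stay limited to path and name text and never carry secret material.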