A Helm chart to build and deploy secrets using external-secrets for ansible-edge-gitops
This chart is used to set up the Ansible Automation Platform Operator version 2.5.
-
v0.1.2: Introduce EXTRA_PLAYBOOK_OPTS to config job, to allow for extra vars and -v options (usually -vvv) to be passed to playbook to help debug it
-
v0.1.3: Introduce "bootstrap" phase; this means that the config job will run until it succeeds, and only then proceed to create the cronjob to re-configure. It also means the cronjob scheduling is nowehere near as aggressive (every even hour at the 10-minute mark instead of every ten minutes as previously).
-
v0.1.4: Use vp-rbac subchart to configure RBACs instead of local code. Introduce external secrets validation job to prevent argo from proceeding past ES creation and erroring out early.
-
v0.1.5: Extend default deadline for external secret validation job. Remove namespaces from external secrets validation.
-
v0.2.0: Breaking External Secrets API Version updated to
v1fromv1beta1. To use this version, you will also need to update your pattern to use theopenshift-external-secrets-operatorandopenshift-external-secretshelm chart. -
v0.2.1: Support credential (HTTPS or SSH) injection for git client in AGOF config jobs.
-
v0.2.2: Make agof-vault-file optional. Allow for skipping of the local Vault Hub instance integration if desired.
-
v0.2.3: Align with AGOF config-as-code naming and git authentication. Add
agof.cac_repo/agof.cac_revision(preferred over legacyiac_repo/iac_revision). Git credential injection in init now covers both AGOF and the config-as-code repo URL. Requires a compatible AGOF revision (see agof README OpenShift section). -
v0.2.4: Add
agof.gitHttpsSslVerifyto disable TLS verification for HTTPS git operations whenagof_repoor the config-as-code repo uses an untrusted or private CA (lab use only). Applies to the init-container AGOF clone and is passed through to AGOF for the config-as-code checkout.
When agof_repo or the config-as-code repo (agof.cac_repo / agof.iac_repo) is
private, set agof.gitAuthSecret to the name of a Kubernetes Secret in the same
namespace. The init container mounts that Secret and configures git before cloning
AGOF. Use one authentication shape per Secret; the chart checks mechanisms in
this order: .git-credentials, then ssh-privatekey, then HTTPS
username/password/token.
Pattern Helm values:
agof:
gitAuthSecret: git-auth-secret
# Optional: populate the Secret from Vault via External Secrets (VP-Secrets-v2 below)
gitAuthVaultKey: secret/data/hub/git-auth-secret
# Used only for token-only HTTPS Secrets (see examples)
gitAuthHttpsStyle: auto # auto | github | gitlab | giteaBy default, HTTPS git operations validate the server TLS certificate against the
container trust store. When agof_repo or the config-as-code repo
(agof.cac_repo / agof.iac_repo) is served by a host with a private or
corporate CA that is not installed in the image, set:
agof:
gitHttpsSslVerify: falseThis disables certificate verification for the init-container clone of AGOF and
for the config-as-code repo checkout during configure_aap. Prefer installing the
CA in the container image or on the provisioner for production.
Secret key .git-credentials is copied to ~/.git-credentials and used with
credential.helper store. One line per host; credentials apply to both AGOF and
the config-as-code repo when the host matches.
VP-Secrets-v2:
- name: git-auth-secret
fields:
- name: .git-credentials
value: |
https://x-access-token:ghp_xxxxxxxxxxxxxxxxxxxx@github.comMultiple hosts (GitLab, Forgejo, etc.):
- name: git-auth-secret
fields:
- name: .git-credentials
value: |
https://oauth2:glpat-xxxxxxxxxxxxxxxxxxxx@gitlab.com
https://my-gitea-user:0123456789abcdef0123456789abcdef01234567@forgejo.example.comThe init container writes a git credential-store entry for each unique host parsed
from agof_repo and the config-as-code repo URL.
Username and password:
- name: git-auth-secret
fields:
- name: username
value: my-gitea-user
- name: password
value: my-secret-passwordUsername and token (PAT / deploy token):
- name: git-auth-secret
fields:
- name: username
value: x-access-token
- name: token
value: ghp_xxxxxxxxxxxxxxxxxxxxWhen the Secret has a token key but no username, the chart picks the HTTPS
username from agof.gitAuthHttpsStyle and the repo host (auto: GitHub → git,
GitLab / Gitea / Forgejo / Codeberg → oauth2, otherwise git).
GitHub PAT:
agof:
gitAuthSecret: git-auth-secret
gitAuthVaultKey: secret/data/hub/git-auth-secret
gitAuthHttpsStyle: auto
secrets:
- name: git-auth-secret
fields:
- name: token
value: ghp_xxxxxxxxxxxxxxxxxxxxGitLab project or group access token:
- name: git-auth-secret
fields:
- name: token
value: glpat-xxxxxxxxxxxxxxxxxxxxForce a platform username when auto does not match your host (for example a
self-managed GitLab hostname):
agof:
gitAuthSecret: git-auth-secret
gitAuthHttpsStyle: gitlab
secrets:
- name: git-auth-secret
fields:
- name: token
value: glpat-xxxxxxxxxxxxxxxxxxxxSecret key ssh-privatekey is installed as ~/.ssh/id_rsa. When known_hosts is
present it is copied to ~/.ssh/known_hosts and SSH uses strict host key
checking. When known_hosts is omitted, SSH uses StrictHostKeyChecking=accept-new
for the clone.
Deploy key with pinned host key (recommended):
- name: git-auth-secret
fields:
- name: ssh-privatekey
path: /path/to/deploy_key # or use value: with inline PEM/OpenSSH key
- name: known_hosts
value: |
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...
# obtain with: ssh-keyscan -t ed25519 github.comDeploy key without known_hosts (accepts the host key on first connect):
- name: git-auth-secret
fields:
- name: ssh-privatekey
value: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----Self-managed Forgejo / Gitea:
- name: git-auth-secret
fields:
- name: ssh-privatekey
path: /path/to/forgejo_deploy_key
- name: known_hosts
value: |
forgejo.example.com ssh-ed25519 AAAA...You can also create the Secret directly (for example kubernetes.io/ssh-auth) as
long as the data keys are ssh-privatekey and optionally known_hosts, and
agof.gitAuthSecret points at that Secret name.
---
# NEVER COMMIT THESE VALUES TO GIT
version: "2.0"
secrets:
- name: aap-manifest
fields:
- name: b64content
path: 'full pathname of file containing Satellite Manifest for entitling Ansible Automation Platform'
base64: true
- name: automation-hub-token
fields:
- name: token
value: 'An automation hub token for retrieving Certified and Validated Ansible content'
# Optional
- name: agof-vault-file
fields:
- name: agof-vault-file
path: 'full pathname of a valid agof_vault file for secrets to overlay the iac config'
base64: true
# Optional: private git auth for agof_repo and/or config-as-code repo (see section above)
- name: git-auth-secret
fields:
- name: token
value: ghp_xxxxxxxxxxxxxxxxxxxxHomepage: https://github.com/validatedpatterns/aap-config-chart.git
| Repository | Name | Version |
|---|---|---|
| https://charts.validatedpatterns.io | vp-rbac | 0.1.* |
| Key | Type | Default | Description |
|---|---|---|---|
| aapManifest.key | string | "secret/data/hub/aap-manifest" |
|
| agof.agof_repo | string | "https://github.com/validatedpatterns/agof.git" |
|
| agof.agof_revision | string | "v2" |
|
| agof.automationHubTokenKey | string | "secret/data/hub/automation-hub-token" |
|
| agof.cac_repo | string | "" |
|
| agof.cac_revision | string | "" |
|
| agof.doAutoHubVaultConfig | bool | true |
|
| agof.extraPlaybookOpts | string | "" |
|
| agof.gitAuthHttpsStyle | string | "auto" |
|
| agof.gitAuthSecret | string | "" |
|
| agof.gitAuthVaultKey | string | "" |
|
| agof.gitHttpsSslVerify | bool | true |
|
| agof.iac_repo | string | "https://github.com/validatedpatterns-demos/ansible-edge-gitops-hmi-config-as-code.git" |
|
| agof.iac_revision | string | "main" |
|
| agof.vaultFileKey | string | "" |
|
| configJob.activeDeadlineSeconds | int | 3600 |
|
| configJob.configTimeout | int | 1800 |
|
| configJob.image | string | "quay.io/hybridcloudpatterns/imperative-container:v1" |
|
| configJob.imagePullPolicy | string | "Always" |
|
| configJob.schedule | string | "10 */2 * * *" |
|
| secretStore.kind | string | "ClusterSecretStore" |
|
| secretStore.name | string | "vault-backend" |
|
| serviceAccountName | string | "aap-config-sa" |
|
| serviceAccountNamespace | string | "aap-config" |
|
| validationJob.activeDeadlineSeconds | int | 3600 |
|
| validationJob.disabled | bool | false |
|
| vp-rbac.clusterRoles.view-routes.rules[0].apiGroups[0] | string | "route.openshift.io" |
|
| vp-rbac.clusterRoles.view-routes.rules[0].resources[0] | string | "routes" |
|
| vp-rbac.clusterRoles.view-routes.rules[0].verbs[0] | string | "get" |
|
| vp-rbac.clusterRoles.view-routes.rules[0].verbs[1] | string | "list" |
|
| vp-rbac.clusterRoles.view-routes.rules[0].verbs[2] | string | "watch" |
|
| vp-rbac.clusterRoles.view-secrets-cms.rules[0].apiGroups[0] | string | "" |
|
| vp-rbac.clusterRoles.view-secrets-cms.rules[0].resources[0] | string | "secrets" |
|
| vp-rbac.clusterRoles.view-secrets-cms.rules[0].resources[1] | string | "configmaps" |
|
| vp-rbac.clusterRoles.view-secrets-cms.rules[0].verbs[0] | string | "get" |
|
| vp-rbac.clusterRoles.view-secrets-cms.rules[0].verbs[1] | string | "list" |
|
| vp-rbac.clusterRoles.view-secrets-cms.rules[0].verbs[2] | string | "watch" |
|
| vp-rbac.roles.external-secrets-validator.rules[0].apiGroups[0] | string | "external-secrets.io" |
|
| vp-rbac.roles.external-secrets-validator.rules[0].resources[0] | string | "externalsecrets" |
|
| vp-rbac.roles.external-secrets-validator.rules[0].verbs[0] | string | "get" |
|
| vp-rbac.roles.external-secrets-validator.rules[0].verbs[1] | string | "list" |
|
| vp-rbac.roles.external-secrets-validator.rules[0].verbs[2] | string | "watch" |
|
| vp-rbac.roles.external-secrets-validator.rules[1].apiGroups[0] | string | "" |
|
| vp-rbac.roles.external-secrets-validator.rules[1].resources[0] | string | "secrets" |
|
| vp-rbac.roles.external-secrets-validator.rules[1].verbs[0] | string | "get" |
|
| vp-rbac.roles.external-secrets-validator.rules[1].verbs[1] | string | "list" |
|
| vp-rbac.roles.external-secrets-validator.rules[1].verbs[2] | string | "watch" |
|
| vp-rbac.roles.external-secrets-validator.rules[2].apiGroups[0] | string | "authorization.k8s.io" |
|
| vp-rbac.roles.external-secrets-validator.rules[2].resources[0] | string | "selfsubjectrulesreviews" |
|
| vp-rbac.roles.external-secrets-validator.rules[2].verbs[0] | string | "create" |
|
| vp-rbac.roles.view-all.rules[0].apiGroups[0] | string | "*" |
|
| vp-rbac.roles.view-all.rules[0].resources[0] | string | "*" |
|
| vp-rbac.roles.view-all.rules[0].verbs[0] | string | "get" |
|
| vp-rbac.roles.view-all.rules[0].verbs[1] | string | "list" |
|
| vp-rbac.roles.view-all.rules[0].verbs[2] | string | "watch" |
|
| vp-rbac.serviceAccounts.aap-config-sa.namespace | string | "aap-config" |
|
| vp-rbac.serviceAccounts.aap-config-sa.roleBindings.clusterRoles[0] | string | "view-secrets-cms" |
|
| vp-rbac.serviceAccounts.aap-config-sa.roleBindings.clusterRoles[1] | string | "view-routes" |
|
| vp-rbac.serviceAccounts.aap-config-sa.roleBindings.roles[0] | string | "view-all" |
|
| vp-rbac.serviceAccounts.aap-config-sa.roleBindings.roles[1] | string | "external-secrets-validator" |
Autogenerated from chart metadata using helm-docs v1.14.2