Merge pull request #2596 from lsst-sqre/tickets/DM-40952

DM-40952: Secrets migration for roundtable-dev

applications/giftless/secrets.yaml

@@ -0,0 +1,5 @@
+"giftless-gcp-key.json":
+  description: >-
+    The GCP service account JSON file for the giftless
+  onepassword:
+    encoded: true

applications/monitoring/secrets.yaml

@@ -0,0 +1,15 @@
+GH_CLIENT_SECRET:
+  description: >-
+    ?
+INFLUXDB_TOKEN:
+  description: >-
+    ?
+TOKEN_SECRET:
+  description: >-
+    ?
+admin-token:
+  description: >-
+    ?
+influx-alert-token:
+  description: >-
+    ?

applications/ook/secrets.yaml

@@ -10,12 +10,12 @@ OOK_GITHUB_APP_ID:
   copy:
     application: squarebot
     key: SQUAREBOT_GITHUB_APP_ID
-OOK_GITHUB_APP_KEY:
+OOK_GITHUB_APP_PRIVATE_KEY:
   description: >-
     The private key for the GitHub App shared by all Squarebot services.
   copy:
     application: squarebot
-    key: SQUAREBOT_GITHUB_APP_KEY
+    key: SQUAREBOT_GITHUB_APP_PRIVATE_KEY
 ca.crt:
   description: >-
     The cluster CA certificate for the Kubernetes cluster. This is available

applications/sasquatch/secrets.yaml

@@ -34,33 +34,44 @@ influxdb-user:
 kafdrop-kafka-properties:
   description: >-
     ?
+  if: kafdrop.enabled
 kafdrop-password:
   description: >-
     ?
+  if: kafdrop.enabled
 kafka-connect-manager-password:
   description: >-
     ?
+  if: strimzi-kafka.connect.enabled
 prompt-processing-password:
   description: >-
     ?
+  if: strimzi-kafka.users.promptProcessing.enabled
 replicator-password:
   description: >-
     ?
+  if: strimzi-kafka.users.replicator.enabled
 rest-proxy-password:
   description: >-
     ?
+  if: rest-proxy.enabled
 rest-proxy-sasl-jass-config:
   description: >-
     ?
+  if: rest-proxy.enabled
 sasquatch-test-kafka-properties:
   description: >-
     ?
+  if: kafka.listeners.plain.enabled
 sasquatch-test-password:
   description: >-
     ?
+  if: kafka.listeners.plain.enabled
 telegraf-password:
   description: >-
     ?
+  if: strimzi-kafka.users.telegraf.enabled
 ts-salkafka-password:
   description: >-
     ?
+  if: strimzi-kafka.users.telegraf.enabled

applications/squarebot/secrets.yaml

@@ -1,7 +1,7 @@
 SQUAREBOT_GITHUB_APP_ID:
   description: >-
     The ID of the GitHub App shared by all Squarebot services.
-SQUAREBOT_GITHUB_APP_KEY:
+SQUAREBOT_GITHUB_APP_PRIVATE_KEY:
   description: >-
     The private key for the GitHub App shared by all Squarebot services.
   onepassword:
@@ -12,13 +12,9 @@ SQUAREBOT_SLACK_APP_ID:
 SQUAREBOT_SLACK_TOKEN:
   description: >-
     The Slack bot user oauth token for the Slack App shared by all Squarebot services.
-  onepassword:
-    encoded: true
 SQUAREBOT_SLACK_SIGNING:
   description: >-
     The signing secret for all webhook payloads from Slack.
-  onepassword:
-    encoded: true
 ca.crt:
   description: >-
     The cluster CA certificate for the Kubernetes cluster. This is available

applications/vault-secrets-operator/values-roundtable-dev.yaml

@@ -0,0 +1,14 @@
+vault-secrets-operator:
+  environmentVars:
+    - name: VAULT_ROLE_ID
+      valueFrom:
+        secretKeyRef:
+          name: vault-credentials
+          key: VAULT_ROLE_ID
+    - name: VAULT_SECRET_ID
+      valueFrom:
+        secretKeyRef:
+          name: vault-credentials
+          key: VAULT_SECRET_ID
+  vault:
+    authMethod: approle

environments/values-roundtable-dev.yaml

@@ -3,7 +3,8 @@ fqdn: roundtable-dev.lsst.cloud
 onepassword:
   connectUrl: "https://roundtable-dev.lsst.cloud/1password"
   vaultTitle: "RSP roundtable-dev.lsst.cloud"
-vaultPathPrefix: secret/k8s_operator/roundtable-dev.lsst.cloud
+vaultUrl: "https://vault.lsst.codes"
+vaultPathPrefix: secret/phalanx/roundtable-dev
 
 applications:
   giftless: true