From 0b4243efc3832e10898c6ef62c071ea585657ffe Mon Sep 17 00:00:00 2001
From: Rob Kooper <kooper@illinois.edu>
Date: Thu, 30 Sep 2021 12:27:03 -0500
Subject: [PATCH] add sealed secrets
---
 charts/apps/templates/sealedsecrets.yaml | 33 +++++++++++++++++++
 charts/apps/values.yaml | 4 +++
 terraform/modules/argocd/argocd.tf | 1 +
 .../modules/argocd/templates/argocd.yaml.tmpl | 3 ++
 terraform/modules/argocd/variables.tf | 6 ++++
 5 files changed, 47 insertions(+)
 create mode 100644 charts/apps/templates/sealedsecrets.yaml
diff --git a/charts/apps/templates/sealedsecrets.yaml b/charts/apps/templates/sealedsecrets.yaml
new file mode 100644
index 0000000..ac48e57
--- /dev/null
+++ b/charts/apps/templates/sealedsecrets.yaml
@@ -0,0 +1,33 @@
+{{ if .Values.sealedsecrets.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: {{ .Values.cluster.name }}-sealed-secrets
+ labels:
+ cluster: {{ .Values.cluster.name | quote }}
+ app: sealed-secrets
+ namespace: argocd
+ annotations:
+ {{- toYaml .Values.notifications | nindent 4 }}
+spec:
+ project: {{ .Values.cluster.name }}
+ destination:
+ server: {{ .Values.cluster.url }}
+ namespace: kube-system
+ syncPolicy:
+ {{- if .Values.sync }}
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ {{- end }}
+ syncOptions:
+ - CreateNamespace=true
+ source:
+ repoURL: https://bitnami-labs.github.io/sealed-secrets/
+ chart: sealed-secrets
+ targetRevision: {{ .Values.sealedsecrets.version | quote }}
+ helm:
+ version: v3
+ releaseName: sealed-secrets
+{{- end }}
diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml
index bcf13c2..4ff548b 100644
--- a/charts/apps/values.yaml
+++ b/charts/apps/values.yaml
@@ -35,6 +35,10 @@ ingresscontroller: traefik2: version: "10.*"
+sealedsecrets:
+ enabled: false
+ version: "0.*"
+
 metallb:
 enabled: false
 version: "0.10.*"
diff --git a/terraform/modules/argocd/argocd.tf b/terraform/modules/argocd/argocd.tf
index 3c6496a..7461a59 100644
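Review bot: `targetRevision` takes `.Values.sealedsecrets.version`, whose default in the values.yaml hunk is the floating range `"0.*"`, and when `.Values.sync` is set the `automated` block applies whatever chart release next matches that range without review. The neighbouring entries (`"10.*"`, `"0.10.*"`) follow the same convention, but this controller holds the private key that decrypts every SealedSecret in the cluster, so an unexpected or tampered chart release has a much larger blast radius here. I would default to an exact, reviewed chart version, e.g. `version: "<pinned-chart-version>"`, and bump it deliberately. The Terraform hunks in this commit pass through only `enabled`, so a module user currently has no input to pin it either.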
--- a/terraform/modules/argocd/argocd.tf
+++ b/terraform/modules/argocd/argocd.tf
@@ -43,6 +43,7 @@ locals {
 traefik_dashboard = var.traefik_dashboard
 acme_staging = var.acme_staging
 acme_email = var.acme_email
+ sealedsecrets_enabled = var.sealedsecrets_enabled
 healthmonitor_enabled = var.healthmonitor_enabled
 healthmonitor_nfs = var.healthmonitor_nfs
 healthmonitor_notifications = var.healthmonitor_notifications
diff --git a/terraform/modules/argocd/templates/argocd.yaml.tmpl b/terraform/modules/argocd/templates/argocd.yaml.tmpl
index a241a83..6f39b8b 100644
--- a/terraform/modules/argocd/templates/argocd.yaml.tmpl
+++ b/terraform/modules/argocd/templates/argocd.yaml.tmpl
@@ -81,6 +81,9 @@ spec: #notifiers: # %%{ indent(12, healthmonitor) }%
+ sealedsecrets:
+ enabled: ${sealedsecrets_enabled}
+
 longhorn:
 enabled: ${longhorn_enabled}
 replicas: ${longhorn_replicas}
diff --git a/terraform/modules/argocd/variables.tf b/terraform/modules/argocd/variables.tf
index 58328a2..7031b77 100644
--- a/terraform/modules/argocd/variables.tf
+++ b/terraform/modules/argocd/variables.tf
@@ -160,6 +160,12 @@ variable "healthmonitor_notifications" { default = "" }
+variable "sealedsecrets_enabled" {
+ type = bool
+ description = "Enable sealed secrets"
+ default = false
+}
+
 variable "metallb_enabled" {
 type = bool
 description = "Enable MetalLB"
-- GitLab
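Review bot: The description `"Enable sealed secrets"` on `sealedsecrets_enabled` does not tell a module user what turning it on deploys or what they become responsible for. Per the chart template added in this commit, the controller is installed into `kube-system`. Its sealing key is generated inside the cluster, so SealedSecret manifests committed to Git cannot be decrypted on a rebuilt cluster unless that key was backed up. I would expand the text to something like `description = "Deploy the sealed-secrets controller to kube-system; back up its sealing key, it is required to decrypt existing SealedSecrets"`.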