@RecuencoJones
Last active March 6, 2024 14:13
External Secrets Operator in Colima for development with custom certificates

Start Colima with Kubernetes enabled (k is used as an alias for kubectl throughout)

colima start --kubernetes

Create a ConfigMap holding the custom CA bundle (the bundle is public material, so a ConfigMap rather than a Secret is appropriate)

k create configmap certs-bundle --from-file=ca_bundle.pem=./CA_bundle.pem

Build the Docker image and export the image name and tag (run from a checkout of the external-secrets repository, which provides these make targets)

export TAG=$(make docker.tag)
export IMAGE=$(make docker.imagename)

make docker.build

Generate the Helm chart and CRDs, then install the release with the custom image and the values file below (values-custom-certs.yaml), which mounts the CA bundle into the controller, webhook and cert-controller

make helm.generate

helm upgrade --install external-secrets ./deploy/charts/external-secrets/ \
  --values ./values-custom-certs.yaml \
  --set image.repository=$IMAGE \
  --set image.tag=$TAG \
  --set webhook.image.repository=$IMAGE \
  --set webhook.image.tag=$TAG \
  --set certController.image.repository=$IMAGE \
  --set certController.image.tag=$TAG

Apply the API-key Secret, the SecretStore and the ExternalSecrets (manifest.yaml, below)

k apply -f ./manifest.yaml

manifest.yaml:

apiVersion: v1
kind: Secret
metadata:
  # Must live in the same namespace as the SecretStore that references it.
  name: fortanix-api-key
data:
  # Values under data must be base64-encoded (use stringData for a plaintext value).
  key: <FORTANIX_API_KEY>
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: fortanix-secret-store
spec:
  provider:
    fortanix:
      apiUrl: <FORTANIX_API_HOST>
      apiKey:
        secretRef:
          name: fortanix-api-key
          key: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: fortanix-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: fortanix-secret-store
  data:
    - secretKey: SUPER_SECRET
      remoteRef:
        key: super-secret
        property: my-super-secret-key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: fortanix-secret-map
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: fortanix-secret-store
  dataFrom:
    - extract:
        key: super-secret
values-custom-certs.yaml, passed to helm upgrade above. The same CA bundle is mounted as a file under /etc/ssl/certs in all three ESO components (controller, webhook and cert-controller); Go's TLS stack on Linux also loads certificates from that directory, so outbound TLS to the Fortanix API trusts the custom CA. A subPath mount is not refreshed when the ConfigMap changes, so restart the pods after rotating the bundle.

extraVolumes:
  - name: certs-bundle
    configMap:
      name: certs-bundle
      items:
        - key: ca_bundle.pem
          path: ca_bundle.pem
extraVolumeMounts:
  - name: certs-bundle
    mountPath: /etc/ssl/certs/extra_ca_bundle.pem
    subPath: ca_bundle.pem
webhook:
  extraVolumes:
    - name: certs-bundle
      configMap:
        name: certs-bundle
        items:
          - key: ca_bundle.pem
            path: ca_bundle.pem
  extraVolumeMounts:
    - name: certs-bundle
      mountPath: /etc/ssl/certs/extra_ca_bundle.pem
      subPath: ca_bundle.pem
certController:
  extraVolumes:
    - name: certs-bundle
      configMap:
        name: certs-bundle
        items:
          - key: ca_bundle.pem
            path: ca_bundle.pem
  extraVolumeMounts:
    - name: certs-bundle
      mountPath: /etc/ssl/certs/extra_ca_bundle.pem
      subPath: ca_bundle.pem
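Putting the steps together, the following script is an added example and not part of the gist or the external-secrets project. It renders manifest.yaml by filling the two placeholders (base64-encoding the API key, as a Secret's data field requires), checks that the CA bundle actually contains certificates before creating the ConfigMap, applies everything, and then verifies the result: that each ESO deployment mounts the bundle at the path from the values file, that the SecretStore and both ExternalSecrets report Ready, and that the synced Secret decodes. It assumes a release named external-secrets in the current namespace, so the deployments are assumed to be external-secrets, external-secrets-webhook and external-secrets-cert-controller; the Fortanix host and API key are read from the environment variables FORTANIX_API_HOST and FORTANIX_API_KEY.

```shell
#!/usr/bin/env sh
# Added example (not from the gist): render manifest.yaml, apply it and verify
# that ESO trusts the custom CA and syncs the Fortanix secret.
set -eu

CA_BUNDLE="${CA_BUNDLE:-./CA_bundle.pem}"
MOUNT_PATH="/etc/ssl/certs/extra_ca_bundle.pem"   # must match values-custom-certs.yaml
# Assumed deployment names for a Helm release called "external-secrets".
ESO_DEPLOYMENTS="external-secrets external-secrets-webhook external-secrets-cert-controller"

# Count PEM certificates on stdin. An empty or mis-exported bundle would
# silently leave the controller distrusting the Fortanix endpoint.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Base64 without line wrapping (GNU base64 wraps at 76 columns by default).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Fill the placeholders of manifest.yaml (template on stdin):
#   $1 = Fortanix API URL, $2 = raw API key (base64-encoded here for the Secret).
render_manifest() {
  sed -e "s|<FORTANIX_API_HOST>|$1|g" -e "s|<FORTANIX_API_KEY>|$(b64 "$2")|g"
}

# Return 0 if the expected mount path ($1) is among the remaining arguments.
has_mount() {
  expected="$1"; shift
  for p in "$@"; do
    [ "$p" = "$expected" ] && return 0
  done
  return 1
}

# --- Everything below talks to the cluster and only runs with the "apply" argument ---

verify_ca_mounted() {
  for d in $ESO_DEPLOYMENTS; do
    mounts=$(kubectl get deploy "$d" \
      -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[*].mountPath}')
    # shellcheck disable=SC2086  # word-splitting the path list is intended
    if has_mount "$MOUNT_PATH" $mounts; then
      echo "ok: $d mounts $MOUNT_PATH"
    else
      echo "FAIL: $d does not mount $MOUNT_PATH" >&2
      return 1
    fi
  done
}

apply_and_verify() {
  : "${FORTANIX_API_HOST:?set FORTANIX_API_HOST}" "${FORTANIX_API_KEY:?set FORTANIX_API_KEY}"
  n=$(count_certs < "$CA_BUNDLE")
  [ "$n" -gt 0 ] || { echo "no certificates found in $CA_BUNDLE" >&2; return 1; }
  echo "bundle has $n certificate(s)"

  # Idempotent ConfigMap creation (create would fail on a re-run).
  kubectl create configmap certs-bundle --from-file=ca_bundle.pem="$CA_BUNDLE" \
    --dry-run=client -o yaml | kubectl apply -f -
  render_manifest "$FORTANIX_API_HOST" "$FORTANIX_API_KEY" < ./manifest.yaml | kubectl apply -f -

  verify_ca_mounted
  kubectl wait --for=condition=Ready --timeout=120s secretstore/fortanix-secret-store
  kubectl wait --for=condition=Ready --timeout=120s \
    externalsecret/fortanix-secret externalsecret/fortanix-secret-map
  # The synced Secret takes the ExternalSecret's name when spec.target.name is unset.
  kubectl get secret fortanix-secret -o jsonpath='{.data.SUPER_SECRET}' | base64 --decode
  echo
}

if [ "${1:-}" = "apply" ]; then
  apply_and_verify
fi
```

Run it as "sh verify-eso.sh apply" after the helm upgrade step; without the argument it only defines the functions. If verify_ca_mounted fails, the values file was not applied to that component and the SecretStore will typically sit in a not-Ready state with an x509 "unknown authority" error in its status.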