Install SealedSecrets;Store hypervisor credentials in secret

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/certauthority.yml

@@ -36,8 +36,7 @@
       name: "{{ item.name }}"
       namespace: "{{ item.namespace }}"
       labels: "{{ item.labels | default({}) | indent(width=4, indent=True) }}"
-      key: "{{ item.key }}"
+      data: "{{ item.data }}"
-      value: "{{ item.value }}"
   loop:
     - name: argocd-tls-certs-cm
       namespace: argo-cd
@@ -45,13 +44,15 @@
       labels: |
         app.kubernetes.io/name: argocd-cm
         app.kubernetes.io/part-of: argocd
-      key: git.{{ vapp['metacluster.fqdn'] }}
+      data:
-      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
+      - key: git.{{ vapp['metacluster.fqdn'] }}
+        value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] }}"
     - name: step-certificates-certs
       namespace: kube-system
       kind: secret
-      key: root_ca.crt
+      data:
-      value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
+      - key: root_ca.crt
+        value: "{{ stepca_cm_certs.resources[0].data['root_ca.crt'] | b64encode }}"
   loop_control:
     label: "{{ item.kind + '/' + item.name + ' (' + item.namespace + ')' }}"
 

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml

@@ -5,6 +5,7 @@
 - import_tasks: storage.yml
 - import_tasks: certauthority.yml
 - import_tasks: registry.yml
+- import_tasks: secrets.yml
 - import_tasks: git.yml
 - import_tasks: gitops.yml
 

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/secrets.yml

@@ -0,0 +1,25 @@
+- name: Install sealed-secrets chart
+  kubernetes.core.helm:
+    name: sealed-secrets-controller
+    chart_ref: /opt/metacluster/helm-charts/sealed-secrets
+    release_namespace: kube-system
+    wait: yes
+    kubeconfig: "{{ kubeconfig.path }}"
+    values: "{{ components.sealedsecrets.chart_values }}"
+
+- name: Store hypervisor details in secret
+  kubernetes.core.k8s:
+    state: present
+    template: secret.j2
+    kubeconfig: "{{ kubeconfig.path }}"
+  vars:
+    _template:
+      name: hypervisor-credentials
+      namespace: kube-system
+      data:
+        - key: HV_FQDN
+          value: "{{ vapp['hv.fqdn'] | b64encode }}"
+        - key: HV_USERNAME
+          value: "{{ vapp['hv.username'] | b64encode }}"
+        - key: HV_PASSWORD
+          value: "{{ vapp['hv.password'] | b64encode }}"

ansible/roles/firstboot/files/ansible_payload/templates/configmap.j2

@@ -6,4 +6,6 @@ metadata:
   labels:
 {{ _template.labels }}
 data:
-  "{{ _template.key }}": {{ _template.value }}
+{% for kv_pair in _template.data %}
+  "{{ kv_pair.key }}": {{ kv_pair.value }}
+{% endfor %}

ansible/roles/firstboot/files/ansible_payload/templates/secret.j2

@@ -4,4 +4,6 @@ metadata:
   name: {{ _template.name }}
   namespace: {{ _template.namespace }}
 data:
-  "{{ _template.key }}": {{ _template.value }}
+{% for kv_pair in _template.data %}
+  "{{ kv_pair.key }}": {{ kv_pair.value }}
+{% endfor %}

ansible/vars/metacluster.yml

@@ -150,26 +150,6 @@ components:
         configs:
           secret:
             argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
-        # controller:
-        #   volumeMounts:
-        #     - name: custom-ca-certificates
-        #       mountPath: /etc/ssl/certs/custom-ca-certificates.crt
-        #       subPath: custom-ca-certificates.crt
-        #   volumes:
-        #     - name: custom-ca-certificates
-        #       secret:
-        #         defaultMode: 420
-        #         secretName: step-certificates-certs
-        # repoServer:
-        #   volumeMounts:
-        #     - name: custom-ca-certificates
-        #       mountPath: /etc/ssl/certs/custom-ca-certificates.crt
-        #       subPath: custom-ca-certificates.crt
-        #   volumes:
-        #     - name: custom-ca-certificates
-        #       secret:
-        #         defaultMode: 420
-        #         secretName: step-certificates-certs
         server:
           extraArgs:
             - --insecure
@@ -177,15 +157,6 @@ components:
             enabled: true
             hosts:
               - gitops.{{ vapp['metacluster.fqdn'] }}
-        #   volumeMounts:
-        #     - name: custom-ca-certificates
-        #       mountPath: /etc/ssl/certs/custom-ca-certificates.crt
-        #       subPath: custom-ca-certificates.crt
-        #   volumes:
-        #     - name: custom-ca-certificates
-        #       secret:
-        #         defaultMode: 420
-        #         secretName: step-certificates-certs
 
   sealed-secrets:
     helm:
@@ -214,6 +185,9 @@ dependencies:
       url: https://get.helm.sh/helm-v3.9.0-linux-amd64.tar.gz
       archive: compressed
       extra_opts: --strip-components=1
+    - filename: kubeseal
+      url: https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.18.2/kubeseal-0.18.2-linux-amd64.tar.gz
+      archive: compressed
     - filename: skopeo
       url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.9.1/skopeo
     - filename: step