diff --git a/chart/templates/external-secrets/git-credentials.yaml b/chart/templates/external-secrets/git-credentials.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1d97643d654fe41f7b80cb753755ec29ec21593c
--- /dev/null
+++ b/chart/templates/external-secrets/git-credentials.yaml
@@ -0,0 +1,7 @@
+{{- $gitCredsSecretDict := dict
+ "name" "externalSecrets"
+ "targetScope" .Values.addons.externalSecrets
+ "releaseName" .Release.Name
+ "releaseNamespace" .Release.Namespace
+}}
+{{- include "gitCredsSecret" $gitCredsSecretDict | nindent 0 -}}
diff --git a/chart/templates/external-secrets/gitrepository.yaml b/chart/templates/external-secrets/gitrepository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..82014b9d8504c661c34ea46ab3e8e076c0964b9c
--- /dev/null
+++ b/chart/templates/external-secrets/gitrepository.yaml
@@ -0,0 +1,24 @@
+{{- if and (eq .Values.addons.externalSecrets.sourceType "git") .Values.addons.externalSecrets.enabled }}
+{{- $gitCredsDict := dict
+ "name" "externalSecrets"
+ "packageGitScope" .Values.addons.externalSecrets.git
+ "rootScope" .
+ "releaseName" .Release.Name
+}}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: external-secrets
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.addons.externalSecrets.git.repo }}
+ ref:
+ {{- include "validRef" .Values.addons.externalSecrets.git | nindent 4 }}
+ {{ include "gitIgnore" . }}
+ {{- include "gitCredsExtended" $gitCredsDict | nindent 2 }}
+{{- end }}
diff --git a/chart/templates/external-secrets/helmrelease.yaml b/chart/templates/external-secrets/helmrelease.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1ff84d188e27bb2a4669df83766f25fc6a76c44c
--- /dev/null
+++ b/chart/templates/external-secrets/helmrelease.yaml 
@@ -0,0 +1,73 @@
+{{- $fluxSettings := merge .Values.addons.externalSecrets.flux .Values.flux -}}
+{{- if .Values.addons.externalSecrets.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: external-secrets
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+ annotations:
+ checksum/bigbang-values: {{ include (print $.Template.BasePath "/external-secrets/values.yaml") . | sha256sum }}
+spec:
+ targetNamespace: external-secrets
+ chart:
+ spec:
+ {{- if eq .Values.addons.externalSecrets.sourceType "git" }}
+ chart: {{ .Values.addons.externalSecrets.git.path }}
+ sourceRef:
+ kind: GitRepository
+ name: external-secrets
+ namespace: {{ .Release.Namespace }}
+ {{- else }}
+ chart: {{ .Values.addons.externalSecrets.helmRepo.chartName }}
+ version: {{ .Values.addons.externalSecrets.helmRepo.tag }}
+ sourceRef:
+ kind: HelmRepository
+ name: {{ .Values.addons.externalSecrets.helmRepo.repoName }}
+ namespace: {{ .Release.Namespace }}
+ {{- $repoType := include "getRepoType" (dict "repoName" .Values.addons.externalSecrets.helmRepo.repoName "allRepos" .Values.helmRepositories) -}}
+ {{- if (and .Values.addons.externalSecrets.helmRepo.cosignVerify (eq $repoType "oci")) }} # Needs to be an OCI repo
+ verify:
+ provider: cosign
+ secretRef:
+ name: {{ printf "%s-cosign-pub" .Values.addons.externalSecrets.helmRepo.repoName }}
+ {{- end }}
+ {{- end }}
+ interval: 5m
+
+ {{- toYaml $fluxSettings | nindent 2 }}
+
+ {{- if .Values.addons.externalSecrets.postRenderers }}
+ postRenderers:
+ {{- toYaml .Values.addons.externalSecrets.postRenderers | nindent 2 }}
+ {{- end }}
+ valuesFrom:
+ - name: {{ .Release.Name }}-external-secrets-values
+ kind: Secret
+ valuesKey: "common"
+ - name: {{ .Release.Name }}-external-secrets-values
+ kind: Secret
+ valuesKey: "defaults"
+ - name: {{ .Release.Name }}-external-secrets-values
+ kind: 
Secret
+ valuesKey: "overlays"
+
+ {{- if or .Values.istio.enabled .Values.kyvernoPolicies.enabled .Values.monitoring.enabled }}
+ dependsOn:
+ {{- if .Values.istio.enabled }}
+ - name: istio
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- if .Values.kyvernoPolicies.enabled }}
+ - name: kyverno-policies
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- if .Values.monitoring.enabled }}
+ - name: monitoring
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/external-secrets/imagepullsecret.yaml b/chart/templates/external-secrets/imagepullsecret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8c01b2b78d1728d828fd42c71241dcf3f5437311
--- /dev/null
+++ b/chart/templates/external-secrets/imagepullsecret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.addons.externalSecrets.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-registry
+ namespace: external-secrets
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/external-secrets/namespace.yaml b/chart/templates/external-secrets/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8a997f657bba1b66ac0cbb804ff7ee686d06209a
--- /dev/null
+++ b/chart/templates/external-secrets/namespace.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.addons.externalSecrets.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ meta.helm.sh/release-namespace: bigbang
+ meta.helm.sh/release-name: bigbang
+ app.kubernetes.io/name: external-secrets
+ app.kubernetes.io/component: "core"
+ {{- include "commonLabels" . | nindent 4}}
+ istio-injection: enabled
+ name: external-secrets
+{{- end }}
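Review bot: The `verify:` stanza in helmrelease.yaml is gated on `.Values.addons.externalSecrets.helmRepo.cosignVerify`, but the `helmRepo` block this same commit adds to chart/values.yaml defines only `repoName`, `chartName` and `tag`, so the key is nil and cosign verification is silently skipped for an OCI `registry1` source unless an operator sets it by hand. If signed charts are the expectation for the helmRepo path, add `cosignVerify: true` to that block; if opt-in is the intended default, make it explicit and documented as `# -- Verify the chart signature with cosign (OCI repos only)` followed by `cosignVerify: false`. This assumes no other template outside the diff (e.g. `getRepoType`) supplies a default for the key.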
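Review bot: `meta.helm.sh/release-namespace: bigbang` and `meta.helm.sh/release-name: bigbang` in namespace.yaml are hard-coded, while every other resource in this commit renders `{{ .Release.Namespace }}`, so a release installed under another name or namespace gets a Namespace whose Helm ownership labels name a release that does not exist. Rendering them as `meta.helm.sh/release-namespace: {{ .Release.Namespace }}` and `meta.helm.sh/release-name: {{ .Release.Name }}` keeps the labels consistent with the HelmRelease and GitRepository in the same change. If the literal `bigbang` is a deliberate chart-wide convention, a one-line comment above those labels saying so would stop the next reader from "fixing" it.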
diff --git a/chart/templates/external-secrets/values.yaml b/chart/templates/external-secrets/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3c979f079dbb817b27d1e509a50629336545cb97
--- /dev/null
+++ b/chart/templates/external-secrets/values.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.addons.externalSecrets.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.addons.externalSecrets "name" "external-secrets" "defaults" (include "bigbang.defaults.external-secrets" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.external-secrets" -}}
+
+image:
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+
+monitoring:
+ enabled: {{ .Values.monitoring.enabled }}
+
+networkPolicies:
+ enabled: {{ .Values.networkPolicies.enabled }}
+ controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+
+{{- if .Values.istio.enabled }}
+annotations:
+ {{ include "istioAnnotation" . }}
+{{- end }}
+
+istio:
+ enabled: {{ .Values.istio.enabled }}
+
+openshift: {{ .Values.openshift }}
+{{- end -}}
diff --git a/chart/templates/kyverno-policies/values.yaml b/chart/templates/kyverno-policies/values.yaml
index ad1b805b9da99da208c5177bf6a33151270b65c7..fc0c17ab570d214f161fe471ec3d8c0c02e20f05 100644
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -144,6 +144,13 @@ policies:
 - source-controller*
 - kustomize-controller*
 {{- end }}
+ {{- if .Values.addons.externalSecrets.enabled }}
+ - resources:
+ namespaces:
+ - external-secrets
+ names:
+ - external-secrets*
+ {{- end }}
 {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }}
 disallow-tolerations:
diff --git a/chart/values.yaml b/chart/values.yaml
index 6c3231e88ad5180bf11dc0568b869355b2866fbe..71d0b5a9472f25e6504989f287d44d0cb44b2800 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
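Review bot: The new `- external-secrets*` exclusion in chart/templates/kyverno-policies/values.yaml exempts every pod whose name starts with that prefix in the `external-secrets` namespace from the policy this hunk belongs to; the policy name sits above the hunk and is not visible here. A comment above `{{- if .Values.addons.externalSecrets.enabled }}` stating which external-secrets component trips the policy and why, e.g. `# external-secrets <component> requires <capability>; exclusion scoped to its namespace`, would let a reviewer judge whether a name wildcard is broader than the single workload that needs it. The neighbouring `source-controller*` / `kustomize-controller*` entries carry no such comment either, so this is a style point as much as a defect.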
@@ -2076,6 +2076,33 @@ addons:
 postRenderers: []
+ externalSecrets:
+ # -- Toggle deployment of external secrets
+ enabled: false
+
+ # -- Choose source type of "git" or "helmRepo"
+ sourceType: "git"
+
+ git:
+ repo: https://repo1.dso.mil/big-bang/product/packages/external-secrets.git
+ tag: "0.9.18-bb.7"
+ path: "./chart"
+ helmRepo:
+ repoName: "registry1"
+ chartName: "external-secrets"
+ tag: "0.9.18-bb.7"
+
+ # -- Override flux settings for this package
+ flux: {}
+
+ # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
+ ingress:
+ gateway: ""
+
+ values: {}
+
+ postRenderers: []
+ # -- Wrapper chart for integrating Big Bang components alongside a package wrapper: # -- Choose source type of "git" or "helmRepo"
diff --git a/tests/package-mapping.yaml b/tests/package-mapping.yaml
index 61f39b2923ff2031efde39f144c0b9b41dbae205..b98854f2604d4ce50dccc66761905f22cd60d6d9 100644
--- a/tests/package-mapping.yaml
+++ b/tests/package-mapping.yaml
@@ -87,3 +87,7 @@ metricsServer:
 repoName: "metrics-server"
 hrName: "metrics-server"
 filePath: "metrics-server"
+externalSecrets:
+ repoName: "external-secrets"
+ hrName: "external-secrets"
+ filePath: "external-secrets"
\ No newline at end of file
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index 824856bbb7deb27c5f47f1002a9404797662d704..1ad103251597ddd5d4c53afdf06985feef0321c1 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -2864,3 +2864,12 @@ addons:
 name: https
 resolution: DNS
+ externalSecrets:
+ values:
+ istio:
+ hardened:
+ enabled: true
+ bbtests:
+ enabled: true
+ cypress:
+ artifacts: true
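Review bot: `ingress.gateway` is added under `addons.externalSecrets` with a helm-docs comment about redirecting the package ingress, but none of the templates in this commit read `.Values.addons.externalSecrets.ingress` — the defaults in chart/templates/external-secrets/values.yaml pass only imagePullPolicy, monitoring, networkPolicies, istio and openshift — so an operator who sets it gets no effect. Unless a template outside this diff consumes it, drop the `ingress:` block or reword the comment to say the key is reserved and currently unused. Separately, `repo:` is the one unquoted string scalar in the block; `repo: "https://repo1.dso.mil/big-bang/product/packages/external-secrets.git"` matches its sibling `tag`/`path` values.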