helmfile: services: rename redbot into redbot-main, add redbot-premiers deployment

Author: dezeroku

helmfile/services/helmfile.yaml

@@ -33,7 +33,7 @@ releases:
     inherit:
       - template: argocd-app
 
-  - name: redbot
+  - name: redbot-main
     chart: bjw-s/app-template
     version: 3.7.0
     inherit:
@@ -42,13 +42,32 @@ releases:
     # https://github.com/roboll/helmfile/issues/1329 result
     # This pattern will be shared by all metube deployments for the time being
     labels:
-      vaultRole: redbot
-      vaultSubPath: redbot
-      appName: redbot
+      vaultRole: redbot-main
+      vaultSubPath: redbot/main
+      appName: redbot-main
     values:
       - values/redbot-common.yaml.gotmpl
 
-  - name: redbot
+  - name: redbot-main
+    inherit:
+      - template: argocd-app
+
+  - name: redbot-premiers
+    chart: bjw-s/app-template
+    version: 3.7.0
+    inherit:
+      - template: default
+    # Using labels as "release values", in anticipation of
+    # https://github.com/roboll/helmfile/issues/1329 result
+    # This pattern will be shared by all metube deployments for the time being
+    labels:
+      vaultRole: redbot-premiers
+      vaultSubPath: redbot/premiers
+      appName: redbot-premiers
+    values:
+      - values/redbot-common.yaml.gotmpl
+
+  - name: redbot-premiers
     inherit:
       - template: argocd-app
 

helmfile/services/values/redbot-common.yaml.gotmpl

@@ -32,7 +32,7 @@ controllers:
           TOKEN:
             valueFrom:
               secretKeyRef:
-                name: redbot-secrets
+                name: {{ .Release.Labels.appName }}-secrets
                 key: token
         resources:
           limits:

helmfile/services/values/redbot.yaml.gotmpl renamed to helmfile/services/values/redbot-main.yaml.gotmpl

@@ -0,0 +1,28 @@
+resource "vault_kubernetes_auth_backend_role" "redbot-main" {
+  backend                          = vault_auth_backend.kubernetes_homeserver.path
+  role_name                        = "redbot-main"
+  bound_service_account_namespaces = ["redbot-main"]
+  token_ttl                        = 3600
+  bound_service_account_names      = ["redbot"]
+  token_policies                   = ["redbot-main"]
+}
+
+resource "vault_policy" "redbot-main" {
+  name = "redbot-main"
+
+  policy = <<EOT
+path "kvv2/data/services/redbot/main/secrets" {
+  capabilities = ["read"]
+}
+EOT
+}
+
+resource "vault_generic_secret" "redbot-main-secrets" {
+  path = "kvv2/services/redbot/main/secrets"
+
+  data_json = jsonencode(
+    {
+      "token" : var.redbot_main_token
+    }
+  )
+}

helmfile/services/values/redbot-premiers.yaml.gotmpl

@@ -0,0 +1,28 @@
+resource "vault_kubernetes_auth_backend_role" "redbot-premiers" {
+  backend                          = vault_auth_backend.kubernetes_homeserver.path
+  role_name                        = "redbot-premiers"
+  bound_service_account_namespaces = ["redbot-premiers"]
+  token_ttl                        = 3600
+  bound_service_account_names      = ["redbot"]
+  token_policies                   = ["redbot-premiers"]
+}
+
+resource "vault_policy" "redbot-premiers" {
+  name = "redbot-premiers"
+
+  policy = <<EOT
+path "kvv2/data/services/redbot/premiers/secrets" {
+  capabilities = ["read"]
+}
+EOT
+}
+
+resource "vault_generic_secret" "redbot-premiers-secrets" {
+  path = "kvv2/services/redbot/premiers/secrets"
+
+  data_json = jsonencode(
+    {
+      "token" : var.redbot_premiers_token
+    }
+  )
+}

helmfile/vault-terraform/redbot-main.tf

@@ -44,7 +44,8 @@ home_assistant_prometheus_token = "example_token"
 # Can be generated with pwgen 20 1
 invidious_hmac_key = "example_key"
 #redbot_owner = ""
-redbot_token = ""
+redbot_main_token = ""
+redbot_premiers_token = ""
 homepage_jellyfin_apikey = ""
 # Can be generated with pwgen 20 1
 paperless_secret_key = "example_key"

helmfile/vault-terraform/redbot-premiers.tf

@@ -138,7 +138,11 @@ variable "invidious_hmac_key" {
 #  type = string
 #}
 
-variable "redbot_token" {
+variable "redbot_main_token" {
+  type = string
+}
+
+variable "redbot_premiers_token" {
   type = string
 }