AI changes to try fix bsm clusterstore

2026-03-22 20:41:01 +13:00 · 2026-03-22 20:41:01 +13:00 · f3efdda66f
parent b97fdd3d7e
commit f3efdda66f
4 changed files with 77 additions and 4 deletions
--- a/infrastructure/bitwarden/bitwarden-sdk-certs.yaml
+++ b/infrastructure/bitwarden/bitwarden-sdk-certs.yaml
@ -0,0 +1,66 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: bitwarden-bootstrap-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-bootstrap-certificate
+  namespace: cert-manager
+spec:
+  isCA: true
+  secretName: bitwarden-bootstrap-certs
+  subject:
+    organizations:
+      - external-secrets.io
+  dnsNames:
+    - external-secrets-bitwarden-sdk-server.external-secrets.svc.cluster.local
+    - bitwarden-sdk-server.external-secrets.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+    rotationPolicy: Always
+  issuerRef:
+    name: bitwarden-bootstrap-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: bitwarden-certificate-issuer
+spec:
+  ca:
+    secretName: bitwarden-bootstrap-certs
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-tls-certs
+  namespace: external-secrets
+spec:
+  secretName: bitwarden-tls-certs
+  dnsNames:
+    - bitwarden-sdk-server.external-secrets.svc.cluster.local
+    - external-secrets-bitwarden-sdk-server.external-secrets.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+    rotationPolicy: Always
+  issuerRef:
+    name: bitwarden-certificate-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/infrastructure/bitwarden/clustersecretstore.yaml
+++ b/infrastructure/bitwarden/clustersecretstore.yaml
@ -7,11 +7,11 @@ spec:
    bitwardensecretsmanager:
      apiURL: https://api.bitwarden.com
      identityURL: https://identity.bitwarden.com
-      bitwardenServerSDKURL: https://sdk.bitwarden.com
+      bitwardenServerSDKURL: https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998
      caProvider:
        type: Secret
-        name: store-ca-bundle
-        namespace: security
+        name: bitwarden-tls-certs
+        namespace: external-secrets
        key: ca.crt
      organizationID: 0df293ad-6afb-4d0b-b3ff-b41000581de5
      projectID: cafdbc0f-9d64-47eb-a0f5-b4100059cbc7
--- a/infrastructure/bitwarden/kustomization.yaml
+++ b/infrastructure/bitwarden/kustomization.yaml
@ -3,5 +3,6 @@ kind: Kustomization
 resources:
  - helmrelease.yaml
  - bitwardenaccesstoken.enc.yaml
-#  - clustersecretstore.yaml
+  - bitwarden-sdk-certs.yaml
+  - clustersecretstore.yaml
  - namespace.yaml
--- a/infrastructure/eso/helmrelease.yaml
+++ b/infrastructure/eso/helmrelease.yaml
@ -15,3 +15,9 @@ spec:
        namespace: flux-system
  install:
    createNamespace: true
+  values:
+    bitwarden-sdk-server:
+      enabled: true
+      image:
+        tls:
+          secretName: bitwarden-tls-certs