Feat: Hydrate application environment variables from local vault (#3)

* Hydrate kubernetes secret w/ secrets from local vault

* Fix CI sourcing of env var file

* Compact and reduce output

* Make sure secret is defined before cronjob

* Create ghcr-login-secret from env variable injected from vault

* Import ghcr-login-secret namespace from NAMESPACE

* Export env variables for debugging

* Prepend export keyword to variables file

* Remove debug output

.drone.yml

@@ -1,7 +1,7 @@
 ---
 kind: pipeline
 type: docker
-name: Build
+name: Publish
 
 platform:
   os: linux
@@ -17,18 +17,19 @@ steps:
       username:
         from_secret: GITHUB_USERNAME
       password:
-        from_secret: GITHUB_PASSWORD
+        from_secret: GHCR_UPLOAD_TOKEN
       tags:
         - latest
         - ${DRONE_COMMIT_SHA}
-    when:
+
-      event:
+trigger:
-        include:
+  event:
-          - push
+    include:
-        exclude:
+      - push
-          - pull_request
+    exclude:
-      branch:
+      - pull_request
-        - main
+  branch:
+    - main
 
 ---
 kind: pipeline
@@ -40,26 +41,64 @@ platform:
   arch: amd64
 
 steps:
-  - name: Deploy to kubernetes
+  - name: Prepare kubernetes environment
     image: alpine/k8s:1.25.15
     commands:
       - mkdir -p /root/.kube
-      - echo $KUBE_CONFIG | base64 -di > /root/.kube/config
+      - echo "NAMESPACE=${DRONE_REPO_NAME}" > /root/.kube/variables.env
-      - export IMAGE=ghcr.io/kevinmidboe/cloudflare-ddns:${DRONE_COMMIT_SHA}
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/_infra
+        | jq -r ".data.data.KUBE_CONFIG" > /root/.kube/config'
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/_infra
+        | jq -r ".data | .data | .[\"ghcr-login-secret\"]" > /root/.kube/dockerconfig.json'
+      - 'curl -s
+        -H "X-Vault-Token: $VAULT_TOKEN"
+        $VAULT_HOST/v1/schleppe/data/kazan/${DRONE_REPO_NAME}
+        | jq -cr ".data.data | to_entries[] | .key + \"=\" + (.value | @base64)" >> /root/.kube/variables.env'
+    environment:
+      VAULT_TOKEN:
+        from_secret: VAULT_TOKEN
+      VAULT_HOST:
+        from_secret: VAULT_HOST
+    volumes:
+    - name: kube-config
+      path: /root/.kube
+
+  - name: Deploy to kubernetes
+    image: alpine/k8s:1.25.15
+    commands:
+      - export DOCKER_CONFIG_BASE64=$(cat /root/.kube/dockerconfig.json | tr -d "\n\t " | base64 -w 0)
+      - export IMAGE="ghcr.io/kevinmidboe/${DRONE_REPO_NAME}:${DRONE_COMMIT_SHA}"
+      - sed -i '/^$/!s/^/export /' /root/.kube/variables.env
+      - source /root/.kube/variables.env > /dev/null 2>&1
       - cat .kubernetes/*.yml
         | envsubst
         | kubectl --kubeconfig=/root/.kube/config apply -f -
-    environment:
+    volumes:
-      KUBE_CONFIG:
+    - name: kube-config
-        from_secret: KUBE_CONFIG
+      path: /root/.kube
-    when:
+
-      event:
+trigger:
-        include:
+  event:
-          - push
+    include:
-        exclude:
+      - push
-          - pull_request
+    exclude:
-      branch:
+      - pull_request
-        - main
+  branch:
+    - main
 
 depends_on:
-  - Build
+  - Publish
+
+volumes:
+- name: kube-config
+  temp: {}
+
+---
+kind: signature
+hmac: 4b290c54b9fb5f4951a6501ce97c14ffb79fd57464547e4dda75560ed0d57e7c
+
+...

.kubernetes/1-secret.yml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: secret-env-values
+  namespace: cloudflare-ddns
+data:
+  DDNS_ZONE: ${DDNS_ZONE}
+  API_KEY: ${API_KEY}

.kubernetes/cronjob.yml

@@ -1,3 +1,4 @@
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:

.kubernetes/ghcr-token-secret.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-login-secret
+  namespace: ${NAMESPACE}
+data:
+  .dockerconfigjson: ${DOCKER_CONFIG_BASE64}
+type: kubernetes.io/dockerconfigjson