fix(taskfile/eso/cert-manager): align k0s cluster auth on the shared convention #1406
Open
ixxeL2097 wants to merge 3 commits into
The hardcoded `cluster: genmachine` task-level var in vault entry tasks prevented `task vault:eso-auth-setup cluster=k0s` from targeting a different cluster — task-level vars win over CLI in Taskfile v3.
- Replace the hardcoded default with `requires: vars: [cluster]` so the cluster name must be passed explicitly on the CLI
- Extract `kubernetes_host` dynamically from the current kubectl context instead of the hardcoded K8S_API root var, so configuring auth follows whichever cluster kubectl is pointed at
- Drop the now-unused K8S_API root var
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…role convention
The beelink ClusterSecretStore authenticated against Vault via
`mountPath: kubernetes` + `role: external-secrets`, which didn't match
the naming convention enforced by `.taskfiles/vault/Taskfile.yaml`
(`{{.cluster}}-k8s/` mount, `eso` role) — same convention already used
by the genmachine manifest.
Align the beelink manifest on the same convention so ESO can authenticate
against the mount created by `task vault:eso-auth-setup cluster=beelink`.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ntion
The k0s ClusterIssuer referenced `mountPath: /v1/auth/kubernetes`, role
`certmanager-vault-auth-k0s`, and SA/Secret `certmanager-vault-auth-k0s`,
but `.taskfiles/vault/Taskfile.yaml` creates `{{.cluster}}-k8s/` mounts
with role `certmanager` and looks up SA `certmanager-auth` — causing
`task vault:certmanager-auth-setup cluster=beelink` to hang on
"ServiceAccount certmanager-auth not found".
Align the k0s manifest with the genmachine convention already in use:
- mountPath → /v1/auth/beelink-k8s
- role → certmanager
- SA + Secret → certmanager-auth
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
99be2b4 to 0ff926a
5248ff3 to 5c29049
Summary
Three-part fix that unblocks `task vault:eso-auth-setup cluster=beelink` / `task vault:certmanager-auth-setup cluster=beelink` and aligns the k0s (beelink) cluster auth wiring on the same convention already used by genmachine (`<cluster>-k8s` mount path, `certmanager` / `eso` roles, `certmanager-auth` / `eso-auth` SA names).
- `vars: { cluster: genmachine }` at task level was winning over the CLI value in Taskfile v3, so `cluster=beelink` was silently ignored. Replaced with `requires: vars: [cluster]` at entry tasks, and made `kubernetes_host` extract dynamically from the current `kubectl` context instead of the hardcoded `K8S_API` root var (now removed). Calling the task without `cluster=` now fails fast instead of quietly targeting `genmachine`.
- `mountPath: kubernetes` / `role: external-secrets`, not matching the Vault mount the taskfile creates. Aligned on `beelink-k8s` / `eso` like the genmachine manifest.
- `certmanager-vault-auth-k0s` with `mountPath: /v1/auth/kubernetes`, so `task vault:certmanager-auth-setup` was hanging on ServiceAccount certmanager-auth not found. Renamed SA/Secret to `certmanager-auth`, role to `certmanager`, mountPath to `/v1/auth/beelink-k8s`.

Test plan
- `task vault:eso-auth-setup cluster=beelink` (kubectl context on k0s) configures `auth/beelink-k8s/` end-to-end
- `task vault:certmanager-auth-setup cluster=beelink` finds SA `certmanager-auth` and creates the `certmanager` role
- `task vault:eso-auth-setup` (no cluster arg) fails with the `requires: vars` message instead of silently using `genmachine`
- `external-secrets-beelink` and `cert-manager-k0s` applies the renamed manifests cleanly
- `ClusterSecretStore/admin` reaches `Ready=True`
- `ClusterIssuer/fredcorp-ca` reaches `Ready=True`
- `cluster=genmachine` still pass (no regression on the existing cluster)

Commits
- fix(taskfile): allow cluster override via CLI in vault auth setup
- fix(external-secrets): align beelink ClusterSecretStore with cluster/role convention
- fix(cert-manager): align k0s ClusterIssuer naming with taskfile convention
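
The drift this PR fixes (a manifest naming a Vault mount, role or ServiceAccount that the taskfile never creates) can be caught before deploy with a small convention lint. This is an added example, not code from the PR or the repository: the manifests are constructed from the values quoted above, the field paths follow the External Secrets and cert-manager Vault auth schemas, and the pre-fix ESO ServiceAccount name is an assumption.

```python
# Added example: lint Vault Kubernetes-auth wiring against the PR's naming convention.
ROLES = {  # kind -> (Vault role, ServiceAccount/Secret name), as stated in the PR
    "ClusterSecretStore": ("eso", "eso-auth"),            # External Secrets Operator
    "ClusterIssuer": ("certmanager", "certmanager-auth"),  # cert-manager
}

def expected(cluster, kind):
    role, identity = ROLES[kind]
    return {"mount": f"{cluster}-k8s", "role": role, "identity": identity}

def actual(m):
    # ESO nests the Vault block under spec.provider; cert-manager keeps it in spec.
    spec = m["spec"]["provider"] if m["kind"] == "ClusterSecretStore" else m["spec"]
    k8s = spec["vault"]["auth"]["kubernetes"]
    # cert-manager takes the API path (/v1/auth/<mount>), ESO the bare mount name.
    mount = k8s["mountPath"].strip("/").removeprefix("v1/auth/")
    ref = k8s.get("serviceAccountRef") or k8s.get("secretRef") or {}
    return {"mount": mount, "role": k8s["role"], "identity": ref.get("name")}

def lint(cluster, manifests):
    findings = []
    for m in manifests:
        want, got = expected(cluster, m["kind"]), actual(m)
        for field, value in want.items():
            if got[field] != value:
                findings.append(f"{m['kind']}/{m['metadata']['name']}: "
                                f"{field}={got[field]!r}, expected {value!r}")
    return findings

def sample(kind, name, mount_path, role, ref_key, ref_name):
    k8s = {"mountPath": mount_path, "role": role, ref_key: {"name": ref_name}}
    vault = {"vault": {"auth": {"kubernetes": k8s}}}
    spec = {"provider": vault} if kind == "ClusterSecretStore" else vault
    return {"kind": kind, "metadata": {"name": name}, "spec": spec}

# Constructed samples using values quoted in the PR; the pre-fix ESO SA name is assumed.
BEFORE = [
    sample("ClusterSecretStore", "admin", "kubernetes", "external-secrets",
           "serviceAccountRef", "eso-auth"),
    sample("ClusterIssuer", "fredcorp-ca", "/v1/auth/kubernetes",
           "certmanager-vault-auth-k0s", "secretRef", "certmanager-vault-auth-k0s"),
]
AFTER = [
    sample("ClusterSecretStore", "admin", "beelink-k8s", "eso", "serviceAccountRef", "eso-auth"),
    sample("ClusterIssuer", "fredcorp-ca", "/v1/auth/beelink-k8s", "certmanager",
           "secretRef", "certmanager-auth"),
]
if __name__ == "__main__":
    print("\n".join(lint("beelink", BEFORE)))
```

Run against the pre-fix values it reports the mount, role and Secret mismatches; linting the aligned manifests with the wrong cluster name flags only the mount paths.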