From b08ee1b646924a1e0eb27b5ed636a9a8785cd21d Mon Sep 17 00:00:00 2001
From: Joakim Olsson
Date: Tue, 8 Apr 2025 10:15:22 +0200
Subject: [PATCH] feat(k8s): add external secret for geo-service
Creates an ExternalSecret for the geo-service to manage sensitive information through an external secrets store. Removes the legacy create-secrets script and updates references in the deployment configuration to use the new secret. This enhances security and maintainability by centralizing secret management.
---
 k8s/create-secrets.sh | 17 -----------------
 k8s/deploy.yaml | 2 +-
 k8s/secrets.yaml | 14 ++++++++++++++
 3 files changed, 15 insertions(+), 18 deletions(-)
 delete mode 100755 k8s/create-secrets.sh
 create mode 100644 k8s/secrets.yaml
diff --git a/k8s/create-secrets.sh b/k8s/create-secrets.sh
deleted file mode 100755
index 565551e..0000000
--- a/k8s/create-secrets.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-source ${BUILD_TOOLS_PATH}/scripts/kubernetes.sh
-
-ENVIRONMENT="${1?usage: secrets.sh }"
-LASTPASS_SHARE="envconfig\\${ENVIRONMENT}"
-
-kube_cmd=$(kubernetes:get_command ${ENVIRONMENT})
-
-SECRET_NAME="google-maps-api"
-API_KEY=$(lpass show --name "${LASTPASS_SHARE}/${SECRET_NAME}" --notes)
-
-$kube_cmd delete secret ${SECRET_NAME,,} &> /dev/null || true
-$kube_cmd create secret generic \
- ${SECRET_NAME,,} \
- --from-literal=MAPS_API_KEY="${API_KEY}"
diff --git a/k8s/deploy.yaml b/k8s/deploy.yaml
index 18ccb62..b2f1335 100644
--- a/k8s/deploy.yaml
+++ b/k8s/deploy.yaml
@@ -47,7 +47,7 @@ spec:
 name: http
 envFrom:
 - secretRef:
- name: google-maps-api
+ name: geo-service
 restartPolicy: Always
 ---
 apiVersion: v1
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
new file mode 100644
index 0000000..d25ec82
--- /dev/null
+++ b/k8s/secrets.yaml
@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: geo-service
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: external-secrets
+ kind: ClusterSecretStore
+ target:
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: applications/dancefinder/geo-service
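Review bot: `dataFrom.extract` in k8s/secrets.yaml copies every property stored under `applications/dancefinder/geo-service` into the `geo-service` Secret, and the `envFrom.secretRef` in k8s/deploy.yaml then exports all of them into the container, so the pod's environment is now defined by whatever the store holds at that path rather than by the manifest. The removed script created exactly one key, `MAPS_API_KEY`; mapping that key explicitly under `spec.data` keeps the same contract and limits what a write to the store entry can place in the process environment. Two things to confirm outside this patch: values loaded through `envFrom` are read only at container start, so the `refreshInterval: 1h` sync does not reach running pods after a key rotation without a restart, and nothing visible here removes the old `google-maps-api` Secret, which would remain in the cluster as a stale copy of the key. The property name in the block below is a placeholder, since the layout of the store entry is not visible in the patch.

```yaml
# … unchanged: apiVersion, kind, metadata, refreshInterval, secretStoreRef, target …
spec:
  data:
    - secretKey: MAPS_API_KEY
      remoteRef:
        key: applications/dancefinder/geo-service
        property: <PROPERTY_NAME_IN_STORE>  # placeholder: use the entry's real property name
```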