Add keyvault to ESO (gitops_azure_eso.yml)
Description
Automates adding or updating an Azure Key Vault (keyvault) integration to the ESO GitOps repository. Retrieves EntraID credentials from Passwordstate, clones the ArgoCD Git repo, seals credentials with kubeseal, and updates the ArgoCD application's helm values with the secretstore configuration.
Modes:
- Create mode (default): adds a new secretstore entry if an entry with the given keyvault_name does not yet exist
- Update mode (UpdateEsoSecret=1): updates clientid and clientsecret of the existing secretstore entry with the given keyvault_name
Commits and pushes changes to the GitOps repository.
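The create/update decision the playbook makes on the helm values, as an added Python example (not the playbook's own code): the `secretstores` list keyed by `keyvaultname` and the `tenantid` key are an assumed layout, and the clientid/clientsecret values are expected to already be kubeseal output so that nothing in plaintext reaches the Git commit.

```python
from copy import deepcopy


class SecretStoreError(ValueError):
    """Raised when the requested mode cannot be applied to the helm values."""


def upsert_secretstore(values, keyvault_name, azure_tenant,
                       sealed_client_id, sealed_client_secret, update=False):
    """Return (new_values, changed) for create mode (default) or update mode.

    `values` is the parsed helm values of the ArgoCD application; the
    `secretstores` list keyed by `keyvaultname` is an assumed layout.
    Only sealed (kubeseal) credentials belong here: plaintext would be
    committed to the GitOps repository.
    """
    if not sealed_client_id or not sealed_client_secret:
        raise SecretStoreError("sealed clientid/clientsecret must be non-empty")
    new_values = deepcopy(values)  # never mutate the caller's copy
    stores = new_values.setdefault("secretstores", [])
    existing = next((s for s in stores if s.get("keyvaultname") == keyvault_name), None)

    if update:
        # Update mode (UpdateEsoSecret=1): rotate credentials of an existing entry only
        if existing is None:
            raise SecretStoreError(f"no secretstore for keyvault {keyvault_name!r}")
        existing["clientid"] = sealed_client_id
        existing["clientsecret"] = sealed_client_secret
        return new_values, True

    # Create mode: idempotent, an existing entry is left untouched (changed=False)
    if existing is not None:
        return new_values, False
    stores.append({
        "keyvaultname": keyvault_name,
        "tenantid": azure_tenant,          # assumed key name
        "clientid": sealed_client_id,
        "clientsecret": sealed_client_secret,
    })
    return new_values, True


# Constructed sample values, not taken from any real repository
SAMPLE_VALUES = {
    "secretstores": [
        {"keyvaultname": "kv-qa-app", "tenantid": "00000000-0000-0000-0000-000000000000",
         "clientid": "AgA...old-id", "clientsecret": "AgA...old-secret"},
    ]
}
```

The `changed` flag is what the commit-and-push step should key on, so an idempotent create run produces no empty commit.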
Credentials
- pws_user / pws_password — API credentials for Passwordstate
- gitlab_privkey — private SSH key used to clone/push the Git repo
Input
| Variable | Description | Default |
|---|---|---|
| app_env | Application environment (PR or QA); determines the GitOps repo path | (required) |
| keyvault_name | Azure Key Vault name to configure in the secretstore | (required) |
| azure_tenant | Azure tenant ID for the Key Vault | (required) |
| identity | Passwordstate match_field_value used to look up the EntraID credentials (Title field) | (required) |
| UpdateEsoSecret | Set to 1 to update the credentials of an existing secretstore, 0 to create a new one | 0 |
Output
- Modified ArgoCD application file with updated helm values:
  - Adds/updates the secretstore entry with sealed clientid and clientsecret
  - File path: `{{ search_root }}/application_{{ target_namespace }}.yaml`
- Changes committed and pushed to the Git repository