review comments implementation

syedhaseebahmed · syedhaseebahmed · commit 50f6815ef1af · 2025-09-24T06:06:10.000+05:30
diff --git a/components/secretstore-gen-secrets/templates/secrets.yaml.tmpl b/components/secretstore-gen-secrets/templates/secrets.yaml.tmpl
@@ -1,6 +1,5 @@
-{{- $site := .Values.site }}
-{{- $secretStore := $site.secretStore }}
-{{- range $site.secrets }}
+{{- $secretStore := .Values.secretStore }}
+{{- range .Values.secrets }}
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
diff --git a/components/secretstore-gen-secrets/values.yaml b/components/secretstore-gen-secrets/values.yaml
@@ -1,8 +1 @@
-site:
-  name: uc-iad3-dev
-  partition: uc-dev
-  env: dev
-  role: aio
-  secretStore:
-    kind: SecretStore
-    name: vault
+---
diff --git a/workflows/nautobot/kustomization.yaml b/workflows/nautobot/kustomization.yaml
@@ -9,5 +9,6 @@ resources:
 
   # noutobot secret
   - serviceaccounts/k8s-secret-events-nautobot.yaml
+  - serviceaccounts/k8s-job-create.yaml
   - eventsources/k8s-secret-nautobot-token.yaml
   - sensors/k8s-nautobot-secret.yaml
diff --git a/workflows/nautobot/sensors/k8s-nautobot-secret.yaml b/workflows/nautobot/sensors/k8s-nautobot-secret.yaml
@@ -9,7 +9,7 @@ metadata:
       this process ensures the user is created in Nautobot and a corresponding token is provisioned.
 spec:
   template:
-    serviceAccountName: k8s-events-secret-nautobot
+    serviceAccountName: k8s-job-create
   dependencies:
     - name: nautobot-token-secret
       eventSourceName: k8s-secret-nautobot-token
@@ -38,7 +38,7 @@ spec:
                   spec:
                     containers:
                       - name: nautobot-create-token
-                        image: ghcr.io/rackerlabs/understack/ansible:pr-1256
+                        image: ghcr.io/rackerlabs/understack/ansible:latest
                         imagePullPolicy: Always
                         command:
                           - "ansible-runner"
diff --git a/workflows/nautobot/serviceaccounts/k8s-job-create.yaml b/workflows/nautobot/serviceaccounts/k8s-job-create.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8s-job-create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: k8s-job
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create", "get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: k8s-job-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: k8s-job
+subjects:
+  - kind: ServiceAccount
+    name: k8s-job-create
+    namespace: nautobot
diff --git a/workflows/nautobot/serviceaccounts/k8s-secret-events-nautobot.yaml b/workflows/nautobot/serviceaccounts/k8s-secret-events-nautobot.yaml
@@ -3,21 +3,15 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: k8s-events-secret-nautobot
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: secret-reader
 rules:
-  - apiGroups:
-      - ""
-      - batch
-    resources:
-      - secrets
-      - jobs
-    verbs:
-      - '*'
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
