linode · ferruhcihan · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
@@ -15,7 +15,8 @@
     "sourceMap": true,
     "strict": false,
     "strictNullChecks": true,
-    "target": "esnext"
+    "target": "esnext",
+    "types": ["jest", "node"]
   },
   "exclude": ["node_modules", "dist"],
   "include": ["src", "jest.config.ts"],

@@ -14,6 +14,14 @@ resources:
       - apiGroups: [""]
         resources: ["secrets"]
         verbs: ["get", "list", "watch"]
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: eso-push-secret-writer
+    rules:
+      - apiGroups: [""]
+        resources: ["secrets"]
+        verbs: ["get", "create", "update", "patch", "delete"]
   - apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
@@ -31,6 +39,11 @@ resources:
     metadata:
       name: core-secrets-store
     spec:
+      conditions:
+        - namespaceSelector:
+            matchExpressions:
+              - key: otomi.io/team
+                operator: DoesNotExist
       provider:
         kubernetes:
           remoteNamespace: apl-secrets

@@ -21,4 +21,4 @@ installCRDs: false
 processClusterExternalSecret: false
 processClusterPushSecret: false
 processClusterGenerator: false
-processPushSecret: false
+processPushSecret: true
@@ -10,38 +10,12 @@ resources:
       labels:
         name: {{ $ns }}
         type: team
+        otomi.io/team: "true"
         {{- if $v.apps.istio.defaultRevision }}
         istio.io/rev: {{ $v.apps.istio.defaultRevision | quote }}
         {{- else }}
         istio-injection: enabled
         {{- end }}
-    {{- with $v.otomi | get "globalPullSecret" nil }}
-    {{- $gpsUsername := . | get "username" "" }}
-    {{- $gpsServer := . | get "server" "docker.io" }}
-    {{- $gpsEmail := . | get "email" "not@val.id" }}
-  - apiVersion: external-secrets.io/v1
-    kind: ExternalSecret
-    metadata:
-      name: otomi-pullsecret-global
-      namespace: {{ $ns }}
-    spec:
-      refreshInterval: 1h
-      secretStoreRef:
-        name: core-secrets-store
-        kind: ClusterSecretStore
-      target:
-        name: otomi-pullsecret-global
-        creationPolicy: Owner
-        template:
-          type: kubernetes.io/dockerconfigjson
-          data:
-            .dockerconfigjson: '{"auths":{"{{ $gpsServer }}":{"username":"{{ $gpsUsername }}","password":"{{ "{{ .password | toString }}" }}","email":"{{ $gpsEmail }}"}}}'
-      data:
-        - secretKey: password
-          remoteRef:
-            key: otomi-secrets
-            property: globalPullSecret_password
-    {{- end }}
   # patching service account here as helm does not recognize it as it's own
   - apiVersion: v1
     kind: ServiceAccount
@@ -57,4 +31,17 @@ resources:
       - name: harbor-pullsecret
     {{- end }}
     {{- end }}
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: eso-push-secret-writer
+      namespace: {{ $ns }}
+    subjects:
+      - kind: ServiceAccount
+        name: eso-store-sa
+        namespace: external-secrets
+    roleRef:
+      kind: ClusterRole
+      name: eso-push-secret-writer
+      apiGroup: rbac.authorization.k8s.io
   {{- end }}