From 43c7d4b754ca520c894ec12fb85ff7d69e9a5940 Mon Sep 17 00:00:00 2001
From: Aaron Riedel
Date: Mon, 4 Nov 2024 20:45:29 +0100
Subject: [PATCH] add sops
---
.gitignore | 1 -
.sops.yaml | 11 ++++++++
app-files/apps.yaml | 25 ++++++++++++-----
argocd/cm.yaml | 1 +
argocd/ingress.yaml | 24 -----------------
argocd/kustomization.yaml | 7 +++++
argocd/secret-generator.yaml | 12 +++++++++
argocd/secret.yaml | 40 +++++++++++++++++++++++++++
argocd/sops-secret.yaml | 37 +++++++++++++++++++++++++
argocd/values.yaml | 52 ++++++++++++++++++++++++++++++++++++
10 files changed, 178 insertions(+), 32 deletions(-)
create mode 100644 .sops.yaml
delete mode 100644 argocd/ingress.yaml
create mode 100644 argocd/kustomization.yaml
create mode 100644 argocd/secret-generator.yaml
create mode 100644 argocd/secret.yaml
create mode 100644 argocd/sops-secret.yaml
create mode 100644 argocd/values.yaml
diff --git a/.gitignore b/.gitignore
index e70443f..124c70a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
**/secrets.yaml
-**/secret.yaml
**/.DS_Store
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..2fd620c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+---
+keys:
+ - &argo age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
+ - &aaron age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+creation_rules:
+ - path_regex: .*
+ encrypted_regex: ^(data|stringData)$
+ key_groups:
+ - age:
+ - *argo
+ - *aaron
diff --git a/app-files/apps.yaml b/app-files/apps.yaml
index 41bc31c..64e2702 100644
--- a/app-files/apps.yaml
+++ b/app-files/apps.yaml
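Review bot: Nothing in the new `.sops.yaml` rule, or anywhere else in the repository, verifies that a file matching `path_regex: .*` has actually been encrypted before it is committed, and the `.gitignore` hunk on this same patch line stops ignoring `**/secret.yaml`, so a plaintext `secret.yaml` written by hand would now be committed without any error. The `encrypted_regex` limits encryption to the values under `data`/`stringData`, so key names such as the ones in `argocd/secret.yaml` and all `metadata` stay in cleartext, which is acceptable but worth stating. Consider a pre-commit or CI step that fails when a file named `secret*.yaml` under `argocd/` lacks the `sops.mac` field, and a comment above the rule such as `# every YAML file matches; only data/stringData values are encrypted, keys and metadata stay cleartext`. Narrowing the rule, e.g. `path_regex: (^|/)(sops-)?secret\.yaml$` (constructed example), would also keep `sops` from touching a ConfigMap's `data` by mistake.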
@@ -20,22 +20,33 @@ spec:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
- name: argocd-ingress
+ name: argocd
namespace: argocd
spec:
project: default
- source:
- repoURL: https://git.ar21.de/aaron/k8s-deployments.git
- targetRevision: HEAD
- path: argocd
+ sources:
+ - repoURL: https://argoproj.github.io/argo-helm
+ chart: argo-cd
+ targetRevision: 7.6.8
+ helm:
+ releaseName: argo
+ valueFiles:
+ - $values/argocd/values.yaml
+ - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+ targetRevision: HEAD
+ ref: values
+ - repoURL: https://git.ar21.de/aaron/k8s-deployments.git
+ targetRevision: HEAD
+ path: argocd
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
syncOptions:
- - CreateNamespace=true
+ - CreateNamespace=true
automated:
- prune: true
+ selfHeal: true
+ prune: false
---
apiVersion: argoproj.io/v1alpha1
kind: Application
diff --git a/argocd/cm.yaml b/argocd/cm.yaml
index 95c86af..85ac467 100644
--- a/argocd/cm.yaml
+++ b/argocd/cm.yaml
@@ -9,6 +9,7 @@ metadata:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
data:
+ kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
statusbadge.enabled: "true"
resource.customizations: |
networking.k8s.io/Ingress:
diff --git a/argocd/ingress.yaml b/argocd/ingress.yaml
deleted file mode 100644
index 47c654f..0000000
--- a/argocd/ingress.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- kubernetes.io/tls-acme: "true"
- name: argocd-ingress
- namespace: argocd
-spec:
- rules:
- - host: "aaron-argo.services.yolokube.de"
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: argocd-server
- port:
- number: 80
- tls:
- - hosts:
- - aaron-argo.services.yolokube.de
- secretName: argocd-tls-key
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
new file mode 100644
index 0000000..2d115cb
--- /dev/null
+++ b/argocd/kustomization.yaml
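Review bot: Renaming the Application from `argocd-ingress` to `argocd` creates a new Application object rather than updating the existing one, and with `prune: false` on the new app nothing in this hunk removes the old `argocd-ingress` Application or the Ingress it managed (whose source is deleted in the `argocd/ingress.yaml` hunk). Whether they are cleaned up depends on the parent app-of-apps' prune setting and on a `resources-finalizer.argocd.argoproj.io` finalizer on the old Application, neither of which is visible here; if they survive, the chart's `server.ingress` from `values.yaml` and the old Ingress both claim `aaron-argo.services.yolokube.de`. Please confirm the old objects are gone after the first sync, and add a comment on the `automated` block explaining why pruning is off for an Application that manages Argo CD itself, e.g. `# prune disabled: this Application manages the Argo CD installation and must never delete its own resources`.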
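Review bot: `kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"` is a repo-server-wide setting: every kustomize build on this instance may now declare an `exec` function, not only the ksops generator in `argocd/secret-generator.yaml`, so the set of repositories and projects this Argo CD is allowed to source becomes the security boundary and should be kept as tight as the AppProject definitions allow. The ConfigMap is also itself a resource of the `argocd/kustomization.yaml` that needs this flag, so the option must already be present in the live `argocd-cm` before the `argocd` Application can build that directory for the first time. A comment above the key would help the next reader, e.g. `# required by the ksops exec generator in argocd/; applies to every kustomize app on this instance`.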
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+ - ./secret-generator.yaml
+resources:
+ - ./cm.yaml
diff --git a/argocd/secret-generator.yaml b/argocd/secret-generator.yaml
new file mode 100644
index 0000000..552987a
--- /dev/null
+++ b/argocd/secret-generator.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./sops-secret.yaml
+ - ./secret.yaml
diff --git a/argocd/secret.yaml b/argocd/secret.yaml
new file mode 100644
index 0000000..d552f0b
--- /dev/null
+++ b/argocd/secret.yaml
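Review bot: The KSOPS generator lists `./sops-secret.yaml`, which is the `sops-age` Secret whose `keys.txt` the repo-server reads via `SOPS_AGE_KEY_FILE` (presumably the private half of the `&argo` recipient), and that file is encrypted only to `age14ux…` and `age1z5w…` (see the `argocd/sops-secret.yaml` hunk), so in-cluster it can only be decrypted with the key it itself contains. `values.yaml` mounts `sops-age` as a plain Secret volume, so as far as I can tell on a fresh cluster the repo-server pod cannot even be created, let alone run this generator, until someone decrypts `sops-secret.yaml` with the `aaron` key and applies it by hand, and the same manual step is needed after every rotation of the argo key. This ordering is written down nowhere in the commit; add a comment in `secret-generator.yaml` such as `# sops-secret.yaml bootstraps the decryption key itself: apply it manually before the first sync and after key rotation`, and consider `optional: true` on the `sops-key` volume so a missing Secret surfaces as a KSOPS decrypt error rather than a pod stuck in ContainerCreating.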
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argocd-secret
+ namespace: argocd
+ labels:
+ app.kubernetes.io/name: argocd-secret
+ app.kubernetes.io/part-of: argocd
+stringData:
+ oidc.aaronid.clientSecret: ENC[AES256_GCM,data:ZrhSXPm+p9iD5tvJA3hyqiGw2czrO3YLbWPe7WvQf2Rok28f3V0a2DkFR336+5x4YTF6Khw1qYtQH6Kgc1HS7RbY7RDpynAwO2JHrxApfUir31UZ2oNsbTqv7nyNSrMFR4vgLEx9WSTaM66c43sgevdaCodDbzfiSe+Zjwrdcfw=,iv:Bzf8U16ZlkflMFM6BlfBbiJfaM6YzxkUXPTXnfjbApU=,tag:7T5e75XFm//aoTLTtQR3mA==,type:str]
+type: Opaque
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaUIvZmc3cFcxSExFcjhC
+ cXVNaU5TdVpGR09jTkIzWHNrTHhkSWV6ZXlvClArWGFwNlhtbzJVWUNIQXlCNlEr
+ aWtqMHdyNHJNTjM5dFQxN1J0QWtHTW8KLS0tIFBnWmI2NFhERWRISmVuVjhTK1E0
+ TmpCTWY5T1QxWnFlZG1TRUNuN1RTNmMKpadrE3scJFXK7qc5WADHtAJ4LCSvzsd9
+ j3Ew0vCLEVTjxON6rBD6k3KqZdIzQEJnDNJWUiPUaoPP+1FIl2cxvg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVnBnRlZlanI5MGFvQlpO
+ TEdldzQ1RkV3N3VwcUo1WXNBaGlSRFVqS1Y0CkU3RzUzSzBtU0dkZ1M5YXN6eXpL
+ OE5sTmc2Q2I2VnBna1lHYjQ3ak4zZ2sKLS0tIHVvelVTU29GWkVNeFdOLzJMdEY5
+ UDFQL2pGNTRlcURqcFZkTG12YjRmQUkKDe7jb3TtIJXIQfDs+VuIHFZjtnKfC6Sc
+ caPhCC6KBejq5hyJXSOHXh6n+xYshNkzEkHp90gLY41XFiAPHU6Sfg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-04T19:32:15Z"
+ mac: ENC[AES256_GCM,data:pzukaPYOzoo3vsXpwMiIpXCuOGy2MlWAsAuPvjsDimKb5kvYeZiVKhiT2BID6TtEcGL0FpX6pyrwl6c+lwK+5fcsKRGWPLowZ47RAQxnctieRH+QneMTnmIHI6Ex0PmDPasnG1EMoXyitGDNO7ouEk1ie0AK9z9+xVeyXCtUCRg=,iv:CzUiJmvUBjpwVmf0QW1X7b1CsQlSMX2fwnBHoqlRbo0=,tag:5yxJZOzuQ720YEQAbaHY8A==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
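Review bot: This file renders a Secret named `argocd-secret` in namespace `argocd` through the kustomize source, while the Helm source of the same `argocd` Application installs the `argo-cd` chart with `configs.cm.create: false` but no matching `configs.secret.createSecret: false`; if the chart's default still renders its own `argocd-secret` (it did in the 7.x line as far as I recall, please verify against 7.6.8), the Application carries two manifests for one object and either fails the sync or lets the two sources overwrite each other's `stringData`. Adding `configs.secret.createSecret: false` to `values.yaml` would give this file sole ownership of the object. Note that SOPS leaves the key name `oidc.aaronid.clientSecret` and all of `metadata` in cleartext; only the value is under `ENC[...]`, and the `sops.mac` covers the whole document so a tampered key name is still detected.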
diff --git a/argocd/sops-secret.yaml b/argocd/sops-secret.yaml
new file mode 100644
index 0000000..8832f72
--- /dev/null
+++ b/argocd/sops-secret.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sops-age
+ namespace: argocd
+type: Opaque
+data:
+ keys.txt: ENC[AES256_GCM,data:ywffPwk3i+622egcKEB3QmBdnRmcaYhtaF3niX9YzOAutQUuCAaKMjEZWbl5+S9/CVfUg+iVaBoUCSUsjzaFrf22upS45ayMnzS8F9JzvAz8L2IEecEhwDvbUtsupbpciOGYZlA+XPdRb6ab+VEnuTnrv7hIA0agdRdje/qlRZwJ8Vsfozq1xuvPFWKdtORcB6mA3pZaTMheOqEwPbosT+WD7Hn1m8rK1DG+pDQsRHb8TwBXK+YfyWnvScRa04jcvhPg8nyg3lZS6PjRLGKXZ5g0MytVDXJWzrGOfU3cUmt3XUM46Vl1t8gF/Y1P+jvFeNjK8tRdze1nUpee,iv:jUOFyM/KB4b3h9UZAyM64c6IDyL+Vw9kA6qDRRD7/uw=,tag:FF3F8R4cf/59ncGy4sbkHA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenl5TnBHSWtXTU51TnZa
+ Z1pReHZlV0pPRzRsQ0RxUmsvWVI1b2RMeGljCmdSWDllRnBMSnlVSksycDI3cVVZ
+ TmExeEtuWStYSi9Ub0VCZS90MzZFZjgKLS0tIHEvSm5vTVVWdkRyOWNuRlhINzZY
+ RnRLR1grWm02UVE3TFhid3p3RHVSNlEK1fzRPAgFJmV3zEgX5FNNdV1zfd/Tv1q3
+ g8HEyBgyfBAm6SXIB4Z3uTGJh9rJ9mPuTecFkiThn6WtSJJHRgQ7lQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSDV6VU92dXM5QTNSdmps
+ S3JCL2xZVERBOTZHZmlwVFptczZWMmpkZlIwCkp1TW42NWJveHdZOHp4cXY3eEpM
+ UkIzUWloNDJLQXRWM0g0ZzhHTmVyczQKLS0tIEE0d082L3g5MENlOTZFYkNtOGFB
+ NnRtdyttNjNWaGlOd09SdGhXZnZ2VE0K3bKDIJO2RQPY+1/p7nlwzZraPVnW+8L+
+ wY1MoIdwygMcH5tmo0Jy3sLWMupUHQXQM9CX933wTATRPJtojLS4HA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-04T19:39:31Z"
+ mac: ENC[AES256_GCM,data:OEeKuRW4Wvkqd/aafrvhNQxCQmuose5b/PfzxGh5a0+cN5ORib819ksjpLu78AL2rOhc0qRff8hi8TgWpoyBP7BiihpmCxZGFabITTAbH8x0Nacn3fef30K4Yw8AB7gLXrN1fwA9PLxfFoqmzsPnMh7xpEKMEKq1T0/ijqvmGJM=,iv:BM5gC/Vi4COBSFC/BHxV+bv8WXDwF+6eEx64ROIqpd4=,tag:WxwbtnYxa2okLdWUxWI7Yw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 
3.9.0
diff --git a/argocd/values.yaml b/argocd/values.yaml
new file mode 100644
index 0000000..ea54d70
--- /dev/null
+++ b/argocd/values.yaml
@@ -0,0 +1,52 @@
+---
+global:
+ domain: aaron-argo.services.yolokube.de
+configs:
+ cm:
+ create: false
+ params:
+ create: true
+ server.insecure: true
+ rbac:
+ create: true
+ policy.csv: |
+ g, ar21-general, role:admin
+server:
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ tls: true
+repoServer:
+ volumes:
+ - name: custom-tools
+ emptyDir: {}
+ - name: sops-key
+ secret:
+ secretName: sops-age
+ initContainers:
+ - name: install-ksops
+ image: viaductoss/ksops:v4.3.2
+ command: ["/bin/sh", "-c"]
+ args:
+ - echo "Installing KSOPS...";
+ mv ksops /custom-tools/;
+ mv kustomize /custom-tools/;
+ echo "Done.";
+ volumeMounts:
+ - mountPath: /custom-tools
+ name: custom-tools
+ volumeMounts:
+ - mountPath: /usr/local/bin/kustomize
+ name: custom-tools
+ subPath: kustomize
+ - mountPath: /usr/local/bin/ksops
+ name: custom-tools
+ subPath: ksops
+ - mountPath: /.config/sops/age
+ name: sops-key
+ env:
+ - name: XDG_CONFIG_HOME
+ value: /.config
+ - name: SOPS_AGE_KEY_FILE
+ value: /.config/sops/age/keys.txt
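Review bot: Mounting `custom-tools` over `/usr/local/bin/kustomize` (the second `volumeMounts` list) replaces the kustomize binary shipped in the Argo CD image with the one the init container copies out of `viaductoss/ksops:v4.3.2`, so from now on the kustomize version in use is pinned by the ksops tag rather than by the chart's `targetRevision: 7.6.8`; a comment next to the image line should say so, e.g. `# also supplies the kustomize binary that is mounted over /usr/local/bin/kustomize`. The init container's `args` entry is a multi-line plain scalar that YAML folds onto one line, which only works because every command ends in `;`; a `|-` block scalar makes the script explicit and lets a later line be added without that trap. `server.insecure: true` is presumably paired with TLS terminated at the chart-managed ingress (`tls: true`), which deserves a one-line comment as well.

```yaml
      # single shell script, one command per line; newlines separate the commands
      args:
        - |-
          echo "Installing KSOPS..."
          mv ksops /custom-tools/
          mv kustomize /custom-tools/
          echo "Done."
      # … unchanged: volumeMounts …
```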