This commit is contained in:
Aaron Riedel 2024-11-04 20:45:29 +01:00
parent d767663f0d
commit 43c7d4b754
Signed by: aaron
GPG key ID: 643004654D40D577
10 changed files with 178 additions and 32 deletions

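--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
 **/secrets.yaml
-**/secret.yaml
 **/.DS_Store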

.sops.yaml Normal file

@ -0,0 +1,11 @@
---
keys:
- &argo age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
- &aaron age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
creation_rules:
- path_regex: .*
encrypted_regex: ^(data|stringData)$
key_groups:
- age:
- *argo
- *aaron
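Review bot: `path_regex: .*` on line 28 makes every file in the repository match the single creation rule, which is fine for `sops -e`, but nothing in the commit checks that a Secret manifest is actually encrypted before it is committed — and with `**/secret.yaml` dropped from .gitignore in the same commit, a plaintext `argocd/secret.yaml` or `argocd/sops-secret.yaml` would land in history without any tooling objecting. `encrypted_regex: ^(data|stringData)$` also means only those values are ever encrypted while `metadata` stays readable, which is intended for Kubernetes Secrets but easy to misread. Consider a pre-commit or CI check that every `*secret*.yaml` carries a `sops:` block (e.g. `grep -L '^sops:'` over those paths failing the run), and a comment above `creation_rules:` such as `# every path matches; only data/stringData values are encrypted, metadata stays plaintext`.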


@ -20,22 +20,33 @@ spec:
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: argocd-ingress name: argocd
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: sources:
repoURL: https://git.ar21.de/aaron/k8s-deployments.git - repoURL: https://argoproj.github.io/argo-helm
targetRevision: HEAD chart: argo-cd
path: argocd targetRevision: 7.6.8
helm:
releaseName: argo
valueFiles:
- $values/argocd/values.yaml
- repoURL: https://git.ar21.de/aaron/k8s-deployments.git
targetRevision: HEAD
ref: values
- repoURL: https://git.ar21.de/aaron/k8s-deployments.git
targetRevision: HEAD
path: argocd
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
namespace: argocd namespace: argocd
syncPolicy: syncPolicy:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
automated: automated:
prune: true selfHeal: true
prune: false
--- ---
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
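Review bot: The new `argocd` Application renders the `argocd` path (third entry under `sources:`) with the KSOPS generator, which presumably needs the ksops binary and the `sops-age` key already present in the repo-server, yet nothing in the hunk records that the chart and the decrypted key Secret have to be applied once out-of-band; on a fresh cluster the first sync likely fails at the kustomize build until that bootstrap has happened. A comment above `sources:` such as `# bootstrap: install the chart and apply the sops-age Secret manually before the first sync; after that this app manages itself` would save the next operator a debugging round. `selfHeal: true` with `prune: false` on lines 66–67 reads as a deliberate choice for a self-managing instance and is worth stating in the same comment. The second Application document that begins at the end of the hunk continues outside it.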


@ -9,6 +9,7 @@ metadata:
app.kubernetes.io/name: argocd-cm app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd app.kubernetes.io/part-of: argocd
data: data:
kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
statusbadge.enabled: "true" statusbadge.enabled: "true"
resource.customizations: | resource.customizations: |
networking.k8s.io/Ingress: networking.k8s.io/Ingress:
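Review bot: `kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"` on line 78 is instance-wide: it lets the repo-server execute exec-style KRM functions for every kustomize source this Argo CD renders, not only the `argocd` path, and the same repo-server now has the age private key mounted via the values file. Any repository or path that an AppProject allows to be built can therefore ship an exec function that runs inside the repo-server with that key readable. The flag is required for KSOPS, so the mitigation is to keep each AppProject's `sourceRepos` tight and to say so here, e.g. `# --enable-exec: kustomize may run exec plugins from any rendered repo; keep AppProject sourceRepos restricted`. The `data:` mapping continues outside the hunk.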


@ -1,24 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/tls-acme: "true"
name: argocd-ingress
namespace: argocd
spec:
rules:
- host: "aaron-argo.services.yolokube.de"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: argocd-server
port:
number: 80
tls:
- hosts:
- aaron-argo.services.yolokube.de
secretName: argocd-tls-key


@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
generators:
- ./secret-generator.yaml
resources:
- ./cm.yaml


@ -0,0 +1,12 @@
---
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./sops-secret.yaml
- ./secret.yaml

argocd/secret.yaml Normal file

@ -0,0 +1,40 @@
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
labels:
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
stringData:
oidc.aaronid.clientSecret: ENC[AES256_GCM,data:ZrhSXPm+p9iD5tvJA3hyqiGw2czrO3YLbWPe7WvQf2Rok28f3V0a2DkFR336+5x4YTF6Khw1qYtQH6Kgc1HS7RbY7RDpynAwO2JHrxApfUir31UZ2oNsbTqv7nyNSrMFR4vgLEx9WSTaM66c43sgevdaCodDbzfiSe+Zjwrdcfw=,iv:Bzf8U16ZlkflMFM6BlfBbiJfaM6YzxkUXPTXnfjbApU=,tag:7T5e75XFm//aoTLTtQR3mA==,type:str]
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaUIvZmc3cFcxSExFcjhC
cXVNaU5TdVpGR09jTkIzWHNrTHhkSWV6ZXlvClArWGFwNlhtbzJVWUNIQXlCNlEr
aWtqMHdyNHJNTjM5dFQxN1J0QWtHTW8KLS0tIFBnWmI2NFhERWRISmVuVjhTK1E0
TmpCTWY5T1QxWnFlZG1TRUNuN1RTNmMKpadrE3scJFXK7qc5WADHtAJ4LCSvzsd9
j3Ew0vCLEVTjxON6rBD6k3KqZdIzQEJnDNJWUiPUaoPP+1FIl2cxvg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVnBnRlZlanI5MGFvQlpO
TEdldzQ1RkV3N3VwcUo1WXNBaGlSRFVqS1Y0CkU3RzUzSzBtU0dkZ1M5YXN6eXpL
OE5sTmc2Q2I2VnBna1lHYjQ3ak4zZ2sKLS0tIHVvelVTU29GWkVNeFdOLzJMdEY5
UDFQL2pGNTRlcURqcFZkTG12YjRmQUkKDe7jb3TtIJXIQfDs+VuIHFZjtnKfC6Sc
caPhCC6KBejq5hyJXSOHXh6n+xYshNkzEkHp90gLY41XFiAPHU6Sfg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-04T19:32:15Z"
mac: ENC[AES256_GCM,data:pzukaPYOzoo3vsXpwMiIpXCuOGy2MlWAsAuPvjsDimKb5kvYeZiVKhiT2BID6TtEcGL0FpX6pyrwl6c+lwK+5fcsKRGWPLowZ47RAQxnctieRH+QneMTnmIHI6Ex0PmDPasnG1EMoXyitGDNO7ouEk1ie0AK9z9+xVeyXCtUCRg=,iv:CzUiJmvUBjpwVmf0QW1X7b1CsQlSMX2fwnBHoqlRbo0=,tag:5yxJZOzuQ720YEQAbaHY8A==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.0

argocd/sops-secret.yaml Normal file

@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: sops-age
namespace: argocd
type: Opaque
data:
keys.txt: ENC[AES256_GCM,data:ywffPwk3i+622egcKEB3QmBdnRmcaYhtaF3niX9YzOAutQUuCAaKMjEZWbl5+S9/CVfUg+iVaBoUCSUsjzaFrf22upS45ayMnzS8F9JzvAz8L2IEecEhwDvbUtsupbpciOGYZlA+XPdRb6ab+VEnuTnrv7hIA0agdRdje/qlRZwJ8Vsfozq1xuvPFWKdtORcB6mA3pZaTMheOqEwPbosT+WD7Hn1m8rK1DG+pDQsRHb8TwBXK+YfyWnvScRa04jcvhPg8nyg3lZS6PjRLGKXZ5g0MytVDXJWzrGOfU3cUmt3XUM46Vl1t8gF/Y1P+jvFeNjK8tRdze1nUpee,iv:jUOFyM/KB4b3h9UZAyM64c6IDyL+Vw9kA6qDRRD7/uw=,tag:FF3F8R4cf/59ncGy4sbkHA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenl5TnBHSWtXTU51TnZa
Z1pReHZlV0pPRzRsQ0RxUmsvWVI1b2RMeGljCmdSWDllRnBMSnlVSksycDI3cVVZ
TmExeEtuWStYSi9Ub0VCZS90MzZFZjgKLS0tIHEvSm5vTVVWdkRyOWNuRlhINzZY
RnRLR1grWm02UVE3TFhid3p3RHVSNlEK1fzRPAgFJmV3zEgX5FNNdV1zfd/Tv1q3
g8HEyBgyfBAm6SXIB4Z3uTGJh9rJ9mPuTecFkiThn6WtSJJHRgQ7lQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSDV6VU92dXM5QTNSdmps
S3JCL2xZVERBOTZHZmlwVFptczZWMmpkZlIwCkp1TW42NWJveHdZOHp4cXY3eEpM
UkIzUWloNDJLQXRWM0g0ZzhHTmVyczQKLS0tIEE0d082L3g5MENlOTZFYkNtOGFB
NnRtdyttNjNWaGlOd09SdGhXZnZ2VE0K3bKDIJO2RQPY+1/p7nlwzZraPVnW+8L+
wY1MoIdwygMcH5tmo0Jy3sLWMupUHQXQM9CX933wTATRPJtojLS4HA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-04T19:39:31Z"
mac: ENC[AES256_GCM,data:OEeKuRW4Wvkqd/aafrvhNQxCQmuose5b/PfzxGh5a0+cN5ORib819ksjpLu78AL2rOhc0qRff8hi8TgWpoyBP7BiihpmCxZGFabITTAbH8x0Nacn3fef30K4Yw8AB7gLXrN1fwA9PLxfFoqmzsPnMh7xpEKMEKq1T0/ijqvmGJM=,iv:BM5gC/Vi4COBSFC/BHxV+bv8WXDwF+6eEx64ROIqpd4=,tag:WxwbtnYxa2okLdWUxWI7Yw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.0
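Review bot: `keys.txt` on line 196 is the age private key that the repo-server uses for decryption, and the file is encrypted to the first recipient on line 203 — the same key as the `&argo` anchor in .sops.yaml — plus the `&aaron` recipient; since the repo-server cannot decrypt its own key before it holds it, only the `aaron` key can ever re-bootstrap this Secret, and a leak of either recipient key exposes every sops file in the repository including this one. That is a defensible design for a single-operator setup, but it should be written down next to the file together with the rotation procedure, which is not obvious from the manifest: generate a new key, run `sops updatekeys` on every encrypted file, re-encrypt this Secret and apply it out-of-band before the repo-server can sync again. A comment above `data:` such as `# sops-age: private key for recipient &argo (see .sops.yaml); rotate via sops updatekeys, then re-apply manually` would keep the two files in step.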

argocd/values.yaml Normal file

@ -0,0 +1,52 @@
---
global:
domain: aaron-argo.services.yolokube.de
configs:
cm:
create: false
params:
create: true
server.insecure: true
rbac:
create: true
policy.csv: |
g, ar21-general, role:admin
server:
ingress:
enabled: true
annotations:
kubernetes.io/tls-acme: "true"
tls: true
repoServer:
volumes:
- name: custom-tools
emptyDir: {}
- name: sops-key
secret:
secretName: sops-age
initContainers:
- name: install-ksops
image: viaductoss/ksops:v4.3.2
command: ["/bin/sh", "-c"]
args:
- echo "Installing KSOPS...";
mv ksops /custom-tools/;
mv kustomize /custom-tools/;
echo "Done.";
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
volumeMounts:
- mountPath: /usr/local/bin/kustomize
name: custom-tools
subPath: kustomize
- mountPath: /usr/local/bin/ksops
name: custom-tools
subPath: ksops
- mountPath: /.config/sops/age
name: sops-key
env:
- name: XDG_CONFIG_HOME
value: /.config
- name: SOPS_AGE_KEY_FILE
value: /.config/sops/age/keys.txt
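Review bot: The init container on lines 259–266 pins `viaductoss/ksops:v4.3.2` by tag only, and it overwrites both `ksops` and `kustomize` under `/usr/local/bin` in the repo-server, so the kustomize that renders every application now comes from that image rather than from the Argo CD chart; a tag can be re-pushed, and this binary runs next to the mounted age key. Pin the image by digest, `image: viaductoss/ksops:v4.3.2@sha256:<digest-of-v4.3.2>`, and add a comment saying the chart's own kustomize is being replaced. `server.insecure: true` on line 240 is consistent with TLS terminating at the ingress (`tls: true` on line 250) but deserves a one-line comment stating that. The multi-line plain scalar under `args:` on lines 263–266 is folded into one shell command only by YAML line-folding; a `- >-` block scalar would make that intent explicit.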