argo: add aarons age key

.gitignore

@@ -1,4 +1,4 @@
-**/secret.yaml
 **/temp.yaml
 **/credentials
 **/.DS_Store
+*.agekey

.sops.yaml

@@ -0,0 +1,13 @@
+---
+keys:
+  - &argo age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+  - &tom age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+  - &aaron age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+creation_rules:
+  - path_regex: .*
+    encrypted_regex: ^(data|stringData)$
+    key_groups:
+      - age:
+          - *argo
+          - *tom
+          - *aaron

app-files/core-deployments.yaml

@@ -32,14 +32,26 @@ spec:
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd-ingress
+  name: argocd
   namespace: argocd
 spec:
   project: default
-  source:
+  sources:
-    repoURL: https://git.ar21.de/yolokube/core-deployments.git
+    - repoURL: https://argoproj.github.io/argo-helm
+      chart: argo-cd
+      targetRevision: 7.6.6
+      helm:
+        releaseName: argo
+        valueFiles:
+        - $values/argo/values.yaml
+    - repoURL: https://git.ar21.de/yolokube/core-deployments.git
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       path: argo
+      kustomize:
+        buildOptions: "--enable-alpha-plugins --enable-exec"
   destination:
     server: https://kubernetes.default.svc
     namespace: argocd
@@ -47,7 +59,8 @@ spec:
     syncOptions:
     - CreateNamespace=true
     automated:
-      prune: true
+      selfHeal: true
+      prune: false
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application

argo/cm.yaml

@@ -9,6 +9,7 @@ metadata:
     app.kubernetes.io/name: argocd-cm
     app.kubernetes.io/part-of: argocd
 data:
+  kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
   statusbadge.enabled: "true"
   resource.customizations: |
     networking.k8s.io/Ingress:
@@ -33,28 +34,3 @@ data:
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email"]
     logoutURL: https://auth.ar21.de/application/o/yolokube-argocd/end-session/
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: argocd-cmd-params-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/instance: argocd-ingress
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  server.insecure: "true"
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: argocd-rbac-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/instance: argocd-ingress
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  policy.csv: |
-    g, yolokube-general, role:admin

argo/ingress.yaml

@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    kubernetes.io/tls-acme: "true"
-  name: argocd-ingress
-  namespace: argocd
-spec:
-  rules:
-  - host: "argo.services.yolokube.de"
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80
-  tls:
-  - hosts:
-      - argo.services.yolokube.de
-    secretName: argocd-tls-key

argo/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - ./secret-generator.yaml
+resources:
+  - ./cm.yaml

argo/secret-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./sops-secret.yaml

argo/sops-secret.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: sops-age
+    namespace: argocd
+type: Opaque
+data:
+    keys.txt: ENC[AES256_GCM,data:EQvfQQy6rco2iqbVLn/3jxsNTcU1tbfCkkAP9D3ggD/MJcIaQ3ZdxonbnnYUS34mmhEwba9R3vn80EQCj0M5jU5ucMeU+E25HbQAJFPBI2pvXuRQy8nMVtRwgrJZdaFKBUzGjtNrSj04y1y6QdIsIMqkn8byi5RthJ86IYo4if4WNPJp1EyiM/3+PTn/fLT/QtzU83LUz8D/hPTtUYJCxyeHEYBuC/niHfT1NgqsBRspI13bPUmxBjmtew1docQL61QSRdflopD7vxb9b6elQ/Zj4vs/TK0ILT5do1KkRGnZT8hRTnqnArcLdTr8xR5gVlIFFInncvzdLPsN,iv:JvuOYExMwMBlgM/W83ttlnvUPkuFPVvkBNwzumBxpLU=,tag:AXJOv4ZO0znONF9VG+5j3g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeitkMzBjTGxSM09RTnFB
+            N0UxRytKMmszMHhKVFY3b0pNcHIwWHcwbUNjClY4cHMvemhzRkNXRVhtcVRtN1c4
+            OGtaWFkwTWYwNHNTL3lMVmlYOGREYTAKLS0tIEZxNm1IMmFxdzB2dUhvdlNsUUxl
+            UHdKaW8ydkpoLzQ0dEVyc0plaVhCTlUK6PF6CVvLDDTIozhRYHZxgcNeeKQPJAPr
+            Ay/35PSwzZ4RVJyAKqyhkkQSXkwLsytV1AC527NEZbmBniGgioyFHA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZ1BmeUNLT1RQR3cybzQx
+            aTRJVXkzQTFmNVowTmpVckJHdmRWTlVtSEV3Cm1oakp0c0NoRnF5c3pIb01ja2g3
+            UE1hUXV2bmNqeFlPM2tsY0J0UndYVTgKLS0tIDRBaGVBK0xlSFVFVVdXZjQ1RXhQ
+            UUo1Q0lXVjNGWllzYnlJS29qZHdZZGsK8Z1JWhY9HSY5xm6gZaT3TB2eqMysNxgL
+            MDk4gaQq8qbrMF/jN40ljt1ZgtAlY2gQKFyqygUNiwgHxN8iC2upng==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-30T17:09:05Z"
+    mac: ENC[AES256_GCM,data:Qvm2+3NQy9oywWveAhJdvnmg9tQzdCwjQSczYAS2j5Y0nPw3VeCT27Efm0A591fsvUhjukcDnX2ogEkKtPPJgq5VAJtGLXh2akAdjFxYxm8UPkgw8e6ev/R4kQQdTQ0if8qeeIO3CHEvAKhmrGimbg4DDHgPvyGoiHtTbBBFFr0=,iv:EDmPxMOXpHdyTmGbHFYAholnzi+WLc+GBXmu0k3GAuE=,tag:ThMbGppwFUocX7g2bsWI7w==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.0

argo/values.yaml

@@ -0,0 +1,51 @@
+global:
+  domain: argo.services.yolokube.de
+configs:
+  cm:
+    create: false
+  params:
+    create: true
+    server.insecure: true
+  rbac:
+    create: true
+    policy.csv: |
+      g, yolokube-general, role:admin
+server:
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/tls-acme: "true"
+    tls: true
+repoServer:
+  volumes:
+    - name: custom-tools
+      emptyDir: {}
+    - name: sops-key
+      secret:
+        secretName: sops-age
+  initContainers:
+    - name: install-ksops
+      image: viaductoss/ksops:v4.3.2
+      command: ["/bin/sh", "-c"]
+      args:
+        - echo "Installing KSOPS...";
+          mv ksops /custom-tools/;
+          mv kustomize /custom-tools/;
+          echo "Done.";
+      volumeMounts:
+        - mountPath: /custom-tools
+          name: custom-tools
+  volumeMounts:
+    - mountPath: /usr/local/bin/kustomize
+      name: custom-tools
+      subPath: kustomize
+    - mountPath: /usr/local/bin/ksops
+      name: custom-tools
+      subPath: ksops
+    - mountPath: /.config/sops/age
+      name: sops-key
+  env:
+    - name: XDG_CONFIG_HOME
+      value: /.config
+    - name: SOPS_AGE_KEY_FILE
+      value: /.config/sops/age/keys.txt

renovate.json

@@ -5,6 +5,10 @@
   "argocd": {
     "fileMatch": ["^app-files/core-deployments\\.yaml$"]
   },
+  "kubernetes": {
+    "enabled": true,
+    "fileMatch": ["\\.yaml$"]
+  },
   "packageRules": [
     {
       "matchPackageNames": ["kube-prometheus-stack"],