feat(secrets): add sealed secrets for database and internal configurations
This commit is contained in:
@@ -0,0 +1,17 @@
|
||||
# PLACEHOLDER — seal with htwg-1 cluster key before use:
|
||||
# kubectl -n nowchess create secret docker-registry ghcr-pull-secret \
|
||||
# --docker-server=ghcr.io --docker-username=<user> --docker-password=<token> \
|
||||
# --dry-run=client -o yaml | kubeseal --controller-namespace kube-system -o yaml > this-file.yaml
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: ghcr-pull-secret
|
||||
namespace: nowchess
|
||||
spec:
|
||||
encryptedData:
|
||||
.dockerconfigjson: REPLACE_WITH_SEALED_VALUE
|
||||
template:
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
metadata:
|
||||
name: ghcr-pull-secret
|
||||
namespace: nowchess
|
||||
@@ -1,12 +1,12 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
# Seal each secret with the htwg-1 cluster key before uncommenting:
|
||||
# kubectl -n nowchess create secret generic <name> ... --dry-run=client -o yaml \
|
||||
# | kubeseal --controller-namespace kube-system -o yaml > secrets/nowchess/htwg-1-prod/<name>.yaml
|
||||
# Seal each secret with the htwg-1 cluster key before use:
|
||||
# kubectl -n <namespace> create secret generic <name> ... --dry-run=client -o yaml \
|
||||
# | kubeseal --controller-name sealed-secrets --controller-namespace kube-system -o yaml > <file>
|
||||
resources:
|
||||
- ../nowchess/htwg-1-prod/ghcr-pull-secret.yaml
|
||||
- ../nowchess/htwg-1-prod/ncs-jwt-keys.yaml
|
||||
- ../nowchess/htwg-1-prod/ncs-db-secrets.yaml
|
||||
- ../nowchess/htwg-1-prod/ncs-internal-secret.yaml
|
||||
- ../nowchess/htwg-1-prod/remotek6-certs.yaml
|
||||
- ../postgres/credentials-htwg-1.yaml
|
||||
- ghcr-pull-secret.yaml
|
||||
- ncs-jwt-keys.yaml
|
||||
- ncs-db-secrets.yaml
|
||||
- ncs-internal-secret.yaml
|
||||
- remotek6-certs.yaml
|
||||
- postgres-credentials.yaml
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
# PLACEHOLDER — seal with htwg-1 cluster key before use:
|
||||
# kubectl -n nowchess create secret generic ncs-db-secrets \
|
||||
# --from-literal=ACCOUNT_DB_URL=... --from-literal=ACCOUNT_DB_PASSWORD=... \
|
||||
# (add all other DB keys) \
|
||||
# --dry-run=client -o yaml | kubeseal --controller-namespace kube-system -o yaml > this-file.yaml
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: ncs-db-secrets
|
||||
namespace: nowchess
|
||||
spec:
|
||||
encryptedData:
|
||||
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
|
||||
template:
|
||||
metadata:
|
||||
name: ncs-db-secrets
|
||||
namespace: nowchess
|
||||
@@ -0,0 +1,13 @@
|
||||
# PLACEHOLDER — seal with htwg-1 cluster key before use
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: ncs-internal-secret
|
||||
namespace: nowchess
|
||||
spec:
|
||||
encryptedData:
|
||||
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
|
||||
template:
|
||||
metadata:
|
||||
name: ncs-internal-secret
|
||||
namespace: nowchess
|
||||
@@ -0,0 +1,13 @@
|
||||
# PLACEHOLDER — seal with htwg-1 cluster key before use
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: ncs-jwt-keys
|
||||
namespace: nowchess
|
||||
spec:
|
||||
encryptedData:
|
||||
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
|
||||
template:
|
||||
metadata:
|
||||
name: ncs-jwt-keys
|
||||
namespace: nowchess
|
||||
@@ -0,0 +1,13 @@
|
||||
# PLACEHOLDER — seal with htwg-1 cluster key before use
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: remotek6-certs
|
||||
namespace: nowchess
|
||||
spec:
|
||||
encryptedData:
|
||||
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
|
||||
template:
|
||||
metadata:
|
||||
name: remotek6-certs
|
||||
namespace: nowchess
|
||||
Reference in New Issue
Block a user