feat(secrets): add sealed secrets for database and internal configurations

This commit is contained in:
Janis Eccarius
2026-05-30 14:35:06 +02:00
parent 1ed4fc4c33
commit e08bb654b5
6 changed files with 82 additions and 9 deletions
+17
View File
@@ -0,0 +1,17 @@
# PLACEHOLDER — seal with htwg-1 cluster key before use:
# kubectl -n nowchess create secret docker-registry ghcr-pull-secret \
# --docker-server=ghcr.io --docker-username=<user> --docker-password=<token> \
# --dry-run=client -o yaml | kubeseal --controller-namespace kube-system -o yaml > this-file.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ghcr-pull-secret
namespace: nowchess
spec:
encryptedData:
.dockerconfigjson: REPLACE_WITH_SEALED_VALUE
template:
type: kubernetes.io/dockerconfigjson
metadata:
name: ghcr-pull-secret
namespace: nowchess
+9 -9
View File
@@ -1,12 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Seal each secret with the htwg-1 cluster key before uncommenting:
# kubectl -n nowchess create secret generic <name> ... --dry-run=client -o yaml \
# | kubeseal --controller-namespace kube-system -o yaml > secrets/nowchess/htwg-1-prod/<name>.yaml
# Seal each secret with the htwg-1 cluster key before use:
# kubectl -n <namespace> create secret generic <name> ... --dry-run=client -o yaml \
# | kubeseal --controller-name sealed-secrets --controller-namespace kube-system -o yaml > <file>
resources:
- ../nowchess/htwg-1-prod/ghcr-pull-secret.yaml
- ../nowchess/htwg-1-prod/ncs-jwt-keys.yaml
- ../nowchess/htwg-1-prod/ncs-db-secrets.yaml
- ../nowchess/htwg-1-prod/ncs-internal-secret.yaml
- ../nowchess/htwg-1-prod/remotek6-certs.yaml
- ../postgres/credentials-htwg-1.yaml
- ghcr-pull-secret.yaml
- ncs-jwt-keys.yaml
- ncs-db-secrets.yaml
- ncs-internal-secret.yaml
- remotek6-certs.yaml
- postgres-credentials.yaml
+17
View File
@@ -0,0 +1,17 @@
# PLACEHOLDER — seal with htwg-1 cluster key before use:
# kubectl -n nowchess create secret generic ncs-db-secrets \
# --from-literal=ACCOUNT_DB_URL=... --from-literal=ACCOUNT_DB_PASSWORD=... \
# (add all other DB keys) \
# --dry-run=client -o yaml | kubeseal --controller-namespace kube-system -o yaml > this-file.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ncs-db-secrets
namespace: nowchess
spec:
encryptedData:
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
template:
metadata:
name: ncs-db-secrets
namespace: nowchess
+13
View File
@@ -0,0 +1,13 @@
# PLACEHOLDER — seal with htwg-1 cluster key before use
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ncs-internal-secret
namespace: nowchess
spec:
encryptedData:
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
template:
metadata:
name: ncs-internal-secret
namespace: nowchess
+13
View File
@@ -0,0 +1,13 @@
# PLACEHOLDER — seal with htwg-1 cluster key before use
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ncs-jwt-keys
namespace: nowchess
spec:
encryptedData:
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
template:
metadata:
name: ncs-jwt-keys
namespace: nowchess
+13
View File
@@ -0,0 +1,13 @@
# PLACEHOLDER — seal with htwg-1 cluster key before use
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: remotek6-certs
namespace: nowchess
spec:
encryptedData:
REPLACE_KEY: REPLACE_WITH_SEALED_VALUE
template:
metadata:
name: remotek6-certs
namespace: nowchess