From 0827a80bab0f8dec4d809c9594a510f53628cf68 Mon Sep 17 00:00:00 2001
From: Willian Paixao
Date: Thu, 24 Oct 2024 13:08:03 +0200
Subject: [PATCH] feat(age): add sops age to new cluster

---
 .sops.yaml | 14 +++----
 .../flux-system/cluster-secrets.sops.yaml | 38 +++++++++++++++++++
 .../flux-system/github-deploy-key.sops.yaml | 37 ++++++++++++++++++
 .../raspberry/flux-system/gotk-sync.yaml | 36 ++++++++++++++++--
 .../raspberry/flux-system/kustomization.yaml | 7 +++-
 .../raspberry/flux-system/sops-age.sops.yaml | 37 ++++++++++++++++++
 kubernetes/turing/flux-system/gotk-sync.yaml | 4 +-
 7 files changed, 158 insertions(+), 15 deletions(-)
 create mode 100644 kubernetes/raspberry/flux-system/cluster-secrets.sops.yaml
 create mode 100644 kubernetes/raspberry/flux-system/github-deploy-key.sops.yaml
 create mode 100644 kubernetes/raspberry/flux-system/sops-age.sops.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 57a5a7f6b..621e4485d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,12 +1,12 @@
 ---
 creation_rules:
- - path_regex: kubernetes/.*\.sops\.ya?ml
+ - path_regex: kubernetes/main/.*\.sops\.ya?ml
 encrypted_regex: "^(data|stringData)$"
 key_groups:
 - age:
- - "age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8"
- - "age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj"
- - path_regex: ansible/.*\.sops\.ya?ml
- key_groups:
- - age:
- - "age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40"
+ - 'age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40'
+ - path_regex: kubernetes/(raspberry|turing)/.*\.sops\.ya?ml
+ encrypted_regex: "^(data|stringData)$"
+ age: >-
+ age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8,
+ age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
diff --git a/kubernetes/raspberry/flux-system/cluster-secrets.sops.yaml b/kubernetes/raspberry/flux-system/cluster-secrets.sops.yaml
new file mode 100644
index 000000000..5694d28e6
--- /dev/null
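Review bot: The `ansible/.*\.sops\.ya?ml` creation rule is removed outright, so any `ansible/**/*.sops.yaml` still in the repository no longer matches any rule and `sops updatekeys` or a fresh encryption under `ansible/` fails for lack of recipients; nothing in the diffstat shows those files being moved or retired, so this looks unintended. The `kubernetes/main` rule also drops from two recipients to the single key `age17ary…` (the one the removed ansible rule used), and no file under `kubernetes/main/` is rekeyed in this commit, so those files stay encrypted to the old pair until `sops updatekeys` is run, and a single recipient leaves no second key for recovery. The new `(raspberry|turing)` rule writes its recipients as a folded scalar `age: >-`, which yields `key1, key2` with a space after the comma; recent sops trims that, but the `key_groups:` list form used by the rule just above is unambiguous and keeps both rules in one style, e.g. `key_groups:` / `  - age:` / `      - "age1nkvss…"` / `      - "age1wxw…"`.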
+++ b/kubernetes/raspberry/flux-system/cluster-secrets.sops.yaml 
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cluster-secrets
+ namespace: flux-system
+stringData:
+ SECRET_DOMAIN: ENC[AES256_GCM,data:yxxmAaiQIgNNKuTP,iv:ijCjY0DZPDt2u/gjMxQ91V+a3okd/7J5rmSNqaABawM=,tag:1cEBaYTiQMxF6sJd1dSpWw==,type:str]
+ SECRET_ACME_EMAIL: ENC[AES256_GCM,data:NROOEvv2p/BqnKG5OVYv,iv:tLsrO8xW4rTEdaHm9bE60w1+pVtlQkmh3nfkOa6TK4Y=,tag:cY3VDLexaCOqwBZ+7hbM6g==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:n91Brd4fEXGq0JhoHOBOOj6EAoRkVqk4w1VoqM/JUHOO8hgN,iv:ssaWwZdr9efj5TBQ6XB8TVbpSABlXqDQMC0sp8k1eAk=,tag:hJMlfE/ZJ6opKUbx6I6SIQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UjVQcC9QMTFOV0pxSWRy
+ YzZPYVZvZGtwMUtXT2dGSW1MUUxXMnZyNHdJCmgxc3M1Z25ldmc0V3F2cG9DSHp5
+ ajkwblhIeVNHd01VMzZQeDhVRFdsL0EKLS0tIGsyTjFSQXBvdmJrODNGRjk2cXli
+ R0RacFZvLzBnUkhvUzJCMTZUd3M1bDQKmHqDRkTzwNVwwSqBdHJoDAZ0256fLMuF
+ Xnhyp3qLpz1RP6MylZnQwTmsZBVvQFi6gac7Yu7jEGEyJJQ384IqEQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Uk1TZTV1N3l4SW5oYUZr
+ ckwrY0Y0M05JK2piSDV5R1dIb1BBamJqbHgwCmlrSVY4V3kwSTI0RVlSQWNwR2Mv
+ UjFKQUpneVZ6cDN5eURleG5Oa0N2WHcKLS0tIG5rNExDdHNYR3BoeDh6M2VOWEJU
+ Tys4alpFdlVHZVBqeEIxaHgyTXJrSlEKayFLG7MILTO8Dapjn90S0pvFYDmSvlPQ
+ hVPLuWEwNNNVSfuRLPkQi3spegTCeyos3k+e0OQmdU1h1+W8CON/6A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-24T11:18:41Z"
+ mac: ENC[AES256_GCM,data:qh3OXT9opRkUqhy3xn2AVFSFz/B62VBOfppkr5mYxanOgFjz5RIqQlbBoSZTMq/0Dg1tc0oxxfv1seScatbROObdRSvDFbrDq82z8mKHVFxGm70bwEp1ZsZy2JUEyA6df3XPUuEivzcSvudivK1diBz89P0EpSvPpeb73LjHiaI=,iv:6wtwADYNqgZ98wb3Mu/PMeUQdFMmtUQIU7sZB07anPM=,tag:qaB403+Uk5IAsBigO4IJHA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/raspberry/flux-system/github-deploy-key.sops.yaml b/kubernetes/raspberry/flux-system/github-deploy-key.sops.yaml
new file mode 100644
index 000000000..4e680376f
--- /dev/null
+++ b/kubernetes/raspberry/flux-system/github-deploy-key.sops.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: github-deploy-key
+ namespace: flux-system
+stringData:
+ identity: ENC[AES256_GCM,data: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,iv:iNb3RiKwQNtmZaTydA9Hwle42OMkHA8/17Qn6R1B4ik=,tag:mQBxGU+FHxcLzoyyuz/dIw==,type:str]
+ known_hosts: ENC[AES256_GCM,data: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,iv:m5OkxMR9uYjcavgJ3u81nqr2t42hdevS6Avrvm1i8Ao=,tag:jhqYJLmFUMffbxHYm/7ZtA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU0dGdUE5b2l3ZXlQUC9N
+ NGhlYzV1a0tzZXM3aEYrdU9hQzZCRVFHMnpBCmhUU2tSWVdWWHlDdmp6NjU2elRK
+ SXBQdkV2a25RajJXU2pDWkRPTlJ3QW8KLS0tIEJEYm52MWhSZlRjSjhUdHc3cWpG
+ Uzkyd1RuY1hNUGMrRUV1MDYrQXhLQ3cKPo4fcEdmsuXf9bU0c0JscC7zssRMneYw
+ e7C1XtQwaf5TKJr1bywU1a/M/WFmBTOXE5jBR4RYsjoc+AdX7PdFAw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWRXeVRjM0k1dnpYenZi
+ ZFg5aERUc2RrMUhZUjY1ZVlQeHhzWmtGYmtvCmMxM2Ixa1lIZnZ4NlE3QUNvRmZs
+ T3V0cUFKcmJxUXhZbjVIMnF3UVR6bEkKLS0tIHdjdGZwejlLNmxSQ3ppdVp3QndP
+ QmQ0cWtzUHZSVE5xak91R20rSkFmclkKPZMf4QhC2yRHcjZ+RLCNILWuqe1x3kzG
+ u5pUravwkV9SiHSayVZbdJlzRYMLv05L3+eEjto9eEOJtKm611Xu0Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-24T10:58:47Z"
+ mac: ENC[AES256_GCM,data:yAB00zb6rFGnatc+/K6Y/vy8ukNVgiK7Z7LFIKamOf97QtrhRdljnPCdtx1kAm1z6/Jxs1HQR6yha8ehJCxqeGo6iGCmhaAPPVgH/TxvAyIz7PIjnx0LRcva2wDXQ5+orHxklDsjXS1SM9L+8oG/vlS9Ls/+SS8OOPs0mmzYjck=,iv:OKqPrQz1KaPZMKGPAgzZpgBBeM7W1gsJbC00kZAePaM=,tag:SDQfn1sIdGjBXUXxhANlmg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
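Review bot: `type: Opaque` is set on the new `sops-age` Secret but omitted here and on `cluster-secrets.sops.yaml`; the default is the same, but the three flux-system Secrets this commit adds should be written alike, so either add `type: Opaque` after `metadata` here and in cluster-secrets or drop it from sops-age. Because `encrypted_regex` covers all of `stringData`, `known_hosts` is encrypted together with the private key, which means a change to the pinned GitHub host keys is not reviewable in a plain-text diff — acceptable, but worth a sentence in the commit message so reviewers know where to look. Nothing on the page shows whether the GitHub side of `identity` is a read-only deploy key scoped to this repository or whether `turing` shares the same key; per-cluster read-only keys keep revocation scoped to one cluster, so the commit message should state which it is.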
diff --git a/kubernetes/raspberry/flux-system/gotk-sync.yaml b/kubernetes/raspberry/flux-system/gotk-sync.yaml
index 4e96dd875..e87cb7930 100644
--- a/kubernetes/raspberry/flux-system/gotk-sync.yaml
+++ b/kubernetes/raspberry/flux-system/gotk-sync.yaml
@@ -1,18 +1,19 @@
-# This manifest was generated by flux. DO NOT EDIT.
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/refs/heads/main/gitrepository-source-v1.json
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: flux-system
 namespace: flux-system
 spec:
- interval: 1m0s
+ interval: 5m0s
 ref:
 branch: main
 secretRef:
- name: flux-system
- url: ssh://git@github.com/willianpaixao/homelab.git
+ name: github-deploy-key
+ url: ssh://git@github.com:22/willianpaixao/homelab.git
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -25,3 +26,30 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: cluster-secrets
+ patches:
+ - patch: |-
+ apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ metadata:
+ name: not-used
+ spec:
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: Secret
+ name: cluster-secrets
+ target:
+ group: kustomize.toolkit.fluxcd.io
+ kind: Kustomization
+ labelSelector: substitution.flux.home.arpa/disabled notin (true)
diff --git a/kubernetes/raspberry/flux-system/kustomization.yaml b/kubernetes/raspberry/flux-system/kustomization.yaml
index 3842229e7..27c7401c6 100644
--- a/kubernetes/raspberry/flux-system/kustomization.yaml
+++ b/kubernetes/raspberry/flux-system/kustomization.yaml
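Review bot: The `not-used` patch in the second hunk puts `decryption` and `postBuild.substituteFrom` behind one selector, `substitution.flux.home.arpa/disabled notin (true)`, so a Kustomization that sets that label to opt out of variable substitution silently loses sops decryption as well, which the label name does not suggest; if the two are meant to be independent, split them into two `patches` entries with their own selectors, otherwise rename the label to say it disables both. The same patch hands every matching Kustomization the cluster-wide `sops-age` key and the whole `cluster-secrets` Secret, which is the usual single-tenant Flux layout but deserves a comment above `patches:` such as `# every Kustomization in this cluster gets the cluster key and cluster-secrets; tenant isolation is not a goal here`. In the first hunk the `# This manifest was generated by flux. DO NOT EDIT.` header is removed while `interval`, `secretRef.name` and `url` are hand-edited; as that header warned, a re-run of `flux bootstrap` regenerates this file and would, as far as I can tell, set `secretRef.name` back to `flux-system`, so the deploy-key choice needs to be carried by the bootstrap invocation or documented — the same applies to `kubernetes/turing/flux-system/gotk-sync.yaml` in the last hunk of this patch. The Kustomization whose `spec` the second hunk extends starts outside the hunk.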
@@ -1,5 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- gotk-components.yaml
-- gotk-sync.yaml
+ - cluster-secrets.sops.yaml
+ - github-deploy-key.sops.yaml
+ - gotk-components.yaml
+ - gotk-sync.yaml
+ - sops-age.sops.yaml
diff --git a/kubernetes/raspberry/flux-system/sops-age.sops.yaml b/kubernetes/raspberry/flux-system/sops-age.sops.yaml
new file mode 100644
index 000000000..f9f2da7f8
--- /dev/null
+++ b/kubernetes/raspberry/flux-system/sops-age.sops.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sops-age
+ namespace: flux-system
+type: Opaque
+data:
+ age.agekey: ENC[AES256_GCM,data:4dlQlnQh950mu7SAX+mobGt8OWqB5s+sffCxG3BxMMIpsPgwWBQMEAnh0+BHtBIHZdMGMOl8rnmls6tZul9lOp90gx8qy8KCQ9kW7Iy3pzeeA8pHOwW7RhJaUuM2XBBw8TWOQrvVWnl8kau/FqvkEwU6qH33ZrAyHmS5SRzsf9uKE5OTPDjszFC3TM46XMPxaF7Rx0Jig8VYIPyz1SW1skr8mNkXyWsrP8rxvlP1l/KSnG0kxkYekipZxIh27q1hmGeFiQTYjkOcgsFk4jOKrS+ZZgd9s3vLgz/V6BYi0AY+SgodAUr9TdVVk+1mCZhnLt18trmPj0cu/3RL,iv:gfDivrS+MJ9hyHxlgyt51b0FnTpLn9K/naBWfLr28cg=,tag:Bw74hYCpKL62AY8kD+uk3w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNmd0WnZxT0lYb2NVb284
+ cG83ekkyQW15L1RHQWxUWkd0Und3ZUozK0ZrClBEMHB3RmthYTAySUhXeWxvWTJP
+ cXkyNkFhRGhKV3JvOUZkUXFhTS9GWlkKLS0tIEU2TDNhbzMxVHpHcjd2Z2RtZEtF
+ UmRaZnNtck9HTkErSWR1VDVnUGIyZTQKMRzaAzRE6QcJZVMdLDQnuwpq6QWsSd8X
+ tnR7L2ec47EkWmShCUudqfpLM+HzYkXmBCjVZTyKaHFIvN91LneMeQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybXZPdFlrOTdqSFhNZ3h6
+ L1BtVnRVSXE0YjZZSURUQzBCMWFKRTNaa1ZVCklvcXFzT2dVVFlzSFpVblp2aU4r
+ V2w2Slhja1RVcm05VkszN01kL3JMSFEKLS0tIEh0ckpLcjNmVnRLVG9uZjhnWXpB
+ WWZwK29XS1krV1V0SzRscDMwOFNQZlUK3IqcARti2jKt57rXeCmJHIs4XBOPwHbW
+ L65yBrvQyGNJ4ICMTMLYvqnduIA7ZOWPiF1JWj0m05Iyg7euYEr2JA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-24T11:07:08Z"
+ mac: ENC[AES256_GCM,data:fKQ8G2NP9hJuo1s3ZNQo3bADHxqU5CfRWWPsAfCAUMrwMSl6X1NoQKOm3FnXqxD24hgJbhGMTiC5xfQwbxYa4lFQkWBVP9CTZQupsgvHpBQqrBhf1bv0jpjoGciGoPKL91gxtG2vOoa6DT7yW1Egz00fqIRslqy+TLVoIsWYn2M=,iv:ozZ/cKuMYAUVqa2Nsibl8yGZuMSNTyM+vbGYCi1b9j8=,tag:iAnBpsc3sYbuCfI/x2Ms3Q==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/turing/flux-system/gotk-sync.yaml b/kubernetes/turing/flux-system/gotk-sync.yaml
index a9310dbc6..bef33da42 100644
--- a/kubernetes/turing/flux-system/gotk-sync.yaml
+++ b/kubernetes/turing/flux-system/gotk-sync.yaml
@@ -1,12 +1,12 @@
-# This manifest was generated by flux. DO NOT EDIT.
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/refs/heads/main/gitrepository-source-v1.json
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: flux-system
 namespace: flux-system
 spec:
- interval: 1m0s
+ interval: 5m0s
 ref:
 branch: main
 secretRef:
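Review bot: `sops-age.sops.yaml` can only be decrypted in-cluster once the `sops-age` Secret it contains already exists, because the `flux-system` Kustomization in `gotk-sync.yaml` reads its age key from that very Secret (`decryption.secretRef.name: sops-age`); on a fresh cluster the first reconcile therefore needs the key created out of band, and that bootstrap step is not documented anywhere in this commit. A short note in the commit message or the cluster README stating that the Secret must be created by hand before the first reconcile, and which of the two recipients (`age1nkvss…`, `age1wxw…`) is the cluster key versus the operator's backup, would make the recovery path clear. Keeping the file in `kustomization.yaml` is still useful for key rotation, but reviewers should know about the ordering dependency.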