From eb37dd6c68f5ea4127c869d3f6e493df6b4214ab Mon Sep 17 00:00:00 2001
From: Steffen Illium
Date: Mon, 22 Apr 2024 18:03:40 +0200
Subject: [PATCH] Secrets

---
 .../base/nextcloud-secret-sealed.yaml | 9 +-
 infrastructure/06-sealed-secrets/tml.yaml | 464 ++++++++++++++++++
 2 files changed, 470 insertions(+), 3 deletions(-)
 create mode 100644 infrastructure/06-sealed-secrets/tml.yaml

diff --git a/apps/nextcloud/base/nextcloud-secret-sealed.yaml b/apps/nextcloud/base/nextcloud-secret-sealed.yaml
index 9b43f6b..8bab9fa 100644
--- a/apps/nextcloud/base/nextcloud-secret-sealed.yaml
+++ b/apps/nextcloud/base/nextcloud-secret-sealed.yaml
@@ -18,11 +18,14 @@
 "annotations": {
 "sealedsecrets.bitnami.com/namespace-wide": "true"
 }
- }
+ },
+ "type": "Opaque"
 },
 "encryptedData": {
- "MYSQL_PASSWORD": "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",
- "MYSQL_ROOT_PASSWORD": "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"
+ "MARIABD_ROOT_PASSWORD": "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",
+ "MARIADB_PASSWORD": "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",
+ "MYSQL_PASSWORD": "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",
+ "MYSQL_ROOT_PASSWORD": "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"
 }
 }
 }
diff --git a/infrastructure/06-sealed-secrets/tml.yaml b/infrastructure/06-sealed-secrets/tml.yaml
new file mode 100644
index 0000000..17cf825
--- /dev/null
+++ b/infrastructure/06-sealed-secrets/tml.yaml
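Review bot: The new encryptedData key `"MARIABD_ROOT_PASSWORD"` is misspelled (BD for DB), so the controller will materialize a Secret whose key carries the typo and any consumer wired to `MARIADB_ROOT_PASSWORD` via secretKeyRef will get nothing; the line should read `"MARIADB_ROOT_PASSWORD": "<ciphertext>"`. As far as I recall, sealed-secrets binds the ciphertext to the SealedSecret's namespace (and, in strict scope, its name) rather than to the data key, so the same blob can be moved under the corrected key, but since the ciphertext is redacted here and cannot be checked, re-sealing the value with kubeseal is the safer path. Adding both `MARIADB_*` and `MYSQL_*` variants presumably bridges a chart rename — if so, a one-line comment or a follow-up task to drop the old pair would keep the secret from carrying two copies of the same credential indefinitely. Note also that the retained `sealedsecrets.bitnami.com/namespace-wide: "true"` annotation relaxes the scope check to the namespace, so this blob decrypts under any SealedSecret name there; keep the default strict scope unless renames are actually needed.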
@@ -0,0 +1,464 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: sealedsecrets.bitnami.com +spec: + group: bitnami.com + names: + kind: SealedSecret + listKind: SealedSecretList + plural: sealedsecrets + singular: sealedsecret + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[0].message + name: Status + type: string + - jsonPath: .status.conditions[0].status + name: Synced + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SealedSecret is the K8s representation of a "sealed Secret" - + a regular k8s Secret that has been sealed (encrypted) using the controller's + key. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SealedSecretSpec is the specification of a SealedSecret + properties: + data: + description: Data is deprecated and will be removed eventually. Use + per-value EncryptedData instead. 
+ format: byte + type: string + encryptedData: + additionalProperties: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + template: + description: Template defines the structure of the Secret that will + be created from this sealed secret. + properties: + data: + additionalProperties: + type: string + description: Keys that should be templated using decrypted data + nullable: true + type: object + immutable: + description: Immutable, if set to true, ensures that data stored + in the Secret cannot be updated (only object metadata can be + modified). If not set to true, the field can be modified at + any time. Defaulted to nil. + type: boolean + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + nullable: true + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: + description: Used to facilitate programmatic handling of secret + data. + type: string + type: object + required: + - encryptedData + type: object + status: + description: SealedSecretStatus is the most recently observed status of + the SealedSecret. + properties: + conditions: + description: Represents the latest available observations of a sealed + secret's current state. + items: + description: SealedSecretCondition describes the state of a sealed + secret at a certain point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. 
+ type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: 'Status of the condition for a sealed secret. Valid + values for "Synced": "True", "False", or "Unknown".' + type: string + type: + description: 'Type of condition for a sealed secret. Valid value: + "Synced"' + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration reflects the generation most recently + observed by the sealed-secrets controller. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets-key-admin + namespace: kube-system +rules: +- apiGroups: + - "" + resourceNames: + - sealed-secrets-key + resources: + - secrets + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets-service-proxier + namespace: 
kube-system +rules: +- apiGroups: + - "" + resourceNames: + - sealed-secrets + resources: + - services + verbs: + - get +- apiGroups: + - "" + resourceNames: + - 'http:sealed-secrets:' + - http:sealed-secrets:http + - sealed-secrets + resources: + - services/proxy + verbs: + - create + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: secrets-unsealer +rules: +- apiGroups: + - bitnami.com + resources: + - sealedsecrets + verbs: + - get + - list + - watch +- apiGroups: + - bitnami.com + resources: + - sealedsecrets/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update + - delete + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets-key-admin + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sealed-secrets-key-admin +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sealed-secrets + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets-service-proxier + namespace: 
kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: sealed-secrets-service-proxier +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-unsealer +subjects: +- apiGroup: "" + kind: ServiceAccount + name: sealed-secrets + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets + namespace: kube-system +spec: + ports: + - name: http + nodePort: null + port: 8080 + targetPort: http + selector: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/name: sealed-secrets + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets-metrics + namespace: kube-system +spec: + ports: + - name: metrics + nodePort: null + port: 8081 + targetPort: metrics + selector: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/name: sealed-secrets + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: 
sealed-secrets + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: sealed-secrets + app.kubernetes.io/part-of: sealed-secrets + app.kubernetes.io/version: 0.26.1 + helm.sh/chart: sealed-secrets-2.15.2 + name: sealed-secrets + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/name: sealed-secrets + template: + metadata: + labels: + app.kubernetes.io/instance: sealed-secrets + app.kubernetes.io/name: sealed-secrets + spec: + containers: + - args: + - --update-status + - --key-prefix + - sealed-secrets-key + command: + - controller + image: docker.io/bitnami/sealed-secrets-controller:0.26.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 8080 + name: http + - containerPort: 8081 + name: metrics + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: {} + requests: {} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 + volumeMounts: + - mountPath: /tmp + name: tmp + securityContext: + fsGroup: 65534 + serviceAccountName: sealed-secrets + volumes: + - emptyDir: {} + name: tmp
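Review bot: The `sealed-secrets-service-proxier` RoleBinding grants the Group `system:authenticated` `create`/`get` on `services/proxy` for the controller Service, which lets every authenticated principal in the cluster, including all workload service accounts, reach the controller's HTTP API through the apiserver proxy. That is the chart default so `kubeseal --fetch-cert` works for anyone, but in a GitOps repo the public certificate can be committed and passed with `--cert`, so the subject at `name: system:authenticated` can be narrowed to the operators who actually run kubeseal, or the binding dropped. The container securityContext drops all capabilities and runs as non-root but omits `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}`, both required by the Pod Security "restricted" profile and cheap to add next to `readOnlyRootFilesystem: true`. The `sealed-secrets-key-admin` Role also grants unqualified `list` on secrets in `kube-system` (needed to find keys by prefix), so the controller SA can enumerate every kube-system Secret; that is inherent to the design, but together with the cluster-wide `secrets-unsealer` ClusterRole it makes this SA and the sealing key a high-value target, and `resources.limits: {}` leaves the controller without a memory ceiling.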