This commit is contained in:
Steffen Illium 2024-04-22 18:03:40 +02:00
parent 409c838aa3
commit eb37dd6c68
2 changed files with 470 additions and 3 deletions


@ -18,11 +18,14 @@
"annotations": {
"sealedsecrets.bitnami.com/namespace-wide": "true"
}
}
},
"type": "Opaque"
},
"encryptedData": {
"MYSQL_PASSWORD": "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",
"MYSQL_ROOT_PASSWORD": "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"
"MARIABD_ROOT_PASSWORD": "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",
"MARIADB_PASSWORD": "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",
"MYSQL_PASSWORD": "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",
"MYSQL_ROOT_PASSWORD": "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"
}
}
}
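Review bot: The added key `MARIABD_ROOT_PASSWORD` looks misspelled (`MARIABD` vs. `MARIADB`); the sibling entry is `MARIADB_PASSWORD`, and the unsealed Secret will carry the key exactly as written here, so a consumer that reads `MARIADB_ROOT_PASSWORD` will not find a root password at all. The fix is to rename the entry to `"MARIADB_ROOT_PASSWORD": …` (re-sealing the value if the sealing tool ties the ciphertext to the key name — I cannot tell from this hunk). The old `MYSQL_PASSWORD` / `MYSQL_ROOT_PASSWORD` entries are kept alongside the new ones, which is fine for a transition but worth a follow-up to drop once nothing reads them. The enclosing `encryptedData` object and the surrounding SealedSecret start before this hunk.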


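--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,464 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.12.0
+name: sealedsecrets.bitnami.com
+spec:
+group: bitnami.com
+names:
+kind: SealedSecret
+listKind: SealedSecretList
+plural: sealedsecrets
+singular: sealedsecret
+scope: Namespaced
+versions:
+- additionalPrinterColumns:
+- jsonPath: .status.conditions[0].message
+name: Status
+type: string
+- jsonPath: .status.conditions[0].status
+name: Synced
+type: string
+- jsonPath: .metadata.creationTimestamp
+name: Age
+type: date
+name: v1alpha1
+schema:
+openAPIV3Schema:
+description: SealedSecret is the K8s representation of a "sealed Secret" -
+a regular k8s Secret that has been sealed (encrypted) using the controller's
+key.
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: SealedSecretSpec is the specification of a SealedSecret
+properties:
+data:
+description: Data is deprecated and will be removed eventually. Use
+per-value EncryptedData instead.
+format: byte
+type: string
+encryptedData:
+additionalProperties:
+type: string
+type: object
+x-kubernetes-preserve-unknown-fields: true
+template:
+description: Template defines the structure of the Secret that will
+be created from this sealed secret.
+properties:
+data:
+additionalProperties:
+type: string
+description: Keys that should be templated using decrypted data
+nullable: true
+type: object
+immutable:
+description: Immutable, if set to true, ensures that data stored
+in the Secret cannot be updated (only object metadata can be
+modified). If not set to true, the field can be modified at
+any time. Defaulted to nil.
+type: boolean
+metadata:
+description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+nullable: true
+properties:
+annotations:
+additionalProperties:
+type: string
+type: object
+finalizers:
+items:
+type: string
+type: array
+labels:
+additionalProperties:
+type: string
+type: object
+name:
+type: string
+namespace:
+type: string
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type:
+description: Used to facilitate programmatic handling of secret
+data.
+type: string
+type: object
+required:
+- encryptedData
+type: object
+status:
+description: SealedSecretStatus is the most recently observed status of
+the SealedSecret.
+properties:
+conditions:
+description: Represents the latest available observations of a sealed
+secret's current state.
+items:
+description: SealedSecretCondition describes the state of a sealed
+secret at a certain point.
+properties:
+lastTransitionTime:
+description: Last time the condition transitioned from one status
+to another.
+format: date-time
+type: string
+lastUpdateTime:
+description: The last time this condition was updated.
+format: date-time
+type: string
+message:
+description: A human readable message indicating details about
+the transition.
+type: string
+reason:
+description: The reason for the condition's last transition.
+type: string
+status:
+description: 'Status of the condition for a sealed secret. Valid
+values for "Synced": "True", "False", or "Unknown".'
+type: string
+type:
+description: 'Type of condition for a sealed secret. Valid value:
+"Synced"'
+type: string
+required:
+- status
+- type
+type: object
+type: array
+observedGeneration:
+description: ObservedGeneration reflects the generation most recently
+observed by the sealed-secrets controller.
+format: int64
+type: integer
+type: object
+required:
+- spec
+type: object
+served: true
+storage: true
+subresources:
+status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets
+namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets-key-admin
+namespace: kube-system
+rules:
+- apiGroups:
+- ""
+resourceNames:
+- sealed-secrets-key
+resources:
+- secrets
+verbs:
+- get
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- create
+- list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets-service-proxier
+namespace: kube-system
+rules:
+- apiGroups:
+- ""
+resourceNames:
+- sealed-secrets
+resources:
+- services
+verbs:
+- get
+- apiGroups:
+- ""
+resourceNames:
+- 'http:sealed-secrets:'
+- http:sealed-secrets:http
+- sealed-secrets
+resources:
+- services/proxy
+verbs:
+- create
+- get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: secrets-unsealer
+rules:
+- apiGroups:
+- bitnami.com
+resources:
+- sealedsecrets
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- bitnami.com
+resources:
+- sealedsecrets/status
+verbs:
+- update
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- get
+- list
+- create
+- update
+- delete
+- watch
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets-key-admin
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: sealed-secrets-key-admin
+subjects:
+- apiGroup: ""
+kind: ServiceAccount
+name: sealed-secrets
+namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets-service-proxier
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: sealed-secrets-service-proxier
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+kind: Group
+name: system:authenticated
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: secrets-unsealer
+subjects:
+- apiGroup: ""
+kind: ServiceAccount
+name: sealed-secrets
+namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets
+namespace: kube-system
+spec:
+ports:
+- name: http
+nodePort: null
+port: 8080
+targetPort: http
+selector:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/name: sealed-secrets
+type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/component: metrics
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets-metrics
+namespace: kube-system
+spec:
+ports:
+- name: metrics
+nodePort: null
+port: 8081
+targetPort: metrics
+selector:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/name: sealed-secrets
+type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: sealed-secrets
+app.kubernetes.io/part-of: sealed-secrets
+app.kubernetes.io/version: 0.26.1
+helm.sh/chart: sealed-secrets-2.15.2
+name: sealed-secrets
+namespace: kube-system
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/name: sealed-secrets
+template:
+metadata:
+labels:
+app.kubernetes.io/instance: sealed-secrets
+app.kubernetes.io/name: sealed-secrets
+spec:
+containers:
+- args:
+- --update-status
+- --key-prefix
+- sealed-secrets-key
+command:
+- controller
+image: docker.io/bitnami/sealed-secrets-controller:0.26.1
+imagePullPolicy: IfNotPresent
+livenessProbe:
+failureThreshold: 3
+httpGet:
+path: /healthz
+port: http
+initialDelaySeconds: 0
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+name: controller
+ports:
+- containerPort: 8080
+name: http
+- containerPort: 8081
+name: metrics
+readinessProbe:
+failureThreshold: 3
+httpGet:
+path: /healthz
+port: http
+initialDelaySeconds: 0
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+resources:
+limits: {}
+requests: {}
+securityContext:
+capabilities:
+drop:
+- ALL
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+runAsUser: 1001
+volumeMounts:
+- mountPath: /tmp
+name: tmp
+securityContext:
+fsGroup: 65534
+serviceAccountName: sealed-secrets
+volumes:
+- emptyDir: {}
+name: tmp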
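Review bot: The RoleBinding `sealed-secrets-service-proxier` binds the `system:authenticated` group (the `kind: Group` / `name: system:authenticated` subject) to a Role that allows `create` and `get` on `services/proxy` for the `sealed-secrets` service in kube-system, so every authenticated principal in the cluster can reach the controller's HTTP endpoint through the API-server proxy. This is the chart's stock rendering so that `kubeseal` can fetch the sealing certificate, but on a shared cluster it is broader than needed; if only a known set of users or CI identities seal secrets, narrow `subjects:` to those, or fetch the certificate once (`kubeseal --fetch-cert`), commit it, seal offline with `--cert`, and drop the binding. Separately, the controller container declares `limits: {}` / `requests: {}`, so a kube-system workload holding the cluster's unsealing key runs unbounded; setting explicit requests and limits is cheap insurance. Since the `helm.sh/chart: sealed-secrets-2.15.2` labels show this is a rendered chart snapshot, a leading comment recording the exact render command and values used would make future upgrades reproducible.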