Add global secrets

clusters/production/apps.yaml

@@ -27,6 +27,9 @@ spec:
     substituteFrom:
     - kind: ConfigMap
       name: global-settings
+    - kind: Secret
+      name: global-secrets
     - kind: ConfigMap
       name: cluster-settings
-
+    - kind: Secret
+      name: cluster-secrets

clusters/production/flux-system/gotk-sync.yaml

@@ -21,6 +21,10 @@ spec:
   interval: 10m0s
   path: ./clusters/production
   prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
   sourceRef:
     kind: GitRepository
     name: flux-system

clusters/production/infrastructure.yaml

@@ -22,5 +22,9 @@ spec:
     substituteFrom:
     - kind: ConfigMap
       name: global-settings
+    - kind: Secret
+      name: global-secrets
     - kind: ConfigMap
       name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets

clusters/production/kustomization.yaml

@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../settings.yaml
+- ../secrets.yaml
 - settings.yaml
+- secrets.yaml
 - flux-system
 - operators.yaml
 - infrastructure.yaml

clusters/production/operators.yaml

@@ -20,5 +20,9 @@ spec:
     substituteFrom:
     - kind: ConfigMap
       name: global-settings
+    - kind: Secret
+      name: global-secrets
     - kind: ConfigMap
       name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets

clusters/production/secrets.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    namespace: flux-system
+    name: cluster-secrets
+stringData:
+    FLUX_SLACK_URL: ENC[AES256_GCM,data:WQipMia9CbIPGIYkDCcA3mPhwheqLgGAijYmcYohUJpfM0+TlqlHQGZ14AsEPqG37aBr6zjZpW1cCwkRcQ5oQ41VUrZR6VncrWl63qaByLq2,iv:ed72GikcbAMNh1invdDJQjvDiyKvzY8rPoob0rGL9hw=,tag:pQGN1Msh3kvhbp3KhEgV9w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-04-25T15:47:17Z"
+    mac: ENC[AES256_GCM,data:72nyuoG9Lq7fDFc7lgdrM04JeiuRnPj0Og0fWiIrokMGks7oE81+RrRBTxpTWa+2TYxcRdlwBfOLO76zk9mtJ2ZF3aZ7hv3D9/rC8Cpao8D42mIbu4rD5N33D+BWH5WLkMMmFDbe/oEH/dOZap/AZKVbA2VppSYlQbdJV69OfVE=,iv:1zEK+0Dnt+XsyxjABdnV0VtQVmIwv4egskEuVnDx3pw=,tag:mU/aeM1geYfTD++eDlugxQ==,type:str]
+    pgp:
+        - created_at: "2021-02-06T22:19:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2CuQNd5ml+/AQ/8C9XUcea9/KWIdpX24KB5y7OpYPA1F0F/zKAoXpPejUS8
+            FNYXUUaDohzBXD/E40iEUMR/WoLWS+brRsp1bJkq7ihPVwXr8o/p1AceDZY211vi
+            odFZ50zDOuFxKWja4HXqEVW8sPW5THNiJprsVIJVe4BRxc1eVD/7cm76S/M+urXO
+            8L7K+N2IbZtLxyR9boWeDZj6aJI06skcZMqC6WBCrV+oGOTbVqLNwUXpa++fefkm
+            d/tv2hLajX784s918tbzGrC6/HVdReAc5BNp5/L3RnCR4rXLPdOfy2cq6MEmSHeh
+            SMI7Scpw/O6a1qFkfVyKPjY5f+05PsoOrt3cvbe4uPHFU4U8QNeKiLfeViQAd+va
+            DmAjcrjxKEs9Xw+Hx34G0rtAqy/VeNRLGhQz3AAbzjqXVO8gNh2fGr5MFkKgQDj+
+            Y6J1d0ksNhwGRu0gol/LT7ti/uyV11rsCmeycJq9CUm0aAed59a+aENPqA5hPRTp
+            fuqDuuNVzCFz+4jTcBm4QK0kCcQBGHaTueAj45+FDnBzN1DRbjK/9o4fA3ncGs06
+            F+dig6UqFF22u8vCKpYwuhdwo7Kb4Fza+pAAcH42Npe0CNaUYna1Oy6+LO2fMrsm
+            iDnSIY85UOhxeiLFNQ9gu2YsFXQ7wHrgZCGECvAypU/nJLqHdYTrEXVD8mpX/KPS
+            XgGS2XUYd7DnNiJbQ1KAULc0mkapvX6M7dv4q2ZPfg5QOBy7jNLPKOa1Wr78o+8R
+            /DAP//v2+I/+9M9inAxbWUyH7FqvgH22AugsmIrsAUhuIr+cmSG8LlYMxSWQzEg=
+            =rVWE
+            -----END PGP MESSAGE-----
+          fp: E61087FD0DC8B3AA734061498564C79FC27F08E2
+    encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData))
+    version: 3.7.1

infrastructure/base/flux-system/notifications/slack_secret.yaml → clusters/secrets.yaml

@@ -1,19 +1,21 @@
 apiVersion: v1
 kind: Secret
 metadata:
-    name: slack-url
+    namespace: flux-system
+    name: global-secrets
 stringData:
-    address: ENC[AES256_GCM,data:yyUbxt28McMFOrJ1m7QVZIdYRrXPCHRh95b1i33gCgDUBE80GnwN6nDKykO8ZFnOr93yhri/fYCDENj6Pu8e+xvcZlsJXAglrbAzbSRp/GLn,iv:RqDaEFjjIfO2u/6Mj7SzyQAp3MoywTYnwS8aPyO20vg=,tag:/26PRyik/Rp39xInUj0WMw==,type:str]
+    TESTING_SECRET: ENC[AES256_GCM,data:ZtsOoyATHJk=,iv:ibHJIF9HByPTkilk8FfbMy8OEH/mdtwL8WpRXKoVHMg=,tag:hwqbjiTTmyd0GKHBVIKH4Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    lastmodified: '2021-02-07T01:06:26Z'
-    mac: ENC[AES256_GCM,data:f0gbXSm9Z98N1zyW0pivLVZ/IMVrIYjoaPkOW0hjry66eLjL1x2xQm/xX7/yUuVnOqIx2PE0dELCSrpRxPjoWHzwRzAxVznQoWdxURege5OEbMKCikJ1JU6MWNGlnj+KOvdwAjXAs4/WDJ+ocL6FMSHPCvWN9VifP6DBpS8Rw/s=,iv:1cuQlIVlQuw5FkanYE/jBLFLkpiHXxfXZc436iMduLA=,tag:jZAH80pgv+O9q4y1byZcCA==,type:str]
+    age: []
+    lastmodified: "2021-04-25T15:49:06Z"
+    mac: ENC[AES256_GCM,data:llmBigk2Eoe9vdAm1C6EvfSLCszJ8RAfOZHKH4XoWBVBkHilwVQiinCKscOuPeETW5LL29oMkK+pPSShJx1Ujd0Th2FMZcrKHbD9idM5V67mvEUzRY8Arzb2laFkbSN0ACNy84zzvYRx8d9GLP6SVJrwNmc3QE+X04ZdopmHVjc=,iv:M6kZoLpJ/gIkQAOvItabimMFXgDjLO4phbc5T25ajAc=,tag:wCHO5WBYIBRZOaN1VHereQ==,type:str]
     pgp:
-    -   created_at: '2021-02-06T22:19:41Z'
-        enc: |
+        - created_at: "2021-02-06T22:19:41Z"
+          enc: |
             -----BEGIN PGP MESSAGE-----
 
             hQIMA2CuQNd5ml+/AQ/8C9XUcea9/KWIdpX24KB5y7OpYPA1F0F/zKAoXpPejUS8
@@ -31,6 +33,6 @@ sops:
             /DAP//v2+I/+9M9inAxbWUyH7FqvgH22AugsmIrsAUhuIr+cmSG8LlYMxSWQzEg=
             =rVWE
             -----END PGP MESSAGE-----
-        fp: E61087FD0DC8B3AA734061498564C79FC27F08E2
+          fp: E61087FD0DC8B3AA734061498564C79FC27F08E2
     encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData))
-    version: 3.6.1
+    version: 3.7.1

clusters/staging/apps.yaml

@@ -27,5 +27,9 @@ spec:
     substituteFrom:
     - kind: ConfigMap
       name: global-settings
+    - kind: Secret
+      name: global-secrets
     - kind: ConfigMap
-      name: cluster-settings
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets

clusters/staging/flux-system/gotk-sync.yaml

@@ -21,6 +21,10 @@ spec:
   interval: 10m0s
   path: ./clusters/staging
   prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
   sourceRef:
     kind: GitRepository
     name: flux-system

clusters/staging/infrastructure.yaml

@@ -22,5 +22,9 @@ spec:
     substituteFrom:
     - kind: ConfigMap
       name: global-settings
+    - kind: Secret
+      name: global-secrets
     - kind: ConfigMap
       name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets

clusters/staging/kustomization.yaml

@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../settings.yaml
+- ../secrets.yaml
 - settings.yaml
+- secrets.yaml
 - flux-system
 - operators.yaml
 - infrastructure.yaml

clusters/staging/operators.yaml

@@ -20,5 +20,9 @@ spec:
     substituteFrom:
     - kind: ConfigMap
       name: global-settings
+    - kind: Secret
+      name: global-secrets
     - kind: ConfigMap
       name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets

clusters/staging/secrets.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    namespace: flux-system
+    name: cluster-secrets
+stringData:
+    FLUX_SLACK_URL: ENC[AES256_GCM,data:bKMHzxch8dKANO2V36Dv7vBlqkCwGJy3IGCFa4RVS3KLf192rmocQph2/NDtXCUDbNloMkJsxOS0Dm6wbXRZDfuEaJiZ+0ip1smgaJriUmiQ,iv:+zWGye5okytXg5a3kWTF6GnGSaTfEqBqkxdSVC3flWk=,tag:7BIGoKErP7di5acaFvkEOg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-04-25T15:48:21Z"
+    mac: ENC[AES256_GCM,data:GIKvXIfjuHhLvFd1fhYF1wnOtz4jS66XL6Gw5OoXFMTM9Vr574+VvihRpFeaVxZMfMIIfRJnpApit5EjxVJvNmguiF/zU7+Qg4Jqb9ZQWx4TwdBTBOL60inYrcAr+ULf4krLarpay4YmD3LBT9re0jgswBkct4uCRZOY5S8qhmg=,iv:r6Xi9NjAVkG78obzt2/Nscbp5UlLUj4L6h83gScM0lY=,tag:vOtKj7OxAoxU2l/dtGWzfQ==,type:str]
+    pgp:
+        - created_at: "2021-02-06T22:19:41Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2CuQNd5ml+/AQ/8C9XUcea9/KWIdpX24KB5y7OpYPA1F0F/zKAoXpPejUS8
+            FNYXUUaDohzBXD/E40iEUMR/WoLWS+brRsp1bJkq7ihPVwXr8o/p1AceDZY211vi
+            odFZ50zDOuFxKWja4HXqEVW8sPW5THNiJprsVIJVe4BRxc1eVD/7cm76S/M+urXO
+            8L7K+N2IbZtLxyR9boWeDZj6aJI06skcZMqC6WBCrV+oGOTbVqLNwUXpa++fefkm
+            d/tv2hLajX784s918tbzGrC6/HVdReAc5BNp5/L3RnCR4rXLPdOfy2cq6MEmSHeh
+            SMI7Scpw/O6a1qFkfVyKPjY5f+05PsoOrt3cvbe4uPHFU4U8QNeKiLfeViQAd+va
+            DmAjcrjxKEs9Xw+Hx34G0rtAqy/VeNRLGhQz3AAbzjqXVO8gNh2fGr5MFkKgQDj+
+            Y6J1d0ksNhwGRu0gol/LT7ti/uyV11rsCmeycJq9CUm0aAed59a+aENPqA5hPRTp
+            fuqDuuNVzCFz+4jTcBm4QK0kCcQBGHaTueAj45+FDnBzN1DRbjK/9o4fA3ncGs06
+            F+dig6UqFF22u8vCKpYwuhdwo7Kb4Fza+pAAcH42Npe0CNaUYna1Oy6+LO2fMrsm
+            iDnSIY85UOhxeiLFNQ9gu2YsFXQ7wHrgZCGECvAypU/nJLqHdYTrEXVD8mpX/KPS
+            XgGS2XUYd7DnNiJbQ1KAULc0mkapvX6M7dv4q2ZPfg5QOBy7jNLPKOa1Wr78o+8R
+            /DAP//v2+I/+9M9inAxbWUyH7FqvgH22AugsmIrsAUhuIr+cmSG8LlYMxSWQzEg=
+            =rVWE
+            -----END PGP MESSAGE-----
+          fp: E61087FD0DC8B3AA734061498564C79FC27F08E2
+    encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData))
+    version: 3.7.1

infrastructure/base/flux-system/notifications/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - slack_secret.yaml
   - slack_provider.yaml
   - slack_alert.yaml
   - github_secret.yaml

infrastructure/base/flux-system/notifications/slack_provider.yaml

@@ -4,6 +4,5 @@ metadata:
   name: slack
 spec:
   type: slack
-  channel: $ {{ FLUX_NOTIFICATIONS_CHANNEL}}
-  secretRef:
-    name: slack-url
+  channel: ${FLUX_NOTIFICATIONS_CHANNEL}
+  address: ${FLUX_SLACK_URL}