💚(ci) improve secrets for k8s deployment

Avoid secrets to be visible from running deployments
2024-04-23 11:55:20 +02:00
parent 5fbb5106a9
commit 0c2d097d8d
4 changed files with 58 additions and 34 deletions
--- a/src/helm/env.d/staging/secrets.enc.yaml
+++ b/src/helm/env.d/staging/secrets.enc.yaml
@@ -1,7 +1,8 @@
-djangoSecretKey: ENC[AES256_GCM,data:fXffaVSb45taCPlKygMUI6KBsOkW1lnSjeMVY2LZ0Bm21tk2nW4A9tx77819PcMr6Gw=,iv:Slr1gHQRxZ9dm9wwPobmCgx0XvlWFCKruvsGJJShDyI=,tag:Zon6jXDx1G01BbmoHIOiNg==,type:str]
+djangoSuperUserPass: ENC[AES256_GCM,data:SI+D1Zw=,iv:8qgW0GurOmIj0rK96uwe7Fd8vy/qL/lXPUacbI6fEbc=,tag:c8pUxk8dJB2PwdkT/v+SQA==,type:str]
+djangoSecretKey: ENC[AES256_GCM,data:Huwvo8hDmaN/gA08ZunK8QpDzAUfMUG7Bay8t6R0j3Ft9xbJDj+wUN3OvRg96BEQzJU=,iv:EIhRr9vfPiUl1/BYu+EdnURyw6GRwA9snfua/YHl2wc=,tag:5Jg0WcTznIQRLsNzLZdtpw==,type:str]
 oidc:
-    clientId: ENC[AES256_GCM,data:z0dcJfY1vGSA+UI3gwNe052Ftp+SY98bVBw3/FHoJs1ysiVu,iv:6jCCk0uutMEaubMCdbwcg6x3DGZNcw+bB5Yg1BZemDI=,tag:uEiXET+RblyfWQkQoG2FEg==,type:str]
-    clientSecret: ENC[AES256_GCM,data:C9h3NGrnjkloRLAMz4n8SnElUCMpU1P43Jsg+AkiXlU8lRy9Fx8U1EePdxAd1oNOYpY3KHqNY9ZUI1Kib9VROA==,iv:hicMK2L9fEcpWsI/upyuSBiA2BP/UmuJCSVYB4MBR8o=,tag:jQkm//0GTk6cDM8o4XVgIw==,type:str]
+    clientId: ENC[AES256_GCM,data:dbyq0iIRNo+iGVrX9DGsMrr0bdlsi1Z9RVz61bWxJPg0GGlB,iv:imP0uutbiDg4uWc6zIoGghEtPkXSPdeaywEOjkvqO+0=,tag:pCEp9ev7kokwzBpI7qKzEA==,type:str]
+    clientSecret: ENC[AES256_GCM,data:HjZC/GXyMn/UoMMs3C4xjL+B+UTyC4BtEfreiqKIWoOPdVyHJHOlytIl7QF+uO+bW0CNoNwcDceLdvYfXnK80A==,iv:p/BQZYdyCPeGpo/x1ydM25Ac5/dnb674Ai5uqdWvtJ4=,tag:yXS2StcxP4QZ+X7V0tT5Uw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -11,50 +12,50 @@ sops:
        - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWURKNm5LNm9iU2Q2Z01t
-            TVlzcmNRMG4vM0ZlVG0ra2cxNzdBVGN5d1I0CkU2SHBpUjcyRzBmUTl6ZnVBNFY2
-            V3BJYzZDOGJySG04RmhjelFvU2dtV1EKLS0tIERQZmNPMGtOaW9qWGI3cmRlaEc2
-            aGJDSDB2QU5aZXgvRHVNR0JXRFlmMjAKoCkjaE9RNe77R66Bgufo8LoKhdEpJsx5
-            AqK9Y6zaYFmTeHZLF0a3RAc5c5obsXPzlXRrls8qz9DutRRxI0Q1BQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZ2t2elFRbGhoY2JaRmox
+            R3NvM2VBeC9sNXdxN3hnRDZuK1VZdlhqRmo4CjhaWUw5QUR3a3pzTTY5eHc4dkdW
+            LzM4WlUzalJHem9EQ3pnUCt1R2pSM2sKLS0tIGZ0dTNuSCt5WXZlYWtUYjB4V1Uw
+            aTU5eGJqRWRVL2tvRDk5ZWpyVzRQeFEKfw+U98UZZNFDnn7MuSK2Wv1KOEIRfCM6
+            AfFjC+9HlAyUR+iyjeqqRgrO6VHDq92AvZyP5rmMPGZDWfepwTau+Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MW40Rkg1Z3FaR2Q3dlRS
-            dW5abXJTLzRoM3VjUCs0MEYzdEUwU3ZkZzNJCkw2NElSSWNmNDZwMFNJZ0lCSk5W
-            eUpER0ZwQUVxcGI1dTAxN3RrMlNDdHMKLS0tIG52eTc2V3RzOCtJcXY0MSswdWto
-            Z0VjOEl6cGVZQWVKTjM4dGovSEx0V2sKckUCryf0iwfqDg9YYXpzSDZeTE+snlki
-            /ifCHM0jlkX1mM/9sLlxdxTYhHEfNfMi2EJPTk/ypspG9Jsty9+s6g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV3VIVVNNaWtsWDZKbTk3
+            Qk9UL3Y3Szd1UStRZnFETnJGSjdCTEtaSW5jCnFiRnJ4Wk8xOE1Qa3VhdUZ3a0tK
+            TEpMUWNuQTVGSmY4eitEZ2FZYVQ5Qm8KLS0tIG8rSGloc0dzcnJDSzhRNWpsVm5X
+            OWprL2RHTWJ5STNyK0MwMXN3L0JOVzAKaW+9RDM+YTUpSF3sUV3q+TIrr3ZI216g
+            olxkNup9Jy6jbK1YVxdzay6lTR+Brg+2bqPDCZx9jIyKQP3m78UERQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCck1wNWZhaFFzZkJ6VDBh
-            OUlpS2FRVENreER1THpWUHJUUmwyRUFqMmpFCjFjcXZIMWRxdkhheXlpeW1mdkZa
-            cUlxWURqdTVCS3MzeTdXR2VZTHYzK3cKLS0tIDRQM2VKeSs5SldEb0VjSVFIOHVU
-            bU8vdzhjUkVGNmdTUndDajE3RWRqcDQKm6wgY7QCor7hYZx3HcwINY4B9PkP0DLS
-            KekZcOq7OarVejjbgJXozGokiHsLyy0tVbCMOgSGnMiW+DUjKwxF2g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WG8wM2NXY2hlOE1CU3hz
+            bnh5dTRZL2NuQWszSkxnV0xwcXhuN3ZRcERRCkJzeE5naTdYaWdodzNsSVMrZncw
+            YXdqLzFLNVU0SVZXNmREcHpvdkhNWXcKLS0tIDVWb2lMK3hZU0dMcUhUbGVDNWsx
+            dnhMa0pEM3ZQQ1pQMUFuNnhnMWtrcTQK+wU3EUIGWXC6vao1I4lOWWuE6XoLIAkK
+            4edHmywzHmDbHNDWDdROw7jc/DMR3zTrvzyY69i8/RaIbfJL+Scx/Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VG56S08yTmtIWlJHQmdx
-            REMxdHFIeWNWci9LZG5SSVBSS3cveEFreUhNCkMxUGhqUWpQeGlwNTVyVW1FL2h6
-            RGpyOTNnS0U2eTEyTWUzODloVS9XYVEKLS0tIEdOTWNzbjlwN1dOaEVwV2t4bzlk
-            M3QxOVdLTDRKT1VDTlFTa090Wmo2QUkKQ440MRv3Kj+mNswtLWqUriNfIrTHly9G
-            lediVDsIuhddG/jR6kqYtZu/QbRzzJFTvbScPpKcDyuSvJrjOUcpjg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdHgzVXl2QzJqazR2MzhP
+            VHRiY1Zvdi9VRlBFWnF4T1grbm5LU0Vic0JNClR1VTlJVklSVDVCVTNDNmxhZUt2
+            V1pUYjBNMjNQZWRJUDcycDcrSGx6OEUKLS0tIHFxRjk5Vm85OElVeE5lNzE1eGxG
+            aHo1M2pkQ05ub0laWCsyNWV6enMzOUUKKHDZ16fxx/6wfOeTtga/iDxP5zKdaCAL
+            OxZilGmf6OCfLv7BJ3+BWeILXFHYK1BiXxkH60h0BxRP59GBIEtpLA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dWFzeU9FZ1h1U0V3T3JZ
-            STNQWmJmcWwyRU92RzVMV0lRWmhKTGFwN1VzCjJrSjRVb0NYbjg1UGhWVm1lT0do
-            aDA1Mm9oSm04S0JDbi9sN2dXY1orQXcKLS0tIHNlejBHM2h4Q1ppeFNkQ1JFN1F1
-            Z0l3aXBwSkpNS3dnc1pJUmpNSVFmRVEKzIWyJvKIMxJSnFZuG2OZmtCReHk/zO+s
-            naGqflrMdCeqSxUFVWyIquNO8FEseMtslYVTnlBA3UoBij+jmdGIEA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSERVbmxJaXloSW5DR0pT
+            V2pGUFp4TkJkUi9VYkIwTDI4bWUrc2FVcUNFCnA5LytWOWRiRWVPT1VNSDAzdU9m
+            dkM2NlgvRHhRWkE0Ujc5RFMrMnAwYW8KLS0tIEN5dWtqdW55QXFUL0VmREN6RjVP
+            S2p2T1llNnlveGZ5NG1ic2lGSWdndFEK151lp8jV15LxXwva6rYJkNtBnJSb4DPc
+            I2IJTkMF4pw8Z/zuDvDcHx5J6XDUycpjxEZtVmu84dclpPAf+tw8AA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-12T08:03:19Z"
-    mac: ENC[AES256_GCM,data:a6rVdMYft/qyxBbF/3tVkKWtCkKKJ8uQsktiujEgJy/eH9iDUB0pYcOnR05IPermqiMu8SjcpzzivmC06c5MUXJvoHwrOmK7D46PD+ZhygScThW535koyCglMlSgetfksUW3y3M8nwdADHRydNcXYVT2DQt1enkhT5OoF98xApQ=,iv:ynxCfd+M/rmwlgzKClOBfYplBdKm1WOM5MBR2XZrpjs=,tag:fdLdY6ZnzA9ZXHIIZh8Bkg==,type:str]
+    lastmodified: "2024-04-23T09:52:58Z"
+    mac: ENC[AES256_GCM,data:ZoUXKuLe8AkrZojEmTQslLw9YuQI+cxHa17jDyic0ahqzQ9zrECpWFphFlisaUyNtp1L1ALH1SrNwO6Q7vqnLYKEGcjv0BIZDQvpfmTNrpFYG/shE9GzGq0UvRcjS6zdgjG9BxdLkb/5ke9AB7lUdGv2ztLD8SEQqHIbBAc4UCQ=,iv:j3X70vSidHqDIfxKnenFk5Tcs5V5yBOuLyioZcjiH4w=,tag:lgPX2WZXqZ8493Lwzv2rBg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/src/helm/env.d/staging/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/staging/values.impress.yaml.gotmpl
@@ -11,9 +11,15 @@ backend:
    DJANGO_CSRF_TRUSTED_ORIGINS: http://impress-staging.beta.numerique.gouv.fr,https://impress-staging.beta.numerique.gouv.fr
    DJANGO_CONFIGURATION: Production
    DJANGO_ALLOWED_HOSTS: "*"
-    DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+    DJANGO_SECRET_KEY:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SECRET_KEY
    DJANGO_SETTINGS_MODULE: impress.settings
-    DJANGO_SUPERUSER_PASSWORD: admin
+    DJANGO_SUPERUSER_PASSWORD:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SUPERUSER_PASSWORD
    DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
    DJANGO_EMAIL_PORT: 465
    DJANGO_EMAIL_USE_SSL: True
@@ -22,8 +28,14 @@ backend:
    OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
    OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
    OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
-    OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
-    OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
+    OIDC_RP_CLIENT_ID:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_ID
+    OIDC_RP_CLIENT_SECRET:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_SECRET
    OIDC_RP_SIGN_ALGO: RS256
    OIDC_RP_SCOPES: "openid email"
    OIDC_REDIRECT_ALLOWED_HOSTS: https://impress-staging.beta.numerique.gouv.fr
--- a/src/helm/extra/templates/secrets.yaml
+++ b/src/helm/extra/templates/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backend
+stringData:
+  DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
+  DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+  OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
+  OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -32,6 +32,8 @@ releases:
    installed: {{ ne .Environment.Name "dev" | toYaml }}
    namespace: {{ .Namespace }}
    chart: ./extra
+    secrets:
+      - env.d/{{ .Environment.Name }}/secrets.enc.yaml

  - name: impress
    version: {{ .Values.version }}