diff --git a/src/helm/env.d/staging/secrets.enc.yaml b/src/helm/env.d/staging/secrets.enc.yaml
index 0549ad0d..afc1c216 100644
--- a/src/helm/env.d/staging/secrets.enc.yaml
+++ b/src/helm/env.d/staging/secrets.enc.yaml
@@ -1,7 +1,8 @@
-djangoSecretKey: ENC[AES256_GCM,data:fXffaVSb45taCPlKygMUI6KBsOkW1lnSjeMVY2LZ0Bm21tk2nW4A9tx77819PcMr6Gw=,iv:Slr1gHQRxZ9dm9wwPobmCgx0XvlWFCKruvsGJJShDyI=,tag:Zon6jXDx1G01BbmoHIOiNg==,type:str]
+djangoSuperUserPass: ENC[AES256_GCM,data:SI+D1Zw=,iv:8qgW0GurOmIj0rK96uwe7Fd8vy/qL/lXPUacbI6fEbc=,tag:c8pUxk8dJB2PwdkT/v+SQA==,type:str]
+djangoSecretKey: ENC[AES256_GCM,data:Huwvo8hDmaN/gA08ZunK8QpDzAUfMUG7Bay8t6R0j3Ft9xbJDj+wUN3OvRg96BEQzJU=,iv:EIhRr9vfPiUl1/BYu+EdnURyw6GRwA9snfua/YHl2wc=,tag:5Jg0WcTznIQRLsNzLZdtpw==,type:str]
oidc:
- clientId: ENC[AES256_GCM,data:z0dcJfY1vGSA+UI3gwNe052Ftp+SY98bVBw3/FHoJs1ysiVu,iv:6jCCk0uutMEaubMCdbwcg6x3DGZNcw+bB5Yg1BZemDI=,tag:uEiXET+RblyfWQkQoG2FEg==,type:str]
- clientSecret: ENC[AES256_GCM,data:C9h3NGrnjkloRLAMz4n8SnElUCMpU1P43Jsg+AkiXlU8lRy9Fx8U1EePdxAd1oNOYpY3KHqNY9ZUI1Kib9VROA==,iv:hicMK2L9fEcpWsI/upyuSBiA2BP/UmuJCSVYB4MBR8o=,tag:jQkm//0GTk6cDM8o4XVgIw==,type:str]
+ clientId: ENC[AES256_GCM,data:dbyq0iIRNo+iGVrX9DGsMrr0bdlsi1Z9RVz61bWxJPg0GGlB,iv:imP0uutbiDg4uWc6zIoGghEtPkXSPdeaywEOjkvqO+0=,tag:pCEp9ev7kokwzBpI7qKzEA==,type:str]
+ clientSecret: ENC[AES256_GCM,data:HjZC/GXyMn/UoMMs3C4xjL+B+UTyC4BtEfreiqKIWoOPdVyHJHOlytIl7QF+uO+bW0CNoNwcDceLdvYfXnK80A==,iv:p/BQZYdyCPeGpo/x1ydM25Ac5/dnb674Ai5uqdWvtJ4=,tag:yXS2StcxP4QZ+X7V0tT5Uw==,type:str]
sops:
kms: []
gcp_kms: []
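Review bot: The new `djangoSuperUserPass` entry encrypts a five-byte value — `data:SI+D1Zw=` decodes to five bytes and AES-256-GCM ciphertext keeps the plaintext length — which is exactly the length of the literal `admin` this commit removes from values.impress.yaml.gotmpl. Encrypting with sops hides the value from the repository but does not make it harder to guess if the old value was merely moved rather than replaced, and the ciphertext length stays visible to anyone who can read the repo. If the password was not regenerated, replace it with a long random value and re-encrypt before relying on this file. The remaining hunks of this file are sops bookkeeping (age recipient stanzas, `lastmodified`, `mac`) and need no review.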
@@ -11,50 +12,50 @@ sops: - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArWURKNm5LNm9iU2Q2Z01t - TVlzcmNRMG4vM0ZlVG0ra2cxNzdBVGN5d1I0CkU2SHBpUjcyRzBmUTl6ZnVBNFY2 - V3BJYzZDOGJySG04RmhjelFvU2dtV1EKLS0tIERQZmNPMGtOaW9qWGI3cmRlaEc2 - aGJDSDB2QU5aZXgvRHVNR0JXRFlmMjAKoCkjaE9RNe77R66Bgufo8LoKhdEpJsx5 - AqK9Y6zaYFmTeHZLF0a3RAc5c5obsXPzlXRrls8qz9DutRRxI0Q1BQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZ2t2elFRbGhoY2JaRmox + R3NvM2VBeC9sNXdxN3hnRDZuK1VZdlhqRmo4CjhaWUw5QUR3a3pzTTY5eHc4dkdW + LzM4WlUzalJHem9EQ3pnUCt1R2pSM2sKLS0tIGZ0dTNuSCt5WXZlYWtUYjB4V1Uw + aTU5eGJqRWRVL2tvRDk5ZWpyVzRQeFEKfw+U98UZZNFDnn7MuSK2Wv1KOEIRfCM6 + AfFjC+9HlAyUR+iyjeqqRgrO6VHDq92AvZyP5rmMPGZDWfepwTau+Q== -----END AGE ENCRYPTED FILE----- - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MW40Rkg1Z3FaR2Q3dlRS - dW5abXJTLzRoM3VjUCs0MEYzdEUwU3ZkZzNJCkw2NElSSWNmNDZwMFNJZ0lCSk5W - eUpER0ZwQUVxcGI1dTAxN3RrMlNDdHMKLS0tIG52eTc2V3RzOCtJcXY0MSswdWto - Z0VjOEl6cGVZQWVKTjM4dGovSEx0V2sKckUCryf0iwfqDg9YYXpzSDZeTE+snlki - /ifCHM0jlkX1mM/9sLlxdxTYhHEfNfMi2EJPTk/ypspG9Jsty9+s6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV3VIVVNNaWtsWDZKbTk3 + Qk9UL3Y3Szd1UStRZnFETnJGSjdCTEtaSW5jCnFiRnJ4Wk8xOE1Qa3VhdUZ3a0tK + TEpMUWNuQTVGSmY4eitEZ2FZYVQ5Qm8KLS0tIG8rSGloc0dzcnJDSzhRNWpsVm5X + OWprL2RHTWJ5STNyK0MwMXN3L0JOVzAKaW+9RDM+YTUpSF3sUV3q+TIrr3ZI216g + olxkNup9Jy6jbK1YVxdzay6lTR+Brg+2bqPDCZx9jIyKQP3m78UERQ== -----END AGE ENCRYPTED FILE----- - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCck1wNWZhaFFzZkJ6VDBh - OUlpS2FRVENreER1THpWUHJUUmwyRUFqMmpFCjFjcXZIMWRxdkhheXlpeW1mdkZa - cUlxWURqdTVCS3MzeTdXR2VZTHYzK3cKLS0tIDRQM2VKeSs5SldEb0VjSVFIOHVU - 
bU8vdzhjUkVGNmdTUndDajE3RWRqcDQKm6wgY7QCor7hYZx3HcwINY4B9PkP0DLS - KekZcOq7OarVejjbgJXozGokiHsLyy0tVbCMOgSGnMiW+DUjKwxF2g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WG8wM2NXY2hlOE1CU3hz + bnh5dTRZL2NuQWszSkxnV0xwcXhuN3ZRcERRCkJzeE5naTdYaWdodzNsSVMrZncw + YXdqLzFLNVU0SVZXNmREcHpvdkhNWXcKLS0tIDVWb2lMK3hZU0dMcUhUbGVDNWsx + dnhMa0pEM3ZQQ1pQMUFuNnhnMWtrcTQK+wU3EUIGWXC6vao1I4lOWWuE6XoLIAkK + 4edHmywzHmDbHNDWDdROw7jc/DMR3zTrvzyY69i8/RaIbfJL+Scx/Q== -----END AGE ENCRYPTED FILE----- - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VG56S08yTmtIWlJHQmdx - REMxdHFIeWNWci9LZG5SSVBSS3cveEFreUhNCkMxUGhqUWpQeGlwNTVyVW1FL2h6 - RGpyOTNnS0U2eTEyTWUzODloVS9XYVEKLS0tIEdOTWNzbjlwN1dOaEVwV2t4bzlk - M3QxOVdLTDRKT1VDTlFTa090Wmo2QUkKQ440MRv3Kj+mNswtLWqUriNfIrTHly9G - lediVDsIuhddG/jR6kqYtZu/QbRzzJFTvbScPpKcDyuSvJrjOUcpjg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdHgzVXl2QzJqazR2MzhP + VHRiY1Zvdi9VRlBFWnF4T1grbm5LU0Vic0JNClR1VTlJVklSVDVCVTNDNmxhZUt2 + V1pUYjBNMjNQZWRJUDcycDcrSGx6OEUKLS0tIHFxRjk5Vm85OElVeE5lNzE1eGxG + aHo1M2pkQ05ub0laWCsyNWV6enMzOUUKKHDZ16fxx/6wfOeTtga/iDxP5zKdaCAL + OxZilGmf6OCfLv7BJ3+BWeILXFHYK1BiXxkH60h0BxRP59GBIEtpLA== -----END AGE ENCRYPTED FILE----- - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3dWFzeU9FZ1h1U0V3T3JZ - STNQWmJmcWwyRU92RzVMV0lRWmhKTGFwN1VzCjJrSjRVb0NYbjg1UGhWVm1lT0do - aDA1Mm9oSm04S0JDbi9sN2dXY1orQXcKLS0tIHNlejBHM2h4Q1ppeFNkQ1JFN1F1 - Z0l3aXBwSkpNS3dnc1pJUmpNSVFmRVEKzIWyJvKIMxJSnFZuG2OZmtCReHk/zO+s - naGqflrMdCeqSxUFVWyIquNO8FEseMtslYVTnlBA3UoBij+jmdGIEA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSERVbmxJaXloSW5DR0pT + V2pGUFp4TkJkUi9VYkIwTDI4bWUrc2FVcUNFCnA5LytWOWRiRWVPT1VNSDAzdU9m + dkM2NlgvRHhRWkE0Ujc5RFMrMnAwYW8KLS0tIEN5dWtqdW55QXFUL0VmREN6RjVP + 
S2p2T1llNnlveGZ5NG1ic2lGSWdndFEK151lp8jV15LxXwva6rYJkNtBnJSb4DPc
+ I2IJTkMF4pw8Z/zuDvDcHx5J6XDUycpjxEZtVmu84dclpPAf+tw8AA==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-12T08:03:19Z"
- mac: ENC[AES256_GCM,data:a6rVdMYft/qyxBbF/3tVkKWtCkKKJ8uQsktiujEgJy/eH9iDUB0pYcOnR05IPermqiMu8SjcpzzivmC06c5MUXJvoHwrOmK7D46PD+ZhygScThW535koyCglMlSgetfksUW3y3M8nwdADHRydNcXYVT2DQt1enkhT5OoF98xApQ=,iv:ynxCfd+M/rmwlgzKClOBfYplBdKm1WOM5MBR2XZrpjs=,tag:fdLdY6ZnzA9ZXHIIZh8Bkg==,type:str]
+ lastmodified: "2024-04-23T09:52:58Z"
+ mac: ENC[AES256_GCM,data:ZoUXKuLe8AkrZojEmTQslLw9YuQI+cxHa17jDyic0ahqzQ9zrECpWFphFlisaUyNtp1L1ALH1SrNwO6Q7vqnLYKEGcjv0BIZDQvpfmTNrpFYG/shE9GzGq0UvRcjS6zdgjG9BxdLkb/5ke9AB7lUdGv2ztLD8SEQqHIbBAc4UCQ=,iv:j3X70vSidHqDIfxKnenFk5Tcs5V5yBOuLyioZcjiH4w=,tag:lgPX2WZXqZ8493Lwzv2rBg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1
diff --git a/src/helm/env.d/staging/values.impress.yaml.gotmpl b/src/helm/env.d/staging/values.impress.yaml.gotmpl
index 8f568127..b0b08cc8 100644
--- a/src/helm/env.d/staging/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/staging/values.impress.yaml.gotmpl
@@ -11,9 +11,15 @@ backend:
DJANGO_CSRF_TRUSTED_ORIGINS: http://impress-staging.beta.numerique.gouv.fr,https://impress-staging.beta.numerique.gouv.fr
DJANGO_CONFIGURATION: Production
DJANGO_ALLOWED_HOSTS: "*"
- DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+ DJANGO_SECRET_KEY:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SECRET_KEY
DJANGO_SETTINGS_MODULE: impress.settings
- DJANGO_SUPERUSER_PASSWORD: admin
+ DJANGO_SUPERUSER_PASSWORD:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SUPERUSER_PASSWORD
DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
DJANGO_EMAIL_PORT: 465
DJANGO_EMAIL_USE_SSL: True
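Review bot: The `secretKeyRef` mapping given as the value of `DJANGO_SECRET_KEY` and `DJANGO_SUPERUSER_PASSWORD` only works if the impress chart's env rendering recognises an object of that shape and emits it as `valueFrom.secretKeyRef`; the chart template is not in this diff, so that should be confirmed by rendering the release and checking that the container spec shows `valueFrom` rather than a stringified map. The referenced Secret `backend` is produced by the separate `extra` release, so the pod will fail to start with a missing-secret error if that release is not installed in the same namespace before `impress`. A one-line comment above the first reference, `# values come from Secret "backend", created by the extra release (src/helm/extra/templates/secrets.yaml)`, would make that coupling visible to the next editor. The same applies to `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET` in the next hunk of this file.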
@@ -22,8 +28,14 @@ backend:
OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
- OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
- OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
+ OIDC_RP_CLIENT_ID:
+ secretKeyRef:
+ name: backend
+ key: OIDC_RP_CLIENT_ID
+ OIDC_RP_CLIENT_SECRET:
+ secretKeyRef:
+ name: backend
+ key: OIDC_RP_CLIENT_SECRET
OIDC_RP_SIGN_ALGO: RS256
OIDC_RP_SCOPES: "openid email"
OIDC_REDIRECT_ALLOWED_HOSTS: https://impress-staging.beta.numerique.gouv.fr
diff --git a/src/helm/extra/templates/secrets.yaml b/src/helm/extra/templates/secrets.yaml
new file mode 100644
index 00000000..011f357d
--- /dev/null
+++ b/src/helm/extra/templates/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: backend
+stringData:
+ DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
+ DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+ OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
+ OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index 35a94ff9..aeba2b45 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
@@ -32,6 +32,8 @@ releases:
installed: {{ ne .Environment.Name "dev" | toYaml }}
namespace: {{ .Namespace }}
chart: ./extra
+ secrets:
+ - env.d/{{ .Environment.Name }}/secrets.enc.yaml
- name: impress
version: {{ .Values.version }}
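Review bot: In `stringData` every templated value is emitted as an unquoted plain scalar, e.g. `DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}`; a Django secret key or OIDC client secret that contains ` #` or `: `, or starts with `{`, `[`, `*`, `&` or `|`, will either fail to parse or be silently truncated or retyped, and an unset value renders as empty and becomes `null`. Pipe each value through `quote`, e.g. `DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey | quote }}`, and likewise for `DJANGO_SUPERUSER_PASSWORD`, `OIDC_RP_CLIENT_ID` and `OIDC_RP_CLIENT_SECRET`; wrapping each in `required` as well turns a missing decrypted value into a template error instead of an empty secret. A `type: Opaque` line under `kind` is conventional and makes the intent explicit. Because `metadata.name: backend` is a fixed name rather than one derived from the release, any other chart in the namespace that creates a Secret called `backend` will conflict with this one.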
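Review bot: Loading `env.d/{{ .Environment.Name }}/secrets.enc.yaml` into the `extra` release makes it the sole producer of the `backend` Secret that the `impress` release's values now reference through `secretKeyRef`, yet nothing in the visible release spec declares that ordering. Since this release is skipped for the dev environment (`installed: {{ ne .Environment.Name "dev" | toYaml }}`), any dev values that copy the `secretKeyRef` pattern would point at a Secret that is never created; whether dev does so is outside this diff. If `needs:` is used elsewhere in this helmfile, `needs: [extra]` on the `impress` release (outside this hunk) would encode the dependency; otherwise state it in a comment beside the new entry, e.g. `# decrypted values feed templates/secrets.yaml; impress reads them via secretKeyRef name: backend`. Whether the impress release still loads this file for its own templating cannot be seen from the hunk.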