studio/docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🐛(CI) purge secret from repository

Browse Source 
- Remove *.enc.*
- Adapt helmfile
- Adapt CI
This commit is contained in:
Jacques ROUSSEL
2024-06-06 17:11:57 +02:00
committed by rouja
parent 4e4e2e23e3
commit 37f02893ed
13 changed files with 109 additions and 263 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.github/workflows/deploy.yml vendored
View File

@@ -12,13 +12,24 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Call argocd github webhook

81
.github/workflows/docker-hub.yml vendored
View File

@@ -19,20 +19,31 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-backend
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
@@ -52,20 +63,31 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-frontend
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
@@ -86,20 +108,31 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-y-webrtc-signaling
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
if: github.event_name != 'pull_request'

26
.github/workflows/impress.yml vendored
View File

@@ -209,8 +209,26 @@ jobs:
i18n-crowdin:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
-
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "infrastructure,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
- name: Install gettext (required to make messages)
run: |
@@ -229,12 +247,6 @@ jobs:
- name: Generate the translation base file
run: ~/.local/bin/django-admin makemessages --keep-pot --all
- name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:

1
.github/workflows/secrets vendored Submodule

Submodule .github/workflows/secrets added at d5e83b9046

24
.github/workflows/secrets.enc.env vendored
View File

@@ -1,24 +0,0 @@
SOPS_PRIVATE=ENC[AES256_GCM,data:FK3PweZstvwslF18oRQNnqY2vTAdNNBWiTxRpuULnRnJbtyeula/MU5E08pImMGDvMXZulOgbmuXUHrKb31P6HG2Cz5MBFGhqU8=,iv:gYCDkAtBe1ldjSjVV/jDFYJTceqODpDRr4TRE9pxgb4=,tag:U7B3L4+SOoxVLBGW3GtrDg==,type:str]
CROWDIN_API_TOKEN=ENC[AES256_GCM,data:r0niJ4YBSb+s2Fg9EXkqgegw8JeQIwu27pfDTndjhbcVZW0/tihn5IZjercX3k8TpOuzPYei8k0JtmnjfBMi9NY3pYr80YCWDzUGqUKubyw=,iv:fF7SzhfsoiF53xdMm8BdPy668nYWBTA4r2aIfhUAd1Q=,tag:HskvnLyy5QTQnDv99Jmr1g==,type:str]
CROWDIN_BASE_PATH=ENC[AES256_GCM,data:jC8utvhuMmQ=,iv:VmHB9DX52YnGGWZEm1hD+zeUffypsAhwQQpox4t5png=,tag:cbQ24lWq7g33fJduMgmvuA==,type:str]
CROWDIN_PROJECT_ID=ENC[AES256_GCM,data:xz8mo2fB,iv:FcsLzOVUxxhcibXiIubIhtbdjCUXiIQpuGdBdNpSE8I=,tag:CNKUYvSlok0WFyFaKXR5QA==,type:str]
DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:R9ktuIb579tbe+M=,iv:nmn3wlOc88VL4kGyKLRIRIuVqUu8BuWKtHUjjex+zRg=,tag:fGNtJmMB2iHVGMeLBz5RwQ==,type:str]
DOCKER_HUB_USER=ENC[AES256_GCM,data:LJzr2mftjw==,iv:iwFvXHttIyydyNU11ZZH97oBp/DwTn5hlLQl7CqRWa0=,tag:qntAkpeNG/wOZim5K/8w7A==,type:str]
ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:+dzTPg4mVqDLu6ac9xf2D4eccaKIvAosBBXpwp+QHZwTEeWGNm0GRaVzOx0gU4CjBNU9og0buYdi,iv:mhgVc5dBh1A1TVisGe0c/MO4EnXSb0ZQ2NL85QJzwaI=,tag:cT6Sa/GRJ94ss7yiL9pH2g==,type:str]
ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:meQqbpT5gx5K4fW/WWmIQ9vlHjrQsVfGbdiVWm8YZf6EIm9xHWmTcflYxBqfvgWWen84NKWqt0uzl3+m1eDnLyE=,iv:wyIp0baJsw9jFu4z09xirr6qSpxK8aO907SEvce98/U=,tag:FaW5+x7r+fj3R9yq8ataTw==,type:str]
ARGOCD_PRODUCTION_WEBHOOK_URL=ENC[AES256_GCM,data:9xN9mA1JSw0L2wYxpVfG3uYiLPGo+OuziZTQ8PAMy3Cd+AmDWXcT0AInbhBMQsw5Og==,iv:8mW3YYhXmP9EqA25jwevIT4ccUxfgJU/B17XBasl6Dk=,tag:EMDk1YQj6eEinoBSgRo+7A==,type:str]
ARGOCD_PRODUCTION_WEBHOOK_SECRET=ENC[AES256_GCM,data:Y3pRbqpxtZOJi4VfRRx8WIZKJQuSaVePG0b1kmZ2UxWhfumFsvll91blpZQQIWp42AEgJhUfFz7lgGXtNZc=,iv:GBG4AYYEo50H+GC6Auzdabsj9XGMKStKp6bfqy0iWkE=,tag:qpjnB/K3Glq/Dziav6OXqg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMkZsNEovb2xpWjIrdUpG\nUzArWFlLejB1UTBDTHNJOENybzdRSHBkVVJzCmdWeW1VYUtxejBaWkhvMjEySFNm\nWmlJZWVVMVA2azJhUlBXZ0VrbnNsRGsKLS0tIHhTU0hFSmVnWW9GZE1UVGZMUDVw\ndE1RdCs2OEh1U2Q1WjFkYVNDOEVYQjgKxHI1W+DT2yMW1+0QUNDVdbeo6IvRVEig\nK1WrTM1VAmsji9xuvJQW9uKvYxmHo7OFZzkkNTbmLcJ4wBSNYilh+A==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3OG05S01xK2J5aklEMitF\nNEtYbSthTVJHMk1oNmxkbjBvUkI0a21heXlrCkNPNjh1ektYYXJNVzVBMWxWKzB6\neHd0blE3U1pQdnpXbVkzZGVOdnh4aFEKLS0tIGUwSmdoZWxwNTdiWDdER3ZNU2lV\nZklBdHVERVkzcHZaZWdoM3pLMHBzSDgKTL1ipaUAFXOtGSu1g+pkfr+W3NlJJXcy\nl/yzxbLzPv2MSR09ZUFS6Km97/aTQDkCodt29paHEvRUDhR+oYCDVg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUHRTUkpaaFhZUm1tUFRU\nNU5sZkozcHowTUdoejV5ditibHc1T2V6M3lNCit3OS9TeUx5UTZOTFVibjRaaGR3\nNlQ3WlhKZUNzaUJHNWVLajNnZ2U2RnMKLS0tIG9qdVNFVE5jOHAvSWcvcnVla0hn\nMlg1YTg2b2MreE16Qy85R09pa3ZxbEEKoPB1pOmc5FmSKIwQ017l05Lm+LoNH2KC\ndxSUkmw7n1tVkPKGtgbEcoR04mMm+4ANdXNetu3Goih1bvtjgWvUuQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_2__map_recipient=age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaDVPTVBFVzVxU3JPc0RM\ncTFlSUVzUXpKKzFyTmQweGNITVZFNUlheENjCkxtOU5QTGRMRmVRZ2hrQkY5SXM3\nTmZNU0NGc3VSZ2xOZlRIaTBXOSt2TXcKLS0tIEQ0bVhYSml0eXFLS2lCOFMxWGpS\nWE1tRTFDektsRWVYSHp6eTF4MVJQU3MKfskxXtc6JI86/xdjMRsVTmG0x+jLx/tq\necUbexvI56TOVFThd1Iv2QYnfD48OVstpH1QEpM42XQTRLsrj07gPA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_3__map_recipient=age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aXh5eTVZR21TNlBIbmxO\nR0FPNXlyNklucFNwbng5eStmMlNCNi9VYTJrCkZsejJqNmtxRmJlekN2czg3ZUls\nVTdKVWd2eWtpQUdBbGUzYWR4bXYwVW8KLS0tIEJnS2hDQU5CM2NVc3RsQjlZL1FE\nVGYyYWJ6K2gydVFCbUhYeWNDN2RiWjAKHD7/sZFiGD3+Xz5O/Yajb/gEVREWQB/l\nAsquVroBF4A89QUgbjZSYsHJcWuZ4JZXBX7fGSZwio+8+nhjvy+EhQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_4__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
sops_lastmodified=2024-05-24T13:55:45Z
sops_mac=ENC[AES256_GCM,data:gJViDK19UzUaOT+3b9cUJ+634dgzSkamqcj4031pyhrjCVb7FtRu2B8T7vpZObY3dB3mSCtfJKzKoJRhCjYDTd8YdASIOJyep+6K4JSWvKtliZ46syDQaSSTgPx7WaeLzVRpEpBq0adt6ngKTttbhIvhYZD7Kc3Tz3TcMCmEQhg=,iv:G9tzca7nZrBCNowEYpUkAiraVGxUv2732xwXCizJ8X0=,tag:yYt3ppmVYR+lba//lRNpdg==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

8
.gitmodules vendored Normal file
View File

@@ -0,0 +1,8 @@
[submodule ".github/workflows/secrets"]
path = .github/workflows/secrets
url = https://github.com/numerique-gouv/secrets.git
branch = main
[submodule "src/helm/secrets"]
path = src/helm/secrets
url = https://github.com/numerique-gouv/secrets.git
branch = main

13
.sops.yaml
View File

@@ -1,13 +0,0 @@
creation_rules:
# Here we have
# - Jacques key-id: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
# - github-repo key-id: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
# - Anthony Le-Courric key-id: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
# - Antoine Lebaud key-id: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
# - argocd key-id: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
- age:
age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x,
age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7,
age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg,
age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3,
age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw

4
scripts/update-git-submodule.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/bash
git submodule update --init --recursive
git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'

62
src/helm/env.d/preprod/secrets.enc.yaml
View File

@@ -1,62 +0,0 @@
djangoSuperUserEmail: ENC[AES256_GCM,data:H1jUBjaAYNQyKTx+zB2PQkhQmTTbEcI3eKlc1hM=,iv:NybOri6oWGyPGOkLqumTuWOjWxd3EbgyfEntO1fj48Q=,tag:WbV3r01/D/vgp7oZ2iEauw==,type:str]
djangoSuperUserPass: ENC[AES256_GCM,data:xphbGcEf7V8LUvAkOg==,iv:3lUDI21WUoDmTSKN4X/i39XQPTiL2SRfpeDYVzgEtCY=,tag:2F8Llk4DNVdN+VlbmYxtaQ==,type:str]
djangoSecretKey: ENC[AES256_GCM,data:otw8d6DxHmCYI7NDjG2/8LuHw7opYxA/a2YJRFbRI4q6k5rEm3OZQXhY+a65CjXsLmk=,iv:0LTA6FDXIhOquOhFl3ccf1jB3MM6SMpJZjPc10IH1JY=,tag:s+qHB6EVy8u6LN5joVncFQ==,type:str]
oidc:
clientId: ENC[AES256_GCM,data:8bKg0t3yX7c+yQLxwsS7MdOBjBISQOg7YJqJA45O+BPaq0cN,iv:mIc64r5yG6tZqs8KALtje1OePaHrw0NIrI6wUyxgiho=,tag:xSiJaaZjXrPrpFTrd4fDHQ==,type:str]
clientSecret: ENC[AES256_GCM,data:PyfBgnuhbOzHH9vXoEcofipo+LkSJD/NVv0tNqyn9krWGCmkcIpKoE5PwN0psabJr7OMM8wgdIq7dQOwbo7qlQ==,iv:DJygUtIoMTa/X53pd6J//3eZbeBLCI8cmovjhXyqhew=,tag:O2Cs6Ro6SGkBvJkJArWr8A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTK3JVSUowZUhRemtlbWly
Z3ZEZ203eHNPTTV2dFdnSktiQ0dMcG9ib3pJCkpTSTlIWnFwNFpWRXQ4QldSSlRY
dFJGdEUxTFZ3QUNpQkJXSWpjNHA4MU0KLS0tIFdtSkpoN0h0TEFQWXJlcDgwcVln
dEtiQTh6ZlMvTTZQOUpIaFR3TFJCQk0KaO3OyygbuCWIuFNy8qE5KyePaSYgzdV9
2tOss1evqVR9weI7eH9Ir3bqIyLIPPdKAz1iyEVusI1Ah3SBv5CgEA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Q2x0WjltaE51ckpTaTQv
WDVjVHhKbWFDdys0Ynp3ckdFN05NYzNmU2dzCjBMRXE5YnBpemJGcmlsUHRJQ011
eWl3TGlOaWFQOE9ZOG53UFJHc1pMTncKLS0tIDJIZWdZOE5wTTc2Unl3dEc5WGJv
ejFxeWVVT1NBYWdQYXViL2V1L2l5ZTgK80dqSiXOlokM+aZ429qbsgzrfOxVd3/y
XHSyBN9kTQxR7Dc62B6ynsVbpVXNtrIZ665hoZenG3JGHvbQ55b6HA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyLzlNdkFlWWEwamEybUVC
amlVZm9mL09haktlWkg1UXNLODA5VUtuTUFrCjlGN3JOVnlyTmppQm1ud2k2QStN
T2NJSCszdTJXb1FsclVOdTh2QUJOU00KLS0tIDBVaEcycXhuWlNtYXVLSithaUZp
V052NFpsNGoxZlRra2R5TzVIQ3JKYjAKMzf80YaXkzsl1FtS2w9KDXk/vNO3fP6L
YvJDA2hXap1FyKRFV9cM4NsuxY9ELlsfhduxhH3a11YH95ZTkhs9aQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSkZPd3lYZXgxYityVDE3
ZDFmQU5lTTFYMDRJYnRNZFVqdDkvTmJ2Z2xFCmR5SGRzd3FqckZKYTR6QjZUY1dI
MTdWWXY1bUlpLytWQVVZdDY1dmRiK2MKLS0tIFFaQXY3K3dMTWo4RnF6VjEvRUd5
UjhkaXpVMm40ZmFBSTYxWUp1ZnBrdFkKhHW1f9liTP4j3wsejMqHCFujbUquhuFY
eADVM66fkjyjQMmzFtneBCJMJ0e+LHoMUMVDO2a3SaZYTaRj/ZRvLg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYalhTWlhocklJN3N0eFBC
c1FjemZlK3cyMWxrbnpEWnp2Nlczalo4RWxVCmtvU0NKdnU3Tk5JdTJIUUhuc0dB
UlBrOWtCMlM3SW1PdEVlM0ludXpicTgKLS0tIGVWVHdXNWdOSENGZmFvNk50bENV
QnlsM3BKYTRFMDJqa1kxL1VtMHlsT0kKiJCMZLjdnIkLZxaZ3ecCxNsirnHApgi1
jgJZWXFCgjAVpuaqDfH2taElVR9Bm9ATjKjQPlvYZhguHdy0iJh++A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-24T12:41:08Z"
mac: ENC[AES256_GCM,data:QYNpy3qpYJgcLShlr0nCGG6XJz8BTkIvSvuGbh2mxO/W+0SlTbsi3hwqpXW0zoiPMy/43BBqa9Vs0y+l+kYLE1A8rRuv1+EljvzDZfvPfwZ+L/mdNNiRExtqbjmaTShKJqqklz8s2k4OvEA6ZI6QCiB7RIb/r6zl91/Yc7BC9Pc=,iv:1jOy/rnFA/Lf2QG7RDXiPbdwT04JdOiB7vHBAFBVGm0=,tag:/5U1/DJA10+4jzdecQKiNQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

62
src/helm/env.d/production/secrets.enc.yaml
View File

@@ -1,62 +0,0 @@
djangoSuperUserEmail: ENC[AES256_GCM,data:N985+amM7QdZ89YOeCEFvwO/aFJmO6Z6thknPT2ncaE=,iv:AqQuXE6EtIrASdHyEhTzYmM2gUrz1N4XFdPsy3OJHz0=,tag:sF3H2JxFbr4yq2+AkSXM+g==,type:str]
djangoSuperUserPass: ENC[AES256_GCM,data:VRPRDysrsHT110GZoijW,iv:dMqFmz4jVC4J0g2xsFD/gKePpKqje9ab0Ugyho8TCfM=,tag:FylXCjsgUK3IQIG+ROjOcQ==,type:str]
djangoSecretKey: ENC[AES256_GCM,data:PcctSlUFDjOlSgh8iSb6JOq4wqr3qDeVs6ew9+53,iv:b0llP1uZ8Mh4WtJ2dUMreA9uE+8+qe5IkYn8uCIP2gs=,tag:kRZUSXvLO5bA0jCQM2GxTQ==,type:str]
oidc:
clientId: ENC[AES256_GCM,data:qgyrML58jGGW4xAD+1pzOBF5EadwYTvDahEquQgoeYIfd7X7,iv:K9KqcrOc+Sfo1KCDYQZmDGseJFB8soG0ulp0ucsQLG8=,tag:GYd3tywb8Row9EzJ8RkWqg==,type:str]
clientSecret: ENC[AES256_GCM,data:Kez5KFNe8s0yIg+rcFGSsxxzPJubAmwGfd3pzi3Er/yF4D983kE8bkHWPd5d3O5UMr779bGcsG+qeY0S9AJ8gw==,iv:bG6pDYz0QS76cvCRUCp2p4BsyE/mjp+897oW4jxAoak=,tag:HpUbfUxzsDBM+VznBTJX7w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VlgySmNuWjVrdmxyODJK
cWcrVGVDM2IzS1JERllEQ1dwR0R3UklxUGlJCjBHdkQ4NEVFNTUwUWt4eXE5Z3Fq
SGVBb29USHAzRXdZN3ZJS1pyVWJZSkUKLS0tIHE5UWVKbGE3NHJ3dWs1YUFzaS8r
RXdmaG1SZzMyYk9UVDlNMDhXM2Rnd3MKWgsYrP5q2vbtMmZ8S0KpPPzjm1QGPmAK
z+TddmJ3KVVyiwcRG262Anq2E/+zCSJICxMEF60YnjYHPdxTkCDLuw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOanh6MkwxVUlSa3ZDVVhN
QzI0MkYwZ2ZNSDZSNHBqQ1VJVzk1MnVIem5jCnFBUXBVVDZ4ZDAwM0V2OXd6MTFU
eWRac1BoK2h4ZmVYWlJlRElqbGROT0UKLS0tIFpXK2xNTnVxODV6TjlTd29Fc0Rj
VnB4bVZvZnU3TEd6NytacGc5OG1yUzAKE10zsCu2KsK+akHMkIIheSjS8Mdmikbv
oLqf06IkB7Pr+jmUF+HO+2vPFdK+C5ugeu8j7plTbflWizYQYPeDzw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0QUpSK1R0bnlCai9RTzEr
ZzZJbWdFdmdINDdOV1Z1SFlUdjNHNHpHU3cwCk1nS0xrL2pvZy9POGRqZDVubjZy
dWFPRjdyd0pSdEt2U2tRaVZzL1JGL28KLS0tIGVyZkd1R0w4Y1FFT1ZVLzZseng4
ZVE0dXVqTWVuNk02WHpNUlp1RUFhUFUKG4HV2XncM+YTG5FQc3jA4YUs07O+kXjW
s0/wBXqIR4cpvj+xvi3OY/odGAq76Iy+RHJmwcnJ5tJwDq9IrYTCtg==
-----END AGE ENCRYPTED FILE-----
- recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONUVna1NDMXNZalpNdUlQ
ZkpmOCtUVmg2SWlHZUJJaURrUFVydFRkOUc4CmViZXdQT0x4K1N2dHZVQm9LMW1r
LzdkREdhSFdhSmkyN2pVMlBZQjhreVEKLS0tIEJSdXo0YW1FWGJpUmRNbDF0WkpF
RTAwZXJFR05ob1ZpdUVnc29USHhIQmMKflq3jyJc2MDRq9Pa4HP25wkyBFctV4q4
pcMM680vUv1v3g9NERM6GGx1d3GfZS0m/g3kYM2DduyXLmYfVZu2SA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDVBUUdvTjMrRDJHK25h
OVRjK1BpSlRCM0NYekRKZ0ZuSXAzT0U2UG5RCnpSU2NRQWJjVWttQXBEM3hHUFhk
UmkxUG1mZENUNm51K211WnRHTVZlQlUKLS0tICt1a0o2aXlSTXdma2paQnNwZVNs
eTkxalhUQm1OZ1lBSmVzYmtXOG1TMFEK2yaVOVuPZ+07KSA0VB4EQbuewXJkcdjm
IHzP/kAkC7g7cvfBmAGlp0E0DBhrZK8hfWW3G9Kv0/BOXA3+QVaBng==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-24T14:41:41Z"
mac: ENC[AES256_GCM,data:egmz6AP9kquUa+gKnYkV73HmW5ixQrGKL+veoumbogWv7ghnV+9F7MLLJCjx1IyMy00406QTxrbkAXKQ76G1MhA5eF0F8G5PZ0Z4b8SKHONmXWcGpNGWb9lZ1WFbqozjP/EBQOwjieK76DYCar7xcec6H5niy6BDUrO08mEvpb4=,iv:beE/KbWuFvg/YHxP5ca8jhqmtnsQT+UsweFEU+ZQoiE=,tag:94kzwI1HX8h8VcmqGI6TaQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

62
src/helm/env.d/staging/secrets.enc.yaml
View File

@@ -1,62 +0,0 @@
djangoSuperUserEmail: ENC[AES256_GCM,data:hi+ZWcENFGKlU84LR/yli0A=,iv:Zgfz+8x1PLhDL0rHd4idH21hPmAslw8mWXzknC5i9MM=,tag:533v4b/1y1mDD7C2nBqGsw==,type:str]
djangoSuperUserPass: ENC[AES256_GCM,data:AAsV3FuAZJ5QzIlyOw==,iv:YfeWOEqgZHQxmI6IfPOWHPRoMyaej6SJH7OUgj8yDWQ=,tag:VXJ/VhzcqE/WarwjPxzIvg==,type:str]
djangoSecretKey: ENC[AES256_GCM,data:/JVAyc96seMRTiyGEw/0hSSacKfFC4eQXJGo+Nu5ngAicrnHJqPa0fq9pJq63kLfLgU=,iv:gdMfxI8HrzmdcdV4C+VfgxikT/O6SptQFmkRhikS52U=,tag:O7xSA14bQtcxNb8sZwZh9g==,type:str]
oidc:
clientId: ENC[AES256_GCM,data:qFMt3wOxi2N/SLbHsw3nlqYjXCkcW8Dk1tJ1GexM9nlnhuLO,iv:bQpKzMNZv2Kcm6blDWJwbKiSjUAFjVwEUalLqgylaTY=,tag:Wm4NioIktA+p9XWldEWDbw==,type:str]
clientSecret: ENC[AES256_GCM,data:MiYBGSyuJDcf1f8//7p6L1SIY/4f0f7lKA7OLcbojaZ28q8hh8cr0fPU9s+ftfQe4Ztxg/0wSX/QSUEP4DtiXg==,iv:HrbljXaj2Ki6ElINPoVvaZqn4gyThBLT4SKQDJ0oJrA=,tag:N5i1vqqxlMX7nOb2ymGFHg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreXo5bDRITnYyVE8wODBC
RkVsRlc1V1dZZHltYWg1UTRBcjAwK3pJSkFvCmlmczNPMVVsU1lSRHhTWStiZEN6
ZXFhcFcvaXVEMHJtWXdWV3lDUlhaR3MKLS0tIFZ1R0hHVEttUWY3T1pHTUwrU2Zn
TFJzd2ZHZFFmSFdwY0YyYmd6dnFRQkUKJH+7TZtZvl/L6vRq9gwhDhWj7gmcq8Zn
WlYcRcrqNDBweDwSlER80DhF0xuS0Ero0bh9cr/HiFPwZZ6RxUJoHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UU9nenMwZDlrTkJOZzZu
dmVvVWlBKy9wTVVlRFlybzJldDJoZ0xjOTBvClIyL3M0TTFtL1UxaitnZUNGZXlO
ZVRYVDBsYXphaTZ4TmdGbXJFOHpMMzQKLS0tIFdJSkk4NnZMYTJtSE5sMVoyYU9Z
bjlkVG1QQnVXUXhuK2JXN2ZnWmtQeE0KGbOeGa2hIPrrDcfQ64GEjTR0ZeCyIIZK
2bxSivdOw+1I96+OOIqjvGaa12FfPI58uizldaI0+hSY77vT4sr/7Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVnhHdmpjK2hsd2d4Mk1Y
UlE4NHdjNHAwbGM4K0ZOVFkzd0JiOTNzYW00Ck9sVnoyRXJFa2F1SnVxemV3b016
MzJzZUNrVVNPYlhkM2hDK0ZiMEpCNmcKLS0tIEdseGhqZ1dLeGh0TE1tSDRldWVk
M0hDVGJaN2Jmc004TFYzSGJOTEVDNVUKB3TenK4RxkoGRAzX2AlcbyCddGfHte3N
mSEUuy0ig2tlF0eL0yA5GR8BIfGEEMQS6tJCliUsKwC6M233mkD0tQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdHFEeVUyL3d4WVdNaTJ1
SU9PaG1vSG5YUXpobFhCbnhhNlpwWGZaaldvCkFrWTBSNWdWOVlBeU1sQWUyTlFy
QVk5QjJ2UmNhRmVVMFgxZ1lpdzNKVmMKLS0tIHF5VjVJcVV3Zk5uUFhIZEljMzAx
SUNyejQ4alppMC9tanRFeCtBcndHaTAKfBO4hj5T/bdwbvK8hbEvcAcjuLA7oxg9
eSWcPZp27LhXMaEwnDlFnLDFEMic/WU6HQBYcSCpt+n98Y4z9T1q2Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGxFUlhiVDNIRTVhdjNO
ZEZLcDhrUjNNOGZ6a0lvcFRQa0pwMjYyL0hnCmIyQ2tTVXRocFRvNmVkVENXVUEx
YnpySzF5RXA1djlMSlhhcjRVdlliTmsKLS0tIGtwb2x1cmlKMTkzTUxENi9NK2ZI
b2dKNENuQmorTXZtdVhLNGo5UVBPZzgK1gaZkRtxV+BVO1lX25XXAonvyrK7V48d
oAHG/v2OyD7dJJKYmHyIcrWLCRplgQb2r7t6gLSr0llf9rbWQhmkiw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-24T10:35:08Z"
mac: ENC[AES256_GCM,data:A6YUQM3N2DwqjPILfPT4Nc6vlpu52c8qa2+5OJABL2cz6jzvhO2e/0CzJl7P/bOYhlYMpHHeCTX3jk2DMyppuDJsqBN5ouw2oDe/S8WOC9xaKWRxqlgkD93K8ZCYGad9sS58BJN3upBEjln+yu/2trihOsEi6pCQkB/Jrmbe+Qo=,iv:SRgaH9W6FApY8qf8HGfdMpiErx+FOnJJBAd/op93Bxg=,tag:IlDeS9weVroGKhOvU3xwAw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

11
src/helm/helmfile.yaml
View File

@@ -48,7 +48,7 @@ releases:
namespace: {{ .Namespace }}
chart: ./extra
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
- name: impress
version: {{ .Values.version }}
@@ -57,7 +57,7 @@ releases:
values:
- env.d/{{ .Environment.Name }}/values.impress.yaml.gotmpl
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- {{ ne .Environment.Name "dev" | ternary "secrets/numerique-gouv/impress/env" "env.d" }}/{{ .Environment.Name }}/secrets.enc.yaml
environments:
dev:
@@ -69,15 +69,14 @@ environments:
values:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
preprod:
values:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
production:
values:
- version: 0.0.1
secrets:
- env.d/{{ .Environment.Name }}/secrets.enc.yaml
- secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml

1
src/helm/secrets Submodule

Submodule src/helm/secrets added at d5e83b9046