From 37f02893edc381f9df300c359d0aed29cbfcf44b Mon Sep 17 00:00:00 2001
From: Jacques ROUSSEL
Date: Thu, 6 Jun 2024 17:11:57 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B(CI)=20purge=20secret=20from=20repo?= =?UTF-8?q?sitory?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove *.enc.*
- Adapt helmfile
- Adapt CI
---
 .github/workflows/deploy.yml | 17 ++++-
 .github/workflows/docker-hub.yml | 81 +++++++++++++++-------
 .github/workflows/impress.yml | 26 +++++--
 .github/workflows/secrets | 1 +
 .github/workflows/secrets.enc.env | 24 -------
 .gitmodules | 8 +++
 .sops.yaml | 13 ----
 scripts/update-git-submodule.sh | 4 ++
 src/helm/env.d/preprod/secrets.enc.yaml | 62 -----------------
 src/helm/env.d/production/secrets.enc.yaml | 62 -----------------
 src/helm/env.d/staging/secrets.enc.yaml | 62 -----------------
 src/helm/helmfile.yaml | 11 ++-
 src/helm/secrets | 1 +
 13 files changed, 109 insertions(+), 263 deletions(-)
 create mode 160000 .github/workflows/secrets
 delete mode 100644 .github/workflows/secrets.enc.env
 create mode 100644 .gitmodules
 delete mode 100644 .sops.yaml
 create mode 100755 scripts/update-git-submodule.sh
 delete mode 100644 src/helm/env.d/preprod/secrets.enc.yaml
 delete mode 100644 src/helm/env.d/production/secrets.enc.yaml
 delete mode 100644 src/helm/env.d/staging/secrets.enc.yaml
 create mode 160000 src/helm/secrets
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index adb8c88c..35bfa2ef 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,13 +12,24 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 -
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "impress,secrets"
+ -
+ name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ token: ${{ steps.app-token.outputs.token }}
 -
 name: Load sops secrets
 uses: rouja/actions-sops@main
 with:
- secret-file: .github/workflows/secrets.enc.env
+ secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
 age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Call argocd github webhook
diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 7ef3341e..e9e722bc 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -19,20 +19,31 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 -
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "impress,secrets"
+ -
+ name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ token: ${{ steps.app-token.outputs.token }}
+ -
+ name: Load sops secrets
+ uses: rouja/actions-sops@main
+ with:
+ secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
+ age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
 with:
 images: lasuite/impress-backend
- -
- name: Load sops secrets
- uses: rouja/actions-sops@main
- with:
- secret-file: .github/workflows/secrets.enc.env
- age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
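Review bot: The new checkout step regresses from `actions/checkout@v4` to `actions/checkout@v2` and hands it a GitHub App installation token; with checkout's default `persist-credentials: true` that token is written into `.git/config` (and, under `submodules: recursive`, into each submodule's config), where every later step of the job — including the third-party `rouja/actions-sops@main`, pinned to a moving branch and also given the age private key — can read it. Keep v4 and stop persisting the token: `uses: actions/checkout@v4` and, under `with:`, `persist-credentials: false`; none of the visible later steps needs git credentials. Pinning `rouja/actions-sops` to a commit SHA was already missing before this change, but since the step is rewritten here it is the moment to do it.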
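Review bot: The relocated `Load sops secrets` step still decrypts with the same `age-key: ${{ secrets.SOPS_PRIVATE }}`, so moving `secrets.enc.env` into the `secrets` submodule does not change who can read the copies that stay in this repository's git history; the commit title says purge, but deleting the file from HEAD only hides it. If any of the five age recipients listed in the deleted `.sops.yaml` is ever compromised, those historical ciphertexts become plaintext, so the real remediation is to rotate the age recipients (a new `SOPS_PRIVATE`) and the credentials they protect (`DOCKER_HUB_PASSWORD`, the `ARGOCD_*_WEBHOOK_SECRET` values, `CROWDIN_API_TOKEN`) when re-encrypting in the new repository, or to rewrite history and force-push. A comment above the step, `# secrets live in the numerique-gouv/secrets submodule; older ciphertexts remain in git history, rotate rather than rely on deletion`, would record that for the next maintainer.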
@@ -52,20 +63,31 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 -
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "impress,secrets"
+ -
+ name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ token: ${{ steps.app-token.outputs.token }}
+ -
+ name: Load sops secrets
+ uses: rouja/actions-sops@main
+ with:
+ secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
+ age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
 with:
 images: lasuite/impress-frontend
- -
- name: Load sops secrets
- uses: rouja/actions-sops@main
- with:
- secret-file: .github/workflows/secrets.enc.env
- age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
@@ -86,20 +108,31 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 -
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "impress,secrets"
+ -
+ name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ token: ${{ steps.app-token.outputs.token }}
+ -
+ name: Load sops secrets
+ uses: rouja/actions-sops@main
+ with:
+ secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
+ age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
 with:
 images: lasuite/impress-y-webrtc-signaling
- -
- name: Load sops secrets
- uses: rouja/actions-sops@main
- with:
- secret-file: .github/workflows/secrets.enc.env
- age-key: ${{ secrets.SOPS_PRIVATE }}
 -
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
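Review bot: The token/checkout/sops prologue added at the top of both hunks on this line is now repeated verbatim in all three jobs of this file and again in deploy.yml, with only the `images:` value differing afterwards, so any later fix (the checkout version, `persist-credentials: false`, a SHA pin for `rouja/actions-sops`) has to be applied four times and will drift. Move the sequence into a composite action such as `.github/actions/checkout-with-secrets/action.yml` with `app-id`, `private-key` and `age-key` inputs, and replace each copy with `- uses: ./.github/actions/checkout-with-secrets` plus a `with:` block passing the three secrets. A local `uses: ./…` reference needs a plain checkout of this repository first, so the composite would do a token-less checkout before minting the App token for the submodule fetch; a `workflow_call` reusable workflow avoids that ordering constraint if the jobs can be restructured.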
diff --git a/.github/workflows/impress.yml b/.github/workflows/impress.yml
index d850c4a9..8698e9d6 100644
--- a/.github/workflows/impress.yml
+++ b/.github/workflows/impress.yml
@@ -209,8 +209,26 @@ jobs:
 i18n-crowdin:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout repository
+ -
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "infrastructure,secrets"
+ -
+ name: Checkout repository
 uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ token: ${{ steps.app-token.outputs.token }}
+ -
+ name: Load sops secrets
+ uses: rouja/actions-sops@main
+ with:
+ secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
+ age-key: ${{ secrets.SOPS_PRIVATE }}
 - name: Install gettext (required to make messages)
 run: |
@@ -229,12 +247,6 @@ jobs:
 - name: Generate the translation base file
 run: ~/.local/bin/django-admin makemessages --keep-pot --all
- - name: Load sops secrets
- uses: rouja/actions-sops@main
- with:
- secret-file: .github/workflows/secrets.enc.env
- age-key: ${{ secrets.SOPS_PRIVATE }}
-
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
diff --git a/.github/workflows/secrets b/.github/workflows/secrets
new file mode 160000
index 00000000..d5e83b90
--- /dev/null
+++ b/.github/workflows/secrets
@@ -0,0 +1 @@
+Subproject commit d5e83b9046fff0a0af12088f61cf237aa5573d54
diff --git a/.github/workflows/secrets.enc.env b/.github/workflows/secrets.enc.env
deleted file mode 100644
index cb03d95a..00000000
--- a/.github/workflows/secrets.enc.env
+++ /dev/null
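Review bot: `repositories: "infrastructure,secrets"` in the new app-token step of the i18n-crowdin job does not match the `"impress,secrets"` the same step uses in deploy.yml and docker-hub.yml, and this job then checks out the current repository and its `secrets` submodule with that token; `infrastructure` is a scope none of the visible steps uses, while `impress` is one the checkout may need if this repository is private. Use the same minimal scope as the other workflows, `repositories: "impress,secrets"`. The `uses: actions/checkout@v2` line is pre-existing context, but now that the step receives an App token it should also set `persist-credentials: false` under the new `with:` block so the token is not left in `.git/config` for the later gettext, crowdin and node steps.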
@@ -1,24 +0,0 @@ -SOPS_PRIVATE=ENC[AES256_GCM,data:FK3PweZstvwslF18oRQNnqY2vTAdNNBWiTxRpuULnRnJbtyeula/MU5E08pImMGDvMXZulOgbmuXUHrKb31P6HG2Cz5MBFGhqU8=,iv:gYCDkAtBe1ldjSjVV/jDFYJTceqODpDRr4TRE9pxgb4=,tag:U7B3L4+SOoxVLBGW3GtrDg==,type:str] -CROWDIN_API_TOKEN=ENC[AES256_GCM,data:r0niJ4YBSb+s2Fg9EXkqgegw8JeQIwu27pfDTndjhbcVZW0/tihn5IZjercX3k8TpOuzPYei8k0JtmnjfBMi9NY3pYr80YCWDzUGqUKubyw=,iv:fF7SzhfsoiF53xdMm8BdPy668nYWBTA4r2aIfhUAd1Q=,tag:HskvnLyy5QTQnDv99Jmr1g==,type:str] -CROWDIN_BASE_PATH=ENC[AES256_GCM,data:jC8utvhuMmQ=,iv:VmHB9DX52YnGGWZEm1hD+zeUffypsAhwQQpox4t5png=,tag:cbQ24lWq7g33fJduMgmvuA==,type:str] -CROWDIN_PROJECT_ID=ENC[AES256_GCM,data:xz8mo2fB,iv:FcsLzOVUxxhcibXiIubIhtbdjCUXiIQpuGdBdNpSE8I=,tag:CNKUYvSlok0WFyFaKXR5QA==,type:str] -DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:R9ktuIb579tbe+M=,iv:nmn3wlOc88VL4kGyKLRIRIuVqUu8BuWKtHUjjex+zRg=,tag:fGNtJmMB2iHVGMeLBz5RwQ==,type:str] -DOCKER_HUB_USER=ENC[AES256_GCM,data:LJzr2mftjw==,iv:iwFvXHttIyydyNU11ZZH97oBp/DwTn5hlLQl7CqRWa0=,tag:qntAkpeNG/wOZim5K/8w7A==,type:str] -ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:+dzTPg4mVqDLu6ac9xf2D4eccaKIvAosBBXpwp+QHZwTEeWGNm0GRaVzOx0gU4CjBNU9og0buYdi,iv:mhgVc5dBh1A1TVisGe0c/MO4EnXSb0ZQ2NL85QJzwaI=,tag:cT6Sa/GRJ94ss7yiL9pH2g==,type:str] -ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:meQqbpT5gx5K4fW/WWmIQ9vlHjrQsVfGbdiVWm8YZf6EIm9xHWmTcflYxBqfvgWWen84NKWqt0uzl3+m1eDnLyE=,iv:wyIp0baJsw9jFu4z09xirr6qSpxK8aO907SEvce98/U=,tag:FaW5+x7r+fj3R9yq8ataTw==,type:str] -ARGOCD_PRODUCTION_WEBHOOK_URL=ENC[AES256_GCM,data:9xN9mA1JSw0L2wYxpVfG3uYiLPGo+OuziZTQ8PAMy3Cd+AmDWXcT0AInbhBMQsw5Og==,iv:8mW3YYhXmP9EqA25jwevIT4ccUxfgJU/B17XBasl6Dk=,tag:EMDk1YQj6eEinoBSgRo+7A==,type:str] -ARGOCD_PRODUCTION_WEBHOOK_SECRET=ENC[AES256_GCM,data:Y3pRbqpxtZOJi4VfRRx8WIZKJQuSaVePG0b1kmZ2UxWhfumFsvll91blpZQQIWp42AEgJhUfFz7lgGXtNZc=,iv:GBG4AYYEo50H+GC6Auzdabsj9XGMKStKp6bfqy0iWkE=,tag:qpjnB/K3Glq/Dziav6OXqg==,type:str] -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMkZsNEovb2xpWjIrdUpG\nUzArWFlLejB1UTBDTHNJOENybzdRSHBkVVJzCmdWeW1VYUtxejBaWkhvMjEySFNm\nWmlJZWVVMVA2azJhUlBXZ0VrbnNsRGsKLS0tIHhTU0hFSmVnWW9GZE1UVGZMUDVw\ndE1RdCs2OEh1U2Q1WjFkYVNDOEVYQjgKxHI1W+DT2yMW1+0QUNDVdbeo6IvRVEig\nK1WrTM1VAmsji9xuvJQW9uKvYxmHo7OFZzkkNTbmLcJ4wBSNYilh+A==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x -sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3OG05S01xK2J5aklEMitF\nNEtYbSthTVJHMk1oNmxkbjBvUkI0a21heXlrCkNPNjh1ektYYXJNVzVBMWxWKzB6\neHd0blE3U1pQdnpXbVkzZGVOdnh4aFEKLS0tIGUwSmdoZWxwNTdiWDdER3ZNU2lV\nZklBdHVERVkzcHZaZWdoM3pLMHBzSDgKTL1ipaUAFXOtGSu1g+pkfr+W3NlJJXcy\nl/yzxbLzPv2MSR09ZUFS6Km97/aTQDkCodt29paHEvRUDhR+oYCDVg==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_1__map_recipient=age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 -sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUHRTUkpaaFhZUm1tUFRU\nNU5sZkozcHowTUdoejV5ditibHc1T2V6M3lNCit3OS9TeUx5UTZOTFVibjRaaGR3\nNlQ3WlhKZUNzaUJHNWVLajNnZ2U2RnMKLS0tIG9qdVNFVE5jOHAvSWcvcnVla0hn\nMlg1YTg2b2MreE16Qy85R09pa3ZxbEEKoPB1pOmc5FmSKIwQ017l05Lm+LoNH2KC\ndxSUkmw7n1tVkPKGtgbEcoR04mMm+4ANdXNetu3Goih1bvtjgWvUuQ==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_2__map_recipient=age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg -sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaDVPTVBFVzVxU3JPc0RM\ncTFlSUVzUXpKKzFyTmQweGNITVZFNUlheENjCkxtOU5QTGRMRmVRZ2hrQkY5SXM3\nTmZNU0NGc3VSZ2xOZlRIaTBXOSt2TXcKLS0tIEQ0bVhYSml0eXFLS2lCOFMxWGpS\nWE1tRTFDektsRWVYSHp6eTF4MVJQU3MKfskxXtc6JI86/xdjMRsVTmG0x+jLx/tq\necUbexvI56TOVFThd1Iv2QYnfD48OVstpH1QEpM42XQTRLsrj07gPA==\n-----END AGE ENCRYPTED FILE-----\n 
-sops_age__list_3__map_recipient=age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 -sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aXh5eTVZR21TNlBIbmxO\nR0FPNXlyNklucFNwbng5eStmMlNCNi9VYTJrCkZsejJqNmtxRmJlekN2czg3ZUls\nVTdKVWd2eWtpQUdBbGUzYWR4bXYwVW8KLS0tIEJnS2hDQU5CM2NVc3RsQjlZL1FE\nVGYyYWJ6K2gydVFCbUhYeWNDN2RiWjAKHD7/sZFiGD3+Xz5O/Yajb/gEVREWQB/l\nAsquVroBF4A89QUgbjZSYsHJcWuZ4JZXBX7fGSZwio+8+nhjvy+EhQ==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_4__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw -sops_lastmodified=2024-05-24T13:55:45Z -sops_mac=ENC[AES256_GCM,data:gJViDK19UzUaOT+3b9cUJ+634dgzSkamqcj4031pyhrjCVb7FtRu2B8T7vpZObY3dB3mSCtfJKzKoJRhCjYDTd8YdASIOJyep+6K4JSWvKtliZ46syDQaSSTgPx7WaeLzVRpEpBq0adt6ngKTttbhIvhYZD7Kc3Tz3TcMCmEQhg=,iv:G9tzca7nZrBCNowEYpUkAiraVGxUv2732xwXCizJ8X0=,tag:yYt3ppmVYR+lba//lRNpdg==,type:str] -sops_unencrypted_suffix=_unencrypted -sops_version=3.8.1 diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..8c162859 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,8 @@ +[submodule ".github/workflows/secrets"] + path = .github/workflows/secrets + url = https://github.com/numerique-gouv/secrets.git + branch = main +[submodule "src/helm/secrets"] + path = src/helm/secrets + url = https://github.com/numerique-gouv/secrets.git + branch = main diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index e1f75002..00000000 --- a/.sops.yaml +++ /dev/null 
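Review bot: `.gitmodules` vendors the same `numerique-gouv/secrets.git` repository twice, at `.github/workflows/secrets` and `src/helm/secrets`, so the superproject now carries two independent gitlinks (both at d5e83b90 in this commit) that must be bumped together or CI and helmfile will silently use different versions of the secrets. One submodule at a single path, for example `secrets/`, referenced from both the workflows' `secret-file:` and the helmfile `secrets:` entries, removes that drift. `branch = main` only affects `git submodule update --remote`; the pinned commit remains the effective version, which is the right property for a secrets repository, and a comment such as `# version is the gitlink pinned in the superproject; bump it deliberately` above each entry would make that explicit.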
@@ -1,13 +0,0 @@ -creation_rules: - # Here we have - # - Jacques key-id: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x - # - github-repo key-id: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 - # - Anthony Le-Courric key-id: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg - # - Antoine Lebaud key-id: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 - # - argocd key-id: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw - - age: - age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x, - age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7, - age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg, - age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3, - age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw diff --git a/scripts/update-git-submodule.sh b/scripts/update-git-submodule.sh new file mode 100755 index 00000000..670cfef8 --- /dev/null +++ b/scripts/update-git-submodule.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +git submodule update --init --recursive +git submodule foreach 'git fetch origin; git checkout $(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx' diff --git a/src/helm/env.d/preprod/secrets.enc.yaml b/src/helm/env.d/preprod/secrets.enc.yaml deleted file mode 100644 index d9a010ee..00000000 --- a/src/helm/env.d/preprod/secrets.enc.yaml +++ /dev/null 
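Review bot: `update-git-submodule.sh` has no `set -euo pipefail`, so a failed `git fetch origin` is ignored and the following `git reset --hard` and `git clean -dfx` still run against whatever is checked out. After `git submodule update --init` a submodule is in detached-HEAD state, so `git rev-parse --abbrev-ref HEAD` prints the literal `HEAD` and the reset targets `origin/HEAD` rather than the `branch = main` declared in `.gitmodules`; it also moves the secrets checkout off the commit pinned by the superproject, which is the reviewed version, and `git clean -dfx` deletes any untracked or ignored file (a locally decrypted secrets file, for instance) without asking. If this is meant as a helper to bump the pin, `set -euo pipefail` followed by `git submodule update --init --recursive --remote` honours the declared branch without the destructive clean, and the resulting gitlink change should then be committed explicitly; a header comment stating that intent, `# Move every submodule to the tip of its declared branch; commit the gitlink change afterwards.`, would prevent it from being mistaken for a CI step.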
@@ -1,62 +0,0 @@ -djangoSuperUserEmail: ENC[AES256_GCM,data:H1jUBjaAYNQyKTx+zB2PQkhQmTTbEcI3eKlc1hM=,iv:NybOri6oWGyPGOkLqumTuWOjWxd3EbgyfEntO1fj48Q=,tag:WbV3r01/D/vgp7oZ2iEauw==,type:str] -djangoSuperUserPass: ENC[AES256_GCM,data:xphbGcEf7V8LUvAkOg==,iv:3lUDI21WUoDmTSKN4X/i39XQPTiL2SRfpeDYVzgEtCY=,tag:2F8Llk4DNVdN+VlbmYxtaQ==,type:str] -djangoSecretKey: ENC[AES256_GCM,data:otw8d6DxHmCYI7NDjG2/8LuHw7opYxA/a2YJRFbRI4q6k5rEm3OZQXhY+a65CjXsLmk=,iv:0LTA6FDXIhOquOhFl3ccf1jB3MM6SMpJZjPc10IH1JY=,tag:s+qHB6EVy8u6LN5joVncFQ==,type:str] -oidc: - clientId: ENC[AES256_GCM,data:8bKg0t3yX7c+yQLxwsS7MdOBjBISQOg7YJqJA45O+BPaq0cN,iv:mIc64r5yG6tZqs8KALtje1OePaHrw0NIrI6wUyxgiho=,tag:xSiJaaZjXrPrpFTrd4fDHQ==,type:str] - clientSecret: ENC[AES256_GCM,data:PyfBgnuhbOzHH9vXoEcofipo+LkSJD/NVv0tNqyn9krWGCmkcIpKoE5PwN0psabJr7OMM8wgdIq7dQOwbo7qlQ==,iv:DJygUtIoMTa/X53pd6J//3eZbeBLCI8cmovjhXyqhew=,tag:O2Cs6Ro6SGkBvJkJArWr8A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTK3JVSUowZUhRemtlbWly - Z3ZEZ203eHNPTTV2dFdnSktiQ0dMcG9ib3pJCkpTSTlIWnFwNFpWRXQ4QldSSlRY - dFJGdEUxTFZ3QUNpQkJXSWpjNHA4MU0KLS0tIFdtSkpoN0h0TEFQWXJlcDgwcVln - dEtiQTh6ZlMvTTZQOUpIaFR3TFJCQk0KaO3OyygbuCWIuFNy8qE5KyePaSYgzdV9 - 2tOss1evqVR9weI7eH9Ir3bqIyLIPPdKAz1iyEVusI1Ah3SBv5CgEA== - -----END AGE ENCRYPTED FILE----- - - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Q2x0WjltaE51ckpTaTQv - WDVjVHhKbWFDdys0Ynp3ckdFN05NYzNmU2dzCjBMRXE5YnBpemJGcmlsUHRJQ011 - eWl3TGlOaWFQOE9ZOG53UFJHc1pMTncKLS0tIDJIZWdZOE5wTTc2Unl3dEc5WGJv - ejFxeWVVT1NBYWdQYXViL2V1L2l5ZTgK80dqSiXOlokM+aZ429qbsgzrfOxVd3/y - XHSyBN9kTQxR7Dc62B6ynsVbpVXNtrIZ665hoZenG3JGHvbQ55b6HA== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyLzlNdkFlWWEwamEybUVC - amlVZm9mL09haktlWkg1UXNLODA5VUtuTUFrCjlGN3JOVnlyTmppQm1ud2k2QStN - T2NJSCszdTJXb1FsclVOdTh2QUJOU00KLS0tIDBVaEcycXhuWlNtYXVLSithaUZp - V052NFpsNGoxZlRra2R5TzVIQ3JKYjAKMzf80YaXkzsl1FtS2w9KDXk/vNO3fP6L - YvJDA2hXap1FyKRFV9cM4NsuxY9ELlsfhduxhH3a11YH95ZTkhs9aQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMSkZPd3lYZXgxYityVDE3 - ZDFmQU5lTTFYMDRJYnRNZFVqdDkvTmJ2Z2xFCmR5SGRzd3FqckZKYTR6QjZUY1dI - MTdWWXY1bUlpLytWQVVZdDY1dmRiK2MKLS0tIFFaQXY3K3dMTWo4RnF6VjEvRUd5 - UjhkaXpVMm40ZmFBSTYxWUp1ZnBrdFkKhHW1f9liTP4j3wsejMqHCFujbUquhuFY - eADVM66fkjyjQMmzFtneBCJMJ0e+LHoMUMVDO2a3SaZYTaRj/ZRvLg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYalhTWlhocklJN3N0eFBC - c1FjemZlK3cyMWxrbnpEWnp2Nlczalo4RWxVCmtvU0NKdnU3Tk5JdTJIUUhuc0dB - UlBrOWtCMlM3SW1PdEVlM0ludXpicTgKLS0tIGVWVHdXNWdOSENGZmFvNk50bENV - QnlsM3BKYTRFMDJqa1kxL1VtMHlsT0kKiJCMZLjdnIkLZxaZ3ecCxNsirnHApgi1 - jgJZWXFCgjAVpuaqDfH2taElVR9Bm9ATjKjQPlvYZhguHdy0iJh++A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-24T12:41:08Z" - mac: ENC[AES256_GCM,data:QYNpy3qpYJgcLShlr0nCGG6XJz8BTkIvSvuGbh2mxO/W+0SlTbsi3hwqpXW0zoiPMy/43BBqa9Vs0y+l+kYLE1A8rRuv1+EljvzDZfvPfwZ+L/mdNNiRExtqbjmaTShKJqqklz8s2k4OvEA6ZI6QCiB7RIb/r6zl91/Yc7BC9Pc=,iv:1jOy/rnFA/Lf2QG7RDXiPbdwT04JdOiB7vHBAFBVGm0=,tag:/5U1/DJA10+4jzdecQKiNQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/src/helm/env.d/production/secrets.enc.yaml b/src/helm/env.d/production/secrets.enc.yaml deleted file mode 100644 index eca9c955..00000000 
--- a/src/helm/env.d/production/secrets.enc.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -djangoSuperUserEmail: ENC[AES256_GCM,data:N985+amM7QdZ89YOeCEFvwO/aFJmO6Z6thknPT2ncaE=,iv:AqQuXE6EtIrASdHyEhTzYmM2gUrz1N4XFdPsy3OJHz0=,tag:sF3H2JxFbr4yq2+AkSXM+g==,type:str] -djangoSuperUserPass: ENC[AES256_GCM,data:VRPRDysrsHT110GZoijW,iv:dMqFmz4jVC4J0g2xsFD/gKePpKqje9ab0Ugyho8TCfM=,tag:FylXCjsgUK3IQIG+ROjOcQ==,type:str] -djangoSecretKey: ENC[AES256_GCM,data:PcctSlUFDjOlSgh8iSb6JOq4wqr3qDeVs6ew9+53,iv:b0llP1uZ8Mh4WtJ2dUMreA9uE+8+qe5IkYn8uCIP2gs=,tag:kRZUSXvLO5bA0jCQM2GxTQ==,type:str] -oidc: - clientId: ENC[AES256_GCM,data:qgyrML58jGGW4xAD+1pzOBF5EadwYTvDahEquQgoeYIfd7X7,iv:K9KqcrOc+Sfo1KCDYQZmDGseJFB8soG0ulp0ucsQLG8=,tag:GYd3tywb8Row9EzJ8RkWqg==,type:str] - clientSecret: ENC[AES256_GCM,data:Kez5KFNe8s0yIg+rcFGSsxxzPJubAmwGfd3pzi3Er/yF4D983kE8bkHWPd5d3O5UMr779bGcsG+qeY0S9AJ8gw==,iv:bG6pDYz0QS76cvCRUCp2p4BsyE/mjp+897oW4jxAoak=,tag:HpUbfUxzsDBM+VznBTJX7w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2VlgySmNuWjVrdmxyODJK - cWcrVGVDM2IzS1JERllEQ1dwR0R3UklxUGlJCjBHdkQ4NEVFNTUwUWt4eXE5Z3Fq - SGVBb29USHAzRXdZN3ZJS1pyVWJZSkUKLS0tIHE5UWVKbGE3NHJ3dWs1YUFzaS8r - RXdmaG1SZzMyYk9UVDlNMDhXM2Rnd3MKWgsYrP5q2vbtMmZ8S0KpPPzjm1QGPmAK - z+TddmJ3KVVyiwcRG262Anq2E/+zCSJICxMEF60YnjYHPdxTkCDLuw== - -----END AGE ENCRYPTED FILE----- - - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOanh6MkwxVUlSa3ZDVVhN - QzI0MkYwZ2ZNSDZSNHBqQ1VJVzk1MnVIem5jCnFBUXBVVDZ4ZDAwM0V2OXd6MTFU - eWRac1BoK2h4ZmVYWlJlRElqbGROT0UKLS0tIFpXK2xNTnVxODV6TjlTd29Fc0Rj - VnB4bVZvZnU3TEd6NytacGc5OG1yUzAKE10zsCu2KsK+akHMkIIheSjS8Mdmikbv - oLqf06IkB7Pr+jmUF+HO+2vPFdK+C5ugeu8j7plTbflWizYQYPeDzw== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0QUpSK1R0bnlCai9RTzEr - ZzZJbWdFdmdINDdOV1Z1SFlUdjNHNHpHU3cwCk1nS0xrL2pvZy9POGRqZDVubjZy - dWFPRjdyd0pSdEt2U2tRaVZzL1JGL28KLS0tIGVyZkd1R0w4Y1FFT1ZVLzZseng4 - ZVE0dXVqTWVuNk02WHpNUlp1RUFhUFUKG4HV2XncM+YTG5FQc3jA4YUs07O+kXjW - s0/wBXqIR4cpvj+xvi3OY/odGAq76Iy+RHJmwcnJ5tJwDq9IrYTCtg== - -----END AGE ENCRYPTED FILE----- - - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONUVna1NDMXNZalpNdUlQ - ZkpmOCtUVmg2SWlHZUJJaURrUFVydFRkOUc4CmViZXdQT0x4K1N2dHZVQm9LMW1r - LzdkREdhSFdhSmkyN2pVMlBZQjhreVEKLS0tIEJSdXo0YW1FWGJpUmRNbDF0WkpF - RTAwZXJFR05ob1ZpdUVnc29USHhIQmMKflq3jyJc2MDRq9Pa4HP25wkyBFctV4q4 - pcMM680vUv1v3g9NERM6GGx1d3GfZS0m/g3kYM2DduyXLmYfVZu2SA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbDVBUUdvTjMrRDJHK25h - OVRjK1BpSlRCM0NYekRKZ0ZuSXAzT0U2UG5RCnpSU2NRQWJjVWttQXBEM3hHUFhk - UmkxUG1mZENUNm51K211WnRHTVZlQlUKLS0tICt1a0o2aXlSTXdma2paQnNwZVNs - eTkxalhUQm1OZ1lBSmVzYmtXOG1TMFEK2yaVOVuPZ+07KSA0VB4EQbuewXJkcdjm - IHzP/kAkC7g7cvfBmAGlp0E0DBhrZK8hfWW3G9Kv0/BOXA3+QVaBng== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-24T14:41:41Z" - mac: ENC[AES256_GCM,data:egmz6AP9kquUa+gKnYkV73HmW5ixQrGKL+veoumbogWv7ghnV+9F7MLLJCjx1IyMy00406QTxrbkAXKQ76G1MhA5eF0F8G5PZ0Z4b8SKHONmXWcGpNGWb9lZ1WFbqozjP/EBQOwjieK76DYCar7xcec6H5niy6BDUrO08mEvpb4=,iv:beE/KbWuFvg/YHxP5ca8jhqmtnsQT+UsweFEU+ZQoiE=,tag:94kzwI1HX8h8VcmqGI6TaQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/src/helm/env.d/staging/secrets.enc.yaml b/src/helm/env.d/staging/secrets.enc.yaml deleted file mode 100644 index 5cb1d4d6..00000000 
--- a/src/helm/env.d/staging/secrets.enc.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -djangoSuperUserEmail: ENC[AES256_GCM,data:hi+ZWcENFGKlU84LR/yli0A=,iv:Zgfz+8x1PLhDL0rHd4idH21hPmAslw8mWXzknC5i9MM=,tag:533v4b/1y1mDD7C2nBqGsw==,type:str] -djangoSuperUserPass: ENC[AES256_GCM,data:AAsV3FuAZJ5QzIlyOw==,iv:YfeWOEqgZHQxmI6IfPOWHPRoMyaej6SJH7OUgj8yDWQ=,tag:VXJ/VhzcqE/WarwjPxzIvg==,type:str] -djangoSecretKey: ENC[AES256_GCM,data:/JVAyc96seMRTiyGEw/0hSSacKfFC4eQXJGo+Nu5ngAicrnHJqPa0fq9pJq63kLfLgU=,iv:gdMfxI8HrzmdcdV4C+VfgxikT/O6SptQFmkRhikS52U=,tag:O7xSA14bQtcxNb8sZwZh9g==,type:str] -oidc: - clientId: ENC[AES256_GCM,data:qFMt3wOxi2N/SLbHsw3nlqYjXCkcW8Dk1tJ1GexM9nlnhuLO,iv:bQpKzMNZv2Kcm6blDWJwbKiSjUAFjVwEUalLqgylaTY=,tag:Wm4NioIktA+p9XWldEWDbw==,type:str] - clientSecret: ENC[AES256_GCM,data:MiYBGSyuJDcf1f8//7p6L1SIY/4f0f7lKA7OLcbojaZ28q8hh8cr0fPU9s+ftfQe4Ztxg/0wSX/QSUEP4DtiXg==,iv:HrbljXaj2Ki6ElINPoVvaZqn4gyThBLT4SKQDJ0oJrA=,tag:N5i1vqqxlMX7nOb2ymGFHg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreXo5bDRITnYyVE8wODBC - RkVsRlc1V1dZZHltYWg1UTRBcjAwK3pJSkFvCmlmczNPMVVsU1lSRHhTWStiZEN6 - ZXFhcFcvaXVEMHJtWXdWV3lDUlhaR3MKLS0tIFZ1R0hHVEttUWY3T1pHTUwrU2Zn - TFJzd2ZHZFFmSFdwY0YyYmd6dnFRQkUKJH+7TZtZvl/L6vRq9gwhDhWj7gmcq8Zn - WlYcRcrqNDBweDwSlER80DhF0xuS0Ero0bh9cr/HiFPwZZ6RxUJoHA== - -----END AGE ENCRYPTED FILE----- - - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UU9nenMwZDlrTkJOZzZu - dmVvVWlBKy9wTVVlRFlybzJldDJoZ0xjOTBvClIyL3M0TTFtL1UxaitnZUNGZXlO - ZVRYVDBsYXphaTZ4TmdGbXJFOHpMMzQKLS0tIFdJSkk4NnZMYTJtSE5sMVoyYU9Z - bjlkVG1QQnVXUXhuK2JXN2ZnWmtQeE0KGbOeGa2hIPrrDcfQ64GEjTR0ZeCyIIZK - 2bxSivdOw+1I96+OOIqjvGaa12FfPI58uizldaI0+hSY77vT4sr/7Q== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVnhHdmpjK2hsd2d4Mk1Y - UlE4NHdjNHAwbGM4K0ZOVFkzd0JiOTNzYW00Ck9sVnoyRXJFa2F1SnVxemV3b016 - MzJzZUNrVVNPYlhkM2hDK0ZiMEpCNmcKLS0tIEdseGhqZ1dLeGh0TE1tSDRldWVk - M0hDVGJaN2Jmc004TFYzSGJOTEVDNVUKB3TenK4RxkoGRAzX2AlcbyCddGfHte3N - mSEUuy0ig2tlF0eL0yA5GR8BIfGEEMQS6tJCliUsKwC6M233mkD0tQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdHFEeVUyL3d4WVdNaTJ1 - SU9PaG1vSG5YUXpobFhCbnhhNlpwWGZaaldvCkFrWTBSNWdWOVlBeU1sQWUyTlFy - QVk5QjJ2UmNhRmVVMFgxZ1lpdzNKVmMKLS0tIHF5VjVJcVV3Zk5uUFhIZEljMzAx - SUNyejQ4alppMC9tanRFeCtBcndHaTAKfBO4hj5T/bdwbvK8hbEvcAcjuLA7oxg9 - eSWcPZp27LhXMaEwnDlFnLDFEMic/WU6HQBYcSCpt+n98Y4z9T1q2Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UGxFUlhiVDNIRTVhdjNO - ZEZLcDhrUjNNOGZ6a0lvcFRQa0pwMjYyL0hnCmIyQ2tTVXRocFRvNmVkVENXVUEx - YnpySzF5RXA1djlMSlhhcjRVdlliTmsKLS0tIGtwb2x1cmlKMTkzTUxENi9NK2ZI - b2dKNENuQmorTXZtdVhLNGo5UVBPZzgK1gaZkRtxV+BVO1lX25XXAonvyrK7V48d - oAHG/v2OyD7dJJKYmHyIcrWLCRplgQb2r7t6gLSr0llf9rbWQhmkiw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-24T10:35:08Z" - mac: ENC[AES256_GCM,data:A6YUQM3N2DwqjPILfPT4Nc6vlpu52c8qa2+5OJABL2cz6jzvhO2e/0CzJl7P/bOYhlYMpHHeCTX3jk2DMyppuDJsqBN5ouw2oDe/S8WOC9xaKWRxqlgkD93K8ZCYGad9sS58BJN3upBEjln+yu/2trihOsEi6pCQkB/Jrmbe+Qo=,iv:SRgaH9W6FApY8qf8HGfdMpiErx+FOnJJBAd/op93Bxg=,tag:IlDeS9weVroGKhOvU3xwAw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml index 2e0cba8a..15bfcfdb 100644 --- a/src/helm/helmfile.yaml +++ b/src/helm/helmfile.yaml 
@@ -48,7 +48,7 @@ releases:
 namespace: {{ .Namespace }}
 chart: ./extra
 secrets:
- - env.d/{{ .Environment.Name }}/secrets.enc.yaml
+ - secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
 - name: impress
 version: {{ .Values.version }}
@@ -57,7 +57,7 @@ releases:
 values:
 - env.d/{{ .Environment.Name }}/values.impress.yaml.gotmpl
 secrets:
- - env.d/{{ .Environment.Name }}/secrets.enc.yaml
+ - {{ ne .Environment.Name "dev" | ternary "secrets/numerique-gouv/impress/env" "env.d" }}/{{ .Environment.Name }}/secrets.enc.yaml
 environments:
 dev:
@@ -69,15 +69,14 @@ environments:
 values:
 - version: 0.0.1
 secrets:
- - env.d/{{ .Environment.Name }}/secrets.enc.yaml
+ - secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
 preprod:
 values:
 - version: 0.0.1
 secrets:
- - env.d/{{ .Environment.Name }}/secrets.enc.yaml
+ - secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
 production:
 values:
 - version: 0.0.1
 secrets:
- - env.d/{{ .Environment.Name }}/secrets.enc.yaml
-
+ - secrets/numerique-gouv/impress/env/{{ .Environment.Name }}/secrets.enc.yaml
diff --git a/src/helm/secrets b/src/helm/secrets
new file mode 160000
index 00000000..d5e83b90
--- /dev/null
+++ b/src/helm/secrets
@@ -0,0 +1 @@
+Subproject commit d5e83b9046fff0a0af12088f61cf237aa5573d54
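Review bot: The `extra` release in the first hunk switches to the submodule path unconditionally, while the `impress` release in the second hunk keeps `env.d` for `dev` through the `ternary`, so `helmfile -e dev` now needs `secrets/numerique-gouv/impress/env/dev/secrets.enc.yaml` to exist in the submodule for `extra` while reading `env.d/dev/secrets.enc.yaml` for `impress`. If dev secrets are meant to stay in this repository, as the ternary suggests, the `extra` release should use the same expression, `- {{ ne .Environment.Name "dev" | ternary "secrets/numerique-gouv/impress/env" "env.d" }}/{{ .Environment.Name }}/secrets.enc.yaml`, or better, the base directory should be computed once near the top of the file with `{{ $secretsDir := ne .Environment.Name "dev" | ternary "secrets/numerique-gouv/impress/env" "env.d" }}` and referenced as `{{ $secretsDir }}` in every `secrets:` entry, provided helmfile's templating stage keeps the variable in scope across the file. Note also that `.sops.yaml` is deleted in this commit, so any file still encrypted here (the `env.d/dev` one) has no creation rule left for `sops updatekeys` or re-encryption; either keep a rule covering `env.d/` or move dev into the submodule as well.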