From 8fbc4e936ed778120fea5a6bbe761054faaf89e3 Mon Sep 17 00:00:00 2001
From: Jacques ROUSSEL
Date: Tue, 23 Apr 2024 10:53:38 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=92=9A(ci)=20improve=20secrets=20for=20k8?=
 =?UTF-8?q?s=20deployment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Avoid secrets to be visible from running deployments
---
 src/helm/env.d/staging/secrets.enc.yaml | 71 ++++++++++---------
 .../env.d/staging/values.desk.yaml.gotmpl | 20 ++++--
 src/helm/extra/templates/secrets.yaml | 10 +++
 src/helm/helmfile.yaml | 2 +
 4 files changed, 64 insertions(+), 39 deletions(-)
 create mode 100644 src/helm/extra/templates/secrets.yaml

diff --git a/src/helm/env.d/staging/secrets.enc.yaml b/src/helm/env.d/staging/secrets.enc.yaml
index 97863ef..4d2caec 100644
--- a/src/helm/env.d/staging/secrets.enc.yaml
+++ b/src/helm/env.d/staging/secrets.enc.yaml
@@ -1,7 +1,8 @@
-djangoSecretKey: ENC[AES256_GCM,data:dVq/508Au7M/Z0KqVKfaAQ1Qv0NR9EixneJXgcQLYPqr1zALAs8YdTfAHO97ObkYguM=,iv:TDVByohsak3njekbj7gPcYqWzBAxFAEn8Y7EpnyZiRM=,tag:Qfsp/PTbJghPNsJJVf5mnQ==,type:str]
+djangoSecretKey: ENC[AES256_GCM,data:a2U6gDdfHHCHwHfo6zr4Z3H6CPkFLMwFPHVtaZBaB6aSBtF/bLVXqcnuW1X4E41LUKY=,iv:QIF4j7XRNRCceYro99+KODETLPAcIsz4QRifqPFmqvs=,tag:qZbrTphZSLXs6QhB9pPtnw==,type:str]
+djangoSuperUserPass: ENC[AES256_GCM,data:T/OHS1w=,iv:wHVoRx6zeEj0G4CL1en82UH99L55fccZ8dovyFabs0w=,tag:xmpXfxdJlFZqTsEKLytnxQ==,type:str]
 oidc:
-    clientId: ENC[AES256_GCM,data:nTlAk7Vr/FmofOBVAzI9cj7PXFHatGyVsM0ujGP9uxiP9Cdt,iv:bPQ8W2jvZ+k+dDTJngCa1iVkWUj5RJhgx+Hm4uNt7Uo=,tag:PyjfXpXvQFw6886GGzS7qQ==,type:str]
-    clientSecret: ENC[AES256_GCM,data:hSPwOFDXP+ZPDA+kLYhdYTUhHC19qad6oTEuM4tvwN/+ZEmI8TCMadQoMGUdAHHQGogk3fdnnQyNW7CdLwz0Xw==,iv:z30xOFiObn4vPanJrKjeHtpDzUMI9XnivgokoC5zDL4=,tag:+50pbXgqmMZHCWMnnoi7ZQ==,type:str]
+    clientId: ENC[AES256_GCM,data:we8mFFJU5ykzLCKvFyyKNka1tp2QyA0IdgmQq6sIgfdC7rFf,iv:AQOyxxH5kngAoyJHLG+BKzG0MgiKjveEd8R0/3CDokU=,tag:alAFpbBqVZXtOaQ9u1fugw==,type:str]
+    clientSecret: ENC[AES256_GCM,data:93dsKs8h+AskewLvLJ8l+z2VYpQPt9GBCrlWAGjzDoGimKzMnj/VaFWxg6khIIfxmsBdrQc93fw3Aw4y9J3dvw==,iv:YwFlgB9DP4NmIGF3lXktyQ+J1kW7H3jB/+Uzn/jcn/o=,tag:1/V5avC3YN2rWH6dSiFfIw==,type:str]
 sops:
     kms: []
     gcp_kms: []
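Review bot: The new `djangoSuperUserPass` ciphertext `data:T/OHS1w=` decodes to 5 bytes, and AES-256-GCM ciphertext has exactly the length of its plaintext, so the encrypted superuser password is five characters long — sops hides the content, not the length, and five characters is far too short for an account with full admin rights. Replace it with a long randomly generated value and re-encrypt before this is deployed. Rotating `djangoSecretKey` and the OIDC client pair in the same commit is the right follow-through on the commit message, since their previous plaintext renderings were readable from the Deployment spec; the former hard-coded `admin` value also stays in the git history of values.desk.yaml.gotmpl, so changing the password itself, not only where it is stored, is what actually closes that exposure.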
@@ -11,59 +12,59 @@ sops: - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYy90Z3ZxbjdldnRoaDJ2 - VHlHeDNQVkY5ejZ0Y0F0NGJ2cE9uNlRkVHdBCkQ4ejdSZmxEWmpodDRvcGFTa2ND - VlpXL2lGUVJncHZURSttbEw4cC9WekkKLS0tIHhrWFpCRDJvNkNOYWZzYnVGb2l2 - M3NoaGpVSlF0N1k2UXNVNFRTWTlNa0EKaGkcGVgeJFTv844UQ6tBY5hT18PoRhh4 - uIL6bH2Bs6P+wIbmuqwKhba8muS9rWbvFJppD8N/htJT2ZzXgmZAvQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOci9hOVdHT3hPeGM0S2k1 + YnBscm96RFBWUjNxZ1JYK3JrRGJSQ0NhaUQ0CmNTdG0wRjhRcVB6dGR3Tm1KVWpp + OU1iZzVwbS9CTml3YTJLcWc2TGpsek0KLS0tIGR3NC8yditKVzhSdWU1VVUxalF5 + bG4wMHZzM2RuT3hCU1FDTVVvZnMvZncKN9B/IgFLDCy1FWtiaCT7pDtYO5sExfJ9 + KygCB0R9UO8eS9LIQbFy2YU5NS5v+pb0TZJdfGYGrNdEE/0C6HU9/Q== -----END AGE ENCRYPTED FILE----- - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUkhaS0lEbGRrRkxpa2wz - VUlRMFFYbVJpa0tJSjBKUGlPVXE4NW5XUmdrCjV0SUVTNUJCTXRnbEpIMm44N05L - R1pWTWVZZzZHQ0U2ZGVQdk9kMmpZUncKLS0tIFJhZ2V1aCtYTHJWNFZ3bWpibTBs - QWJ0ajN1U3NjVHVjTE9HWnRVOWdyWEUK+Fu4p4oAwAH5nhaWKo6C/MhdAo7IbkAt - qarRcXRIRlr29K4IpmbbiIZZA/e1uWxMxD1Bafj4pIFppKTQFeIkSQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNEFva2sxUFY4bWN6U2o1 + RWxPK0ZDcFR3Q0VyZnEwdE5YNmdTODdZenhvCjFuVGhwK2w4TGZTN2tkZVhCWW5W + c2VwS0Y1cGo3V3hCZURXNXhKL0kyd1EKLS0tIEtaTUhsVHQxYnc4VFd1VVZHVkRx + S1A3azhNU1V2VUNCZTlvb2VjYXMyaHMKVQ5zrzKFeaQn3EBAbnjujK0r/nTYPUdN + yrl9v/RhOmlDAkRM/2hvWdGIcZOPOEn4qKljJdXVEwaHcnFd6/VeMg== -----END AGE ENCRYPTED FILE----- - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWmFBWWhtRlR4emtWRXhG - M2Z2MVZVWFpETU9BTlRZSXljMzNsa3E1dlVnCjdWeXhLYXNPdCs3R2FTK2tiK0VD - WGc5cWYyUEtvMmVJbTRPZ25zdDNzd2cKLS0tIFNJWnd5c2tQZkwrdGx6UE1jOHpO - 
L0hlY0NLdS9FVk5FdW1md2lmU0lpQmMKZ4vZhT4Fmii9HHhJ+W9/BUkmzmzXnMHg - q8jk+pDfNR9P8Lw+95Q8DjV6uvLpw9XjOkQzm6UCNKk9/M17c4EHeQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYVF4dTBZbWtUQmRIKzZP + M0tzbHRHZ2tFTklFYjhmaWhvWG5Ba2NjZVRRCmRTczlYVmdpNTlpU05TbEtWUWxB + eXJiUDY0M0FvWW15ZUtsL2JuNm4rNU0KLS0tIE9iYUhsN244aVZXYjZqZFR4akdV + NXNOT3VEcWprbHFMVVpjQUVpdWlkeFEKqwpvWdUqRHVo7dQdMofGRJp52Fzan6UX + eVGjgedyiwRNn3xtA++ZIs5XGbxtnWSppjRKXDXRdc/ho1EVk5qlNQ== -----END AGE ENCRYPTED FILE----- - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbENsZjZsTlp2ZXo5em5O - U0ZaZWtkZjFFK0I0L3pFZDM2c3dUS09abDJrClV3ejFjU1NwZzZZaEhqNFUvQVNL - K08xMm1pR3dTOHZyY0dYSlo0TG9iRm8KLS0tIGc2ZVBzRzV1WW03VUQ3ZU4wVGZn - YnNmL1pyQk4ySVMxbXh5V1pGdDlaTHcK4R15lD5ryKO7CvgpOGmfSu8i7lbkT9EI - lWC+AXSfKmhAZzXihrgmANcoIk4zitjHOoJN/PK9DAZSskhBqbm8qA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDektxSGU1a2gvc2I1WHRB + ZmdHb1JEcGphWC8zZFJlU0VGb1lNbW13STJzCnlpaXQvRUNBa0lncGRFa1Z5bjRE + VHpJeTdGMEc5VGQ4TDVLUVhFNDhPVk0KLS0tIEJSUDkzL3BadGhFM2FPek1QY0pu + RkNLYzJZM1NoYjUwTkpOamRpcWsrWW8KHhvlWAx/ONMXW/Vk/dh1qECoW9YEaVd3 + MZeP7aUgoKj2ZvAnAIDUzdAbc579K54yvSAPjvkbpeeRUDZnf9CZFg== -----END AGE ENCRYPTED FILE----- - recipient: age1tl80n23wq6zxegupwn70ew0yp225ua5v4dk800x7g2w6pvlxz46qk592pa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMEJTOG5Jb2pjR3NaQVhV - WkQ1VnY2Ny9UcDlpcTZnc3FFQkRCRlJvY0I4CmNEMjE1Rm9KZ3BzaHhMUWpFczlK - K1JtNlZMcno4cEROMHpYd0R1MC95QzQKLS0tIHBBdWRGRVFyME1tU1hrUk9Ha2pH - eEx6Z2VHSHZOTFZhdWtVVUJWTGpObDgK8MB5SYG4oJswJEqWa274FK6YXlMoFO0k - cGibj3uCo4XWaHdV3ik9GrKg68yo3yrgsc7pyB8aSHfgs47teO6Qhg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWnd4SEhubnNzS2FCSTRq + Qk9UbENjeWFNSHNna0dudnk2MmFMMDNqZHhFCmxTNktBZm1nTGNaNlpLVWtla2x2 + MU5FcE1vK0w4dHVVWjY3a0oxWjVQUGcKLS0tIGM0c0FIZ3psRkV0V2VFU1F6Y2VM + 
VW5ta2lpTDBFVTdqQnlhd2Nxbng5OVEK1YuJ7r9brpGq2+tQeruDo4RPCGFoURkh + Cm2TTeUhf9YJfEiJeeXMzqVWUxb4OWMQsLeGoRb9FgUCv23noM30PQ== -----END AGE ENCRYPTED FILE----- - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXakoxT0JQbEdoMUN3L216 - MmRFdFRsTDhSd0tKaUpNTTlFMUptMUtOWDI4CmFnb2hTeXIzUEluTllpbStxcVZI - RytwdmZqeUhKVUQrK3BhUTRybEo3cDAKLS0tIDJXUWN3S0F6SXB1dU4za1IrZmYz - WnJhTHJvZmVuT2NkZDJnMGxBMS83S1EKY6Up5cDbV4vVZLzxm6Z7r+pTRH9Gfoun - Li7lS9Vv9WVs7yLFbJ2Iu0qEIkgkJetzMhV/bo305nai3bcZfvm1bw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTjFEcnUyQ1VWaXpqY2F1 + Q3RQRUZnei9vZWVIb1B3dEtMaDNucWFKZWtJCm1SanNKd3pwd1hyRjJBeG5McnU1 + QVhCNWRsVm5pNmVWb1l5bkNVWnpuY1kKLS0tIHBuZ1ZHdC8zaGFNQ0NUUjA3eWZk + UHdVTWcvbUZDYlNZMzJsNjM4M05ZSVEKok3wFZHGbnRpwCn5S6OZoD/2wVbzhNj7 + X4JL6jWJZ3T8RfdNlIG2mfVmOGkT7Qf9q/VJbYC3B/pK5ocWUdcjBQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T09:42:43Z" - mac: ENC[AES256_GCM,data:RHUdOrgnbTCzrcyoWKfz7qC3i81ZUIyxBzBl3xQH/kCXsVbIPhtRUvFLwgd9uhNNiiBjPfx68GwiXatSko8vPf0rj2FVaC+w6yf9RTItxWqGETS18Waf5etsFCMhJ4LYce79DJ8KFtqjB64VYF3BVgX9Cif7wy1jGklbN7cGgjg=,iv:sllxfa74NAQTGHuBufOS6jH7VSOu5JsvwzNfBK5QRKw=,tag:WN6vWKtiPkZdbaJ04Q/VRA==,type:str] + lastmodified: "2024-04-23T08:10:43Z" + mac: ENC[AES256_GCM,data:+6ssKDBr9XwJnQto+x+8Ntq72/b+FLCI8TcMmG+Pbn2sw3ifDMa7CvdQCHeeihLjvXqLnIFvI+eVW4rclUShrx7VG3rdx8c5JDtuuNryf/5r8MZP3YqPcKKGCXEkntw/DW1BazKEqz4waIdOxv+zesvs82n4rMU0N5L7335IisI=,iv:jr6kEuRasIgMuH6t2OfPp2VsHmCJiygRpfURrP951O8=,tag:C/i6cFQcbQr0H0rZaSSr+w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/src/helm/env.d/staging/values.desk.yaml.gotmpl b/src/helm/env.d/staging/values.desk.yaml.gotmpl index be64752..4fe42b2 100644 --- a/src/helm/env.d/staging/values.desk.yaml.gotmpl +++ b/src/helm/env.d/staging/values.desk.yaml.gotmpl 
@@ -11,9 +11,15 @@ backend:
     DJANGO_CSRF_TRUSTED_ORIGINS: http://desk-staging.beta.numerique.gouv.fr,https://desk-staging.beta.numerique.gouv.fr
     DJANGO_CONFIGURATION: Production
     DJANGO_ALLOWED_HOSTS: "*"
-    DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+    DJANGO_SECRET_KEY:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SECRET_KEY
     DJANGO_SETTINGS_MODULE: people.settings
-    DJANGO_SUPERUSER_PASSWORD: admin
+    DJANGO_SUPERUSER_PASSWORD:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SUPERUSER_PASSWORD
     DJANGO_EMAIL_HOST: "snap-mail.numerique.gouv.fr"
     DJANGO_EMAIL_PORT: 465
     DJANGO_EMAIL_USE_SSL: True
@@ -22,8 +28,14 @@ backend:
     OIDC_OP_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
     OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
     OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
-    OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
-    OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
+    OIDC_RP_CLIENT_ID:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_ID
+    OIDC_RP_CLIENT_SECRET:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_SECRET
     OIDC_RP_SIGN_ALGO: RS256
     OIDC_RP_SCOPES: "openid email"
     OIDC_REDIRECT_ALLOWED_HOSTS: https://desk-staging.beta.numerique.gouv.fr
diff --git a/src/helm/extra/templates/secrets.yaml b/src/helm/extra/templates/secrets.yaml
new file mode 100644
index 0000000..799bafe
--- /dev/null
+++ b/src/helm/extra/templates/secrets.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backend
+  namespace: {{ .Release.Namespace | quote }}
+stringData:
+  DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
+  DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+  OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
+  OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
diff --git a/src/helm/helmfile.yaml b/src/helm/helmfile.yaml
index 3b7f11f..482e58a 100644
--- a/src/helm/helmfile.yaml
+++ b/src/helm/helmfile.yaml
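Review bot: The `secretKeyRef:` mappings under `DJANGO_SECRET_KEY` and `DJANGO_SUPERUSER_PASSWORD` (and under `OIDC_RP_CLIENT_ID` / `OIDC_RP_CLIENT_SECRET` in the second hunk) depend on the desk chart rendering a mapping-valued env entry as `valueFrom.secretKeyRef`; that template is not part of this change, so confirm the chart distinguishes a mapping from a plain string here, otherwise the container receives a stringified map as its secret. The `backend` Secret is produced by the separate `extra` release, so `desk` only starts cleanly once `extra` has been applied in the same namespace; a `needs:` entry on the desk release in helmfile.yaml would make that ordering explicit rather than relying on release order. If `DJANGO_SUPERUSER_PASSWORD` is only consumed when the superuser is first created, swapping the Secret does not change an already-created account, so the existing staging superuser's password needs rotating separately from this commit. The enclosing `backend:` mapping begins before the hunk.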
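Review bot: The four `stringData` values in the new secrets.yaml are interpolated unquoted, so a generated secret key or client secret that begins with a YAML indicator (`*`, `&`, `#`, `[`, `{`, `!`, `%`, `@`), contains `: ` or ` #`, looks like a number, or is empty will break the render or land in the Secret as `null` or a retyped value; pipe each through `quote` as `namespace` already does, e.g. `DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey | quote }}`, and likewise for the other three entries. Wrapping each in `required "<values key> is required" …` as well would fail the render instead of shipping an empty Secret when the environment's sops file lacks a key. Moving the values out of the Deployment spec narrows who can read them, but `stringData` is only a write-time convenience — they remain readable base64-encoded in `data` by anyone with `get` on Secrets in the namespace, so namespace RBAC should be reviewed alongside this change.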
@@ -31,6 +31,8 @@ releases:
     installed: {{ ne .Environment.Name "dev" | toYaml }}
     namespace: {{ .Namespace }}
     chart: ./extra
+    secrets:
+      - env.d/{{ .Environment.Name }}/secrets.enc.yaml
   - name: desk
     version: {{ .Values.version }}