💚(ci) improve secrets for k8s deployment

Avoid secrets to be visible from running deployments
2024-06-03 09:34:28 +02:00
parent c534048e97
commit 915731e218
3 changed files with 61 additions and 39 deletions
--- a/src/helm/desk/templates/secrets.yaml
+++ b/src/helm/desk/templates/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backend
+stringData:
+  DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
+  DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+  OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
+  OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
--- a/src/helm/env.d/dev/secrets.enc.yaml
+++ b/src/helm/env.d/dev/secrets.enc.yaml
@@ -1,7 +1,8 @@
-djangoSecretKey: ENC[AES256_GCM,data:06KBEHV/gBgGoB4DXf9yTU5XK1xP9OXfyKEiSdSghV8XIMon3o1ajSWN+WNMRHkRZuU=,iv:ZeP1X4pQF9fVm7quzzVXSm2CSLrqAizwZD5QFmNOoSc=,tag:Dm/b+6CfznSC+CdKj1SCYA==,type:str]
+djangoSecretKey: ENC[AES256_GCM,data:9fOtt8oesY2CUahg972UGldDrqqF6Fa1Tn+bKxNpMbfXppQtPY2Jfu4EWKAaqH07X00=,iv:OC0ggDgCcja6h4IK73jVXZGDE1qp5OJfeNg182DKxQ4=,tag:ITMAWmPxW8lNBvm2Xefw/Q==,type:str]
+djangoSuperUserPass: ENC[AES256_GCM,data:mkLVMnc=,iv:qYBUdUwJk422RVm23/6CUKubFtBL+lofynSnkJglNQk=,tag:Md5FPXwCe9kl5BkICHszzg==,type:str]
 oidc:
-    clientId: ENC[AES256_GCM,data:SZVk5bazY22AptGdO1dIalUk46nmA8fA0ggjOZKSCVrFARUh,iv:tXQ2FHOt5xCq2bV9L2iKcLQImsAiPQdU08va6UOpQj4=,tag:T5e9f7u51xxJXHpcLiAYFQ==,type:str]
-    clientSecret: ENC[AES256_GCM,data:xwecsL1rRF7b5rmRB9Eg1xQ/QevkD1vJPgOI55oB1bmCjP/2/q7JV5EURvxjWXFzY0mppLv9pWrxGIR8fJH1bQ==,iv:JypgxBJye0zqTJN5m9YmZT/OWG3m4Eu8dgplw2mCnCs=,tag:prLdglhObvRbSzBNqaF4Mg==,type:str]
+    clientId: ENC[AES256_GCM,data:gcxd+bMz/YdGw/wrCx1HvSOC5pWkUfuLulU4LPEFtMj+z0W8,iv:7enZhQGxQ2voA72bjGWfMl7yf+ArFgQ/eAspAjRa3p0=,tag:A6Im4qDckaPdX8pdS/lyuw==,type:str]
+    clientSecret: ENC[AES256_GCM,data:AmEnaHhdCzynw1zhPHwotJ+TUI9DJ11X4ScjGzU4ADOyAJeJp8gWLFuU2GG1mWCOBPjtVOEdaN1ZTZNKKHS9qA==,iv:8oIehcSJHiD1a6C7Jv8rJz2ixakQTpOWYRAr7Ifj2yE=,tag:keKNxLl9jChB/pm52gddhA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -11,59 +12,59 @@ sops:
        - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdENIcUkwdjFsQlJubW0z
-            Y2dPeStzVnRjcVlPcjJLQlFIdjBQRnVFcFJRCmU5OXRUQldIYXNWaG1IeVluVXJh
-            aHowNUMvRlFHZ2J0TE50K2pMOTJBMWsKLS0tIEFwdVo5djJURU16aUdMeEhFeUsy
-            QTA5bjZFWTIyeG00ZDVTbVY0UWN3WGMKReL4f5v41eEIogPSqMuiSVml1stAAAf3
-            nedjWc5s2C5mO3IB+iU7uOWF6P5kIrXU4Tvmwju2E8yw4v2lmsfZLg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOGdBRHB1L1RaVVBBb20z
+            anpzTS9BNHVYYXhISFNKSGRTTHlGWCtWdDNvCk9pdnIwWW9XTG9iWnAySXB6M3Rm
+            NDFZV3VCVTh2N1poL2RQeUtiU3VIcWcKLS0tIDdyKzRWYmp4WjZGMlg4eGNkdnNQ
+            NzdGQWtUaWtlS2xneDVUa21ucUJ3SnMKenloUQTumKE0Q8Zp8hLiFwZiGF+78HtB
+            lt6aEaOgIu2vc4KC1/9iUK+uPhjQC3ajOQ6G2jcRaoR+BFVlxv1Mug==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDd2JvVHJUNXc0eGc1TTJi
-            OGhjSDFkaC93dG9EWDF0WThoQWV2SjE5S25FCkdBRU55MElTdHZnUmU1ZGF5b1gy
-            aFdyZGJyUzFpQVFRTVBReXp6MXZWbncKLS0tIHZaYmRLeld3UHdwWjc0WGNBQ1k4
-            VkMyN1FNNysxc2RMTzlOSGlzd1RSazgKXBumJC7hLOJ3rcG2x80L/mEPGMbWKGbG
-            En66KslOsgX/LugQmRey82ezDhqhnvpHe+sLWRaf9JfM+zCRg4mUMQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TlZuVTEyVzVHb1djandk
+            K2FxZGNlZG9vNllMTnVNZ2pZampnd25pOGxVCkJDUi9YcFVrcVcyOEhKWjBob09M
+            d0hRc0pkUXhPbTNrS0RSN3NJa2dwbkUKLS0tIG5OSUU4R2s3REV5TWd4Ym5zdWln
+            ZVcySnhYY2JydmVwOCtEZVhOcTNkQlUKhhZK7CE5bPKbqzmQp7mIL3Lmb8+X+8js
+            PS55Dv9ivffm+XYKh2tjh3At9+FLNfOECwZBC+KrAQQs0W+vBaXWxQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZW85bDNRUzg2QnZKczly
-            VXJiRlFLVVJDSk91bjV5ZU5HMzVjWCtnSHpVCllheVh0WE82NlQvTXNwak5mK05n
-            aFlDNXM5Smw4dHFtSHRnSitUN1hhYWcKLS0tIGQ2akhocXArbCs2ZlhCU1RjUEE2
-            aFZoRE5DRC96bTVqWkZ1VmV6TjJjZzAKXfP/7E4bjSoPRENvk0gThEaNuJUgukwR
-            jpa5By90xamqzIRXSmnrNX20owfWugzzuAUjdE9/kiSz5R6Csi3LuQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOWlUazJpNmhOQ0xYQ0pM
+            aVRia3B6anErRHNDSTFKT1hWZnZ2blZEeGhZCjNkSm5BZ2hEMVA0dGlSTGo5cWd3
+            U1FZWnNwSkJhSHNRRDc3QVUrakxad2cKLS0tIEV3ZzVVZ0ZJVytKdzFHSEREcHVq
+            SUtrZXh6TktaUHZqZTdzL3dZbVdiblkKiJliMwXPs/EJVFuEnegqWKvO3axHJEw7
+            /Y5qgNPN8MDJrcMtDdcFAKkdrUUUhPgzd1jHeNWlw9tPkqgmoNe1/w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2L1JKWlozOUpvTjBkNjRX
-            V3hBYzdLT3k0dVBGSFJLY2crQUxEeUd1SEN3CkEzM3ZRQm93SnFiTmlianM2VUdL
-            SVdpTm1DNHVRUlU0Mkd4eUxlMzFrSTQKLS0tIGZ1STFYQjlSc2dpNWVBK0Z0Z2g1
-            SlhoUEtZcE5PbTJCM2haME1vR25QelUKmdhCrRs1RzWIx/1Zjmas50oFkGjjhlvD
-            m5gLBMs6VSe871DczImP/l5ViqCg9w83ZYZI0c2Usn+9i016HOnFBg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWS3YzWjVlazVDRC9iNTM2
+            K0VYQ2dQclIvVlFFRmlnbXFhUHVneWl0WHdZCnR1Y2RzMGxzWWRxL2ppYXJVUGhO
+            TGdld0tLaURiYlMwR3ByL1phZTNnN1UKLS0tIFZ3QVUyVlBpNGZjdHBKL3JHNnFU
+            YklMbW15Mm9EdnVJbkRLb3drekp3Zm8KrzAAV2EKHHkJzpCBerHkqlI122OUNM/o
+            3gIX838hJgatKKOO1FipeuzOTwlWEVOwP/iBnHnMe/QdJdsk6issqQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1tl80n23wq6zxegupwn70ew0yp225ua5v4dk800x7g2w6pvlxz46qk592pa
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbWVvaWpQZE1CdXFjMVVi
-            SFFwSmRxTFdxUGtpQWZNNXlWWDQ1cXkzWTFNCm5WRlN0dVlFVW9ONXJQb2lic0oz
-            dXhMSk1RN25qT2VXZGkyVmY3TTJvT1UKLS0tIHBjK293bnRhLzRCOU9hNXQ4MVNN
-            K0ErNEhLNWFoc0hXdTE3MnBqT2pLblkKx9ww+qLJKdikom59GGth8/lWWmzKS2k+
-            d+4votCaQYJtQbBuHUcKAKUeKFl0jBMJPoRO4XodrprXHtpU1l+nUg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhemxEZWcwTWQrM0lOd2ky
+            MVNtcGs3UGphSlZleGhtTFh3andSa00xdmhjCml4cGd1bHVYVzk4djA5QndpQ291
+            Y0tOSlpoMytvRE41WXliMitEUVZ2ZkkKLS0tIGNoK2xCc3FKNXhhbkErbStyQ0lC
+            VWpzS04rdkJ3M3BqTTY1T2RyTGd6OTgK0sDGDG3R7fDFwhgn6gdYGDUC9kWFk11e
+            hn69zBqKXvT7jcQoEWASmbRJ0kYTF/Rg9stWASYfCT+dyEkDfVewPw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyOUtTRU5RaEVUaVQvM3Ro
-            L3FhR3NhK1lHNFI1TjlBUGJCOXowR3F0VnprCnBNL1ZKbHJkcEZhbWpTQzFIUnBX
-            NmxjTDNCRmVhZnNOM1pwRGdTZTBYZk0KLS0tIDVIcUF4MHNlVXBKVnBGSk1vd3JD
-            OXBHekx1RlpSYlFnYld3T2Nza0R5bmsKt4mBjr+YP/li9Wq6GL5eJBGrSBi2GcE7
-            GjP1pYyt0nsazuRrueKXWE12p4JWz0CI7vUsLfrxd9JiEdrPuC9hrA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyelo4b05STnFVVGNPNUdH
+            bDdiQjQ4WkNlY1dacTZRU3ZObEU3WkFyRUFjClRmOFAyeHRoT2U5Rzc1OTRmRjho
+            bUo5WjljZzNtNVQ5RlhrdmVpYjhuOE0KLS0tIE8zWEUwL3dyWDZvamdKQk1qcDVR
+            b2g2SFNDMHZvSTNOYUQ0Rms1RlVBem8KacFpoySUpdGChbGU9PHkefzE5WTw5X9g
+            du7vbHxqE8M3sjH3TvbB7psj9ISQ/mJ15yvFrIvQUaZ1nQf91b2nHg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-05T09:43:00Z"
-    mac: ENC[AES256_GCM,data:B3G5BlUA1Rq1WxOnrPtm+Ag+TMBxgTAGCvGd3YY6GE8gvBZh0u2NqWcI3/dEaY/2hdv8LO011nP6oOHAEU10FzsMTijmaHOVZers31Ov+zr1/X1zOAKA4c5LtgRhVOJ2ugKTwuTeuTcouJj1Gz94YT6Dc4kebnOfOB4RY1poyvc=,iv:raTWQ/u46vNoW3ZlXwct6DChq5/rk9TxqYVQL4hDyug=,tag:fuVgIVSSfJegTNMHAiK4Rg==,type:str]
+    lastmodified: "2024-04-23T08:10:56Z"
+    mac: ENC[AES256_GCM,data:9maAsoIjrdzZUKqmbsv9iOrxlH5rRF0XJ8+UBqldevEHmfSywKyiRtstMTDVBeJXey6Y0D5V88nXtpZKerRWTpcR+lu8gzGzf1nLZ9r72ldInxXuJPmalQIo6Y4MD+hrOzCbq0i6IQWfTlHpVVz4KulFeAsNyJlD3KZPFsuD6pY=,iv:pxJfbVRCDO9ikionNoy0JvGLgPG2HV805wGprQMV4OE=,tag:zhH5HjyrS0cVDl6dG/9SkQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/src/helm/env.d/dev/values.desk.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl
@@ -8,9 +8,15 @@ backend:
    DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io
    DJANGO_CONFIGURATION: Production
    DJANGO_ALLOWED_HOSTS: "*"
-    DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+    DJANGO_SECRET_KEY:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SECRET_KEY
    DJANGO_SETTINGS_MODULE: people.settings
-    DJANGO_SUPERUSER_PASSWORD: admin
+    DJANGO_SUPERUSER_PASSWORD:
+      secretKeyRef:
+        name: backend
+        key: DJANGO_SUPERUSER_PASSWORD
    DJANGO_EMAIL_HOST: "mailcatcher"
    DJANGO_EMAIL_PORT: 1025
    DJANGO_EMAIL_USE_SSL: False
@@ -19,8 +25,14 @@ backend:
    OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
    OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
    OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
-    OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
-    OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
+    OIDC_RP_CLIENT_ID:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_ID
+    OIDC_RP_CLIENT_SECRET:
+      secretKeyRef:
+        name: backend
+        key: OIDC_RP_CLIENT_SECRET
    OIDC_RP_SIGN_ALGO: RS256
    OIDC_RP_SCOPES: "openid email"
    OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io