From 915731e218bfd021b3b691a09eedcd2a38bf6f5d Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Mon, 3 Jun 2024 09:34:28 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=92=9A(ci)=20improve=20secrets=20for=20k8?=
 =?UTF-8?q?s=20deployment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Avoid secrets to be visible from running deployments
---
 src/helm/desk/templates/secrets.yaml | 9 +++
 src/helm/env.d/dev/secrets.enc.yaml | 71 +++++++++++-----------
 src/helm/env.d/dev/values.desk.yaml.gotmpl | 20 ++++--
 3 files changed, 61 insertions(+), 39 deletions(-)
 create mode 100644 src/helm/desk/templates/secrets.yaml

diff --git a/src/helm/desk/templates/secrets.yaml b/src/helm/desk/templates/secrets.yaml
new file mode 100644
index 0000000..011f357
--- /dev/null
+++ b/src/helm/desk/templates/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: backend
+stringData:
+ DJANGO_SUPERUSER_PASSWORD: {{ .Values.djangoSuperUserPass }}
+ DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+ OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
+ OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
diff --git a/src/helm/env.d/dev/secrets.enc.yaml b/src/helm/env.d/dev/secrets.enc.yaml
index a962046..ce45b98 100644
--- a/src/helm/env.d/dev/secrets.enc.yaml
+++ b/src/helm/env.d/dev/secrets.enc.yaml
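Review bot: The four `stringData` values in the new Secret template are interpolated unquoted, so a secret that happens to look like a number or boolean, or that contains `: ` or ` #`, will be retyped or break the rendered manifest; pass each through `quote`, e.g. `DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey | quote }}`. Wrapping them in `required` as well would fail the render with a clear message when a value is unset instead of silently writing an empty string into the Secret. The Secret name `backend` is fixed rather than derived from the release name, so two releases in one namespace would collide — presumably acceptable for the dev environment. Note that the values still live in the release's recorded values and in the Secret object itself, so this change removes them from the pod spec but not from anyone with read access to Secrets in the namespace.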
@@ -1,7 +1,8 @@ -djangoSecretKey: ENC[AES256_GCM,data:06KBEHV/gBgGoB4DXf9yTU5XK1xP9OXfyKEiSdSghV8XIMon3o1ajSWN+WNMRHkRZuU=,iv:ZeP1X4pQF9fVm7quzzVXSm2CSLrqAizwZD5QFmNOoSc=,tag:Dm/b+6CfznSC+CdKj1SCYA==,type:str] +djangoSecretKey: ENC[AES256_GCM,data:9fOtt8oesY2CUahg972UGldDrqqF6Fa1Tn+bKxNpMbfXppQtPY2Jfu4EWKAaqH07X00=,iv:OC0ggDgCcja6h4IK73jVXZGDE1qp5OJfeNg182DKxQ4=,tag:ITMAWmPxW8lNBvm2Xefw/Q==,type:str] +djangoSuperUserPass: ENC[AES256_GCM,data:mkLVMnc=,iv:qYBUdUwJk422RVm23/6CUKubFtBL+lofynSnkJglNQk=,tag:Md5FPXwCe9kl5BkICHszzg==,type:str] oidc: - clientId: ENC[AES256_GCM,data:SZVk5bazY22AptGdO1dIalUk46nmA8fA0ggjOZKSCVrFARUh,iv:tXQ2FHOt5xCq2bV9L2iKcLQImsAiPQdU08va6UOpQj4=,tag:T5e9f7u51xxJXHpcLiAYFQ==,type:str] - clientSecret: ENC[AES256_GCM,data:xwecsL1rRF7b5rmRB9Eg1xQ/QevkD1vJPgOI55oB1bmCjP/2/q7JV5EURvxjWXFzY0mppLv9pWrxGIR8fJH1bQ==,iv:JypgxBJye0zqTJN5m9YmZT/OWG3m4Eu8dgplw2mCnCs=,tag:prLdglhObvRbSzBNqaF4Mg==,type:str] + clientId: ENC[AES256_GCM,data:gcxd+bMz/YdGw/wrCx1HvSOC5pWkUfuLulU4LPEFtMj+z0W8,iv:7enZhQGxQ2voA72bjGWfMl7yf+ArFgQ/eAspAjRa3p0=,tag:A6Im4qDckaPdX8pdS/lyuw==,type:str] + clientSecret: ENC[AES256_GCM,data:AmEnaHhdCzynw1zhPHwotJ+TUI9DJ11X4ScjGzU4ADOyAJeJp8gWLFuU2GG1mWCOBPjtVOEdaN1ZTZNKKHS9qA==,iv:8oIehcSJHiD1a6C7Jv8rJz2ixakQTpOWYRAr7Ifj2yE=,tag:keKNxLl9jChB/pm52gddhA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,59 +12,59 @@ sops: - recipient: age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdENIcUkwdjFsQlJubW0z - Y2dPeStzVnRjcVlPcjJLQlFIdjBQRnVFcFJRCmU5OXRUQldIYXNWaG1IeVluVXJh - aHowNUMvRlFHZ2J0TE50K2pMOTJBMWsKLS0tIEFwdVo5djJURU16aUdMeEhFeUsy - QTA5bjZFWTIyeG00ZDVTbVY0UWN3WGMKReL4f5v41eEIogPSqMuiSVml1stAAAf3 - nedjWc5s2C5mO3IB+iU7uOWF6P5kIrXU4Tvmwju2E8yw4v2lmsfZLg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOGdBRHB1L1RaVVBBb20z + anpzTS9BNHVYYXhISFNKSGRTTHlGWCtWdDNvCk9pdnIwWW9XTG9iWnAySXB6M3Rm + NDFZV3VCVTh2N1poL2RQeUtiU3VIcWcKLS0tIDdyKzRWYmp4WjZGMlg4eGNkdnNQ + NzdGQWtUaWtlS2xneDVUa21ucUJ3SnMKenloUQTumKE0Q8Zp8hLiFwZiGF+78HtB + lt6aEaOgIu2vc4KC1/9iUK+uPhjQC3ajOQ6G2jcRaoR+BFVlxv1Mug== -----END AGE ENCRYPTED FILE----- - recipient: age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDd2JvVHJUNXc0eGc1TTJi - OGhjSDFkaC93dG9EWDF0WThoQWV2SjE5S25FCkdBRU55MElTdHZnUmU1ZGF5b1gy - aFdyZGJyUzFpQVFRTVBReXp6MXZWbncKLS0tIHZaYmRLeld3UHdwWjc0WGNBQ1k4 - VkMyN1FNNysxc2RMTzlOSGlzd1RSazgKXBumJC7hLOJ3rcG2x80L/mEPGMbWKGbG - En66KslOsgX/LugQmRey82ezDhqhnvpHe+sLWRaf9JfM+zCRg4mUMQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TlZuVTEyVzVHb1djandk + K2FxZGNlZG9vNllMTnVNZ2pZampnd25pOGxVCkJDUi9YcFVrcVcyOEhKWjBob09M + d0hRc0pkUXhPbTNrS0RSN3NJa2dwbkUKLS0tIG5OSUU4R2s3REV5TWd4Ym5zdWln + ZVcySnhYY2JydmVwOCtEZVhOcTNkQlUKhhZK7CE5bPKbqzmQp7mIL3Lmb8+X+8js + PS55Dv9ivffm+XYKh2tjh3At9+FLNfOECwZBC+KrAQQs0W+vBaXWxQ== -----END AGE ENCRYPTED FILE----- - recipient: age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZW85bDNRUzg2QnZKczly - VXJiRlFLVVJDSk91bjV5ZU5HMzVjWCtnSHpVCllheVh0WE82NlQvTXNwak5mK05n - aFlDNXM5Smw4dHFtSHRnSitUN1hhYWcKLS0tIGQ2akhocXArbCs2ZlhCU1RjUEE2 - 
aFZoRE5DRC96bTVqWkZ1VmV6TjJjZzAKXfP/7E4bjSoPRENvk0gThEaNuJUgukwR - jpa5By90xamqzIRXSmnrNX20owfWugzzuAUjdE9/kiSz5R6Csi3LuQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOWlUazJpNmhOQ0xYQ0pM + aVRia3B6anErRHNDSTFKT1hWZnZ2blZEeGhZCjNkSm5BZ2hEMVA0dGlSTGo5cWd3 + U1FZWnNwSkJhSHNRRDc3QVUrakxad2cKLS0tIEV3ZzVVZ0ZJVytKdzFHSEREcHVq + SUtrZXh6TktaUHZqZTdzL3dZbVdiblkKiJliMwXPs/EJVFuEnegqWKvO3axHJEw7 + /Y5qgNPN8MDJrcMtDdcFAKkdrUUUhPgzd1jHeNWlw9tPkqgmoNe1/w== -----END AGE ENCRYPTED FILE----- - recipient: age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2L1JKWlozOUpvTjBkNjRX - V3hBYzdLT3k0dVBGSFJLY2crQUxEeUd1SEN3CkEzM3ZRQm93SnFiTmlianM2VUdL - SVdpTm1DNHVRUlU0Mkd4eUxlMzFrSTQKLS0tIGZ1STFYQjlSc2dpNWVBK0Z0Z2g1 - SlhoUEtZcE5PbTJCM2haME1vR25QelUKmdhCrRs1RzWIx/1Zjmas50oFkGjjhlvD - m5gLBMs6VSe871DczImP/l5ViqCg9w83ZYZI0c2Usn+9i016HOnFBg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWS3YzWjVlazVDRC9iNTM2 + K0VYQ2dQclIvVlFFRmlnbXFhUHVneWl0WHdZCnR1Y2RzMGxzWWRxL2ppYXJVUGhO + TGdld0tLaURiYlMwR3ByL1phZTNnN1UKLS0tIFZ3QVUyVlBpNGZjdHBKL3JHNnFU + YklMbW15Mm9EdnVJbkRLb3drekp3Zm8KrzAAV2EKHHkJzpCBerHkqlI122OUNM/o + 3gIX838hJgatKKOO1FipeuzOTwlWEVOwP/iBnHnMe/QdJdsk6issqQ== -----END AGE ENCRYPTED FILE----- - recipient: age1tl80n23wq6zxegupwn70ew0yp225ua5v4dk800x7g2w6pvlxz46qk592pa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbWVvaWpQZE1CdXFjMVVi - SFFwSmRxTFdxUGtpQWZNNXlWWDQ1cXkzWTFNCm5WRlN0dVlFVW9ONXJQb2lic0oz - dXhMSk1RN25qT2VXZGkyVmY3TTJvT1UKLS0tIHBjK293bnRhLzRCOU9hNXQ4MVNN - K0ErNEhLNWFoc0hXdTE3MnBqT2pLblkKx9ww+qLJKdikom59GGth8/lWWmzKS2k+ - d+4votCaQYJtQbBuHUcKAKUeKFl0jBMJPoRO4XodrprXHtpU1l+nUg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhemxEZWcwTWQrM0lOd2ky + MVNtcGs3UGphSlZleGhtTFh3andSa00xdmhjCml4cGd1bHVYVzk4djA5QndpQ291 + Y0tOSlpoMytvRE41WXliMitEUVZ2ZkkKLS0tIGNoK2xCc3FKNXhhbkErbStyQ0lC + 
VWpzS04rdkJ3M3BqTTY1T2RyTGd6OTgK0sDGDG3R7fDFwhgn6gdYGDUC9kWFk11e + hn69zBqKXvT7jcQoEWASmbRJ0kYTF/Rg9stWASYfCT+dyEkDfVewPw== -----END AGE ENCRYPTED FILE----- - recipient: age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyOUtTRU5RaEVUaVQvM3Ro - L3FhR3NhK1lHNFI1TjlBUGJCOXowR3F0VnprCnBNL1ZKbHJkcEZhbWpTQzFIUnBX - NmxjTDNCRmVhZnNOM1pwRGdTZTBYZk0KLS0tIDVIcUF4MHNlVXBKVnBGSk1vd3JD - OXBHekx1RlpSYlFnYld3T2Nza0R5bmsKt4mBjr+YP/li9Wq6GL5eJBGrSBi2GcE7 - GjP1pYyt0nsazuRrueKXWE12p4JWz0CI7vUsLfrxd9JiEdrPuC9hrA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyelo4b05STnFVVGNPNUdH + bDdiQjQ4WkNlY1dacTZRU3ZObEU3WkFyRUFjClRmOFAyeHRoT2U5Rzc1OTRmRjho + bUo5WjljZzNtNVQ5RlhrdmVpYjhuOE0KLS0tIE8zWEUwL3dyWDZvamdKQk1qcDVR + b2g2SFNDMHZvSTNOYUQ0Rms1RlVBem8KacFpoySUpdGChbGU9PHkefzE5WTw5X9g + du7vbHxqE8M3sjH3TvbB7psj9ISQ/mJ15yvFrIvQUaZ1nQf91b2nHg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T09:43:00Z" - mac: ENC[AES256_GCM,data:B3G5BlUA1Rq1WxOnrPtm+Ag+TMBxgTAGCvGd3YY6GE8gvBZh0u2NqWcI3/dEaY/2hdv8LO011nP6oOHAEU10FzsMTijmaHOVZers31Ov+zr1/X1zOAKA4c5LtgRhVOJ2ugKTwuTeuTcouJj1Gz94YT6Dc4kebnOfOB4RY1poyvc=,iv:raTWQ/u46vNoW3ZlXwct6DChq5/rk9TxqYVQL4hDyug=,tag:fuVgIVSSfJegTNMHAiK4Rg==,type:str] + lastmodified: "2024-04-23T08:10:56Z" + mac: ENC[AES256_GCM,data:9maAsoIjrdzZUKqmbsv9iOrxlH5rRF0XJ8+UBqldevEHmfSywKyiRtstMTDVBeJXey6Y0D5V88nXtpZKerRWTpcR+lu8gzGzf1nLZ9r72ldInxXuJPmalQIo6Y4MD+hrOzCbq0i6IQWfTlHpVVz4KulFeAsNyJlD3KZPFsuD6pY=,iv:pxJfbVRCDO9ikionNoy0JvGLgPG2HV805wGprQMV4OE=,tag:zhH5HjyrS0cVDl6dG/9SkQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/src/helm/env.d/dev/values.desk.yaml.gotmpl b/src/helm/env.d/dev/values.desk.yaml.gotmpl index ba39d44..c576884 100644 --- a/src/helm/env.d/dev/values.desk.yaml.gotmpl +++ b/src/helm/env.d/dev/values.desk.yaml.gotmpl 
@@ -8,9 +8,15 @@ backend:
 DJANGO_CSRF_TRUSTED_ORIGINS: https://desk.127.0.0.1.nip.io,http://desk.127.0.0.1.nip.io
 DJANGO_CONFIGURATION: Production
 DJANGO_ALLOWED_HOSTS: "*"
- DJANGO_SECRET_KEY: {{ .Values.djangoSecretKey }}
+ DJANGO_SECRET_KEY:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SECRET_KEY
 DJANGO_SETTINGS_MODULE: people.settings
- DJANGO_SUPERUSER_PASSWORD: admin
+ DJANGO_SUPERUSER_PASSWORD:
+ secretKeyRef:
+ name: backend
+ key: DJANGO_SUPERUSER_PASSWORD
 DJANGO_EMAIL_HOST: "mailcatcher"
 DJANGO_EMAIL_PORT: 1025
 DJANGO_EMAIL_USE_SSL: False
@@ -19,8 +25,14 @@ backend:
 OIDC_OP_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
 OIDC_OP_USER_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
 OIDC_OP_LOGOUT_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/session/end
- OIDC_RP_CLIENT_ID: {{ .Values.oidc.clientId }}
- OIDC_RP_CLIENT_SECRET: {{ .Values.oidc.clientSecret }}
+ OIDC_RP_CLIENT_ID:
+ secretKeyRef:
+ name: backend
+ key: OIDC_RP_CLIENT_ID
+ OIDC_RP_CLIENT_SECRET:
+ secretKeyRef:
+ name: backend
+ key: OIDC_RP_CLIENT_SECRET
 OIDC_RP_SIGN_ALGO: RS256
 OIDC_RP_SCOPES: "openid email"
 OIDC_REDIRECT_ALLOWED_HOSTS: https://desk.127.0.0.1.nip.io
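Review bot: Both hunks hard-code the Secret name `backend` four times, and it must match `metadata.name` in the chart's Secret template by hand; a drift between the two files would only show up when the pod fails to start, so a single values key (or a chart helper) for the name would keep them in step, e.g. `name: {{ .Values.backendSecretName }}`. Whether the chart turns a mapping under the `backend` env block into `valueFrom.secretKeyRef` is not visible here and is worth confirming against the deployment template before relying on it. Each of the four keys carries the same three-line reference, so a shared anchor or helper would also cut the repetition. The enclosing `backend:` mapping starts outside both hunks.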