diff --git a/.gitignore b/.gitignore index ff13bd65..b0776c75 100644 --- a/.gitignore +++ b/.gitignore @@ -193,3 +193,10 @@ $RECYCLE.BIN/ # Drawio *.drawio.bkp + +# helm +./charts/hopps/charts + +# unencrypted secrets +*decrypted.env +age.agekey diff --git a/charts/hopps/values.yaml b/charts/hopps/values.yaml index ec669079..bf556620 100644 --- a/charts/hopps/values.yaml +++ b/charts/hopps/values.yaml @@ -66,6 +66,7 @@ azDocumentAi: serviceAccount: create: true annotations: {} + # ToDo: make fallback name unique name: az-document-ai automount: false # We usually recommend not to specify default resources and to leave this as a conscious diff --git a/kubernetes/hopps/base/hopps/helm-repository.yaml b/kubernetes/hopps/base/hopps/helm-repository.yaml new file mode 100644 index 00000000..4651bfa1 --- /dev/null +++ b/kubernetes/hopps/base/hopps/helm-repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: hopps +spec: + interval: 1h + url: oci://ghcr.io/hopps-app/hopps + type: oci diff --git a/kubernetes/hopps/base/hopps/kustomization.yaml b/kubernetes/hopps/base/hopps/kustomization.yaml new file mode 100644 index 00000000..305e2fff --- /dev/null +++ b/kubernetes/hopps/base/hopps/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helm-repository.yaml \ No newline at end of file diff --git a/kubernetes/hopps/overlays/.sops.yaml b/kubernetes/hopps/overlays/.sops.yaml new file mode 100644 index 00000000..dae27393 --- /dev/null +++ b/kubernetes/hopps/overlays/.sops.yaml @@ -0,0 +1,6 @@ +creation_rules: + - path_regex: .*.yaml + encrypted_regex: ^(data|stringData)$ + age: age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s + - age: >- + age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s 
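Review bot: The new pattern `./charts/hopps/charts` in the .gitignore hunk will not match anything, because gitignore has no `./` prefix syntax; write it as `/charts/hopps/charts` (anchored to the repository root) or `charts/hopps/charts`. The `*decrypted.env` and `age.agekey` entries keep the age private key and decrypted secret material out of commits only while file names follow that convention, so a `git check-ignore` test in CI or a pre-commit secret scanner is the backstop for the cases the pattern misses. A short `# local-only key material and decrypted sops output — never commit` comment above the block would make the intent clear to the next contributor.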
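Review bot: The new HelmRepository pulls charts from `oci://ghcr.io/hopps-app/hopps` with no provenance check, so whatever is published under the pinned chart version is installed as-is. Flux can verify cosign signatures on charts fetched from an OCI HelmRepository via `spec.chart.spec.verify` (`provider: cosign`) on the consuming HelmRelease, which is worth wiring up if the chart pipeline signs its artifacts. Either way a comment on `type: oci` such as `# OCI chart source; signature verification is configured on the HelmRelease` would record where that check lives.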
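Review bot: In the new `.sops.yaml`, `path_regex: .*.yaml` is unanchored and the dot before `yaml` is unescaped, so the rule also matches names such as `foo-yaml`; `path_regex: \.ya?ml$` states the intent precisely, while the `encrypted_regex` limiting encryption to `data`/`stringData` is right for Secret manifests. Both rules list the same single age recipient, so losing that one key makes every `*-encrypted.env` in the overlay unrecoverable; adding a second recipient (an offline recovery key) to each rule is the usual mitigation. The `>-` folded scalar for the catch-all rule works, but a plain `- age: <recipient>` line is simpler to read.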
diff --git a/kubernetes/hopps/overlays/dev/helm-release.yaml b/kubernetes/hopps/overlays/dev/helm-release.yaml
new file mode 100644
index 00000000..84e805f6
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/helm-release.yaml
@@ -0,0 +1,223 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: hopps
+spec:
+ chart:
+ spec:
+ chart: hopps
+ sourceRef:
+ kind: HelmRepository
+ name: hopps
+ version: 0.0.4
+ interval: 1m0s
+ values:
+ azDocumentAi:
+ image:
+ tag: 239
+ envFrom:
+ - secretRef:
+ name: az-document-ai
+ envVars:
+ # ToDo: url should automatically be calculated, dependent on the name of the release-name
+ - name: kafka.bootstrap.servers
+ value: hopps-kafka:9092
+ org:
+ image:
+ tag: 239
+ envFrom:
+ - secretRef:
+ name: org
+ envVars:
+ # ToDo: url should automatically be calculated, dependent on the name of the release-name
+ # OpenFGA
+ - name: QUARKUS_OPENFGA_URL
+ value: http://hopps-openfga:8080
+ - name: QUARKUS_OPENFGA_STORE
+ value: hopps
+ # Database secrets
+ - name: quarkus.datasource.jdbc.url
+ value: jdbc:postgresql://postgres-cluster:5432/org?loggerLevel=OFF&sslmode=require
+ - name: quarkus.datasource.username
+ valueFrom:
+ secretKeyRef:
+ name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do
+ key: username
+ - name: quarkus.datasource.password
+ valueFrom:
+ secretKeyRef:
+ name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do
+ key: password
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/cors-allow-origin: "https://${DOMAIN_2}"
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+ ingressClassName: nginx
+ path: /org(/|$)(.*)
+ pathType: ImplementationSpecific
+ hosts:
+ - api.${DOMAIN_2}
+ tls:
+ - secretName: api-tls
+ hosts:
+ - api.${DOMAIN_2}
+ postgresql-org:
+ enabled: false
+ fin:
+ image:
+ tag: 239
+ envFrom:
+ - secretRef:
+ name: fin
+ envVars:
+ # ToDo: url should automatically be calculated, dependent on the name of the release-name
+ # OpenFGA
+ - name: QUARKUS_OPENFGA_URL
+ value: http://hopps-openfga:8080
+ - name: QUARKUS_OPENFGA_STORE
+ value: hopps
+ # Database secrets
+ - name: quarkus.datasource.jdbc.url
+ value: jdbc:postgresql://postgres-cluster:5432/fin?loggerLevel=OFF&sslmode=require
+ - name: quarkus.datasource.username
+ valueFrom:
+ secretKeyRef:
+ name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do
+ key: username
+ - name: quarkus.datasource.password
+ valueFrom:
+ secretKeyRef:
+ name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do
+ key: password
+ # kafka
+ # ToDo: url should automatically be calculated, dependent on the name of the release-name
+ - name: kafka.bootstrap.servers
+ value: hopps-kafka:9092
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/cors-allow-origin: "https://${DOMAIN_2}"
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+ ingressClassName: nginx
+ path: /fin(/|$)(.*)
+ pathType: ImplementationSpecific
+ hosts:
+ - api.${DOMAIN_2}
+ tls:
+ - secretName: api-tls
+ hosts:
+ - api.${DOMAIN_2}
+ postgresql-fin:
+ enabled: false
+ frontend:
+ image:
+ tag: 180
+ envFrom:
+ - secretRef:
+ name: frontend
+ podSecurityContext:
+ fsGroup: 1000
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ ingressClassName: nginx
+ hosts:
+ - ${DOMAIN_2}
+ tls:
+ - secretName: frontend-tls
+ hosts:
+ - ${DOMAIN_2}
+ kafka:
+ controller:
+ replicaCount: 1
+ resourcesPreset: "none"
+ volumePermissions:
+ resourcesPreset: "none"
+ # disable authentication for kafka for now
+ listeners:
+ client:
+ protocol: PLAINTEXT
+ kafka-ui:
+ enabled: true
+ yamlApplicationConfig:
+ kafka:
+ clusters:
+ - name: yaml
+ # ToDo: url should automatically be calculated, dependent on the name of the release-name
+ bootstrapServers: hopps-kafka:9092
+ auth:
+ type: disabled
+ management:
+ health:
+ ldap:
+ enabled: false
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ # basic auth
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: kafka-ui-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - Kafka'
+ # configure oauth2-proxy security ToDo: waiting for keycloak GitHub integration for SSO
+ #nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email
+ #nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri
+ #nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth
+ tls:
+ enabled: true
+ secretName: kafka-tls
+ # ToDo: mask domain
+ host: kafka-ui.${DOMAIN_2}
+ openfga:
+ # ToDo: check why enabled attribute isn't working
+ #enabled: true
+ # only run one pod for now
+ replicaCount: 1
+ # configure securityContext
+ podSecurityContext:
+ fsGroup: 2000
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ # use postgresql-database
+ datastore:
+ engine: postgres
+ uriSecret: openfga
+ # https://github.com/openfga/helm-charts/issues/100
+ migrationType: "initContainer"
+ postgresql:
+ enabled: false
+ # use already available keycloak
+ keycloak:
+ enabled: true
+ resourcesPreset: "none"
+ postgresql:
+ enabled: false
+ externalDatabase:
+ host: postgres-cluster
+ database: keycloak
+ post: 5432
+ existingSecret: hopps-dev.keycloak.postgres-cluster.credentials.postgresql.acid.zalan.do
+ existingSecretUserKey: "username"
+ existingSecretPasswordKey: "password"
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hostname: id.${DOMAIN_2}
+ ingressClassName: nginx
+ tls: true
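Review bot: Near the end of the hunk, `post: 5432` under `keycloak.externalDatabase` is a typo for `port`; the chart will most likely ignore the unknown key and fall back to its own default, so the connection only works while that default happens to be 5432 — change it to `port: 5432`. The image tags `tag: 239` and `tag: 180` are plain integers; quoting them (`tag: "239"`) keeps YAML from retyping a future tag such as `1.10`. The JDBC URLs use `sslmode=require`, which encrypts the connection but does not authenticate the server; if the operator exposes its CA, `sslmode=verify-full` with `sslrootcert` closes that gap. The hunk is the whole new file (223 added lines), so these refer to the `values:` block rather than to the chart itself.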
diff --git a/kubernetes/hopps/overlays/dev/kustomization.yaml b/kubernetes/hopps/overlays/dev/kustomization.yaml
new file mode 100644
index 00000000..cf623024
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: hopps-dev
+resources:
+ - ../../base/hopps
+ - namespace.yaml
+ - helm-release.yaml
+ - postgresql.yaml
+# create all needed secrets with fix name
+generatorOptions:
+ disableNameSuffixHash: true
+secretGenerator:
+ - name: fin
+ envs:
+ - secrets/fin-secret-encrypted.env
+ - name: org
+ envs:
+ - secrets/org-secret-encrypted.env
+ - name: az-document-ai
+ envs:
+ - secrets/az-document-ai-secret-encrypted.env
+ - name: frontend
+ envs:
+ - secrets/frontend-secret-encrypted.env
+ - name: openfga
+ envs:
+ - secrets/openfga-secret-encrypted.env
+ - name: postgres-operator-secret
+ envs:
+ - secrets/postgres-cluster-secret-encrypted.env
+ # basic auth for kafka-ui
+ - name: kafka-ui-auth
+ envs:
+ - secrets/kafka-ui-secret-encrypted.env
diff --git a/kubernetes/hopps/overlays/dev/namespace.yaml b/kubernetes/hopps/overlays/dev/namespace.yaml
new file mode 100644
index 00000000..77a03634
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/namespace.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hopps-dev
+ labels:
+ # postgres-cluster can't be configured to be pss "restricted" profile
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: v1.31
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: v1.31
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: v1.31
diff --git a/kubernetes/hopps/overlays/dev/postgresql.yaml b/kubernetes/hopps/overlays/dev/postgresql.yaml
new file mode 100644
index 00000000..462eeaf3
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/postgresql.yaml
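Review bot: The `secretGenerator` entries in the dev kustomization read the SOPS-encrypted `.env` files directly, so the generated Secrets hold ciphertext unless the Flux Kustomization that applies this overlay sets `spec.decryption` (provider `sops`, secretRef to the age key); that object is not part of this change, so a comment above `secretGenerator` such as `# *-encrypted.env is decrypted by kustomize-controller (Kustomization.spec.decryption), not by kustomize itself` would record the dependency. `disableNameSuffixHash: true` gives the stable names the HelmRelease's `secretRef`/`secretKeyRef` entries rely on, but it also means a rotated secret does not trigger a pod rollout, so workloads keep the old values until restarted. Noting that trade-off next to the existing `# create all needed secrets with fix name` comment would help whoever rotates a credential later.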
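Review bot: In the new namespace.yaml, `pod-security.kubernetes.io/enforce: privileged` disables Pod Security admission for every workload in `hopps-dev`, not only for the postgres-cluster pods the comment names, so the hardened `securityContext` given to openfga in the HelmRelease is voluntary rather than enforced. If the operator's pods only fail the `restricted` checks, `enforce: baseline` would still block privileged containers, host namespaces and hostPath for the application pods; if they genuinely need `privileged`, running the database in its own namespace keeps the exemption narrow (at the cost of copying the credential Secrets or pointing the apps across namespaces). The comment should state which check fails, e.g. `# postgres-cluster pods fail PSS restricted (<failing check>); enforce relaxed to privileged namespace-wide`.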
@@ -0,0 +1,37 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: postgres-cluster
+spec:
+ teamId: "hopps"
+ postgresql:
+ version: "17"
+ parameters:
+ # depending on application that can cause issues
+ password_encryption: scram-sha-256
+ numberOfInstances: 1
+ volume:
+ size: "50Gi"
+ storageClass: "longhorn"
+ allowedSourceRanges: # load balancers' source ranges for both master and replica services
+ - 10.0.0.0/16
+ # requests:
+ # cpu: 100m
+ # memory: 100Mi
+ # limits:
+ # cpu: 500m
+ # memory: 500Mi
+ # create users
+ users:
+ # namespace.name: roles
+ hopps-dev.org: [ ]
+ hopps-dev.fin: [ ]
+ hopps-dev.openfga: [ ]
+ hopps-dev.keycloak: [ ]
+ databases:
+ # name: owner (namespace.name)
+ # namespace notation is part of user name
+ org: hopps-dev.org
+ fin: hopps-dev.fin
+ openfga: hopps-dev.openfga
+ keycloak: hopps-dev.keycloak
diff --git a/kubernetes/hopps/overlays/dev/secrets/az-document-ai-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/az-document-ai-secret-encrypted.env
new file mode 100644
index 00000000..d2ebe240
--- /dev/null
+++ b/kubernetes/hopps/overlays/dev/secrets/az-document-ai-secret-encrypted.env
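Review bot: `allowedSourceRanges` is only applied to Services of type LoadBalancer, and neither `enableMasterLoadBalancer` nor `enableReplicaLoadBalancer` is set in this manifest, so unless the operator's global configuration turns load balancers on, the `10.0.0.0/16` restriction is inert; if the intent is to limit which pods may reach the database, that needs a NetworkPolicy instead. The comment `# depending on application that can cause issues` above `password_encryption: scram-sha-256` does not say what issue or for whom; `# scram-sha-256: clients/drivers without SCRAM support cannot authenticate` documents the trade-off. `numberOfInstances: 1` leaves no replica to fail over to, which is acceptable for dev but worth stating in a comment so it is not copied into a production overlay unchanged.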
@@ -0,0 +1,8 @@ +APP_HOPPS_AZ_DOCUMENT_AI_AZURE_ENDPOINT=ENC[AES256_GCM,data:+edt3T40kOE0doDYokkP985ahKAeEIXg8tnBeuqsAKWSnxD++OZx+sUfky1KbRrgTiD7+I+hfw==,iv:Rf+x1l5cRk0+So+/x/f7xtE3Wi+OMNBuZNuKuoyZKsc=,tag:A+jLejhTAoKfxkvL5vNa7g==,type:str] +APP_HOPPS_AZ_DOCUMENT_AI_AZURE_KEY=ENC[AES256_GCM,data:X1BHnZm53e3L6Nn0lODbOa5b5FKLd6Zt/WnpUEJsozg=,iv:mkf01qFUWJL+Y2Yt22TbrjpoOEQxT01HomDYTHsz8Q4=,tag:5q3r3IyoanVz4erOp1x9Yw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYURMeFhkMWI4T0FxSy9W\na3B1MUw4cG1ydEFuYTduekxSeW05YkZjM1M0CkprcDBoTHQ5aHRJYjBIMFJYb3hS\nRy9YaXZPdVNweVA5UnRUVGUxZkc3ZU0KLS0tIE9Lak5pczlsQ01WY2hCRXA5aXZv\nNWg5Vmg3Qm81Wit1aW5mNWpSZVpOOXMKlaPu98Iz57EF0FNkRjUkYxk+R8uStbZ+\nocdP9o+xyifc/R/HrveooBKrwibvEi53Fq6LlB/OPkWvSChGiMYzkw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2025-01-06T13:28:06Z +sops_mac=ENC[AES256_GCM,data:CYd4sfrC95VcCC8efBM9NiZmdbshFf3WlEjb3OjSu25eNxP7OzGq4HmIsbAzPXNMeMZRUA9SDPvNHGxy4JFFUR8Ef2wYsXvB5iniV8tUHItxCAVpy0m+44EZQf2QkbS88VE+fYgSTrSN5d5YvoF+5V5BM6ELbf61l8DlFwADI5U=,iv:nXBOk826o+eCCyMq4fIG4sPnbPLkUl21cGPE9Anq1Gk=,tag:D7dIKR+IPMWUxEd6AGgmSQ==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.2 diff --git a/kubernetes/hopps/overlays/dev/secrets/fin-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/fin-secret-encrypted.env new file mode 100644 index 00000000..a6909e33 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/secrets/fin-secret-encrypted.env 
@@ -0,0 +1,9 @@ +QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:fb2ziAhB69XZzsKLyxOzOpDwD90LMfNOQnI0KzsxEQk6ujMz,iv:RlpdtUgQOE7wrYMkxbowmRBIYNDif/w9W6xjt3IlwbU=,tag:YSnT//aCcS+HyKInKV52YA==,type:str] +QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:nZELclNr,iv:VeKFi/LcWI5zcL8CfD/PDvr47vni7wT9bVIJSyJkUgo=,tag:vF9h9YKSxp/y1Avpi7G2/Q==,type:str] +QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:4ZRCeQ4jnJtRac28OjTMph41SvtvDM/C38w74Dnlbcw=,iv:OifUqjxjzow2CUv0q7qEY/WEc72c9/iE4v9II+DsBjg=,tag:N+7VgY4vIN2nv/I76XWDnw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dWYvNjhDSkJFR1BSd1FC\neDZDeE1pZjVybHhWTmtXWHNnMjU4RjJRY2cwCmQ4MVB6NlZQM1hwWGNSZTJ5aHJo\nOUR0REhaZXJTMm9rd3VTSTRQMmhBSWcKLS0tIEZReUQwNS9oSVpheVcwTHVSWDlQ\nSlJXUEJVTkprald4UW1hVkdkRnd3YmMKlv8jU1LlyZVm2zBs1/jHbWWuebEXoY6S\ni+SOIOMotqbqcNLGmbJ8tuewSMiJRfjeKQG9gjHNYxE5pn1Pf1O0iQ==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2025-01-12T15:54:01Z +sops_mac=ENC[AES256_GCM,data:dOGI5P7yDSRoDl8Yi/A2F/7CvtNJJwNamr9W0u7/u0RfW6dCiJI9hhCpWmp2AjmL6mN9AQEgBTykTI2KUhstNsuKmSuCnSqByhr8mZjHFtVSxXlOHOrHomBwbQX/jcDhzgwuUHXUqpjGXrrKy9buURfTtT+tXt/34FikSJlI9i0=,iv:dzhxO8USAGHm9mSG9fk3S4SdnJPu9tGoKOEz8dDb1fc=,tag:Eu13S2uy8VlSyya8dFWrmg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.2 diff --git a/kubernetes/hopps/overlays/dev/secrets/frontend-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/frontend-secret-encrypted.env new file mode 100644 index 00000000..d4eae9a0 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/secrets/frontend-secret-encrypted.env 
@@ -0,0 +1,11 @@ +VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:dZlUm9DMJjyC28ACLBYu2MszlXBqDg==,iv:GqV8OCoduYOCYND6Sg5uYDfVMSlzcxZsZJBYOA/gCF4=,tag:gxiNOI6O0LA9mwW6cILKfg==,type:str] +VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:fYbDpBk=,iv:1QluHnOejxFUGPe0c7IWUjgPPUfM9l05GUgRLMvRpGQ=,tag:zRYChmOabgXY3TjHh5yVzg==,type:str] +VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:2s3XRBD/ho8+FHNG84M=,iv:hqPmOp1n7M+MhBrhd2xFygkubK8yu9fes9y/j6KTu7Q=,tag:Ma2cCIyf2tx2OjgqTZDGSw==,type:str] +VITE_API_FIN_URL=ENC[AES256_GCM,data:UG2g4rpS+bL68qRd5ncDn5EjFoJXKI6aVZ5P,iv:HUScPVe0SVgUvq3/wsNDqSo+O1FWqsv60aDjhUJD2bM=,tag:+BCKqv6OlZtk+f9nmCsbPg==,type:str] +VITE_API_ORG_URL=ENC[AES256_GCM,data:UZ1dzzTwLERAlvkV1YYE8tlY+akCc6qlnvtW,iv:HaDkNcnscdmNkkDLbiXVaVUZQpa1hjGM/QKQGwxAuvE=,tag:yVisuxwPAXLMzyjZTLXazw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNlk4MkNTVDdMUk1KQ1Z4\neXB1TU9VVCsxSFdiN3F1SlVoUkxKYWZZcWcwCkhlS3BLczJ0MDJ3UCtZZFQwRmZK\neU5qMm0vYXIrc1ZkRnBpRGdoRnFpMWMKLS0tIEdGZ3VoQ3paakw3QmxRSTlzZUN1\nN2ZIQitVeGl1akFidmpQV1Q0cE0yTmsK4VG6kzPnnLirVdEGCV4RO1ZY9v7LGlK0\nRWXK6fX7MSq8oujKNdsqeP+3lkDU5+yoUrXHwRzfAV7MCtsZcL8b5w==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2025-01-06T12:56:10Z +sops_mac=ENC[AES256_GCM,data:A0JWmvk0x/33lF0sPCEyHQqlUaVgS2H9PhbdfXmcq5KOWsybinXJc6/QuWpHTBhrZbbqm4fBjDLRKlpE1dYU3IthNkcWBuIcXeou9FImj1bn/ZC6Dv1UI1EiLrCy350GFcrIWLAvM4HvICz4fC/1Pc67PPAl2pGj30+E/VJf16w=,iv:yDoipX/O5Smv7fqpYkMxMuZqodqAQNAkU9QdL+n/Rs4=,tag:FL8ysTJm/0yeiP2QaFNoog==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/secrets/kafka-ui-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/kafka-ui-secret-encrypted.env new file mode 100644 index 00000000..69d263ac --- /dev/null +++ b/kubernetes/hopps/overlays/dev/secrets/kafka-ui-secret-encrypted.env 
@@ -0,0 +1,7 @@ +auth=ENC[AES256_GCM,data:kwhxfFdp3+EgCYtNUJwvn2lPF1s2bt9B2hMZJHujiA/M+199olW+Emnx0A==,iv:3OfPMTFsZjKkJIjUOdat1jBWrovV1NReEJXRScLTejw=,tag:ONko/NriMNfAxMh9vKoCOg==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMDRub0l4SWdkeVVOcjBO\nYUEwQzFHbjc4RjdNRnZqV3VaZ1cxcyt6ZXdvCmhtbnhjeHUrbHV0K3gvekZGc2lK\nZWtmNEZLa3gyek95YlBVNHVGWVdzdlUKLS0tIDBNdXN0elVFQlhFR28xVjRGcjBr\nbnFzS3dXWW4reHlxd3k5MFFudnYyM0kKuu5eP0SELJeISAUC4Cl4jagICrh0gumS\ngCwE+HrzHIVMdLHLGGSCp6aWd0GgBXIUYdY9y3vNA7VVmJNhfhHnXg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-12-18T21:13:15Z +sops_mac=ENC[AES256_GCM,data:f4JbURgxgRaFPmzELjLqLAeBc2ITDO2II5BNHDQ8mEqPFvi/0tSzjh0Z/L7ZWQd4+ADRHQZMHZ3n8sHKl+6bC4I8OnkvKLExQ+zhSPQoyLJ0H5X0nXRrXsql4hOM1W2Wd8DcNlIyUgA1f8ZB7qFoAtpHuPmhHn5N5YBNI70gwMs=,iv:qnDOOThcTkC+5y6h2nBrYyjwxkfYrjb9a6zX8EGm//k=,tag:DJ5yeROIMBCKxKXmdPqkzg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/secrets/openfga-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/openfga-secret-encrypted.env new file mode 100644 index 00000000..3ba62521 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/secrets/openfga-secret-encrypted.env 
@@ -0,0 +1,7 @@ +uri=ENC[AES256_GCM,data:2DPudSRROl7ECpui938OcWmxzLNtaxpPy4b3ww2OtE5D4wMMUKZNlh3DYvk774a3LqLbScOjmSrIC4SgSLdf1W5CwZyXocAaVbd/VEdffZydmGKeBisozPhR3hvWNrqmgiSkV6Uuva5PpMAibjD36CVXSW7gvC85d6JuPqQhNtP/RLYgGTSLdVkw5w==,iv:rm8azi6y765zP4nOsgvH9Lkqa53rLdQAMMJ2H2UIGMA=,tag:t88aXyZAoREujOn7gstRww==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRzFhOTQrcG5sZ3FucUFU\nMm1vc1JwZmN1bDRXL0owcXVhekplcTNWU0ZBCkhVT3phMFJCZldCTm81U21abFhn\nRFdSblNFT1M5MlVnNlRZbjNwdiswYTgKLS0tIHdRM1FkdU1KN0x2YklISitKR01W\nTlRENFUvQkdQU2xvR3BzMXFKaTdsR1UKYWIgrxYOMQVVNlXCsCLIGxUHAH4SeHxZ\nZwjH8eq5xUNFh9tshDJ1PQZ8QT9NWZKkyNvzp67H8udL8hve3Hujog==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-25T21:11:35Z +sops_mac=ENC[AES256_GCM,data:ELg0s8d4ItMFWs7umjBWsyLtbaILmOjShSnmOmkMj1lHWGkmm2hZMp1V0FI5dZbR5MenAY2rrnPPcKnGHe17X/YCZCE2iUyIQS0QxxJOfn3Fieanj3sFhEyWNv8ZOOZA8c4l7yCZH2shAh3B6P36H8TYfMOuEbcU+7Eq6Hffjqo=,iv:OsaDMjAx93QrwtwHB84HwnGB3Bj1R12/30vl/nxJjVQ=,tag:rvqSk2a0w1Jhx16i+uJcLw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/kubernetes/hopps/overlays/dev/secrets/org-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/org-secret-encrypted.env new file mode 100644 index 00000000..c64ff820 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/secrets/org-secret-encrypted.env 
@@ -0,0 +1,15 @@ +QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:xA673hEvt7Seouf1k6Zitk5ZChF1o9Ct6E4uj9HvwVyXmoTa,iv:qbXDFoAgqCwHuzfXQTyj/qjvtqb54gSwfEFYHpdJwuY=,tag:ChDZVNH5g/aQNktGHtn+bA==,type:str] +QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:9K++UX88,iv:kTr8q5d+OYNmy83L0oBiawBlX45r71Cx2K8ou6rGPr4=,tag:/B7GSi2YN8pa5N8q3LXbAA==,type:str] +QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:drNPMTCzROgXQV2Gh0fNU7Ju5TwY2FjXxGwpaclkK2s=,iv:umA0A38UCyBCfaeIBfsALoQ2oqMEIrx54DprHewFz3w=,tag:/irDFWGAenbCJTuGQoGPiA==,type:str] +QUARKUS_KEYCLOAK_ADMIN_CLIENT_SERVER_URL=ENC[AES256_GCM,data:g0+OzXR+lRtQ+BdbAgfB38c9eoTdRg==,iv:yuUb2W1lnhrObJfO0jtnZkcTYw61TWhljevCFl2lt8Y=,tag:Df3zjjdHsh1YvceemMrtIg==,type:str] +QUARKUS_KEYCLOAK_ADMIN_CLIENT_REALM=ENC[AES256_GCM,data:5lweKos=,iv:GEmtsH6+gA5oCpv7p3vZEsHF5ZjObeKyjkJCMIycx5A=,tag:wuxf8aeMT5qqiowz5a3VIg==,type:str] +QUARKUS_KEYCLOAK_ADMIN_CLIENT_CLIENT_ID=ENC[AES256_GCM,data:UNrCHdA=,iv:YjUM3xDp4zQNydxrlIVkCyfrEN0vlKzwME2C2HWsyLQ=,tag:F3ti320bts38eZ/7YP++Pw==,type:str] +QUARKUS_KEYCLOAK_ADMIN_CLIENT_CLIENT_SECRET=ENC[AES256_GCM,data:01KOO38sk3g7uMMet76y9zZl2njXc/HkuHWdbWStOQw=,iv:jmgrVZLufxhWBA7Dvo2jiGX7jw4WoQ63ZhkCQvqFzcE=,tag:j+QDJie2Nufq2E4t5HhFjw==,type:str] +QUARKUS_KEYCLOAK_ADMIN_CLIENT_GRANT_TYPE=ENC[AES256_GCM,data:lCINnC4yut4W9ndDyQG4WbwL,iv:F7g76kqKGlGeYi+SlrpwNj/Cpibm69ykEKLjPoyBrJo=,tag:7HtYqNvDjNtK42ZFyBgH7Q==,type:str] +APP_HOPPS_ORG_AUTH_REALM_NAME=ENC[AES256_GCM,data:LMEW7Gg=,iv:h5nF/x2XH1FlVNaPOT6bg7RGIt/sX5rsCi/my0VJTps=,tag:0XE5osc2fSC/QWLXLoZsWQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSmFZU05UcE5Sb3BqUldS\ndkc2Z1lmMUxXZzNxUUV5ZkF4SzVGNGVkZUc0CmRJWFBsWmszOHA1QUR5MUthdlpt\nMUZFenJ4ell6MHdOSVRkWTJtSHlMelEKLS0tIFVzVWhhcEdiaHVQcHN0TEJnbzRm\nQ05BZHlJWTlhaGVzNEE5TEhXQXlLemcKmHQEyb6MtxyzJ+twpZkZQ8nHTE1igSO5\n/l7IwEqmQcruZCpb/6YIt93oZGVk2BTyCIWiRjKGH392P+ztMExtjA==\n-----END AGE ENCRYPTED FILE-----\n 
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2025-01-12T18:26:32Z +sops_mac=ENC[AES256_GCM,data:veTPN2xkucTwZcKMp0WIi7u9ScbWxXjtGZHZVvRKT3VlBjidkgIi1KG7O9zGiD3GuwrlxXmk2ZrvAvdoaOXQGbRgU0rslk03sgBqNyjKt3cyUkZMGaPLM1fHWSaX5C3kJPPnjJWImahlttokSE05Rlgg4qAJZ8anhgN6JjFzE/o=,iv:3XsAwkSHUXwRu2y0VCpxTtpLmcunMXow7bChhBeFraQ=,tag:LbPvgP8A+UdZwIE1z69pVA==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.2 diff --git a/kubernetes/hopps/overlays/dev/secrets/postgres-cluster-secret-encrypted.env b/kubernetes/hopps/overlays/dev/secrets/postgres-cluster-secret-encrypted.env new file mode 100644 index 00000000..24674e17 --- /dev/null +++ b/kubernetes/hopps/overlays/dev/secrets/postgres-cluster-secret-encrypted.env @@ -0,0 +1,8 @@ +AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:8g==,iv:vs285td1wKGv5q/1NSv3rkwm/Dz00jWOUaHYPXPHC40=,tag:CECroZh5x7J03ja8UBFcXQ==,type:str] +AWS_SECRET_ACCESS_KEY= +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEN3JRUTJkWHNOZWNrYjZ3\nY3B5bHg0dlhsWHpKK0EweDdEN0U4UlhaV1FnCkNrM2UvWm1IZ1I5bGZyRVhyMnBG\nMEQ5VnJLMGQydTJUbEU4Z3B5MDZGSXcKLS0tIGhoR1NQanhydVRxVEI1Mk9BWFYr\nVllKQmR0QUVISDBybWN1NkY2ck5OaGsK6wiyqIAQh8R5hvs85bAIMBK30QY/nZjf\nL8m7NJ8/xW1t+0TLNj1w3xFSnhZ8fOoOVqJXv39wIvu3sp+QIoQmCQ==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s +sops_lastmodified=2024-11-25T21:07:37Z +sops_mac=ENC[AES256_GCM,data:9YmNxKJMPncAG2DUwfnudEkrp4VFl0gto/oyRM/BtiHITIV1mHRj1x+6L/9WFhbAJQWmT49KetMkywvCH5e/XOe/9mxPm2L1zwCml+QKa7hMAG41KOV7X2A1e07w4NcOD5+6fNV3YoqMKQzfMPUD2FalGUX35yH+bgC4VuBqZL0=,iv:EAD8vTA75Gsjd5PHI+lIiy4IxI3dJCwX+fFTOWVUFYc=,tag:+l1Ai1LopNYlINEwjmPW9g==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1
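Review bot: In `postgres-cluster-secret-encrypted.env`, `AWS_SECRET_ACCESS_KEY=` is empty and `AWS_ACCESS_KEY_ID` has a one-byte ciphertext (`data:8g==`), so this looks like a placeholder rather than a working credential; SOPS apparently leaves empty values as-is, which is why that key shows in clear. If backup/WAL shipping is not configured yet, the `postgres-operator-secret` generator entry in the dev kustomization could be omitted until it is, or the intent recorded there with `# placeholder: backup credentials not yet provisioned`, since a Secret that exists with empty values fails later and less obviously than a missing one. The `sops_version` differs between files (`3.8.1` vs `3.9.2`), which is harmless but suggests re-encrypting with one tool version when the values are filled in.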