🔐 weaveworks secrets

2025-09-17 18:24:14 +02:00 · 2023-09-14 13:46:43 +02:00
parent 0c193d4f53
commit 608837d803
6 changed files with 26 additions and 34 deletions
--- a/kubernetes/apps/flux-system/addons/notifications/github/externalsecret.yaml
+++ b/kubernetes/apps/flux-system/addons/notifications/github/externalsecret.yaml
@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+    name: flux
+    namespace: flux-system
+spec:
+    secretStoreRef:
+        kind: ClusterSecretStore
+        name: onepassword-connect
+    target:
+        name: github-notification-token
+        creationPolicy: Owner
+        template:
+            engineVersion: v2
+            data:
+                token: '{{ .GITHUB_NOTIFICATION_WEBHOOK_TOKEN }}'
+    dataFrom:
+        - extract:
+            key: weaveworks
--- a/kubernetes/apps/flux-system/addons/notifications/github/kustomization.yaml
+++ b/kubernetes/apps/flux-system/addons/notifications/github/kustomization.yaml
@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./externalsecret.yaml
  - ./notification.yaml
-  - ./secret.sops.yaml
--- a/kubernetes/apps/flux-system/addons/notifications/github/notification.yaml
+++ b/kubernetes/apps/flux-system/addons/notifications/github/notification.yaml
@@ -9,7 +9,7 @@ spec:
  type: github
  address: https://github.com/auricom/home-ops
  secretRef:
-    name: github-token
+    name: github-notification-token
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/alert_v1beta2.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta1
--- a/kubernetes/apps/flux-system/addons/notifications/github/secret.sops.yaml
+++ b/kubernetes/apps/flux-system/addons/notifications/github/secret.sops.yaml
@@ -1,28 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-token
-    namespace: flux-system
-stringData:
-    token: ENC[AES256_GCM,data:MijeX3Zk62v/9zLNbXCRKv/qCcW60y6doQeMwVbGEEgd1x2GK0M5Sg==,iv:5dRwHdb40jD/hyNow9iZco4WglmzcbSEOTN0iI3kHyc=,tag:+mBUypMeV1rvh9HsxyTkMw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ0wxZy9rTERQZzRhVkJQ
-            azZDZ3dxMzZMTGovQWhSNHFiblB0OGRFRnhrCjZFRTVXaWNoSHF3VnRJNE1vRVhi
-            Sm92RWtVOFZWQldiaER2TnBXcldTclkKLS0tIDk5bkNwem5SOE14T3VKWTdISzMr
-            c0xvS1hoZ2ZUbyswUDJmWTQ5cUJIL00KOzoh9t/QtMJ3DXzagZNz5MbuqK8mtx2N
-            apAGT2tSzS9e2Pl8OruH57SGs972wHJQ9pnIHdbzhHkviIChUVApmg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-12T22:06:51Z"
-    mac: ENC[AES256_GCM,data:HNY3DtP5mX1ivOOnuv8hBnKhQIXiH7NLLiRh7rloHNMhq5NY1a1BnaS7FMhUq3vxcE9XMgvG7A/gLKI3diezS779vaiSrpnHS3cbb45J0hGB1bqOrkhAV+BQgOiPL6hrv2ouA2VK1VOin9z7kBzXCIOh9UnZmNi0H/Qy6e/45X4=,iv:5fbAnwGoKAYFcFhf5Di6epWvNZgwyX71QJQSN/Krt/k=,tag:Mu+KOOea1XkYJtO1HawxPA==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3
--- a/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
+++ b/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
@@ -15,7 +15,7 @@ spec:
    template:
      engineVersion: v2
      data:
-        token: "{{ .GITHUB_WEBHOOK_TOKEN }}"
+        token: "{{ .GITHUB_SYNC_WEBHOOK_TOKEN }}"
  dataFrom:
    - extract:
-        key: flux
+        key: weaveworks
--- a/kubernetes/apps/flux-system/weave-gitops/app/externalsecret.yaml
+++ b/kubernetes/apps/flux-system/weave-gitops/app/externalsecret.yaml
@@ -15,7 +15,7 @@ spec:
    template:
      engineVersion: v2
      data:
-        adminPassword: "{{ .WEAVE_GITOPS_ADMIN_PASSWORD }}"
+        adminPassword: "{{ .password }}"
  dataFrom:
    - extract:
-        key: flux
+        key: weaveworks