feat: implement secret management with SOPS

pkg/enc/secrets.go.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> mlkem768x25519 cYiJfHWipORzmkN1ltuNeQ+kEmMNZsQO8WGYRNgc5Gzd33AbnzswSzfDC16dfA5xLlu9397QgmSfgRxG6xD8e7N/MFLSUZRX16wVdV6Dl7GpOF/m/0fOwhSpdKKEJKW8NrwR/Ju6CSfzKtgPGL5qsRoWBSdgOLdkA+6W3DlUwfxHArVaJMNYvHP4E5XGnaVAzFUNYkTpGgJgTBATWP8C0M2kpEARMsTNjXgDPmgvjsvk/Xo5H81S6RiqmxdHIt9gN3y/rjNlOwRFAKk3uHxzzfbW5zGRZAisy4RPRdT9G121xWJmajnFGM9bEJcalbwI6N9w8A48oJfRgOGo0ecLCBEnkEq2OHamKzEZMj6CDgByvZL49BycJQpJ9ijNykZBnCgUPaM4SsqTj9affd2gxsLNHcvLNTmN/vUqkKQXD9bllnwyJ0Pz7t5Lg/tbfDfILCzgcgWGY8KtHDjHV1OTNdoROdrW+aEI95mpqtnkT1gzzcVTZ3ozD3Glkzm8sPBwGjhpARNRpI96eeBUnpgN8dYXpQlV3Gqxl5TEsdBkiVOtII0OaQeg/iW8eh2FTU8/Dg8xjWsyen2abhImROt4TnIvqGmhesLdKguyWa/miAh8flr4CazWpB5Pk2kD+DXUIWsEQCyaZMTZRhuGIBpbguyRbOyx2rCxWWTCevTwl99TQdI1nfu8dfR9jB+DhrTnak7rwLJej0D2jD0iQQ4J1KCNP4knQfR86ujVT4A5J6uU4giA7Hu9np/+JXmZjOl0rethtaq035a405a4uBbNAPn9lzefOC2yULMxM0P8GCWbezr3k9chFCNS9bsMZh/FdgtY7kJxqJOW75zlgm/6pos0Bj45/zFwOyM71y30dOgc7Ex51cKeHRBtYtgsItrNVwkM0DfCH9VU6GgRzMVCq4RrnUT0o3xARfIFaEL3zZD/KoarhMaINEva88tvbf+zm2lDZoW1EsrT2dGKEJzMqZdqC0NjJwOrGHJwh6wy1cRdtEZrGR8zzyAfYAW0XqgfHMljJ5QRgRbqBpqrGthP+3r5fdyWA+5z2Z4cWV2nBSpV0FlPVgxGRnxNMG1zgpeBt8JdAkftgat1AvCZzgSIw1jQJP+Win5DRewK+qzBBIdkPYYawwLPOO6aeG0ahwge0pMQY17F96Y3tw5mi5fHmh+/ms7yG6CJ/4WxdxgbvX2kUpUckT5ZLoAVLn9fAm5Jg4XVyj0z1anTKD8Gjyabaogfk8bHeNZByjo7qbEYHpf/apBFEbg0vgoC85JtmiqfpegTLhHuEaux/V0xCgIfNPHPiYOTQs3Ij//8ALWn3ZBbCg2pZ4I6y0wKtI46vcuVHThy8vWL992a7v601WyfPuB2ZAYpcAy0KU3cEJTQ1Jcc5nqTpT01nVJ3MZLQ5D1Zll+l8WtPYLgTlAEc+qulXReT/Z64clLAdJrdn4wwjBAs5S2RcWWF1CKDG9HJfKFiLA/qeTJDthUYbUQt/FBZew
+TIif8yenxheEYQcu8isoeyPZ4GUTSjgR/0UOALrhBo4
+--- ahXiHd/RR2JyVd0AB0/4LC5QBkPbfmuXj77awnvz/eQ
+g»NfL	oÉ’:‡úç�R²^àÌ9§ª^€Œ±º0ðSJ¥Ù&N„%…x ØÙ¥Š,¨Ô'ßë4!‡•íš\<Ó–¦I£=ýD·Ì´ÏR]rœ¨:Çédpµ¬çæÎð%›íÏ´»xh•ã¶w¬ªÌ-pGÖÖºžÒþ„h»á‹yšþû›©“TôÍLÙÐNI]ýÉj$ ætà1%¡GÃ8±ïÆŽ/_¹à
¼U?¨‘i,ΑOhˆöÂüÙØnE‘¥ñS°r§>ðÙ¨dñ˜z¦½•øœ…ί_+¶à6u¾š:µ¸Å61gnçÄ€9•eý¡…ªOøðHª*–

pkg/flux/flux.go

@@ -7,6 +7,7 @@ import (
 	"danicos.dev/daniel/go-kube/pkg/stack"
 	"danicos.dev/daniel/homelab/pkg/root"
 	kz "github.com/fluxcd/kustomize-controller/api/v1"
+	flux_meta "github.com/fluxcd/pkg/apis/meta"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -28,6 +29,12 @@ func Apps() kz.Kustomization {
 	retryInteval := durMin(1)
 	timeout := durMin(5)
 	spec := kz.KustomizationSpec{
+		Decryption: &kz.Decryption{
+			Provider: root.FLUX_DECRYPTION_PROVIDER,
+			SecretRef: &flux_meta.LocalObjectReference{
+				Name: "sops-age",
+			},
+		},
 		Interval:      durMin(10),
 		RetryInterval: &retryInteval,
 		Timeout:       &timeout,

pkg/linkding/linkding.go

@@ -8,6 +8,16 @@ import (
 	core "k8s.io/api/core/v1"
 )
 
+var Secret = struct {
+	Name                 string
+	SuperUserKey         string
+	SuperUserPasswordKey string
+}{
+	Name:                 root.Linkding.Name,
+	SuperUserKey:         "supe_user_name",
+	SuperUserPasswordKey: "supe_user_password",
+}
+
 var meta kube.Metadata
 var Namespace = kube.Namespace("linkding")
 var srv core.Service
@@ -36,6 +46,10 @@ func deployment() apps.Deployment {
 	envMapping := map[string]string{
 		"LD_CSRF_TRUSTED_ORIGINS": "https://link.danicos.me",
 	}
+	secretMapping := map[string]string{
+		"LD_SUPERUSER_NAME":     Secret.SuperUserKey,
+		"LD_SUPERUSER_PASSWORD": Secret.SuperUserPasswordKey,
+	}
 	pod_spec := core.PodSpec{
 		SecurityContext: &core.PodSecurityContext{
 			RunAsUser:  &root.Linkding.SecurityContextID,
@@ -47,7 +61,7 @@ func deployment() apps.Deployment {
 				Name:            root.Linkding.Name,
 				Image:           root.Linkding.Image,
 				SecurityContext: root.ContainerSecurityContext,
-				Env:             kube.NewEnvVar(envMapping),
+				Env:             kube.NewEnvVarWithSecret(envMapping, secretMapping, Secret.Name),
 				Ports: []core.ContainerPort{{
 					ContainerPort: root.Linkding.Port,
 				}},
@@ -64,4 +78,4 @@ func deployment() apps.Deployment {
 	return kube.NewDeployment(meta, pod_spec)
 }
 
-// kubectl --kubeconfig ~/.kube/hydra -n linkding exec -it linking-67f686679d-2tfrk -- python manage.py createsuperuser --username=daniel --email=danicosme@pm.me
+// kubectl -n linkding exec -it linking-67f686679d-2tfrk -- python manage.py createsuperuser --username=daniel --email=danicosme@pm.me

pkg/root/root.go

@@ -5,15 +5,21 @@ import (
 )
 
 const (
-	HYDRA_CLUSTER  = "hydra"
-	HYDRA_HOSTNAME = "hydra-0" // VPN Host
-	GITEA_HOST     = "danicos.dev"
+	HYDRA_CLUSTER         = "hydra"
+	HYDRA_HOSTNAME        = "hydra-0" // VPN Host
+	GITEA_HOST            = "danicos.dev"
+	TMP_FOLDER            = "./tmp"
+	SECRETS_FOLDER        = TMP_FOLDER + "/secrets"
+	GO_SECRETS_FOLDER     = "./pkg/secrets"
+	GO_ENC_SECRETS_FOLDER = "./pkg/enc"
 )
 
 const (
-	FLUX_NAMESPACE          = "flux-system"
-	FLUX_APPS_HYDRA_PATH    = "./apps/" + HYDRA_CLUSTER
-	FLUX_CLUSTER_HYDRA_PATH = "./clusters/" + HYDRA_CLUSTER
+	FLUX_NAMESPACE               = "flux-system"
+	FLUX_APPS_HYDRA_PATH         = "./apps/" + HYDRA_CLUSTER
+	FLUX_APPS_SECRETS_HYDRA_PATH = "./apps/" + HYDRA_CLUSTER + "/secrets"
+	FLUX_CLUSTER_HYDRA_PATH      = "./clusters/" + HYDRA_CLUSTER
+	FLUX_DECRYPTION_PROVIDER     = "sops"
 )
 
 var (