diff --git a/apps/portfolio/base/deployment.yaml b/apps/portfolio/base/deployment.yaml index 82bb7c6..872be03 100644 --- a/apps/portfolio/base/deployment.yaml +++ b/apps/portfolio/base/deployment.yaml @@ -19,4 +19,6 @@ spec: ports: - containerPort: 8080 name: http + imagePullSecrets: + - name: registry-credentials restartPolicy: Always diff --git a/apps/portfolio/overlays/prod-sites/kustomization.yaml b/apps/portfolio/overlays/prod-sites/kustomization.yaml index 1fd29f2..d386e71 100644 --- a/apps/portfolio/overlays/prod-sites/kustomization.yaml +++ b/apps/portfolio/overlays/prod-sites/kustomization.yaml @@ -2,8 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../../base -- ./ingress.yaml + - ../../base + - ./ingress.yaml + +generators: + - ./secret-generator.yaml + images: -- name: registry.int.nc.landry.land/portfolio-site - newTag: latest + - name: registry.int.nc.landry.land/portfolio-site + newTag: latest diff --git a/apps/portfolio/overlays/staging-sites/kustomization.yaml b/apps/portfolio/overlays/staging-sites/kustomization.yaml index 198caf8..d7a1b40 100644 --- a/apps/portfolio/overlays/staging-sites/kustomization.yaml +++ b/apps/portfolio/overlays/staging-sites/kustomization.yaml @@ -2,8 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../../base -- ./ingress.yaml + - ../../base + - ./ingress.yaml + +generators: + - ./secret-generator.yaml + images: -- name: registry.int.nc.landry.land/portfolio-site - newTag: staging + - name: registry.int.nc.landry.land/portfolio-site + newTag: staging diff --git a/apps/portfolio/overlays/staging-sites/secret-generator.yaml b/apps/portfolio/overlays/staging-sites/secret-generator.yaml new file mode 100644 index 0000000..5585ab1 --- /dev/null +++ b/apps/portfolio/overlays/staging-sites/secret-generator.yaml @@ -0,0 +1,14 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + # Specify a name + name: registry-credentials-secret-generator + annotations: + config.kubernetes.io/function: | + exec: + # if the binary is in your PATH, you can do + path: ksops + # otherwise, path should be relative to manifest files, like + # path: ../../../ksops +files: + - ./secret.enc.yaml diff --git a/apps/portfolio/overlays/staging-sites/secret.enc.yaml b/apps/portfolio/overlays/staging-sites/secret.enc.yaml new file mode 100644 index 0000000..0998557 --- /dev/null +++ b/apps/portfolio/overlays/staging-sites/secret.enc.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +data: + .dockerconfigjson: ENC[AES256_GCM,data:RIimNUrojlf4Zpni6l0TICs9z02YbzCCgYZDPy6xOXtI3PTGWUYvE86pKTZCHAkqX6uLOr7fSIYlbjqfCPcVSGse94899ogREzYeg9T0Zp+WgDiZ6PekYbf3Z/rFElD5cFisbF/KR6Rjj1dcOOLQwdmJUBW9zAkub7f4cK9RvSuXIpLObpEW9E5Xn0W6clltsIW0FpZehpF/IHFb9j+IWvplStvP0j8TgqKgQw6CFBlINQpFHSFfcM5bveo=,iv:+XJZfDKZtmDcSBkB5xdm1LCy+Y1xh2decMBde68l1Ig=,tag:exTR3cIab5O3c01Y8XERiA==,type:str] +kind: Secret +metadata: + name: registry-credentials +type: kubernetes.io/dockerconfigjson +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNGRXSFo1dWVZM01Pbmwr + TXdPOFJkRFpXc1M3enJZN1pLM2pKVEpYRzNVCjY3bTBIUE1zYkFnZnF1cDFiVHo3 + LzFJWUF1Uit4b0lnNjlaM1JKemhaalEKLS0tIGZwQVhBQTlwdWp3OHlNUzkxZTBa + TUZpMW5oUzZFNmVGS3JFQmtpVlduOUEKuFEpnT+4k3RyECGvNFQJnmTUdaHvKCdt + iJ0H9Ssjot7MeZZQoljwbyQiDeU1UH0iAIdVV7ldjErx34MKJRu79A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-19T16:19:04Z" + mac: ENC[AES256_GCM,data:wqC8cswdI0vBcFtkUpkIIv9ywuxiU4uTdMUTstDDeqWnsvQumdhLmO5wffpOfqumekGDgqnJQJVj9c7XvDm3iyJmJ0rQ6zS8Rpgexn0X1C8X+D8yzapFAeScHL+5dbUgHgUlxhOAP4xBecGWCkauWf7vml4X1OjRt7QA13Bg214=,iv:4425rHJIP43zWTmBHmJlhOyk0ja1mb4b5P7dEs6Q9/w=,tag:oTSlNqYPFJt7wZ+uxWvLGA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1