
feat: reimplement old Ansible secrets management in Terraform

Change-Id: Ibf6ba53364e5def4f83be9696d556494b6312574

Khue Doan 03b78286 ca5cb5d3

+213 -10
+28
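--- a/infra/modules/secrets/main.tf
+++ b/infra/modules/secrets/main.tf
@@ -0,0 +1,28 @@
+locals {
+  sources = {
+    for k, v in var.sources : k => v.random ? random_string.random[k].result : v.value
+  }
+}
+
+resource "random_string" "random" {
+  for_each = { for k, v in var.sources : k => v if v.random }
+
+  length = 128
+}
+
+resource "kubernetes_secret" "secret" {
+  for_each = var.destinations
+
+  metadata {
+    namespace = split("/", each.key)[0]
+    name      = split("/", each.key)[1]
+    labels = {
+      "app.kubernetes.io/managed-by" = "Terraform"
+    }
+  }
+
+  type = each.value.type
+  data = {
+    for k, v in each.value.data : k => local.sources[v]
+  }
+}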
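Review bot: The generated client secrets in the `random_string` resource are not marked sensitive, so each 128-character value is printed in clear text in every plan and apply output and in CI logs; `random_password` takes the same arguments and produces the same `result` but flags it sensitive, so `resource "random_password" "random" {` together with `random_password.random[k].result` in the `locals` block is a drop-in replacement. Either resource keeps the value in state, so the state backend still has to be treated as secret storage. The default character set of `random_string` includes punctuation; if any consuming application restricts the client-secret charset, `special = false` is the knob, which I cannot confirm from here.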
+24
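--- a/infra/modules/secrets/variables.tf
+++ b/infra/modules/secrets/variables.tf
@@ -0,0 +1,24 @@
+variable "credentials" {
+  type = object({
+    client_certificate     = string
+    client_key             = string
+    cluster_ca_certificate = string
+    host                   = string
+  })
+}
+
+variable "sources" {
+  type = map(object({
+    random = optional(bool, false)
+    value  = optional(string)
+  }))
+  default = {}
+}
+
+variable "destinations" {
+  type = map(object({
+    data = map(string)
+    type = optional(string, "Opaque")
+  }))
+  default = {}
+}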
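Review bot: `sources` carries the secret values themselves and `credentials` carries a client private key, yet neither variable is declared `sensitive = true`, so both show up unredacted in plan diffs; adding `sensitive = true` to each block fixes that, with the caveat that a sensitive `sources` can no longer drive the `for_each` in main.tf directly, so that expression would need its key set wrapped in `nonsensitive()` (sensitive values are rejected as `for_each` arguments). The object type also admits an entry with `random = false` and no `value`, which only surfaces later as a null in the kubernetes secret's `data`; a `validation` block rejects it up front with a clear message. The destination keys are likewise assumed to contain exactly one `/`, which a second `validation` could enforce.
```hcl
variable "sources" {
  // … unchanged: type …
  default   = {}
  sensitive = true

  validation {
    condition     = alltrue([for k, v in var.sources : v.random || v.value != null])
    error_message = "Each source must set value or random = true."
  }
}
```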
+17
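--- a/infra/modules/secrets/versions.tf
+++ b/infra/modules/secrets/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+  required_version = "~> 1.8"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.37.1"
+    }
+  }
+}
+
+provider "kubernetes" {
+  host                   = var.credentials.host
+  client_certificate     = var.credentials.client_certificate
+  client_key             = var.credentials.client_key
+  cluster_ca_certificate = var.credentials.cluster_ca_certificate
+}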
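Review bot: main.tf depends on the `random` provider, but `required_providers` declares only `kubernetes`, so random is resolved implicitly with no version constraint; the lock file in this commit confirms it, recording random 3.7.2 without a `constraints` entry. Declaring it next to kubernetes pins it explicitly: `random = { source = "hashicorp/random", version = "~> 3.7" }`. Since the lock file was produced by `tofu init` while this block uses `required_version = "~> 1.8"`, a one-line comment stating which tool the module targets would save the next reader a check.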
+58
infra/production/oracle/secrets/.terraform.lock.hcl
··· 1 + # This file is maintained automatically by "tofu init". 2 + # Manual edits may be lost in future updates. 3 + 4 + provider "registry.opentofu.org/hashicorp/kubernetes" { 5 + version = "2.37.1" 6 + constraints = "~> 2.37.1" 7 + hashes = [ 8 + "h1:UWJPvQZxW9Q6mxtUvIdnapPE8s8o4a2HUo53OInq9p4=", 9 + "zh:22031e9995b3dc7ae497305dc6c5b7bf1a585c378d46446e724601f992cd9e11", 10 + "zh:3614bc188ae5040d892671009c66f56cfcb3859e11f42ed7ffc1cee384b1275b", 11 + "zh:5d925944ac961bbe5fb4917a3e7e6d9bc0bef2f3198f26e8d4cd1793d5eadde3", 12 + "zh:67a86d1576eb67a58cc68f47bffd370b2f834fd909980acdab38a9b9b2c1c809", 13 + "zh:90c34fe321f937b34392bdc6ee1f9fa42db1c5ff93341c58a96a8a0c1f18327f", 14 + "zh:943b0fb6db1ce3b64e177f74ae7931f485ef47713df861f0e98d6838e75087ff", 15 + "zh:9c6f0164bf64b0d7baac29bc74aa0879956cec6dc28a7f52b2582c9deffb8c21", 16 + "zh:b1d555c2977a2d7c689f88b9f4b8db24c104692b9233191719d1b10ca724f159", 17 + "zh:c4d2ce2148a55d7d7dc5986f02119cc71ccb86ec1e96773f4c9430fd2944fda4", 18 + ] 19 + } 20 + 21 + provider "registry.opentofu.org/hashicorp/oci" { 22 + version = "7.10.0" 23 + hashes = [ 24 + "h1:fte2iarPJxuqm8S5AJTgY/eEQnH6LS/qVRxmDkBie4s=", 25 + "zh:03ad7ab20c4aa4a496cedb29cc439cb6e6c6eadcce964a44c227d605a30aec0f", 26 + "zh:08184bf3df20ab6f2bc764f28cefc356090d34bdf02c41ab91939d91f7462c3c", 27 + "zh:0bafa208306be66d0f92d17da7eed0f981543d7d0720462da167795e54f9a1c5", 28 + "zh:14204946c0e462544961eaf8cf07e069c2543c34559efca6a6b8df297c2b9195", 29 + "zh:19c1e56a372167a1a85accc5d0dc9d5db4cbec9e980928d1914c278a8216150c", 30 + "zh:43a10dc7af9ea197a869d24b15013f833c3dc8fa7b90ce0716629df5ee18ef29", 31 + "zh:5bac0be19c09b6537f3db92c60226510b550a074bf1add49b0a8af5314f345e0", 32 + "zh:614d30d3ade2eeda2c2d0e3a03d50b754d48c6f29d952f8a88bc036bdeeccfd5", 33 + "zh:7050fa97d107812799e4c1f708c92fb6e7f2af11f646184937acc8d006a9e911", 34 + "zh:7b6803021b83a39283d06942a349bf6ba5d04107de620f39a3e41730ac303cda", 35 + "zh:85b583aef078998ff5e1b4a147e1c672fd9ce2da3581440c374dbe6fc88217e5", 36 + 
"zh:8f09b98d0650af0ea1c124ab00d359cc1864f947e6e990f1f51275188ade072f", 37 + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", 38 + "zh:a239d6c426ea34c41e22ef9d997592c0afebebb8154252e6ed0ab0e3e12a0b56", 39 + "zh:ee23f693a06359b453d4a988e21bfd8df96ef82c2403ad7458d2b6b59a114359", 40 + ] 41 + } 42 + 43 + provider "registry.opentofu.org/hashicorp/random" { 44 + version = "3.7.2" 45 + hashes = [ 46 + "h1:cFGCdxTlsrteTiaOV/iOQdql7eJkD3F/vtJxenkj9IE=", 47 + "zh:2ffeb1058bd7b21a9e15a5301abb863053a2d42dffa3f6cf654a1667e10f4727", 48 + "zh:519319ed8f4312ed76519652ad6cd9f98bc75cf4ec7990a5684c072cf5dd0a5d", 49 + "zh:7371c2cc28c94deb9dba62fbac2685f7dde47f93019273a758dd5a2794f72919", 50 + "zh:9b0ac4c1d8e36a86b59ced94fa517ae9b015b1d044b3455465cc6f0eab70915d", 51 + "zh:c6336d7196f1318e1cbb120b3de8426ce43d4cacd2c75f45dba2dbdba666ce00", 52 + "zh:c71f18b0cb5d55a103ea81e346fb56db15b144459123f1be1b0209cffc1deb4e", 53 + "zh:d2dc49a6cac2d156e91b0506d6d756809e36bf390844a187f305094336d3e8d8", 54 + "zh:d5b5fc881ccc41b268f952dae303501d6ec9f9d24ee11fe2fa56eed7478e15d0", 55 + "zh:db9723eaca26d58c930e13fde221d93501529a5cd036b1f167ef8cff6f1a03cc", 56 + "zh:fe3359f733f3ab518c6f85f3a9cd89322a7143463263f30321de0973a52d4ad8", 57 + ] 58 + }
+73
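--- a/infra/production/oracle/secrets/terragrunt.hcl
+++ b/infra/production/oracle/secrets/terragrunt.hcl
@@ -0,0 +1,73 @@
+include "root" {
+  path   = find_in_parent_folders("root.hcl")
+  expose = true
+}
+
+terraform {
+  source = "../../../modules//secrets"
+}
+
+dependency "cluster" {
+  config_path = "../cluster"
+}
+
+inputs = {
+  credentials = {
+    host                   = dependency.cluster.outputs.credentials.host
+    client_certificate     = dependency.cluster.outputs.credentials.client_certificate
+    client_key             = dependency.cluster.outputs.credentials.client_key
+    cluster_ca_certificate = dependency.cluster.outputs.credentials.cluster_ca_certificate
+  }
+
+  sources = {
+    dex_admin_password_hash    = { value = include.root.locals.secrets.dex_admin_password_hash }
+    dex_argocd_client_secret   = { random = true }
+    dex_grafana_client_secret  = { random = true }
+    dex_kiali_client_secret    = { random = true }
+    dex_temporal_client_secret = { random = true }
+    silverbullet_user          = { value = include.root.locals.secrets.silverbullet_user }
+    wireguard_config           = { value = include.root.locals.secrets.wireguard_config }
+  }
+
+  destinations = {
+    "dex/dex-secrets" = {
+      data = {
+        "ARGOCD_CLIENT_SECRET"   = "dex_argocd_client_secret"
+        "GRAFANA_CLIENT_SECRET"  = "dex_grafana_client_secret"
+        "KIALI_CLIENT_SECRET"    = "dex_kiali_client_secret"
+        "TEMPORAL_CLIENT_SECRET" = "dex_temporal_client_secret"
+        "ADMIN_PASSWORD_HASH"    = "dex_admin_password_hash"
+      }
+    }
+    "argocd/argocd-secrets" = {
+      data = {
+        "oidc.dex.clientSecret" = "dex_argocd_client_secret"
+      }
+    }
+    "monitoring/grafana-secrets" = {
+      data = {
+        "SSO_CLIENT_SECRET" = "dex_grafana_client_secret"
+      }
+    }
+    "istio-system/kiali" = {
+      data = {
+        "oidc-secret" = "dex_kiali_client_secret"
+      }
+    }
+    "temporal/temporal-web" = {
+      data = {
+        "TEMPORAL_AUTH_CLIENT_SECRET" = "dex_temporal_client_secret"
+      }
+    }
+    "notes/silverbullet" = {
+      data = {
+        "SB_USER" = "silverbullet_user"
+      }
+    }
+    "wireguard/wireguard-secret" = {
+      data = {
+        "wg0.conf" = "wireguard_config"
+      }
+    }
+  }
+}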
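Review bot: The `dependency "cluster"` block declares no `mock_outputs`, so a `terragrunt plan` or `validate` on this unit before the cluster unit has been applied fails at the `dependency.cluster.outputs.credentials` reads in `inputs`; whether that matters depends on how the root config runs these units, which I cannot see from here. Placeholder credentials limited to read-only commands keep a `run-all plan` working without ever being used for an apply.
```hcl
dependency "cluster" {
  config_path = "../cluster"

  mock_outputs = {
    credentials = {
      host                   = "https://placeholder"
      client_certificate     = "placeholder"
      client_key             = "placeholder"
      cluster_ca_certificate = "placeholder"
    }
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}
```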
+5 -2
infra/production/secrets.yaml
··· 8 8 oracle_private_key: ENC[AES256_GCM,data:RVXJfU4Hs3/5XDRq9mby4XP81mn0rbgFHThgjtndePfpY3uCD9mRFzcaJah9euxoguRMOokwPFjM5escsruUHK6b6USw8EA4KFXv4tEtuH+1CMV/DhqnkN/UR9NhVkUok4gABOkjKApxz0d49+Cfg50dRoFvZ23iVEnWjJi4WaDaPVcQpxCP0FsILt1gzG+t4dVdDNEbAeWBNYEC8hjDMCMKgsxKFMS2y5jWzW28luRSDfSR247SetjE0bQI2Zga8sfM/LBo0pFr+T0oluqdonAtOBBBOEctyP33W9m9c/YqOD/8kWyiRvNYA8qVcqkSfgLsTKqE2mQSjMb376fqSAomPPVLuAdnnOOak6WaEksIEnPkVTKzei441sv6PXfsm9n8KZ5UrUIImUv+lbIRfOK3va8jPbeIdKZUxvnYoJAWyaHcayL9yCe/uYF20IZk4H+Awh9Z0OgYD+o7AYCZe3MOFmCorDLXZCl0GxRSOvp8z8AjTR3PG87t7EY8vR23NekHkkGXTYICFws3Jlip9c2Wl9pn2ScSpYqQfF0/PEEu3baYSeqdFXR5MpHgBrwvwKHejiYpArUqpkZrvC2nQzVx5qMY6VmWRGWrvnxVi29vQvptXcWAw2/U3ecCaNKNekiGm2W0nZ9rfkZaHOVAt3tiYmyCcWGRq9AYtH3C0ylG75d5RNwoaOi4XBolbUM/9Q3JwadwnhHtjRQWPr7sCcMCAjtlvfYIUph0v5bl81rTkB8NkWIOX4r/qAX/NNQtZsLW4RKJXvQpkTbMXh19nngvaRJ0GJvOi3Dywc+FxOpzjVJBnsbnJHgLFHdAlvpZANRcjCUYjL9+LHZBqDMqAQQqTZ3H+W6TkeTHE85oh+R/MGK+0L38dVdOQSNcf7DBFoVXO94Q01DlKVBcuZSdFVeg9WwNHzWT6P7HcuM6a+5rZReoccJ2cLUKSV/qt22NgxFfEHdmlE23A9KtVuSQ0vShotPhpOzEkb0eTwICSEgPckSFvlxVDUiuheZiGnveIdMKqu4/TFyrZbL4X9OzBI1Oq08D6TOlbI8uelGCz+Hb4Sn/tWwtfxTdiFQaUK5B+hQdtFqgPw0oSYMmesK8DsWmgaII0b+MuYeq406WoXsKDTfx3kN65523TzwZ8wYOwqQ19G07g/YaMnMIHquexXbtREPwq8WCxHuzFC/j9ZOMd+mK0QTAtrCeyVZEPb7QKjm8Ffl8C5ppgWrERRq8BoPBiMX6hqY1s1GJyVZAtQ+iApAL0GKsdy4NpTudIX6bBPxJTs+qUOjKR8Jfp/sBjTdsNeOGKITzmJdbH+do2zYDPw8EKH3XxXOPTVwQl3yN3PQEovV6JDxz4Vr4rtiEgpvVyltEc5MDisj+62pei8X9Bw0C0Pak6UnkScicLcjQ5FCg+Wakylla3MY6knptPANouNJvLRgtjg1r/JAmfVXZe3OoaquU9wNKNbVt41roSYRUjqfoPDDATSutoHvukFfrerDQkI61cJf0wLeuidjPjOr+fL3J+TWoTIMIjMwRfkxhEbh7f7B4eQlYnFx2AZF6fL+BJIVLDjj9ARu810LQZD1KISRVnTQ1BBtdvTl1l8qMUsNhbki3YSIkageXzvnfBILVmsnhVcmAC0JqrqkYhOFWSlEhlEiV9WpUk3IQiagHKsz/DtTenYbpTd1aIQCQ9Q4pr60vHRnONWvqHTitCqHXl7aFMvoSOxhDXclono/0pccDNEUNF3b+qXjNrBCHv3bxLdz5peuuwOP/dWlNnUHD+kRlO6MkPnuMFgWYkIHhpRsfCE6EUusqeJP5iQ1AJ95PkT/aMjTvVFgW5TMdEgBI/QQI+sDPXyM+FHGaNXUXA2U/okWx0Pjf1aSYMPoF2P0nK060B4AJMvrLYq8B2RpDXFv7L4emCTyfomtD+cLPq1pObqlkYwX8fpAXr97N7npH2oMb
bW4PePatsItrCkqSZUQjw6ETVnbU+bCBPh4i5wP/aLxeKtsUlaQt4L6T5PskQCDez8vzq5vQd3Q4qSsqFuCWoUnXxfhQ8CE+lgECyy3soOKXFEaFDHV89VTsXyGbww+FKxmTJjztte0J0EYIUp9tN8XRu9F1UTcnm0hXrzYDgxrvajmCN646HwUjDlu0nhv8r/WghPEbdoMWs29AJHZtLPgHqnYuBKz1SoUadW8gOS+KokShjyOw5wQmXT0cEzz8NtZ6Cx8dTaaZFlupR7Rs2eR9VciNXQCfORCBnEUqSDnx4gQOKUdZ55CF2kTV3Gg=,iv:rzCVfuRUc+IV6Oww25g0162gtYUsmrHZerLsUATxYzk=,tag:iRMIkyUWgNVY4c9ZVvtvrQ==,type:str] 9 9 oracle_region: ENC[AES256_GCM,data:Dz1UpFhrPNBDatU=,iv:vR9uUF7hOz/u5ICjm9H0fNF6GooBeOtXCTVmQZi0M7s=,tag:939nIJTpkL5gj3WEFRFb3g==,type:str] 10 10 vault_password: ENC[AES256_GCM,data:FY3I6WBPJluAuy0n8xgO4gSedeaK7+FWz3KmZsPk,iv:zefeS6Tol+j8ukOqmuY4Ne1gqEMmgZuqenaTjbc/wkE=,tag:Y7yGXJMVoJsUGMZ+14Klzw==,type:str] 11 + dex_admin_password_hash: ENC[AES256_GCM,data:qymkS4S1tnnV4Qz9NmU32HmibfXWn9aoAF8bKV/rPQUI0Nil+T6cdviEme5ByQ7XkuGXy0UcLh3XBxQZ,iv:hcl42hlMJAxMKDE+xRLISYQYSUl7g9ZfnXOaSOi2ZvY=,tag:YU4U7LZJ2Ugn/xIFfhn30w==,type:str] 12 + silverbullet_user: ENC[AES256_GCM,data:PNKpELCSPJ/ftGa1krDmhYi0FdId8SflMUCuowlv6QQOn5NEq0awdTHQ96PfMb2WdVU=,iv:uIMeoBgW+wIbT1ZZFLpE6qJvHccRwf/ft/xPv4EZSpg=,tag:PL7DZqyD4gPhuGWNqm3kSg==,type:str] 13 + wireguard_config: ENC[AES256_GCM,data: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,iv:hUPz45+EVIX4YanVxSzGTnnDXS7Epr9AZCy4GiopTDA=,tag:zEHvMQbFOHftYkimEWhjgA==,type:str] 11 14 sops: 12 15 age: 13 16 - recipient: age15c5rpksj0u27sp667525zqh8dhtd70rwrlv7xq2hqhsfaempcdwqu3unel ··· 19 22 bzdTeVZWYVIwM1VyUm5UM0pQZW5KYlUKWw7Fq17anbkfY6U3HCr00OKEfffRL/TM 20 23 zvtvDaWLg2ZilP7kWM7YbqyTi4XqjLXKldOblwIcF7qA5E/OfbbzXw== 21 24 -----END AGE ENCRYPTED FILE----- 22 - lastmodified: "2025-07-01T10:35:18Z" 23 - mac: ENC[AES256_GCM,data:E7y5yCdQea/hv+nCHizI/zThvNarm1R0HEM5mH/ClWZICEzMc0KZxeEwR/jof0qxEKDy6KDw8zkTbRKxJwCP2DQbFQ30GGj4uF8RxlGgltFBt+D95rEjZR/doksk8EGF/yaj141Be2scuHVZyUxCx/sxM6PWGWAkz2xtHh4tIqY=,iv:5rmHrgUC+4KZD7iilB5YIeYOWeFh7E5eiQm2iWudkJI=,tag:59vYe9ZKP8aqb6nmMN042w==,type:str] 25 + lastmodified: "2025-07-21T05:58:36Z" 26 + mac: 
ENC[AES256_GCM,data:at2rKlGr3Q5hlsMpPLBqUIpoPUKUVe6Nd761wPb40W3Js6KumtpjC1AijVubn4rBTJBRB2GMmxjyYCWK0Bb/+EYSB+AEV8SWr0XtaIddhX49WgomuSFvl4D2IeprE6iNMMFXarJ0lCz6UD4YukWp/nRlQdy/Ku9WXHwqlkw0BkY=,iv:wgtySkWCZORyTATS9EFxTwcOOWXaHcd+KOPn796hDs8=,tag:USSDz5AIepcKbdJNbHIufg==,type:str] 24 27 unencrypted_suffix: _unencrypted 25 28 version: 3.10.2
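Review bot: `vault_password` stays in the file while the commit title says the Ansible secrets path it served has been reimplemented; if nothing reads it any more it is dead secret material that should be deleted from this file and rotated on whatever still honours it, which I cannot verify from this page. The three added keys are encrypted with the same age recipient as the existing entries, so no recipient change is needed for them.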
+8 -8
platform/production/apps.yaml
··· 11 11 elements: 12 12 - namespace: test 13 13 app: example 14 - # - namespace: khuedoan 15 - # app: blog 16 - # - namespace: khuedoan 17 - # app: notes 18 - # - namespace: khuedoan 19 - # app: homelab-docs 20 - # - namespace: finance 21 - # app: actualbudget 14 + # - namespace: khuedoan 15 + # app: blog 16 + # - namespace: khuedoan 17 + # app: notes 18 + # - namespace: khuedoan 19 + # app: homelab-docs 20 + # - namespace: finance 21 + # app: actualbudget 22 22 template: 23 23 metadata: 24 24 name: '{{.namespace}}-{{.app}}'