From c7cbfc712e75172a9ed7e09343e3e49741c66e67 Mon Sep 17 00:00:00 2001 
From: Danijel Simeunovic Date: Fri, 24 Apr 2026 10:48:03 +0200 Subject: [PATCH] overlays --- docs/REFERENCE.md | 39 +++++++++++++++---- infra/base/secrets.yaml | 2 +- infra/overlays/upc-prod/kustomization.yaml | 2 +- .../argocd-forte-helm-secret-sealed.yaml | 0 .../argocd-mcp-credentials.yaml | 0 .../argocdmcp-auth-oidc-sealed.yaml | 0 secrets/{upc-dev => base}/dot-ai-secrets.yaml | 0 .../forte10x-app-credentials-sealed.yaml | 0 .../{ => base}/gitea-backup-s3-sealed.yaml | 0 .../{ => base}/gitea-credentials-sealed.yaml | 0 .../{ => base}/gitea-runner-token-sealed.yaml | 0 .../{ => base}/gitea-smtp-secret-sealed.yaml | 0 .../keycloak-credentials-sealed.yaml | 0 secrets/base/kustomization.yaml | 16 ++++++++ .../{ => base}/musicman-auth-oidc-sealed.yaml | 0 .../musicman-credentials.yaml | 0 secrets/{ => base}/renovate-env-sealed.yaml | 0 secrets/dot-ai-secrets-sealed.yaml | 18 --------- secrets/overlays/aks-dev/kustomization.yaml | 4 ++ secrets/overlays/aks-prod/kustomization.yaml | 4 ++ secrets/overlays/eks-dev/kustomization.yaml | 4 ++ secrets/overlays/eks-prod/kustomization.yaml | 4 ++ secrets/overlays/gke-dev/kustomization.yaml | 4 ++ secrets/overlays/gke-prod/kustomization.yaml | 4 ++ secrets/overlays/upc-dev/kustomization.yaml | 4 ++ secrets/overlays/upc-prod/kustomization.yaml | 4 ++ 26 files changed, 81 insertions(+), 28 deletions(-) rename secrets/{ => base}/argocd-forte-helm-secret-sealed.yaml (100%) rename secrets/{upc-dev => base}/argocd-mcp-credentials.yaml (100%) rename secrets/{upc-dev => base}/argocdmcp-auth-oidc-sealed.yaml (100%) rename secrets/{upc-dev => base}/dot-ai-secrets.yaml (100%) rename secrets/{upc-dev => base}/forte10x-app-credentials-sealed.yaml (100%) rename secrets/{ => base}/gitea-backup-s3-sealed.yaml (100%) rename secrets/{ => base}/gitea-credentials-sealed.yaml (100%) rename secrets/{ => base}/gitea-runner-token-sealed.yaml (100%) rename secrets/{ => base}/gitea-smtp-secret-sealed.yaml (100%) rename secrets/{upc-dev => 
base}/keycloak-credentials-sealed.yaml (100%) create mode 100644 secrets/base/kustomization.yaml rename secrets/{ => base}/musicman-auth-oidc-sealed.yaml (100%) rename secrets/{upc-dev => base}/musicman-credentials.yaml (100%) rename secrets/{ => base}/renovate-env-sealed.yaml (100%) delete mode 100644 secrets/dot-ai-secrets-sealed.yaml create mode 100644 secrets/overlays/aks-dev/kustomization.yaml create mode 100644 secrets/overlays/aks-prod/kustomization.yaml create mode 100644 secrets/overlays/eks-dev/kustomization.yaml create mode 100644 secrets/overlays/eks-prod/kustomization.yaml create mode 100644 secrets/overlays/gke-dev/kustomization.yaml create mode 100644 secrets/overlays/gke-prod/kustomization.yaml create mode 100644 secrets/overlays/upc-dev/kustomization.yaml create mode 100644 secrets/overlays/upc-prod/kustomization.yaml diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index ab162f3..e3ad7bc 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
@@ -148,12 +148,30 @@ launchpad/ │ └── auth-sidecar-injector.yaml │ ├── secrets/ # Application secrets (sealed) -│ ├── argocd-mcp-credentials.yaml -│ ├── dot-ai-secrets.yaml -│ ├── gitea-credentials-sealed.yaml -│ ├── gitea-runner-token-sealed.yaml -│ ├── mcp10x-credentials-sealed.yaml -│ └── musicman-credentials.yaml +│ ├── base/ # All SealedSecrets (shared across clouds) +│ │ ├── kustomization.yaml +│ │ ├── argocd-forte-helm-secret-sealed.yaml +│ │ ├── argocd-mcp-credentials.yaml +│ │ ├── argocdmcp-auth-oidc-sealed.yaml +│ │ ├── dot-ai-secrets.yaml +│ │ ├── forte10x-app-credentials-sealed.yaml +│ │ ├── gitea-backup-s3-sealed.yaml +│ │ ├── gitea-credentials-sealed.yaml +│ │ ├── gitea-runner-token-sealed.yaml +│ │ ├── gitea-smtp-secret-sealed.yaml +│ │ ├── keycloak-credentials-sealed.yaml +│ │ ├── musicman-auth-oidc-sealed.yaml +│ │ ├── musicman-credentials.yaml +│ │ └── renovate-env-sealed.yaml +│ └── overlays/ # Per-cloud overlays (reference base) +│ ├── aks-dev/kustomization.yaml +│ ├── aks-prod/kustomization.yaml +│ ├── eks-dev/kustomization.yaml +│ ├── eks-prod/kustomization.yaml +│ ├── gke-dev/kustomization.yaml +│ ├── gke-prod/kustomization.yaml +│ ├── upc-dev/kustomization.yaml +│ └── upc-prod/kustomization.yaml │ ├── scripts/ # Operational helper scripts │ ├── gitea-backup.sh # S3 backup helper (list/download) @@ -706,6 +724,10 @@ spec: **Chart**: `sealed-secrets/sealed-secrets-controller` **Namespace**: `kube-system` +**Directory Structure**: `secrets/base/` contains all SealedSecrets with a `kustomization.yaml`. Per-cloud overlays in `secrets/overlays//` reference the base via Kustomize. The ArgoCD `secrets` Application points to the active overlay (e.g., `secrets/overlays/upc-dev`), and `infra/overlays/upc-prod` patches the path to `secrets/overlays/upc-prod`. + +To add cloud-specific secrets, create a new SealedSecret in the overlay directory and add it to the overlay's `kustomization.yaml`. + **Public Certificate**: ```bash kubeseal --fetch-cert \ 
@@ -1734,8 +1756,9 @@ To add support for a new cloud (e.g., `oci-dev` for Oracle Cloud): - `opencost-values.yaml` — pricing model or cloud billing integration 3. **Kustomize overlay**: `infra/overlays/oci-dev/kustomization.yaml` — patch `valueFiles[1]` for each Application 4. **App-of-apps**: `_app-of-apps-oci-dev.yaml` — points to `infra/overlays/oci-dev` -5. **Sealed Secrets**: `secrets/oci-dev/` — TLS certs, credentials, backup S3 config -6. **Bootstrap**: `./bootstrap.sh oci-dev` +5. **Secrets overlay**: `secrets/overlays/oci-dev/kustomization.yaml` — references `../../base`, add cloud-specific SealedSecrets if needed +6. **Secrets patch**: Add patch to `infra/overlays/oci-dev/kustomization.yaml` to swap secrets path to `secrets/overlays/oci-dev` +7. **Bootstrap**: `./bootstrap.sh oci-dev` --- diff --git a/infra/base/secrets.yaml b/infra/base/secrets.yaml index 7eb57f9..8bb24e9 100644 --- a/infra/base/secrets.yaml +++ b/infra/base/secrets.yaml @@ -18,7 +18,7 @@ spec: project: default source: repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git - path: secrets/upc-dev + path: secrets/overlays/upc-dev destination: server: https://kubernetes.default.svc namespace: secrets diff --git a/infra/overlays/upc-prod/kustomization.yaml b/infra/overlays/upc-prod/kustomization.yaml index 9242d39..59ae0fa 100644 --- a/infra/overlays/upc-prod/kustomization.yaml +++ b/infra/overlays/upc-prod/kustomization.yaml @@ -56,7 +56,7 @@ patches: patch: | - op: replace path: /spec/source/path - value: secrets/upc-prod + value: secrets/overlays/upc-prod # Enterprise-apps: point to upc-prod overlay - target: diff --git a/secrets/argocd-forte-helm-secret-sealed.yaml b/secrets/base/argocd-forte-helm-secret-sealed.yaml similarity index 100% rename from secrets/argocd-forte-helm-secret-sealed.yaml rename to secrets/base/argocd-forte-helm-secret-sealed.yaml 
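Review bot: A cloud overlay that forgets the `/spec/source/path` patch (step 6 of the new docs) now fails silently, because the base `secrets` Application defaults to `secrets/overlays/upc-dev` and every overlay renders the same manifests as the base, so nothing in the rendered output or in ArgoCD's diff reveals that the wrong overlay was synced. The Application manifest starts above the hunk, so only the path line is visible here; I would carry the contract on that line, e.g. `path: secrets/overlays/upc-dev  # default only; every cloud overlay must replace this via a /spec/source/path patch`. As I read ArgoCD, `destination.namespace: secrets` applies only to resources that carry no namespace of their own, and the SealedSecret deleted in this same commit targets `namespace: dot-ai`, so a one-line comment marking that field as the fallback namespace would save the next reader a wrong assumption.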
diff --git a/secrets/upc-dev/argocd-mcp-credentials.yaml b/secrets/base/argocd-mcp-credentials.yaml
similarity index 100%
rename from secrets/upc-dev/argocd-mcp-credentials.yaml
rename to secrets/base/argocd-mcp-credentials.yaml
diff --git a/secrets/upc-dev/argocdmcp-auth-oidc-sealed.yaml b/secrets/base/argocdmcp-auth-oidc-sealed.yaml
similarity index 100%
rename from secrets/upc-dev/argocdmcp-auth-oidc-sealed.yaml
rename to secrets/base/argocdmcp-auth-oidc-sealed.yaml
diff --git a/secrets/upc-dev/dot-ai-secrets.yaml b/secrets/base/dot-ai-secrets.yaml
similarity index 100%
rename from secrets/upc-dev/dot-ai-secrets.yaml
rename to secrets/base/dot-ai-secrets.yaml
diff --git a/secrets/upc-dev/forte10x-app-credentials-sealed.yaml b/secrets/base/forte10x-app-credentials-sealed.yaml
similarity index 100%
rename from secrets/upc-dev/forte10x-app-credentials-sealed.yaml
rename to secrets/base/forte10x-app-credentials-sealed.yaml
diff --git a/secrets/gitea-backup-s3-sealed.yaml b/secrets/base/gitea-backup-s3-sealed.yaml
similarity index 100%
rename from secrets/gitea-backup-s3-sealed.yaml
rename to secrets/base/gitea-backup-s3-sealed.yaml
diff --git a/secrets/gitea-credentials-sealed.yaml b/secrets/base/gitea-credentials-sealed.yaml
similarity index 100%
rename from secrets/gitea-credentials-sealed.yaml
rename to secrets/base/gitea-credentials-sealed.yaml
diff --git a/secrets/gitea-runner-token-sealed.yaml b/secrets/base/gitea-runner-token-sealed.yaml
similarity index 100%
rename from secrets/gitea-runner-token-sealed.yaml
rename to secrets/base/gitea-runner-token-sealed.yaml
diff --git a/secrets/gitea-smtp-secret-sealed.yaml b/secrets/base/gitea-smtp-secret-sealed.yaml
similarity index 100%
rename from secrets/gitea-smtp-secret-sealed.yaml
rename to secrets/base/gitea-smtp-secret-sealed.yaml
diff --git a/secrets/upc-dev/keycloak-credentials-sealed.yaml b/secrets/base/keycloak-credentials-sealed.yaml
similarity index 100%
rename from secrets/upc-dev/keycloak-credentials-sealed.yaml
rename to secrets/base/keycloak-credentials-sealed.yaml
diff --git a/secrets/base/kustomization.yaml b/secrets/base/kustomization.yaml
new file mode 100644
index 0000000..5c103d2
--- /dev/null
+++ b/secrets/base/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- argocd-forte-helm-secret-sealed.yaml
+- argocd-mcp-credentials.yaml
+- argocdmcp-auth-oidc-sealed.yaml
+- dot-ai-secrets.yaml
+- forte10x-app-credentials-sealed.yaml
+- gitea-backup-s3-sealed.yaml
+- gitea-credentials-sealed.yaml
+- gitea-runner-token-sealed.yaml
+- gitea-smtp-secret-sealed.yaml
+- keycloak-credentials-sealed.yaml
+- musicman-auth-oidc-sealed.yaml
+- musicman-credentials.yaml
+- renovate-env-sealed.yaml
diff --git a/secrets/musicman-auth-oidc-sealed.yaml b/secrets/base/musicman-auth-oidc-sealed.yaml
similarity index 100%
rename from secrets/musicman-auth-oidc-sealed.yaml
rename to secrets/base/musicman-auth-oidc-sealed.yaml
diff --git a/secrets/upc-dev/musicman-credentials.yaml b/secrets/base/musicman-credentials.yaml
similarity index 100%
rename from secrets/upc-dev/musicman-credentials.yaml
rename to secrets/base/musicman-credentials.yaml
diff --git a/secrets/renovate-env-sealed.yaml b/secrets/base/renovate-env-sealed.yaml
similarity index 100%
rename from secrets/renovate-env-sealed.yaml
rename to secrets/base/renovate-env-sealed.yaml
diff --git a/secrets/dot-ai-secrets-sealed.yaml b/secrets/dot-ai-secrets-sealed.yaml
deleted file mode 100644
index 5dd9590..0000000
--- a/secrets/dot-ai-secrets-sealed.yaml
+++ /dev/null
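Review bot: Every overlay from aks-dev to upc-prod now pulls the same thirteen SealedSecrets from this one base, and since a SealedSecret only decrypts under the private key of the controller it was sealed for, this works on eight clusters only if every sealed-secrets controller holds the same key — the diff does not show how the keys are provisioned, and if they differ, files sealed on upc-dev (where several of these came from) will fail to unseal elsewhere with nothing but a status condition on each SealedSecret to show for it. If the key is in fact shared, a compromise of any dev cluster yields production's Keycloak, Gitea, S3 backup and API credentials, which should be written down as a deliberate trade-off rather than left implicit in the docs' "shared across clouds". Three entries (`argocd-mcp-credentials.yaml`, `dot-ai-secrets.yaml`, `musicman-credentials.yaml`) lack the `-sealed` suffix and the renames do not show their contents, so it is worth confirming they are `kind: SealedSecret` and not plaintext Secrets in git — especially `dot-ai-secrets.yaml`, since this same commit deletes a `dot-ai-secrets-sealed.yaml` that demonstrably was a SealedSecret for the same name and namespace. I would put two header comments above `resources:`: `# Every entry must be kind: SealedSecret; plaintext Secrets are never committed here.` and `# Entries unseal only on clusters whose controller holds the key they were sealed with.`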
@@ -1,18 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
- creationTimestamp: null
- name: dot-ai-secrets
- namespace: dot-ai
-spec:
- encryptedData:
- anthropic-api-key: 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
- auth-token: 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
- openai-api-key: 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
- ui-auth-token: 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
- template:
- metadata:
- creationTimestamp: null
- name: dot-ai-secrets
- namespace: dot-ai
diff --git a/secrets/overlays/aks-dev/kustomization.yaml b/secrets/overlays/aks-dev/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/aks-dev/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/aks-prod/kustomization.yaml b/secrets/overlays/aks-prod/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/aks-prod/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/eks-dev/kustomization.yaml b/secrets/overlays/eks-dev/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/eks-dev/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/eks-prod/kustomization.yaml b/secrets/overlays/eks-prod/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/eks-prod/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/gke-dev/kustomization.yaml b/secrets/overlays/gke-dev/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/gke-dev/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/gke-prod/kustomization.yaml b/secrets/overlays/gke-prod/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/gke-prod/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/upc-dev/kustomization.yaml b/secrets/overlays/upc-dev/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/upc-dev/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
diff --git a/secrets/overlays/upc-prod/kustomization.yaml b/secrets/overlays/upc-prod/kustomization.yaml
new file mode 100644
index 0000000..4e4f197
--- /dev/null
+++ b/secrets/overlays/upc-prod/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
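Review bot: `secrets/overlays/upc-prod/kustomization.yaml` is byte-identical to the upc-dev overlay (all eight overlays share blob 4e4f197 and contain only `- ../../base`), so production consumes exactly the credentials development does and nothing separates the two environments' blast radius. For the `*-prod` overlays I would override at least the credentials that ought to differ per environment — the Keycloak, Gitea and S3 backup entries in base — with SealedSecrets sealed for the prod cluster, applied through a `patches:` entry that targets the base SealedSecret by name, since listing a second resource with the same name and namespace under `resources:` makes kustomize reject the build as a duplicate id. Until that exists, a comment in each prod overlay such as `# NOTE: inherits every credential from base unchanged — dev and prod currently share secrets` makes the state explicit to whoever runs `./bootstrap.sh` against a prod cluster.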