feat: add SOPS encrypted secrets and enable Flux decryption

- Add .sops.yaml config with age public key
- Encrypt authelia-users, authelia-secrets, vaultwarden-admin
- Enable SOPS decryption in Flux Kustomization (gotk-sync.yaml)
- Secret values (data/stringData) are now encrypted with age and safe to store in git
This commit is contained in:
2026-02-19 23:20:58 +00:00
parent 914890b339
commit 51bcdebca8
5 changed files with 103 additions and 0 deletions


@@ -0,0 +1,30 @@
apiVersion: v1
data:
JWT_SECRET: ENC[AES256_GCM,data:gf6LutyW8lciwY/fUrDG38jLflMN2kjhK5vierKwDIhYtgforRpOJyVKZTLfX9s3KzciWGhwfjVDiFm90PnvuDXO/6r8ohGf6w+1cT0Qxwd1hHNZ4HKQ5Q==,iv:1F3sIewYGaNZIHWQQ1i37YuPBGbCiBTenFWqwVV08cE=,tag:QV68W/bTemJgr3IbE5TXkA==,type:str]
SESSION_SECRET: ENC[AES256_GCM,data:xReVn/YIR1iHXaEjzMJhPEdD5Z7Sru0IOHS2wOigm5dbTxJQSxiW10WJ6PW457CxMXw0fkNorTcR6catEia2+SfNktyn2uBXnXXp66t3MbkBZ2RQSyzMgA==,iv:vW2sVq/sNlCZpplzn46zeSqyHcNAb5UbODjDwEfUn5c=,tag:FSLHZMxXOU9W6yPVReDy8A==,type:str]
STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:jZ3u73n+dwdMSMLuvrH3EK4iADQVdJvv0Mfc7L8uKZelahj9dtvQ7dTVMiIi/ghDKch/f9sN+2kiK34/QyrIl74LefKug/2ox0NlbJZwehIdJu1QgJKUkg==,iv:dH/Hd2kkrMvDNvAMaax8OpsqLhmBAl9XwN/sEsZVXPA=,tag:5/1y6J3Ho/0vtIv+SAkxyg==,type:str]
kind: Secret
metadata:
name: authelia-secrets
namespace: flux-system
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcGlXanZFWHBJcmt5dEJ6
TjVEcmg4eHFFY0JxTE1WZUNzRk9JNkMvL0g4ClkvQ25SWmlCVXhSQSt1UnlyTEtF
UEVPeFBuNlZHdmwvdm9NS1BpK1hobWcKLS0tIEVBNnlBeVNRSlRCaG1tSG16QVls
RnRuM0RLY0FxTjVyTFIraG9rMGhiS2sKaIsyMoEYTegx6t/ZbtIFwHll7R3kRQEK
MrAw0v/axBy3yBBcYXfkkwAs4Bv4fi4fb7LXvdoo77HyKuyZosyLig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-19T23:20:44Z"
mac: ENC[AES256_GCM,data:6rcdfoewR56ZdcicTv0C54iR75l8px7WjdbVNdD/Smj9kFyzQpeINyumF7z/ZyqkzKHClLHD0XKwTyeEaTPpHA1niaPvnAEg5ZPDIyTyz+qfS+1HCQIvPaW8Bzqzl874iL8+SqtyWhlLKOe3v5gQYYPP6HND9AcYQGS/nLT6taY=,iv:aZ2KUdKEQ0EQviJWttqhq5qdtjbd2XCDgl7zlWqY/Ng=,tag:fG+BgrRBBtjWRaEP7nLf1Q==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.4
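Review bot: The file is encrypted to a single age recipient (`recipient: age1aq4d…` under `sops.age`), so loss of the matching private key makes this and every other SOPS file in the repo unrecoverable, and rotating it means `sops updatekeys` across all of them; add a second, offline-held recipient to `.sops.yaml` before more secrets are encrypted. Flux decrypts with a private key it reads from a Secret in flux-system (commonly `sops-age`), which is not visible in this hunk — confirm it was created out-of-band and is not among the five committed files. If these values were ever committed in plaintext earlier in history, encrypting them now does not remove them from git; rotate `JWT_SECRET` and `SESSION_SECRET`, and check Authelia's documented procedure before changing `STORAGE_ENCRYPTION_KEY`, since a storage key rotation typically involves re-encrypting stored data. Also note `namespace: flux-system` on an application secret: Kubernetes Secrets are namespace-scoped, so Authelia can only consume it if it runs in that namespace — presumably intentional, but worth confirming.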