feat: add registry sealed secret for avoid hard-coded one

so1s · Nov 27, 2022 · 8f3f67e · 8f3f67e
1 parent 63e4abb
commit 8f3f67e
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -63,12 +63,19 @@ Temporary Items
 
 # End of https://www.toptal.com/developers/gitignore/api/macos,visualstudiocode
 
+# Sealed-secrets related
+
 secrets.env
 secrets.json
 
+registry.env
+registry-secret.json
+
 docker-config.json
 docker-pull-secret.json
 
 cert.yaml
 
+# Helm template temporary output
+
 *-template.yaml
diff --git a/charts/backend/templates/registry-secret.yaml b/charts/backend/templates/registry-secret.yaml
@@ -0,0 +1,20 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+  creationTimestamp: null
+  name: default-registry
+  namespace: backend
+spec:
+  encryptedData:
+    password: AgAWHAPPGChEadKCRiUYTgql9pwPKhdFeKViSd1YoYDOEiJ+KNNKmLBOQRIORnyiNH5Tz8BOO5QtjBhJ+XG3Q7MVpIrJX9mEnN+zFpIjYSXSZH2f0O9xKsdvr3XllNg0rK+vJtG8UBBmtf9Gv8T9Wm8FAp+0WAaTMIKcMnPYz21e6IVdX4RLzdZfrXDyEQyNR+L0DKL0M2zYTGt9WHRxLES7g/aHa7Sbgs4ju5fubf5nupNmgO2rf3cuUoUXmWHtxzVH1Y4yhtRGodhQKKGTcS+2CvMcAfY7JXda6soRPdxM2lpxSRTUwN1pHKPKlOcz72NLJp7T7w4FKVo/ltEg0eLlTHvMWaaqL0UzBP/bp1qk5ofOABDZBJKvtE0DjzB1Tr36aTIuKkncAAmw7ncrm7lWMLqvtlGYlZKBv9PvRfMv4fUJxLaqNwIRj+6TtkZsX9JNUcICivbqPje20tlQhXI5Duql0/Vmr7W7OjsR1wtyNasgbmsi/MRx0JrDG/hokIqg/R6NKRVo2GB4VdRtFl7WWD3fvwQd+5WzfDrygL3tNAYEMLWV4ThQ1Blj8VSYgJk2Y6dDj3o5eyo1JFNCRiULdSErgsHhuc+MMJV4HIOldQRs69KWDMOF21ZR5kfNORwjBuprpqZcSy4HWb4DqxztzssKQrk2/gZ8bkafJcnZuIWx0xMr5ngzWNBwhxEKXw+G+VW/cWm9W2gDGNyhdYUxO30VuogWIhb/wJDngyX1MOMTkhk=
+    username: AgCgDtCYLcqsBCgsoAAL2um8PMoRuqpMORAmYQXjqiZ7sf4OXuPcDCeeLGi0MNvxoK5urYFsmXlV6rWORLf0onaMoqG5+vhKz7jfuQwmN0mAyGuKWe//BdQSwCt2/X41hqPP27a/mfT1XP4nTeZOJOZtlgXQtq8cNwDf7hvuJb7YxDpETLUrtBowSeh6BEuuEi2Mk2S/d1wfbJMb2Hy23vLPB4y+M+sc0AWj3w1mMBtkfOs1PSmgT522p6JBPioFkOpIFaTW7TNTDeYVnMFnBHZe20+/5ZSguD+ZH8C7uvUhZW9/3n0v7sKNNwF6UyDXb5ak6qNIv6DsWbJcUTNQLW8wpScvv4y+TEdNiozmyxC/ngymkR36kXgN5LvUcIVfezZlQYESiCtlZj5QCUWLJET4vKUYS6NmgFEB2mjrua5nGQALEpPw0d8meXMOcB0kwZek4hrf/v2lFOR0ZGq3qXsCKReJZ9dG8sLBEyAjXp9UPo06ueJuCSWq+oWJpwFJYipjLxvdP8RwG/pIxMKVeauU42p6zldXQ3D9rQU810es97KUzvIjHtGajsa8ZQDbu1AIBP6CfyRi+kR1FEcEeK+dVz4PvzepNcns12V7iD9oxQO4CDXC7Hp44R4G+kpKTGmuJLmQEOvjOs8Nkc+3PskryZDPsXfxwBgWAw6kgNyqeG0qarZtO8uf5X3f2cCmgqlgkfS6
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      creationTimestamp: null
+      name: default-registry
+      namespace: backend
+
diff --git a/generate-sealed-secrets.sh b/generate-sealed-secrets.sh
@@ -1,7 +1,10 @@
 kubectl create secret generic application-secret --dry-run=client --from-env-file=./secrets.env -o json > secrets.json
 kubeseal --controller-name so1s-sealed-secrets --controller-namespace sealed-secrets --scope cluster-wide -o yaml < secrets.json > sealed-secret.yaml
 
+kubectl create secret generic default-registry --dry-run=client --from-env-file=./registry.env -n backend -o json > registry-secret.json
+kubeseal --controller-name so1s-sealed-secrets --controller-namespace sealed-secrets --scope cluster-wide -o yaml < registry-secret.json > registry-secret.yaml
+
 kubectl create secret docker-registry so1s --dry-run=client --from-file=.dockerconfigjson=./docker-config.json -o json > docker-pull-secret.json
 kubeseal --controller-name so1s-sealed-secrets --controller-namespace sealed-secrets --scope cluster-wide -o yaml < docker-pull-secret.json > docker-pull-secret.yaml
 
-mv sealed-secret.yaml docker-pull-secret.yaml ./charts/backend/templates/
+mv sealed-secret.yaml docker-pull-secret.yaml registry-secret.yaml ./charts/backend/templates/