updates
This commit is contained in:
rUv
180
k8s/secrets.yaml
Normal file
180
k8s/secrets.yaml
Normal file
@@ -0,0 +1,180 @@
|
||||
# IMPORTANT: This is a template file for secrets configuration
|
||||
# DO NOT commit actual secret values to version control
|
||||
# Use kubectl create secret or external secret management tools
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: wifi-densepose-secrets
|
||||
namespace: wifi-densepose
|
||||
labels:
|
||||
app: wifi-densepose
|
||||
component: secrets
|
||||
type: Opaque
|
||||
data:
|
||||
# Database credentials (base64 encoded)
|
||||
# Example: echo -n "your_password" | base64
|
||||
DATABASE_PASSWORD: <BASE64_ENCODED_DB_PASSWORD>
|
||||
DATABASE_URL: <BASE64_ENCODED_DATABASE_URL>
|
||||
|
||||
# Redis credentials
|
||||
REDIS_PASSWORD: <BASE64_ENCODED_REDIS_PASSWORD>
|
||||
REDIS_URL: <BASE64_ENCODED_REDIS_URL>
|
||||
|
||||
# JWT and API secrets
|
||||
SECRET_KEY: <BASE64_ENCODED_SECRET_KEY>
|
||||
JWT_SECRET: <BASE64_ENCODED_JWT_SECRET>
|
||||
API_KEY: <BASE64_ENCODED_API_KEY>
|
||||
|
||||
# External service credentials
|
||||
ROUTER_SSH_KEY: <BASE64_ENCODED_SSH_PRIVATE_KEY>
|
||||
ROUTER_PASSWORD: <BASE64_ENCODED_ROUTER_PASSWORD>
|
||||
|
||||
# Monitoring credentials
|
||||
GRAFANA_ADMIN_PASSWORD: <BASE64_ENCODED_GRAFANA_PASSWORD>
|
||||
PROMETHEUS_PASSWORD: <BASE64_ENCODED_PROMETHEUS_PASSWORD>
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: postgres-secret
|
||||
namespace: wifi-densepose
|
||||
labels:
|
||||
app: wifi-densepose
|
||||
component: postgres
|
||||
type: Opaque
|
||||
data:
|
||||
# PostgreSQL credentials
|
||||
POSTGRES_USER: <BASE64_ENCODED_POSTGRES_USER>
|
||||
POSTGRES_PASSWORD: <BASE64_ENCODED_POSTGRES_PASSWORD>
|
||||
POSTGRES_DB: <BASE64_ENCODED_POSTGRES_DB>
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: redis-secret
|
||||
namespace: wifi-densepose
|
||||
labels:
|
||||
app: wifi-densepose
|
||||
component: redis
|
||||
type: Opaque
|
||||
data:
|
||||
# Redis credentials
|
||||
REDIS_PASSWORD: <BASE64_ENCODED_REDIS_PASSWORD>
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: tls-secret
|
||||
namespace: wifi-densepose
|
||||
labels:
|
||||
app: wifi-densepose
|
||||
component: tls
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
# TLS certificate and key (base64 encoded)
|
||||
tls.crt: <BASE64_ENCODED_TLS_CERTIFICATE>
|
||||
tls.key: <BASE64_ENCODED_TLS_PRIVATE_KEY>
|
||||
|
||||
---
|
||||
# Example script to create secrets from environment variables
|
||||
# Save this as create-secrets.sh and run with proper environment variables set
|
||||
|
||||
# #!/bin/bash
|
||||
#
|
||||
# # Ensure namespace exists
|
||||
# kubectl create namespace wifi-densepose --dry-run=client -o yaml | kubectl apply -f -
|
||||
#
|
||||
# # Create main application secrets
|
||||
# kubectl create secret generic wifi-densepose-secrets \
|
||||
# --namespace=wifi-densepose \
|
||||
# --from-literal=DATABASE_PASSWORD="${DATABASE_PASSWORD}" \
|
||||
# --from-literal=DATABASE_URL="${DATABASE_URL}" \
|
||||
# --from-literal=REDIS_PASSWORD="${REDIS_PASSWORD}" \
|
||||
# --from-literal=REDIS_URL="${REDIS_URL}" \
|
||||
# --from-literal=SECRET_KEY="${SECRET_KEY}" \
|
||||
# --from-literal=JWT_SECRET="${JWT_SECRET}" \
|
||||
# --from-literal=API_KEY="${API_KEY}" \
|
||||
# --from-literal=ROUTER_SSH_KEY="${ROUTER_SSH_KEY}" \
|
||||
# --from-literal=ROUTER_PASSWORD="${ROUTER_PASSWORD}" \
|
||||
# --from-literal=GRAFANA_ADMIN_PASSWORD="${GRAFANA_ADMIN_PASSWORD}" \
|
||||
# --from-literal=PROMETHEUS_PASSWORD="${PROMETHEUS_PASSWORD}" \
|
||||
# --dry-run=client -o yaml | kubectl apply -f -
|
||||
#
|
||||
# # Create PostgreSQL secrets
|
||||
# kubectl create secret generic postgres-secret \
|
||||
# --namespace=wifi-densepose \
|
||||
# --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
|
||||
# --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
|
||||
# --from-literal=POSTGRES_DB="${POSTGRES_DB}" \
|
||||
# --dry-run=client -o yaml | kubectl apply -f -
|
||||
#
|
||||
# # Create Redis secrets
|
||||
# kubectl create secret generic redis-secret \
|
||||
# --namespace=wifi-densepose \
|
||||
# --from-literal=REDIS_PASSWORD="${REDIS_PASSWORD}" \
|
||||
# --dry-run=client -o yaml | kubectl apply -f -
|
||||
#
|
||||
# # Create TLS secrets from certificate files
|
||||
# kubectl create secret tls tls-secret \
|
||||
# --namespace=wifi-densepose \
|
||||
# --cert=path/to/tls.crt \
|
||||
# --key=path/to/tls.key \
|
||||
# --dry-run=client -o yaml | kubectl apply -f -
|
||||
#
|
||||
# echo "Secrets created successfully!"
|
||||
|
||||
---
|
||||
# External Secrets Operator configuration (if using external secret management)
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: SecretStore
|
||||
metadata:
|
||||
name: vault-secret-store
|
||||
namespace: wifi-densepose
|
||||
spec:
|
||||
provider:
|
||||
vault:
|
||||
server: "https://vault.example.com"
|
||||
path: "secret"
|
||||
version: "v2"
|
||||
auth:
|
||||
kubernetes:
|
||||
mountPath: "kubernetes"
|
||||
role: "wifi-densepose"
|
||||
serviceAccountRef:
|
||||
name: "wifi-densepose-sa"
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: wifi-densepose-external-secrets
|
||||
namespace: wifi-densepose
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
name: vault-secret-store
|
||||
kind: SecretStore
|
||||
target:
|
||||
name: wifi-densepose-secrets
|
||||
creationPolicy: Owner
|
||||
data:
|
||||
- secretKey: DATABASE_PASSWORD
|
||||
remoteRef:
|
||||
key: wifi-densepose/database
|
||||
property: password
|
||||
- secretKey: REDIS_PASSWORD
|
||||
remoteRef:
|
||||
key: wifi-densepose/redis
|
||||
property: password
|
||||
- secretKey: JWT_SECRET
|
||||
remoteRef:
|
||||
key: wifi-densepose/auth
|
||||
property: jwt_secret
|
||||
- secretKey: API_KEY
|
||||
remoteRef:
|
||||
key: wifi-densepose/auth
|
||||
property: api_key
|
||||
Reference in New Issue
Block a user