180 lines
5.0 KiB
YAML
180 lines
5.0 KiB
YAML
# IMPORTANT: This is a template file for secrets configuration
|
|
# DO NOT commit actual secret values to version control
|
|
# Use kubectl create secret or external secret management tools
|
|
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: wifi-densepose-secrets
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: secrets
|
|
type: Opaque
|
|
data:
|
|
# Database credentials (base64 encoded)
|
|
# Example: echo -n "your_password" | base64
|
|
DATABASE_PASSWORD: <BASE64_ENCODED_DB_PASSWORD>
|
|
DATABASE_URL: <BASE64_ENCODED_DATABASE_URL>
|
|
|
|
# Redis credentials
|
|
REDIS_PASSWORD: <BASE64_ENCODED_REDIS_PASSWORD>
|
|
REDIS_URL: <BASE64_ENCODED_REDIS_URL>
|
|
|
|
# JWT and API secrets
|
|
SECRET_KEY: <BASE64_ENCODED_SECRET_KEY>
|
|
JWT_SECRET: <BASE64_ENCODED_JWT_SECRET>
|
|
API_KEY: <BASE64_ENCODED_API_KEY>
|
|
|
|
# External service credentials
|
|
ROUTER_SSH_KEY: <BASE64_ENCODED_SSH_PRIVATE_KEY>
|
|
ROUTER_PASSWORD: <BASE64_ENCODED_ROUTER_PASSWORD>
|
|
|
|
# Monitoring credentials
|
|
GRAFANA_ADMIN_PASSWORD: <BASE64_ENCODED_GRAFANA_PASSWORD>
|
|
PROMETHEUS_PASSWORD: <BASE64_ENCODED_PROMETHEUS_PASSWORD>
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: postgres-secret
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: postgres
|
|
type: Opaque
|
|
data:
|
|
# PostgreSQL credentials
|
|
POSTGRES_USER: <BASE64_ENCODED_POSTGRES_USER>
|
|
POSTGRES_PASSWORD: <BASE64_ENCODED_POSTGRES_PASSWORD>
|
|
POSTGRES_DB: <BASE64_ENCODED_POSTGRES_DB>
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: redis-secret
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: redis
|
|
type: Opaque
|
|
data:
|
|
# Redis credentials
|
|
REDIS_PASSWORD: <BASE64_ENCODED_REDIS_PASSWORD>
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: tls-secret
|
|
namespace: wifi-densepose
|
|
labels:
|
|
app: wifi-densepose
|
|
component: tls
|
|
type: kubernetes.io/tls
|
|
data:
|
|
# TLS certificate and key (base64 encoded)
|
|
tls.crt: <BASE64_ENCODED_TLS_CERTIFICATE>
|
|
tls.key: <BASE64_ENCODED_TLS_PRIVATE_KEY>
|
|
|
|
---
|
|
# Example script to create secrets from environment variables
|
|
# Save this as create-secrets.sh and run with proper environment variables set
|
|
|
|
# #!/bin/bash
|
|
#
|
|
# # Ensure namespace exists
|
|
# kubectl create namespace wifi-densepose --dry-run=client -o yaml | kubectl apply -f -
|
|
#
|
|
# # Create main application secrets
|
|
# kubectl create secret generic wifi-densepose-secrets \
|
|
# --namespace=wifi-densepose \
|
|
# --from-literal=DATABASE_PASSWORD="${DATABASE_PASSWORD}" \
|
|
# --from-literal=DATABASE_URL="${DATABASE_URL}" \
|
|
# --from-literal=REDIS_PASSWORD="${REDIS_PASSWORD}" \
|
|
# --from-literal=REDIS_URL="${REDIS_URL}" \
|
|
# --from-literal=SECRET_KEY="${SECRET_KEY}" \
|
|
# --from-literal=JWT_SECRET="${JWT_SECRET}" \
|
|
# --from-literal=API_KEY="${API_KEY}" \
|
|
# --from-literal=ROUTER_SSH_KEY="${ROUTER_SSH_KEY}" \
|
|
# --from-literal=ROUTER_PASSWORD="${ROUTER_PASSWORD}" \
|
|
# --from-literal=GRAFANA_ADMIN_PASSWORD="${GRAFANA_ADMIN_PASSWORD}" \
|
|
# --from-literal=PROMETHEUS_PASSWORD="${PROMETHEUS_PASSWORD}" \
|
|
# --dry-run=client -o yaml | kubectl apply -f -
|
|
#
|
|
# # Create PostgreSQL secrets
|
|
# kubectl create secret generic postgres-secret \
|
|
# --namespace=wifi-densepose \
|
|
# --from-literal=POSTGRES_USER="${POSTGRES_USER}" \
|
|
# --from-literal=POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" \
|
|
# --from-literal=POSTGRES_DB="${POSTGRES_DB}" \
|
|
# --dry-run=client -o yaml | kubectl apply -f -
|
|
#
|
|
# # Create Redis secrets
|
|
# kubectl create secret generic redis-secret \
|
|
# --namespace=wifi-densepose \
|
|
# --from-literal=REDIS_PASSWORD="${REDIS_PASSWORD}" \
|
|
# --dry-run=client -o yaml | kubectl apply -f -
|
|
#
|
|
# # Create TLS secrets from certificate files
|
|
# kubectl create secret tls tls-secret \
|
|
# --namespace=wifi-densepose \
|
|
# --cert=path/to/tls.crt \
|
|
# --key=path/to/tls.key \
|
|
# --dry-run=client -o yaml | kubectl apply -f -
|
|
#
|
|
# echo "Secrets created successfully!"
|
|
|
|
---
|
|
# External Secrets Operator configuration (if using external secret management)
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: SecretStore
|
|
metadata:
|
|
name: vault-secret-store
|
|
namespace: wifi-densepose
|
|
spec:
|
|
provider:
|
|
vault:
|
|
server: "https://vault.example.com"
|
|
path: "secret"
|
|
version: "v2"
|
|
auth:
|
|
kubernetes:
|
|
mountPath: "kubernetes"
|
|
role: "wifi-densepose"
|
|
serviceAccountRef:
|
|
name: "wifi-densepose-sa"
|
|
|
|
---
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: wifi-densepose-external-secrets
|
|
namespace: wifi-densepose
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
name: vault-secret-store
|
|
kind: SecretStore
|
|
target:
|
|
name: wifi-densepose-secrets
|
|
creationPolicy: Owner
|
|
data:
|
|
- secretKey: DATABASE_PASSWORD
|
|
remoteRef:
|
|
key: wifi-densepose/database
|
|
property: password
|
|
- secretKey: REDIS_PASSWORD
|
|
remoteRef:
|
|
key: wifi-densepose/redis
|
|
property: password
|
|
- secretKey: JWT_SECRET
|
|
remoteRef:
|
|
key: wifi-densepose/auth
|
|
property: jwt_secret
|
|
- secretKey: API_KEY
|
|
remoteRef:
|
|
key: wifi-densepose/auth
|
|
property: api_key |