diff --git a/clusters/staging/davidepa/apps.yaml b/clusters/staging/davidepa/apps.yaml
new file mode 100644
index 00000000..1c49b421
--- /dev/null
+++ b/clusters/staging/davidepa/apps.yaml
@@ -0,0 +1,133 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloud-deployed-apps
+ namespace: argocd
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ repoURL: https://github.com/stfc/cloud-deployed-apps.git
+ targetRevision: david-epa-branch
+ path: clusters/staging/davidepa
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: true
+ syncOptions:
+ - CreateNamespace=true
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: staging-david-epa-apps
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=invalid"]
+ generators:
+ - list:
+ elements:
+ - name: argocd
+ chartName: argocd
+
+ # NOTE: each chart needs a valuesFile for this to work
+ # so create one for each chart - even if its empty
+
+ # argocd and all dependencies use the same file "argocd-setup-values.yaml"
+ namespace: argocd
+ valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
+ secretsFile: ../../../clusters/staging/davidepa/secrets/apps/argocd.yaml
+
+ - name: logging
+ chartName: logging
+ namespace: logging-system
+ valuesFile: ../../../clusters/staging/davidepa/logging.yaml
+ secretsFile: ../../../clusters/staging/davidepa/secrets/apps/logging.yaml
+
+ - name: cert-manager
+ chartName: cert-manager
+ namespace: cert-manager
+ valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
+
+ - name: cluster-api-addon-provider
+ chartName: cluster-api-addon-provider
+ namespace: clusters
+ valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
+
+ - name: ingress-nginx-external
+ chartName: ingress-nginx-external
+ namespace: ingress-nginx-external
+ valuesFile: ../../../clusters/staging/davidepa/ingress-nginx-external-values.yaml
+
+ - name: manila-csi
+ chartName: manila-csi
+ namespace: manila-csi
+ valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
+ secretsFile: ../../../clusters/staging/davidepa/secrets/apps/manila-csi.yaml
+
+ - name: longhorn
+ chartName: longhorn
+ namespace: longhorn-system
+ valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
+
+
+ syncPolicy:
+ # Don't remove everything if we remove the appset
+ preserveResourcesOnDeletion: true
+
+ template:
+ metadata:
+ name: "{{.name}}"
+ namespace: argocd
+ spec:
+ project: default
+ source:
+ repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
+ targetRevision: david-epa-branch
+ path: "charts/staging/{{.chartName}}"
+ helm:
+ valueFiles:
+ - '{{.valuesFile | default "../../../clusters/_shared/dummy.yaml"}}'
+ - secrets://{{ .secretsFile | default "../../../clusters/_shared/dummy.yaml"}}
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: "{{.namespace}}"
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+
+ # ignore outofsync issues with longhorn CRDs with "preserveUnknownField"
+ # https://github.com/argoproj/argo-cd/issues/6401#issuecomment-854995249
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jsonPointers:
+ - /spec/preserveUnknownFields
+
+ templatePatch: |
+ {{- if eq .name "manila-csi" }}
+ spec:
+ ignoreDifferences:
+ - group: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manila-csi-openstack-manila-csi-controllerplugin
+ jsonPointers:
+ - /rules
+ - group: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manila-csi-openstack-manila-csi-nodeplugin
+ jsonPointers:
+ - /rules
+ {{- end }}
diff --git a/clusters/staging/davidepa/argocd-setup-values.yaml b/clusters/staging/davidepa/argocd-setup-values.yaml
new file mode 100644
index 00000000..4de1c3f3
--- /dev/null
+++ b/clusters/staging/davidepa/argocd-setup-values.yaml
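Review bot: Both `targetRevision: david-epa-branch` lines (the `cloud-deployed-apps` Application and the ApplicationSet template) make the cluster follow a mutable feature branch, and the template does so with `prune: true` and `selfHeal: true`, so any push to that branch is applied and pruned on the cluster without going through review. Before merge I would point both at the repository's protected branch or a tag, e.g. `targetRevision: <protected-branch-or-tag>`; if the feature branch is deleted after merge the apps will also stop syncing. Both resources also use `project: default`, which in a stock Argo CD install does not restrict source repos or destinations, so a dedicated AppProject scoped to this repo and these namespaces would narrow that unless the default project is already locked down elsewhere.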
@@ -0,0 +1,27 @@
+argo-cd:
+ global:
+ domain: "argocd.david-epa.nubes.stfc.ac.uk"
+
+ server:
+ ingress:
+ ingressClassName: internal-nginx
+
+stfc-cloud-longhorn:
+ longhorn:
+ ingress:
+ ingressClassName: internal-nginx
+ host: "longhorn.david-epa.nubes.stfc.ac.uk"
+ persistence:
+ # can't be set for RWX
+ migratable: false
+
+stfc-cloud-cert-manager:
+ le-staging:
+ enabled: true
+ ingressClassName: ingress-nginx-external
+
+ le-prod:
+ email: cloud-support@stfc.ac.uk
+ enabled: true
+ ingressClassName: ingress-nginx-external
+
diff --git a/clusters/staging/davidepa/infra-values.yaml b/clusters/staging/davidepa/infra-values.yaml
new file mode 100644
index 00000000..f45ec9c8
--- /dev/null
+++ b/clusters/staging/davidepa/infra-values.yaml
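Review bot: The `stfc-cloud-longhorn` ingress for `longhorn.david-epa.nubes.stfc.ac.uk` sets only `ingressClassName` and `host`, with no authentication annotations visible, and the Longhorn UI has no login of its own, so anyone who can reach the `internal-nginx` controller could manage volumes through it. Unless the wrapper chart adds authentication itself (not visible in this diff), I would attach the same annotations the Prometheus and Alertmanager ingresses in `infra-values.yaml` use, `nginx.ingress.kubernetes.io/auth-type: basic` and `nginx.ingress.kubernetes.io/auth-secret: basic-auth`, under whatever annotations key the chart exposes. The referenced secret would need to exist in the `longhorn-system` namespace.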
@@ -0,0 +1,94 @@
+stfc-cloud-openstack-cluster:
+ openstack-cluster:
+ machineSSHKeyName: k8s-david-epa
+ cloudCredentialsSecretName: david-epa-cluster-cloud-credentials
+
+ controlPlane:
+ machineFlavor: dep-l2.tiny
+
+ nodeGroups:
+ - name: default-md-0
+ machineCount: 2
+ machineFlavor: l3.nano
+
+ nodeGroupDefaults:
+ machineFlavor: dep-l2.xsmall
+ nodeLabels:
+ # we're running longhorn on this cluster
+ # set label so worker nodes can host longhorn volumes
+ longhorn.store.nodeselect/longhorn-storage-node: true
+
+ addons:
+ ingress:
+ enabled: true
+ nginx:
+ release:
+ values:
+ controller:
+ electionID: ingress-controller-leader
+ ingressClass: internal-nginx
+ ingressClassResource:
+ name: internal-nginx
+ enabled: true
+ default: true
+ controllerValue: "k8s.io/ingress-internal-nginx"
+ service:
+ annotations:
+ # Don't delete the floating ip when deleting loadbalancers
+ # prevents errors when deleting clusters, leave as true
+ loadbalancer.openstack.org/keep-floatingip: true
+ # *.david-epa.nubes.stfc.ac.uk
+ loadBalancerIP: "130.246.83.76"
+
+ monitoring:
+ enabled: true
+ kubePrometheusStack:
+ release:
+ values:
+ prometheus:
+ prometheusSpec:
+ externalLabels:
+ cluster: david-epa-cluster
+ env: staging
+ ingress:
+ ingressClassName: internal-nginx
+ annotations:
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - David EPA Cluster"
+ hosts:
+ - prometheus.david-epa.nubes.stfc.ac.uk
+ tls:
+ - hosts:
+ - prometheus.david-epa.nubes.stfc.ac.uk
+ secretName: tls-keypair
+ grafana:
+ grafana.ini:
+ server:
+ root_url: https://grafana.david-epa.nubes.stfc.ac.uk
+ ingress:
+ ingressClassName: internal-nginx
+ hosts:
+ - grafana.david-epa.nubes.stfc.ac.uk
+ tls:
+ - hosts:
+ - grafana.david-epa.nubes.stfc.ac.uk
+ secretName: tls-keypair
+ alertmanager:
+ enabled: true
+ ingress:
+ ingressClassName: internal-nginx
+ annotations:
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - David EPA Cluster"
+ hosts:
+ - alertmanager.david-epa.nubes.stfc.ac.uk
+ tls:
+ - hosts:
+ - alertmanager.david-epa.nubes.stfc.ac.uk
+ secretName: tls-keypair
+ etcdDefrag:
+ release:
+ values:
+ schedule: 1 12 * * * # smearing the time for defrag job 1:12pm daily
\ No newline at end of file
diff --git a/clusters/staging/davidepa/ingress-nginx-external-values.yaml b/clusters/staging/davidepa/ingress-nginx-external-values.yaml
new file mode 100644
index 00000000..4bdc3af3
--- /dev/null
+++ b/clusters/staging/davidepa/ingress-nginx-external-values.yaml
@@ -0,0 +1,20 @@
+ingress-nginx-external:
+ controller:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ electionID: external-ingress-controller-leader
+ ingressClass: ingress-nginx-external
+ ingressClassResource:
+ name: ingress-nginx-external
+ enabled: true
+ default: false
+ controllerValue: "k8s.io/ingress-nginx-external"
+ service:
+ annotations:
+ # Don't delete the floating ip when deleting loadbalancers
+ # prevents errors when deleting clusters, leave as true
+ loadbalancer.openstack.org/keep-floatingip: true
+ loadBalancerIP: "130.246.83.62"
+ allowSnippetAnnotations: true
diff --git a/clusters/staging/davidepa/logging.yaml b/clusters/staging/davidepa/logging.yaml
new file mode 100644
index 00000000..c10eb298
--- /dev/null
+++ b/clusters/staging/davidepa/logging.yaml
@@ -0,0 +1,18 @@
+stfc-cloud-logging:
+ includePrometheusRules: true
+ opensearchCredentials:
+ username: writer-staging
+ fluent-operator:
+ operator:
+ disableComponentControllers: fluentd
+ fluentd:
+ crdsEnable: false
+ fluentbit:
+ output:
+ loki:
+ enable: false
+ opensearch:
+ logstashPrefix: kube_logs_staging_david-epa
+ # staging worker opensearch for now, with plans to move it to prod/olaf
+ host: opensearch.staging.nubes.stfc.ac.uk
+ port: 443
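Review bot: The comment on `schedule: 1 12 * * *` in `infra-values.yaml` says the defrag job runs at 1:12pm, but cron fields are minute then hour, so this expression fires at 12:01 each day. Either correct the comment or, if 13:12 was intended, use `schedule: "12 13 * * *"`. Separately, `longhorn.store.nodeselect/longhorn-storage-node: true` and `loadbalancer.openstack.org/keep-floatingip: true` are YAML booleans while Kubernetes label and annotation values must be strings, so quoting them as `"true"` avoids depending on the charts to stringify them. The file also ends without a trailing newline.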
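Review bot: `allowSnippetAnnotations: true` is enabled in `ingress-nginx-external-values.yaml` for what appears to be the externally reachable controller (`loadBalancerIP: "130.246.83.62"`), and nothing in the file says which workload needs it. With snippets on, anyone allowed to create or edit Ingress objects for this class can place raw nginx configuration into the controller, which holds the TLS secrets it serves and, depending on its RBAC, may read secrets more widely. I would set `allowSnippetAnnotations: false` unless a workload on this cluster requires snippets; if one does, name it in a comment next to the setting and restrict who can create Ingresses for this class.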
diff --git a/clusters/staging/davidepa/secrets/apps/.sops.yaml b/clusters/staging/davidepa/secrets/apps/.sops.yaml
new file mode 100644
index 00000000..298878bf
--- /dev/null
+++ b/clusters/staging/davidepa/secrets/apps/.sops.yaml
@@ -0,0 +1,10 @@
+creation_rules:
+ - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+ key_groups:
+ - age:
+ # Temporary key for ArgoCD
+ - age1pwxlgd3pzdkwudzjrx6fun8ddhgdl3m25jr24rd9wc9qh2wpkfaszccvv6
+
+ # Access Keys
+ # Staging Access Key
+ - age1vhunptck6gfu8u2uwrymx6ud0jgwxxjmn0rqh4hftfma6wxjrf6sgdg7dz
diff --git a/clusters/staging/davidepa/secrets/apps/argocd.yaml b/clusters/staging/davidepa/secrets/apps/argocd.yaml
new file mode 100644
index 00000000..e3907510
--- /dev/null
+++ b/clusters/staging/davidepa/secrets/apps/argocd.yaml
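Review bot: The first age recipient is labelled `# Temporary key for ArgoCD`, but nothing records who holds it or when it is to be replaced; the same applies to the temporary recipient in `secrets/infra/.sops.yaml`. Removing a recipient later only protects new ciphertext: every file under these directories needs `sops updatekeys`, and because older commits stay decryptable with the old key, the wrapped secrets themselves should be rotated at that point. I would extend the comment to something like `# Temporary key for ArgoCD - owner: <team>, replace by <date>; rotate secrets when removed`.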
@@ -0,0 +1,32 @@ +argo-cd: + configs: + secret: + extra: + oidc.irisiam.clientID: ENC[AES256_GCM,data:5FQOmlOi9VcDhKURGh4UDRbr6jVlDMnVTKSGN3QYYSmN9D9O,iv:pcgc5WsUBPEceLnH/zye4XNUdF9xgjPC/JxWOM3W5ow=,tag:k4xyVO4pq+qXjW9fonkBMw==,type:str] + oidc.irisiam.clientSecret: ENC[AES256_GCM,data:x6ycGmAQg0HNEk+He+f8pT4HNkbqSNXdkytmHkkhSgTrascA3jJVlmR34+Ev1C3kSFHKZCm3C/q7xH3cKSGNsZbbMvXJF/MYjCX4+/6PW9TXWM99FV8=,iv:1JP77XJRA6/kRxlEWQ7Nt473ZLnA5JResPgN4YGvXRU=,tag:iu/se72hP1zXQEDxALx16w==,type:str] + #ENC[AES256_GCM,data:CDF4eNTciDrJReEUW1/QUOHPXGj5rqGSs3RJ92sYBwu4lAg=,iv:pZDknmYYLV74RD6bcSScmO8I0ZG5ZWookWhr732DRT4=,tag:2j1Ml6hIbgdqYaOXVR09bA==,type:comment] + argocdServerAdminPassword: ENC[AES256_GCM,data:tTCM3nhOt9Ztwr076FySqqGo/5x2pa/zDCTcNrPBJCuoKSh+wg5FBHQ57VBhxhpzwFCAMWYIOk6uy4FP,iv:h6mNwz3Vrl7W6vEA7qfzZnS9xl7nN7mP0XPDV2t9cTQ=,tag:S1wul+kGBs7KEPKC6nWRJQ==,type:str] +sops: + age: + - recipient: age1pwxlgd3pzdkwudzjrx6fun8ddhgdl3m25jr24rd9wc9qh2wpkfaszccvv6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVi8wQUtqVjRYSWVqeXhS + ejhmajZ5V2I2VHpRQ3lnZWlLOEhlU0RsL25zClZJczhwUGRYRm52QkJJYlpJaUFG + eElZNzJ2bk9zZmR6OHZZS1B6RXdtTnMKLS0tIGpkZy9JZHhjU011Tzc3SVhUSmhB + ZUJPbUwxbXdXb1B2dWc4TFpId2pNNW8KjiK8DA4UZdAjbz0Q46cpoM5c2rvJAN+i + CcFQXJ8dp3SgYCfKcz+usYE1XAscMVEI/0q6XTflHXNupyr7nCIPSA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vhunptck6gfu8u2uwrymx6ud0jgwxxjmn0rqh4hftfma6wxjrf6sgdg7dz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYai9WV1RvR0p2aVorYU8z + ZGNMTmlEZG1vUnE0OU52TmJUMW1WeVkwbjN3CnhOUzZydzRtakhhM2tqNlJOMjIr + QStUZUtFd0c5NUhFMWl2QzVmTGlqRVEKLS0tIFB5MHNqNnIxMXRLbGVlZ21kUVNP + RXB6VHpxdWRMdDJvYnRia0hEcG41WHcKaa0+3cJsUkptBzBmDJVEK7LmObr37loc + 6PsM+q++S/8Oy73Bo88wS5oN10DnNt92ljNk6sEQNE6Kb17C2rf/eQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-30T12:58:58Z" + mac: 
ENC[AES256_GCM,data:sb51nM9XR6vYY7ykdwwU/F3SStUD/AvnI2AclhucBxPAFFQRdNrHXbfhD889dF4mnpBA3iuNegP3uERwr0ceQLDVmXnaVEFUY8HlVg30IHikCrxZYlbzSTxNXr54BsHbGaCXzVTHiOFxdmXnuxp973kRC31d9ONNzQQuoXAE8Xg=,iv:XLym1ymS0I9kUobOGyQ8N1HRx2GwSt+nr6MDSBC973I=,tag:e6dxkY4fTTdcfWcEK3DoJA==,type:str] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.11.0 diff --git a/clusters/staging/davidepa/secrets/apps/logging.yaml b/clusters/staging/davidepa/secrets/apps/logging.yaml new file mode 100644 index 00000000..71380ec6 --- /dev/null +++ b/clusters/staging/davidepa/secrets/apps/logging.yaml 
@@ -0,0 +1,27 @@ +stfc-cloud-logging: + opensearchCredentials: + password: ENC[AES256_GCM,data:NzFWxPbmcNyD5tPsxWFAJO3spes=,iv:wyMIRNr8ED/9dFrhfe1XlnyYg7s9s+iBhCWaovnUnOI=,tag:m+VkErCPqqSADE1ff+uKJA==,type:str] +sops: + age: + - recipient: age1pwxlgd3pzdkwudzjrx6fun8ddhgdl3m25jr24rd9wc9qh2wpkfaszccvv6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQWNpbEhsZisvenJvTUhI + L3RZUTRVNTZxdmFndWpDUThOekpjb2pLNlJRCkg5ekFpblhkbjd0TXpma0ExL3B2 + NkIrYjdvNHN5ZEJ2VStrZzNsUWNIancKLS0tIE44MzZsdThkVHZHTE9BSVVjY25S + dUw3LzFsbm00Mk9XMjFEYmh2RWNHRTQKoCADHiBSlL38+KXCa/11Qb1YBpGO7eQe + D7ArshFbwxxEWEe3848L0nMIx6nlty8qfxW/I6l7geyLC4cpI83eOQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vhunptck6gfu8u2uwrymx6ud0jgwxxjmn0rqh4hftfma6wxjrf6sgdg7dz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3BtcWtLaEw2UVdSTk9R + ZnN1eXJIbWNRNk5nS09LWjdER2xZdXhRN1JRCnpwS1ZvT25lU1hzaTFscWg2ckI0 + Y1hsSHRycUpQUHROVHo5UGFScCtzd2cKLS0tIHNRczNFMnlIVVg3WDZKeUtidXd4 + bVFzQTI5TkJtYkQ2a29qRkNGQ3FGWTQKu+Y2qvtFmXUtQsw7+UqkE+2z2HLwnn5h + +ukkBCn0aWtsSuKiwBa0v+HS07+vJicCpgFKPTs3eBkfS68LOZEQ1g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-30T12:55:54Z" + mac: ENC[AES256_GCM,data:pj39lfvFgZrdJ+tXfsYebFszSsQCXMyV0Hx6Yz6z7vDmsf85UapgNxD7zUgGS+bLWUbzosL+FyaPM9zEgWa0PAy07AeppRQkNFSJkOQR5+J1jvb9pATdARAuRL3e/tuA2K+yy2TKZ9lr30cxvbJZ3+Px1Q2t/G8U5vMxHIiZCI4=,iv:dx1oNAD1J4OMb4FyrMAHu7e/2dZc8FnpvMUHxOnAWPw=,tag:Y2HiJLL6kxHYJD0pJnfaaA==,type:str] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.11.0 diff --git a/clusters/staging/davidepa/secrets/infra/.sops.yaml b/clusters/staging/davidepa/secrets/infra/.sops.yaml new file mode 100644 index 00000000..72b26510 --- /dev/null +++ b/clusters/staging/davidepa/secrets/infra/.sops.yaml 
@@ -0,0 +1,10 @@
+creation_rules:
+ - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+ key_groups:
+ - age:
+ # Temporary key for ArgoCD
+ - age1tgfg98jddwc2crr869aa9phe9ufflnyya4t3mcltqsmcvca0k46q2m04se
+
+ # Access Keys
+ # Staging Access Key
+ - age1hsll27prywydttq7dtnqtdnu2jpr8zhaulx00l7n4pqmxkhr55vspqmj6l
diff --git a/clusters/staging/davidepa/secrets/infra/api-server-fip.yaml b/clusters/staging/davidepa/secrets/infra/api-server-fip.yaml
new file mode 100644
index 00000000..8d3fba0b
--- /dev/null
+++ b/clusters/staging/davidepa/secrets/infra/api-server-fip.yaml
@@ -0,0 +1,28 @@ +stfc-cloud-openstack-cluster: + openstack-cluster: + apiServer: + floatingIP: ENC[AES256_GCM,data:jtfY2U4CbBKc0gtNo5w=,iv:2N/o/Fi7x58zKLTwHzI8xtEjYkcfXeqEssnqIKePPDo=,tag:YVgdN/aQAZmXmOJKSxJmtg==,type:str] +sops: + age: + - recipient: age1tgfg98jddwc2crr869aa9phe9ufflnyya4t3mcltqsmcvca0k46q2m04se + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OUFOeDFEY3QwZU1BLzRs + eGROZGhMNWQ0dlBpT3lpQUNISVJ1ZE9PRlZvCjl3UXRwMHdraU9RcG1lTnpqNDBn + WGhoUnpEeXJSNFZpL0txd3VBekprbXcKLS0tIE93MS91Zml5WHR1ckV6ayttUVAz + U0REUStKOGhnMnFYRWl1ZnpDVmZQak0KoFD/Kl7Y5OEbPFmOUhbLJvNZkYGrEeLs + KVzDbNb/81B37ACK8xeRsndlzkzScJIou04Rgr4+WRHEbLBYBeebgg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hsll27prywydttq7dtnqtdnu2jpr8zhaulx00l7n4pqmxkhr55vspqmj6l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQzNidmpBL21nZkc4VXV3 + M0NhQVd5UTdhcVFnU1lSUDNsaXJTRU16czI0CllPVGxkOEh1K3RUMUF5bUdZSzcy + YjBhZFVzY0FsZXU4SVZmTHJEUngxTVEKLS0tIDVtUnI2cU1zcVZpYVRuS0xrdndN + cVpMbDAwSkYrT0FvOXhzZXR1bGRraW8KogXY3MczNKEXEoLnEm8CYs/Nn2+Bn+Au + X+pTLokoKll3OwxMpj1A0JkYRp0Ave4ilxEKbQI+NPXs8dIuwxZURg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-29T14:41:03Z" + mac: ENC[AES256_GCM,data:LBzS8/fgumNOuAV9m9/6wwBg7zjbFtlImVtvHfausTLr4qY2blyKEz55CnfyNvIl3PnWef6Uwhy0JoDLlpzYcvhvm5hQq6wRuuW+NWLxO3YaGq+eSsauROWjyBAMCtNyGB3t12JvURahQerEQICms7B/vgWPVNFo+2B1CImfhhA=,iv:7DhiZTRRwDskAvE+nMU7mlg6X79iC9mmE68wRW8IB8A=,tag:1wa3wL87BljfS94tVCGkLA==,type:str] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.11.0 diff --git a/clusters/staging/davidepa/secrets/infra/app-creds.yaml b/clusters/staging/davidepa/secrets/infra/app-creds.yaml new file mode 100644 index 00000000..5e1230e4 --- /dev/null +++ b/clusters/staging/davidepa/secrets/infra/app-creds.yaml 
@@ -0,0 +1,36 @@ +stfc-cloud-openstack-cluster: + clouds: + openstack: + auth: + auth_url: ENC[AES256_GCM,data:+NFTd6D0xVNYlDRLT2ZTuNvrJ7V7IR6jQRIWy/IMfiok,iv:2zGAXWbU+SyE2KytaepfSFkQbU4/KMXjObTDQp0mvl8=,tag:aMaMlV7orZgov3+9fmZ8qg==,type:str] + application_credential_id: ENC[AES256_GCM,data:wmPMkJik59BfcstdjEE8SRjWKeQDzWelQOyUb5nx+4o=,iv:hpYI76zw0foxuq3HN9apF/a6rh0ksKEw9ml7w/Xcdxk=,tag:N4FfoM0DInV10BqxW5VVkw==,type:str] + application_credential_secret: ENC[AES256_GCM,data:sHl6VJpXh9XpQFWzdMq/xnVmTrlVu0UgPBCIvIlAOd2rZaRAI4GFMU1YvV59ymFOxjwFzHjxq5Fov+17kleYtPee96z/4gMMSSRo18NP/yKxg7PCP8Y=,iv:SKtx9MLa/9Weoodk4/LRvztaJquuQbDN2ty++69T5ng=,tag:Zd6qsVkWGUkwHwXLImDliQ==,type:str] + project_id: ENC[AES256_GCM,data:xBCg3r4bTiN/ncYPE2QTu2JdjFR52ro2kcB6aCVOCFI=,iv:GbHCfBJyazfZq7Rj+6pJChmddkHmRAwBabvftjtpEWY=,tag:mlxvMscQsgZnvRKeGpGajw==,type:str] + region_name: ENC[AES256_GCM,data:4rglos7h9LUc,iv:le5nAgFwWK+WcMAL4Bzgfl/OcThZKf2WNMmL/2REUpg=,tag:ZqtHq4LhGBtcVHuB5GRQjg==,type:str] + interface: ENC[AES256_GCM,data:r2MYwS5r,iv:rxSvFB2pm7uNZma13LS0EmmHgLhLeW+hN3xogr2tx88=,tag:ladabW38UU5s8OzvI1HsUQ==,type:str] + identity_api_version: ENC[AES256_GCM,data:KQ==,iv:fzh6pOn29SzNyDMivapbfwxsglWh4cGmkW3N2gApIK0=,tag:bD+TG2X1w4eBSqbN1k2eFw==,type:int] + auth_type: ENC[AES256_GCM,data:K4A+WhAXjXBGru08r+1NzdRhzR89FR0=,iv:YH9avEdmQI2ME74hrZo+jr+f7dopwGJxdcPY9uJBrB4=,tag:UYaqwwSbM2xlUYLFQPdPbw==,type:str] +sops: + age: + - recipient: age1tgfg98jddwc2crr869aa9phe9ufflnyya4t3mcltqsmcvca0k46q2m04se + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTXEwbzFJQ1pmOGMrUmJn + MjdIdHJNWnAxZm9wY0MrV0l6QUpycG5TSURFClR3WUtTZ3AyQkdWVVRPb2xwTlVF + M2VTV2tHandrRFk0U3dZWGFXUmNsTlEKLS0tIGNMbDdJTkxua1hscVZlZDJIZE5m + bHRxSlpwVjRWSExoMldJR0Q5Z3RxL00K/jFTieKuOmsCAVbFsS0FcDf4dKzshNWL + sYxn1O29ExaZYXuN3i4ksZ4GUyIXK7pbjaOk9SOvM/mN4gFwnHHYVw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hsll27prywydttq7dtnqtdnu2jpr8zhaulx00l7n4pqmxkhr55vspqmj6l + enc: | + -----BEGIN 
AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUGFMSkRMTTkxdnJBS0RX + K0xISUdMd2drRWhVVFVJZ2ZqT241TjdKQjJjCk40SFl4MkRxN3Q5MUFyV2hJNytN + UlNMdnVKenFmZjFZcWJwS3R4U1JZdXcKLS0tIER5YUw0b3BCNU5jWlBoZ0NOd2xi + NFRHQTZwcEs1ZkcvU0ZYRVRsVzJaSk0KZmiSLj80QBnrEFNkHSgJXteg8DLMORn9 + uhKzx6kk0Vg6E44J225T2EpxRvkDIH49nv/RrFR0HJjmE9slOu6awA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-29T14:46:13Z" + mac: ENC[AES256_GCM,data:QNGAnzZ2Rwj0iA6sEmYikcozyIFrPjC9JfPDbKr9JOo1mwvy/K/12caw0ljLVBcQJs173zt6K5nXJGVXfiuttskiygkeLw3quLiLX97W9SooX071rpMTuYSfm9gSLuIVAF1LHu4M1I0aLxOIbDrgK1j9GlFEPDs5MROisPpGA8o=,iv:T2NDSkLpd+KSwGIuiq+PtnKL58g5iCV8T5zSVJD3aB0=,tag:AEe0TB2nG3HzyY6lye3OkQ==,type:str] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.11.0 diff --git a/clusters/staging/davidepa/secrets/infra/auth.yaml b/clusters/staging/davidepa/secrets/infra/auth.yaml new file mode 100644 index 00000000..9fb87698 --- /dev/null +++ b/clusters/staging/davidepa/secrets/infra/auth.yaml 
@@ -0,0 +1,46 @@ +stfc-cloud-openstack-cluster: + openstack-cluster: + addons: + monitoring: + kubePrometheusStack: + release: + values: + grafana: + adminPassword: ENC[AES256_GCM,data:vhWJwiP8TgFqPaRBapf8wgEGrVM=,iv:+pTheO6rc4LIdlB+km6Bb1NW+vFyNvVCPkHbyLSfX5E=,tag:CluG5YaptjCoHKzZ6QrzUw==,type:str] + extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: grafana-iris-iam-creds + stringData: + client_id: ENC[AES256_GCM,data:i4H7QCsxjwRcSxNUsOcYGi8dUOveGDtVrLkJG8QAUdTzmd/h,iv:7szNCY58eQhq/36ippTbX92w1i9h/5qUvZiJp7o2hpA=,tag:PGAl3MON5MxaSkD2gvhtmQ==,type:str] + client_secret: ENC[AES256_GCM,data:XGmBArY2VzTqmAE7Cqa5QN/bYvmlJrUn01tA09nJlbVTGWIugiTDjMzUv1C9MPlQ7snxSSEFqvvfkIYKVobcQjKeNQELNEeV5oaSwwhIZymuYhbaM9gW,iv:FkqHTf6T3LN8cPCmVCLEgeSA3yqXFKSLB4B5F6NEs14=,tag:OGw2QM55EpYctl44+HXFAg==,type:str] + prometheus: + extraSecret: + name: ENC[AES256_GCM,data:tSXgZzdUbBnVRQ==,iv:6gK1umHPJX7K/wa1vjh6tch0WVD3R3r3nLsn6ZDtpTQ=,tag:FsmJXJpg6jfJ6mlOx3P+4g==,type:str] + data: + auth: ENC[AES256_GCM,data:DiOAyIuPHNT4ozFV5/A9PoyFM8+qkz2B+mz4Hgy3MFHufhfx8MYVM3fXnw==,iv:Ihty6Ua/WrUWXtziyrBAFNcLV5vQe+UGGSCXQQ2JDyQ=,tag:Ic8ey4Bgm88IZP9wbZIxaA==,type:str] +sops: + age: + - recipient: age1tgfg98jddwc2crr869aa9phe9ufflnyya4t3mcltqsmcvca0k46q2m04se + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscVFRSzRkTTB5S1VaYWRF + MWtwRWdiSG52T09xQnlyc1hqR2dYeWlvdlcwCjl4YTBxS1d3UzVObyt6SE1HR3p6 + eUZVOUI2SFdWWXZLYkpOdHRwMHJUOXcKLS0tIFlLcUxnekYzSmJNRlZFTW1ka3FI + S1JQSldIUFRXVFVYa0pXMW9DTVJTbVkKS/dJeS/BYzkYqGHsggxBgZ5IkI9aajdR + h6afj/XW5sL7vh0n+SiYuS82acn4cCMvRl/NwvAAzoiJIN/kCtJqgw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hsll27prywydttq7dtnqtdnu2jpr8zhaulx00l7n4pqmxkhr55vspqmj6l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUVVEbUhRUVQ0VXMzTWh6 + aDd4ZHhOL0Z0c0VxUnlIZzB1WmFMeFk0VlU0CkJZdEIxeWgvWSs0QWRrN0N3RXNh + UnZSTU9TM3oyZWIxVWdpdXVpSzVmVkUKLS0tIGdTQTRacHFnNW1IYXBOdmpSblRX + 
cXZsS0MwOFlvbzFCRGRGUkQ2OXJoa3MKHrdsvoFjTRVqAFvjDXqbxNENYbiJiUSk + ZVGEnZjivIWmhmcVd/PhivzSo41ai3ODgrchSysR/1qdduLdslLH6g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-30T12:55:08Z" + mac: ENC[AES256_GCM,data:LHQ8j9B5W3XLFRdYdcfcqfKsO4MqU2q79/gpjMdRKE0s339zrB4beaKPoSSd2GH5ckC7Zyr4QDliyYLmDxtCrf0zh50cpVsF+cDAbzBYoHWzDIieAHuou3P94ZEo4e6JEs0aKQ1ipFd556WXWk0NlWvbrhHYZLSSSxY1XEcXa24=,iv:djjuDAPc8nG0zgjGc5LVwGiDRRXRq0qpkrJ49k9ZC64=,tag:mRug8m7GMF162VOo00vJ0g==,type:str] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.11.0