ops(k8s): attempt to add sops operator

.sops.yaml

@@ -7,6 +7,7 @@ keys:
 - &tei_osh age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
 - &mediabox_osh age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
 - &kuwubernetes_osh age1q2yjpxlqkfhsfxumtmax6zsyt669vlr9ffjks3dpkjf3cqdakcwqt2nt66
+- &kuwubernetes_cluster age1nmdv4q8hcyj3s6qevrmc9w2vhd4a8tsj5j5e0cry5utex7vqeprslyjvxz
 creation_rules:
 - path_regex: 'nixos/secrets/.+\.yaml$'
   shamir_threshold: 1
@@ -57,3 +58,9 @@ creation_rules:
   shamir_threshold: 1
   key_groups:
   - pgp: *pgp_common
+- path_regex: 'k8s/[^/]+/secret.yaml'
+  shamir_threshold: 1
+  key_groups:
+  - pgp: *pgp_common
+    age:
+      *kuwubernetes_cluster

k8s/bootstrap.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env -S nix shell nixpkgs#kubernetes-helm --command bash
-echo "Installing flannel (CNI/Network Fabric)"
-kubectl create ns kube-flannel
-kubectl label --overwrite ns kube-flannel pod-security.kubernetes.io/enforce=privileged
-helm repo add flannel https://flannel-io.github.io/flannel/
-helm install flannel --set podCidr="10.42.0.0/16" --namespace kube-flannel flannel/flannel
-echo "Installing CoreDNS (Cluster DNS)"
-helm repo add coredns https://coredns.github.io/helm
-helm --namespace=kube-system install coredns coredns/coredns --set service.clusterIP=10.43.0.2
-echo "Installing ArgoCD (GitOps)"
-helm repo add argo https://argoproj.github.io/argo-helm
-helm install argocd argo/argo-cd --namespace argocd --create-namespace

k8s/bootstrap/.gitignore

@@ -0,0 +1,2 @@
+keys.txt
+sops-age-key-file.yaml

k8s/bootstrap/bootstrap.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env -S nix shell nixpkgs#kubernetes-helm nixpkgs#rage --command bash
+echo "Installing flannel (CNI/Network Fabric)"
+kubectl create ns kube-flannel
+kubectl label --overwrite ns kube-flannel pod-security.kubernetes.io/enforce=privileged
+helm repo add flannel https://flannel-io.github.io/flannel/
+helm install flannel --set podCidr="10.42.0.0/16" --namespace kube-flannel flannel/flannel
+echo "Installing CoreDNS (Cluster DNS)"
+helm repo add coredns https://coredns.github.io/helm
+helm --namespace=kube-system install coredns coredns/coredns --set service.clusterIP=10.43.0.2
+echo "Installing ArgoCD (GitOps)"
+helm repo add argo https://argoproj.github.io/argo-helm
+helm install argocd argo/argo-cd --namespace argocd --create-namespace
+echo "Generating an age keyfile for sops-secrets-operator, the next line will be the public key, please add it to .sops.yaml"
+rage-keygen -o keys.txt 2>&1 | awk '{ print $3 }'
+kubectl create ns sops
+kubectl create secret generic sops-age-key-file --from-file=keys.txt -o yaml --dry-run=client -n sops > sops-age-key-file.yaml
+kubectl apply -f sops-age-key-file.yaml -n sops
+echo "Installing sops-secrets-operator"
+helm repo add sops-secrets-operator https://inloco.github.io/sops-secrets-operator
+helm install sops-secrets-operator sops-secrets-operator/sops-secrets-operator --namespace sops --values sops-values.yaml

k8s/bootstrap/sops-values.yaml

@@ -0,0 +1,6 @@
+secretsAsFiles:
+  - mountPath: /etc/sops-age-key-file
+    secretName: sops-age-key-file
+extraEnv:
+  - name: SOPS_AGE_KEY_FILE
+    value: /etc/sops-age-key-file/sops.key

k8s/system/sops-secrets-operator/application.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sops-secrets-operator
+  namespace: argocd
+spec:
+  project: system
+  source:
+    repoURL: "https://isindir.github.io/sops-secrets-operator/"
+    targetRevision: 0.18.0
+    chart: sops-secret-operator
+    helm:
+      valuesObject:
+        secretsAsFiles:
+          - mountPath: /etc/sops-age-key-file
+            secretName: sops-age-key-file
+        extraEnv:
+          - name: SOPS_AGE_KEY_FILE
+            value: /etc/sops-age-key-file/sops.key
+  destination:
+    namespace: sops
+    name: in-cluster
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true