From 8881fd75ecca7e389da2babbae7ca12eacac0f76 Mon Sep 17 00:00:00 2001
From: Kat Inskip
Date: Sun, 21 Jan 2024 12:45:38 -0800
Subject: [PATCH] ops(dex): add secret
---
 k8s/system/dex/application.yaml | 38 ++++++----
 k8s/system/dex/manifests/kustomization.yaml | 4 +
 k8s/system/dex/manifests/sopssecret.yaml | 76 +++++++++++++++++++
 .../metallb/manifests/kustomization.yaml | 6 ++
 4 files changed, 108 insertions(+), 16 deletions(-)
 create mode 100644 k8s/system/dex/manifests/kustomization.yaml
 create mode 100644 k8s/system/dex/manifests/sopssecret.yaml
 create mode 100644 k8s/system/metallb/manifests/kustomization.yaml
diff --git a/k8s/system/dex/application.yaml b/k8s/system/dex/application.yaml
index ba3f8135..31f4b058 100644
--- a/k8s/system/dex/application.yaml
+++ b/k8s/system/dex/application.yaml
@@ -5,24 +5,30 @@ metadata:
 namespace: argocd
 spec:
 project: system
- source:
- repoURL: "https://charts.dexidp.io"
- targetRevision: 0.15.*
- chart: dex
- helm:
- valuesObject:
- volumeMounts:
- - mountPath: /etc/ssl/certs
- name: etc-ssl-certs
- readOnly: true
- volumes:
- - name: ca-certs
- hostPath:
- path: /etc/dex-ssl
- type: DirectoryOrCreate
+ sources:
+ - repoURL: "https://charts.dexidp.io"
+ targetRevision: 0.15.*
+ chart: dex
+ helm:
+ valuesObject:
+ configSecret:
+ name: dex-config
+ create: false
+ volumeMounts:
+ - mountPath: /etc/ssl/certs
+ name: etc-ssl-certs
+ readOnly: true
+ volumes:
+ - name: ca-certs
+ hostPath:
+ path: /etc/dex-ssl
+ type: DirectoryOrCreate
+ - repoURL: "https://github.com/gensokyo-zone/infrastructure"
+ path: k8s/system/dex/manifests
+ targetRevision: main
 destination:
 namespace: dex
 name: in-cluster
 syncPolicy:
 syncOptions:
- - ServerSideApply=true
+ - ServerSideApply=true
\ No newline at end of file
diff --git a/k8s/system/dex/manifests/kustomization.yaml b/k8s/system/dex/manifests/kustomization.yaml
new file mode 100644
index 00000000..dac56f7d
--- /dev/null
+++ b/k8s/system/dex/manifests/kustomization.yaml
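Review bot: In k8s/system/dex/application.yaml the `volumeMounts` entry still names `etc-ssl-certs` while the only volume declared in these values is `ca-certs`, so unless the chart defines a volume called `etc-ssl-certs` itself, the pod spec will either fail validation or never mount the CA directory. If the hostPath is meant to back `/etc/ssl/certs`, the mount should read `name: ca-certs`; note also that `DirectoryOrCreate` would mount an empty directory over the system trust store on any node where `/etc/dex-ssl` is missing, which presumably breaks Dex's outbound TLS verification. Separately, the new second source follows `targetRevision: main` and the chart follows `0.15.*`, so whatever lands on either ref is synced into the identity provider's namespace; a pinned chart version and a tag or commit for the manifests source would keep the deployed state reviewable. The top of the Application manifest lies outside this hunk.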
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- sopssecret.yaml
\ No newline at end of file
diff --git a/k8s/system/dex/manifests/sopssecret.yaml b/k8s/system/dex/manifests/sopssecret.yaml
new file mode 100644
index 00000000..cf1f8c92
--- /dev/null
+++ b/k8s/system/dex/manifests/sopssecret.yaml
@@ -0,0 +1,76 @@ +apiVersion: isindir.github.com/v1alpha3 +kind: SopsSecret +metadata: + creationTimestamp: null + name: dex-config + namespace: dex +spec: + suspend: false + secretTemplates: + - name: ENC[AES256_GCM,data:pZILaH34uFgX7A==,iv:I46DI6jjiRjG1UknTCNHWjodEqBkEOp/rI8kEkJvY/s=,tag:6mAsRl7LQQRu1QE0FwQbTQ==,type:str] + data: + config.yaml: null + storage: + type: ENC[AES256_GCM,data:aOZOQtIkkNo=,iv:drig6Zy4ktBhuh+g+VGj3zdKQVOEYjWw15G3JNpzMKQ=,tag:hlP8p2UxLBvaXoGiVp1lPg==,type:str] + config: + host: ENC[AES256_GCM,data:SKrsdC88IrqptkgzZHo/Z0iQd0uVitdJ4QiIzaUi,iv:FMJJSxF6O0yNExXKes9gnv2KjQUyFAaVea3rJ3BqO/A=,tag:/VB4K6V5cUO35jQWY8TkgQ==,type:str] + port: ENC[AES256_GCM,data:jXj2GA==,iv:fhH7KIS8wlAXP+ILQUNVirT1CkJy9SBwFRpCvCx0G/Q=,tag:D7NvOPKWWgUjwF1tbWuihw==,type:int] + database: ENC[AES256_GCM,data:9M6k,iv:b7OXT/dIXnS6CrkpA+h/djPZfo0MX8OlitiuTeDB7Fo=,tag:iWTw7IoBcWrOpN5Wr8YOgA==,type:str] + username: ENC[AES256_GCM,data:QdrI,iv:R52SL3rxzf9nqMeJsE9KPUuNLsZX+4tG6TEyucKBlpQ=,tag:QCe/zKNXNIP7dQHuKIMsNg==,type:str] + password: ENC[AES256_GCM,data:NZJ1k4z6qzZkIwDC1DlwA3ysxY4w5Cs/rM4WCiCFcAo=,iv:8PphwCGJn/RvSpAwjSeX0MH55jyDICkg1N3dszF8bHE=,tag:vDT32nN7vMBua3adV+8iYQ==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nmdv4q8hcyj3s6qevrmc9w2vhd4a8tsj5j5e0cry5utex7vqeprslyjvxz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUlJzM3lrTVVwSmdEVHNF + c2FlUlQ1MnJPZG9INmpQL1phZWFaQXFiMDB3Cnlnd2JEaE1yRURzWTZZMiszWnE3 + VitRTTF0ZXh4UVplaHRnTnJZRnloWGMKLS0tIEZSYm02eG1xNnhCeDVEY3ZNYnEy + UnVLNEt5N1laMWcrRWF0RHNqY3pyUTAKURvlCLdILf5LgU8dmXTIsmTWOnimznv+ + Dd2iOWPfp//ZIxzRmDDLnIw+wQdB/JSClsVE+655G6YCS4y+lRproQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-21T20:43:09Z" + mac: 
ENC[AES256_GCM,data:3iyE+RcNGKCKR+HDK86+GmTudcUfM0Fc3WhW0mMCqhY2q2Da3TRPHlitKcqvsTUczOY462gKq/UI4wHQqwZqiTYP9R9hZSqAqPwWMp48Cc7aC0QSiNr830S73XdwZHkyiip9aZQIDPx/nI+aBPk6Vk3cB2Kj87nlh/kcfC0OvCA=,iv:Yzda0+qOdLkiXtAoy9yzWXTh1sTLxHa0CqN6/Z8EUZM=,tag:xMJwGD+Ef3y+kLIvkThm5g==,type:str] + pgp: + - created_at: "2024-01-21T20:42:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//RT5SDeyuUm4Q6vu0D8fhgqqKpW2xD47Zq0SWD49HeMPh + EQ4MtKjWzV8u3C3b6US4okln5j04D/BuKXU07NASzsFlR9fyNyjarNIkMHrKDRYp + y6Ho4f8mlWaS28SL5wAhQq0tkaK5J2O2dmI7ExHRaQezeyk6uAj+qbjZSng/sU/T + 4frAHT6LlOQrjfdsT62xOq4uRRu991DNkLk4Bk0CcaVYpYfVnVyezGH58yO1uSd3 + eoQ0KuNBOTPsI518RZT7YMJIo7abXiyCBJv7gEn6x2w+zXAVm9nDrDoloOAzn4W+ + e344pFPAJEeBzPtKtfTVAHgYao/CaWX6j6PJFfamo/Wo2zIafn7z+nbOWQMgiEqr + EuKPV2wT4QntLBaA6ZQA4ifzZNJiDSgCAr6QcUurWNcN1nKwgU2nJXyT4j/SPk1G + No0OYxaslylL7GpQoNBL9z5mXIL7R7XAaAhJAWBaYZgrb9XyQQ1YJa8IEV3ofIRm + CKvtMBcWTAGnRVxP1jZk8y7ROgdyWQo5Tdt88j1sKOCGBlNPGEKKJIqxn9G2NW/O + NqSAbCmIvg1fuYUQvom1eDM/nhvuTGNMF1t6Gf73ovDSYSiBF95vfUripR5jxUw6 + JFVAMz/qzpL97KIWMymJy+w3XZDgSYnNAhtbhpVGOg5tiO2olAVt+KWyQzpw6HPS + XgFjluZwOdJGSUbGJpIdfXB81kVuVTTDLJSxkjV1y8iqpQN6t14W2caGZGVmwGBu + CcpRqN1pp3kfLeNWCqbzfXt9yrnqZ32OqdBObbGniGYUPMRO2ssIsw+KKJ6zgyY= + =ieT6 + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-01-21T20:42:04Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf9GMt2t0wNFZRDN50QW0dbVnKXZ8ky3b6M4mM5CHZkbgtb + bfOLr8Z4YvyBqNyvfHtE9JnCmCnFHyllM2u8ft0WKdk1RBT8HLKYiVg3Lr4jQ5Vn + oIIn1s5zIBPb9BF+NgT0M2LW9BRkDgXcdJFShNhXl4pqTN/TB2I0BmtvcHNaXk/1 + TqbESWsbAymdZ73UYtKp5McZM/0OMcOQ3j3Rh5gzkz9/8UKp19jQDNnU4MA6iUuN + G+m8FjFn8PHvWyDhDlLSQI14fgKEGKx1reyaYEQxecIl/r4B/T2BdWEP56Zdaa3u + 70T+1a0NpPrD8cwkHX+IxZOWtRpDdD5+AnzeNDdHvNJeASO8Bwa8yN3hrzXwtWTu + Qbu0+8xTCoGrQjKmE4y9sR3bE99T0uEjrqxF1qfE9MIKK/lNMGf2Z+A8Le/v2Jg5 + lVIfySQe9EaLVcuKkfqnGSBLZWoOjqlfRfBL118prw== + =yZNj + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + encrypted_suffix: Templates + version: 
3.8.1
diff --git a/k8s/system/metallb/manifests/kustomization.yaml b/k8s/system/metallb/manifests/kustomization.yaml
new file mode 100644
index 00000000..bb728ad7
--- /dev/null
+++ b/k8s/system/metallb/manifests/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ipaddresspool.yaml
+- l2advertisement.yaml
+- namespace.yaml
\ No newline at end of file
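Review bot: In k8s/system/dex/manifests/sopssecret.yaml the template's `config.yaml` key is a plaintext `null` and the storage settings sit in a separate `storage` mapping, so the generated Secret would presumably carry no Dex configuration under the key the chart reads once `configSecret.create: false` is set (indentation is lost on this page, so the exact nesting is inferred). As far as I know the operator's `data`/`stringData` entries are string-valued, so the Dex config likely needs to be a single block scalar, i.e. `config.yaml: |` followed by the `storage:` document, and then re-encrypted. The template `name` is encrypted as well, so the diff alone cannot confirm that it matches the `dex-config` referenced from application.yaml. The `pgp` recipients are recorded as 16-hex key IDs (`fp: CD8CE78CB0B3BDD4`, `fp: 65BD3044771CB6FB`) rather than full fingerprints, and with `shamir_threshold: 1` any single recipient key decrypts the database password, so the recipient list is worth checking against the intended key holders.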