From 3d5ae9c25f4f56aacc5856217f2b3e249183947c Mon Sep 17 00:00:00 2001
From: Alex Corvin
Date: Fri, 8 Mar 2024 10:50:21 -0500
Subject: [PATCH 1/2] Add argocd-related encrypted files to the repo
---
 bootstrap/.sops.yaml | 3 ++
 bootstrap/argocd/argocd-cluster-secret.yaml | 39 +++++++++++++++++++
 .../datahub-ocp4-argocd-cluster-secret.yaml | 39 +++++++++++++++++++
 bootstrap/argocd/ksops-pgp-key-secret.yaml | 34 ++++++++++++++++
 4 files changed, 115 insertions(+)
 create mode 100644 bootstrap/.sops.yaml
 create mode 100644 bootstrap/argocd/argocd-cluster-secret.yaml
 create mode 100644 bootstrap/argocd/datahub-ocp4-argocd-cluster-secret.yaml
 create mode 100644 bootstrap/argocd/ksops-pgp-key-secret.yaml
diff --git a/bootstrap/.sops.yaml b/bootstrap/.sops.yaml
new file mode 100644
index 00000000..d46207e3
--- /dev/null
+++ b/bootstrap/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+ - encrypted_regex: "^(data|stringData|tls)$"
+ pgp: "EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E"
diff --git a/bootstrap/argocd/argocd-cluster-secret.yaml b/bootstrap/argocd/argocd-cluster-secret.yaml
new file mode 100644
index 00000000..acbc04e8
--- /dev/null
+++ b/bootstrap/argocd/argocd-cluster-secret.yaml
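Review bot: The creation rule on the `pgp:` line names a single recipient, `EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E`, and the `sops:` metadata of the three secrets in this patch (argocd-cluster-secret.yaml, datahub-ocp4-argocd-cluster-secret.yaml, ksops-pgp-key-secret.yaml) likewise lists only that key, with `kms`, `gcp_kms`, `azure_kv`, `hc_vault` and `age` all `[]`. Loss of that one private key makes every encrypted file under `bootstrap/` unrecoverable, and a compromise forces a coordinated re-encryption of all of them because there is no second recipient to fall back on. Consider adding a second recipient to the rule (another `pgp` fingerprint, or an `age` key held in separate custody) and running `sops updatekeys` on the existing files so that rotation is routine rather than an emergency. The rule also has no `path_regex`, so it applies to every file below `bootstrap/`; if that is intended, a comment such as `# Single rule: every file below bootstrap/ is encrypted to the IDH key listed here.` would make it explicit.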
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ name: argocd-gpc-ocp-hub-prod-cluster
+ namespace: internal-data-hub--argocd
+stringData:
+ config: ENC[AES256_GCM,data:6lQ8CjpG+Dvg8L3BmUxScYPhIDNikkobhb9Sy8GgWan5jYg9WOVFEN1lHCPWGW7kEOWpZCV7VRsm3RBIJbnqERaIaEhyuar1/nzqNdj1ICuNMFhYYKKDRUoLHsfzz/PC4TinVGSWJwA6FpQje371gv+WxUHikinWdGPHyaU3QVPow+5p340idNIMMOgm9u5Gx2QoCAh+odSUquW8Y8sOy7lms+30xtDFq66Qtu8+Rzs55mSV0tbptIQmWywmOWfZB8zb2YuDv4dBMKJBovTrKB13aiuJeuG6oPU85f2VXSlXhtVszWNwambebmCJqZuAycYumyrmAKcELRAXnBCxDr4ZTJ3cws6Iv/FWQxmzn7LKc7KyoDDP0juxYJQK3cdcvFtp+Kj+EMHUQrKDA+yUjkrRhPmdjOUw+Yp36usNkpCtPAKL93FBk1m++JdtUJFnGTxd83FqjdFILOfKenf1l5NNu8LGexJ59xuT5mjU7yTZkZITdPcuyTGSyaHHUCenwW76isaH9M+AFZAfj9OMY4YVLEsJ7ZCB9aXpz26Dxl1JcLxTvymlrq8PMC8T3+7/Y/rVjLqCoeN0tS4d2HczcQ1rW4+4PRceRogrlrTMgjQ5wXVKmv/3NZiwMXgNtnd4VIrAkEmeKa2a8LOK/pBhgHNbjM5UKFxMzOKrdr0CJJCCIQU9gucSGnp9vsNLzGVMOhiqUnYqxYxy/5Owhva+K66qreXhFB0zYud3shFClkbHVUQlPun7+rpPLYGgBWeQ+coPyrZVi42Ab6D/7PUvnCpzc/diEm0hwTT0eX3zUqrIh3aCJbcaVSjveDED7PdnOnNVRtTbhTEp6NUMOGDO/igV255+jkljzhmKBXLeSnWpuMH35owc4AwBHgOqx31aCp6Q9mFd/PNNlgpHl8ca4OxhaW3HY3mEAz3QKNxUBbXRPIE5tt4NW953ov8uA0NKWMfQChmnTv7nORgp5n7yyKAv0jZvEWC+OTKev27XSWBPRGZnXJRbSut7yt3tNP6I1xFaMTeeaKRlLzKnRP3gsj3RTJt3uMwOee6S+YM6hpH4Kv+qIR/4khPhWim6K2o1TuQJueNBBPH1zn97vlvajaYkbtA+wcXAkdvO19R05h1u2nDH1u8Me+PT+oheZS202dJCSIGlZ2fqogK8O1cO1yL3/sn0MCM1Yn/G/uT5HvSDzDO1o04gxCjTtTc7fa7cI7fFivoL5Dxs3WPgENS7YzjG3irMFHgawlexQHICXlYnUH7mJ18g5pWxZK8jVsnwUYIvDu6/WtIuHdMn8+UbWjfUUkqie80kIppnz90C1luSOVKRDfnc68p5IIHtBCSpHqTJ/f3diEmwMxEH8GXpjYFNnrP1RMwnpZ1iEU3u+zQF22XyA3tt/sbnbZNHgbkLyABH0WC6tY/P3tPDBQ/rxMGYYKaLWYH6p/Nn6dfJ,iv:zIWOj3VvoOQzfIzGPTn8PNG3vK+hA6y8uUdmPohUVFQ=,tag:/l8aA13My1oc3zPoZdFY5g==,type:str]
+ namespaces: ENC[AES256_GCM,data:/RuchO9prWJZ4vSem/a3qYdEHF96azoBnH6ZV9YDRpD8NSnORwUnM+nYtIipO/RrWZXm47mr1yrNHg5Q1jtNy3R92yHSxwCjM1FkoGNOpgkqxfZQo6okVBMO083G9gH/Sv8RSO6eQCRHLwHkQOcqY9fAxQSkINZr/Zwq4LdeLRA0sA6QDxjZXPyCmLl9RIwgcPL/4Fpb2nQfyQNWkhxyWmM9fRAlVDFSl2mDGcwaZSnNl0udJ+Zvges0QNr/DkZdqp0oTWLiWI/Ai8mXMvWYiZFyK6AJh7EwVEzokYUrpus=,iv:jCM7jvDMTtxhMDuPpibi9B60rw0bfvd5ByQtFHNveqg=,tag:f7eRevDe2icbGm5sQeTBXQ==,type:str]
+ server: ENC[AES256_GCM,data:qcwuVS17usuR/xxr6fdR0pRSUu0S5ztcU9BYyhm7qJ3S012lCeVlFcpTSHwFLTpb,iv:NPYJ0jPfaIrRwbyDgTMTf54ffxUnd8JvTmVpGSwHGhE=,tag:cT7azpMmLWVD6EELnTdulw==,type:str]
+ name: ENC[AES256_GCM,data:j349oY68WwXdgkWusFWSwqQnA+Qihx9ufV/LO8SfA20h9I8=,iv:/+OkZswwCmiTX5UPhEiIX30FDgr+NDx2L0j/m7jt+Q0=,tag:PIfCPafUefwi3ZCETR78Ww==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-03-08T15:49:57Z"
+ mac: ENC[AES256_GCM,data:H7JB0kwueyc5VjBsApcv9awA92rylKBsIT7T+6I0WR+yU1zrLdw2NdhTIexT2krVNE2AypX+lvDTL+COkHt46Yt2JYwDDXAJb2B483xRG4ZArxFyD/FxXLQXEgyxWPw3DCosmqSDEFX9vsJIMzmCfR55rHtFnoillJMyqOf5jTw=,iv:zTkTV2dV4a3Ndr9HzD41vbcmqMlcLczMG+Z132LVPDY=,tag:mfm7QPA8S81TK6pyOgfssw==,type:str]
+ pgp:
+ - created_at: "2024-03-08T15:49:57Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA/irrHa183bxAQgAoBDbYzhBkrRsZwsPFeOrHEocrcmFIVgL36/gS/puV9HG
+ 9g73lge2X8EGzOKh1lm66DAYvyOEypVUYU6PLv93VMgGBx6qqpoBaQ/+D7B9zft1
+ fzUx8G4GPhMkP8hOnCEDbU0euCc0rBVBACgz57DSuGV3gnmlZQeAtWAfvQLx9FF6
+ VsDuqGV8VSq+ENOOKtkLnl+oMmuZkJGV16w+jY8yOopVKKf7G5+dQ8Ws0kbJfHPK
+ 76p0JPX82Z3s+6YNmQO/XvE68vqGHSoDGnVTdxG4yGILx9Ki48T4rpgw1Z9W5r9p
+ OtfuOD4Xxj05wxVXU3wHuS0h07OiLerDFrsZhZEEltJcAULFsmLgJGKTxug5Lu4b
+ aejeGWKS6Tr8xUmvSNM/umgDK2G/Uz7jNFYu+cx66rw4VMjNlepg5ilmrRutF9K1
+ 7a9Ifia8HPkZY32a0OzOEIHJSHVnRA8CFn0dm4M=
+ =Uyi1
+ -----END PGP MESSAGE-----
+ fp: EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E
+ encrypted_regex: ^(data|stringData|tls)$
+ version: 3.8.1
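Review bot: The file name `argocd-cluster-secret.yaml` says nothing about which cluster it holds, while the Secret it defines is `argocd-gpc-ocp-hub-prod-cluster` and the sibling file in this patch is named after its target (`datahub-ocp4-argocd-cluster-secret.yaml` → `argocd-datahub-ocp4-cluster`). Naming the file by the target as well, e.g. `gpc-ocp-hub-prod-argocd-cluster-secret.yaml`, keeps the two files consistent and makes it visible from the path alone that these are production hub credentials. The plaintext `metadata` block (name, namespace, the `argocd.argoproj.io/secret-type: cluster` label) is deliberately left clear by `encrypted_regex`, but with the sops defaults visible here (no `mac_only_encrypted`) it is still covered by the `mac`, so a hand edit to it will make `sops -d` fail. That "edit only through sops" rule is better recorded in the README than as a YAML comment here, since sops normally encrypts YAML comments along with the values.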
diff --git a/bootstrap/argocd/datahub-ocp4-argocd-cluster-secret.yaml b/bootstrap/argocd/datahub-ocp4-argocd-cluster-secret.yaml
new file mode 100644
index 00000000..2f482298
--- /dev/null
+++ b/bootstrap/argocd/datahub-ocp4-argocd-cluster-secret.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ name: argocd-datahub-ocp4-cluster
+ namespace: internal-data-hub--argocd
+stringData:
+ config: ENC[AES256_GCM,data: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,iv:uYe5jI8XzdGjBdoZiXsRwgYEsqfIZOxX//pK1y03gQ0=,tag:SZUi/Cx/P0cp5SsdRfv5hw==,type:str]
+ namespaces: ENC[AES256_GCM,data:zNOQT9c2UQBtJA3qXULNE39kt/HWqFjBvL8I7BNogkpGNU/8PBcFJAzkRTkxKwt4d9kJ1YLtztf9QzcqhJ8r,iv:ItmTfNnRDwSzh4kK/8RXPUg3r4MEaYB/hbQ1P92UeDM=,tag:duzVpY2WK6cJZZLDsFDwxQ==,type:str]
+ server: ENC[AES256_GCM,data:n/yjUUoOB2P5hUw0QG/l760Hr0322hi8w4w5pcOqqpwMASV0Ayy7lHosRBR4sarkwQ==,iv:DS3vx7vrhdQM6U+2HpPUQXXNHgCV19h+/Q6F5ev7Ud4=,tag:dGaVtJWtmvbz84IqnA+Zyg==,type:str]
+ name: ENC[AES256_GCM,data:9qchzjl7bP18QvzZfrobr4ZjqgfJGM/WkLDW,iv:HTUUFn3rHQIDx5w0zJYgZq5H24AV4dsRtSQgMt+TF2w=,tag:ICNI40iOcda2/HuYgWEUXg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-03-08T15:49:38Z"
+ mac: ENC[AES256_GCM,data:8xyiKu5HfkL7df7TX2zL86c9Ue/340TBi+3HrKtbAnAoou8IOKHxTQt762fJ4qVf5Sswelez+K22hDr6ehx37apD2EUVZQrvak68Qb/r4gKNDMdrYTv2m8htHkS6sRwsoFXblLto2gCPG8PC07cLUmcnbD3Q5tMF2PRV/APtNSY=,iv:TrEKzr9Nq8nrnP5cEjxjC/PcoQQ/4HN35LoL3inrK6o=,tag:n/tQJrVCMWveX1G9wY8jtA==,type:str]
+ pgp:
+ - created_at: "2024-03-08T15:49:38Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA/irrHa183bxAQf+IrKqOPDs1KR/6tUXjU7eyOr0mPgqq5jDnvSvDUttlL/U
+ VNUxtKNbrq4hku6PqNl9KEuuiMTMa5iYgEo4PosE7u/5WDRz6kGoPy9emyF2y4Ps
+ VUHYW/MTTCr6EQPanmthjV0CIfL11f00JiWB2c9EMeTwcGHIDT4KSH+F7Fqt33ld
+ xQKMPX/cf5OGmlWOsGr4l68/EvzAbni1ntakEeFLq9QTyzSMvROptQKq3KSiG+Ft
+ WDpwtPViEEXA61Ch2+sjkybcrQcvsnNDv5kTvX1CsEoWBbDDjSx8UZzt8xq1OhOf
+ nIbdhqCyjvwi2gDqZ1sCTbnCX6j2fG6l5Zs9qwEbbdJcAQeArKYuo+zX5XalYhYm
+ CDZ+u5vNeqR7rHWln1va4mK0ebfqIeZCPCYcm/c0Gsl4yh6FMYlvKvFj/Uk/s10S
+ ErSj7NG0MZ1USIpeXV09ggD8Vh97ZzinuVktGvk=
+ =swfe
+ -----END PGP MESSAGE-----
+ fp: EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E
+ encrypted_regex: ^(data|stringData|tls)$
+ version: 3.8.1
diff --git a/bootstrap/argocd/ksops-pgp-key-secret.yaml b/bootstrap/argocd/ksops-pgp-key-secret.yaml
new file mode 100644
index 00000000..dab40f6a
--- /dev/null
+++ b/bootstrap/argocd/ksops-pgp-key-secret.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ksops-pgp-key
+ namespace: internal-data-hub--argocd
+type: Opaque
+data:
+ private.key: ENC[AES256_GCM,data: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,iv:HIbeKnb33BbXN3dSJ3jwlCLxAtlFBLiWuUIphmfa+mU=,tag:/lFa9IfJZJlc3UF6vv9xbg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-03-08T15:49:17Z"
+ mac: ENC[AES256_GCM,data:q1HbJLAPAvs3PXBoKIro6JlOhEN5Jxzp2MWfzAsmfOnq08/6dfo1UiPa32Qos3EU3hP9NSS7WLsOG4apXRjJzFByrP8M/b/IknZUyfNRci7AouTIEVDVlnkeVw+O1tw68OL/7gQaWzSZ8ZFUqSC5ytzkSsiK/muI8x53tFX9lBo=,iv:C4b02ex5GATEZpLgdro9gVYo8ieK+kc9txqZlM6f/FA=,tag:acgmI49/W5AuIs7/TILtew==,type:str]
+ pgp:
+ - created_at: "2024-03-08T15:49:17Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA/irrHa183bxAQgAmB9EmPG8Gjffo/w7B3xCYup8BK8Be118LKUv4Wou0fG6
+ 7r41Wbm4jMDQFQ7MGF4mw4/XIc5tVSEOLYzIG/0ecnwwi6yX6GP08z6Zf7PgjTUN
+ 3Qpp7lB6KWoTFR/Z/uF8ZZR4l9yADqV3Uxb00j0g6TdjdXOMuxHmxb6EZAg6H5sj
+ SsjOE69WcTvy2V0po1QIMfl/49f4EMXVZLetFJ9kY8yqSAbT5cybtEAlZsQYckQf
+ wwl+tijfceAwditEqxy4Pu0ajNGQsSZOet9NK4QHbIy0ZMHC3884YolIZBA9i2I6
+ rdkDuLN3CL9gIY3btvms22PU6mIms0rDeqqvabxUh9JeARwz7gYyWBxwSnUlX32q
+ FCT9oVcUeSmZ3KnGNg6i/k5Oyn6X+ApZWctd1FACl/o+5WU/kYsEKvWrPxsJBrj3
+ elRQcdgZLncTj2OXSQjdm4/sPAyUFWMKWAN8QmLRtw==
+ =Ulqt
+ -----END PGP MESSAGE-----
+ fp: EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E
+ encrypted_regex: ^(data|stringData|tls)$
+ version: 3.8.1
From 27a2507fd49e7a46b512ef5e5af73eb0f88999d2 Mon Sep 17 00:00:00 2001
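Review bot: The `private.key` under `data` is encrypted to fingerprint `EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E`, which is also the only recipient in `.sops.yaml` and the key the README in the following patch says IDH team members pass to each other; if `private.key` is that same key (not verifiable from the ciphertext), then the key ArgoCD holds in the `internal-data-hub--argocd` namespace is every developer's decryption key as well. A dedicated ArgoCD key pair added as a second sops recipient would let the in-cluster key be rotated or revoked without touching developer keys, and would mean that read access to Secrets in that namespace no longer equals possession of the team key. Either way, anyone who can read Secrets in `internal-data-hub--argocd` can decrypt everything under `bootstrap/`, so the RoleBindings granted on that namespace deserve the same scrutiny as this file. The README in patch 2 also decrypts this file in place with `sops -d -i`, which leaves the plaintext private key sitting in the working tree next to a tracked file; piping instead, `sops -d ksops-pgp-key-secret.yaml | oc apply -f -`, avoids both the on-disk copy and an accidental commit of the decrypted form.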
From: Alex Corvin
Date: Fri, 8 Mar 2024 11:04:21 -0500
Subject: [PATCH 2/2] Add instructions on bootstrap information
---
 bootstrap/README.md | 106 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 bootstrap/README.md
diff --git a/bootstrap/README.md b/bootstrap/README.md
new file mode 100644
index 00000000..8b24a4ee
--- /dev/null
+++ b/bootstrap/README.md
@@ -0,0 +1,106 @@
+This `bootstrap` directory contains all of the artifacts that must be
+manually created for an initial deployment of the Internal Data Hub platform.
+
+These artifacts were created to facilitate the migration of the IDH to the new
+Red Hat IT-managed multi-tenant Managed Platform (MP+) OpenShift cluster.
+
+Information about how to administer deployments in the MP+ environment can be
+found [here](https://source.redhat.com/departments/it/devit/it-infrastructure/itcloudservices/itocp/managedplatformplushub/mppluswiki/user_tenant_onboarding_and_administration)
+
+Follow the instructions below to manually create cluster objects for:
+* The central ArgoCD instance that will automate GitOps deployment of all
+ IDH applications
+* Namespaces for all IDH applications
+* Rolebindings for ArgoCD to deploy applications into target namespaces
+* Network egress policies for application namespaces
+* Tenant user groups
+
+# Creating namespaces
+
+In the MP+ environment, namespaces are created by creating `TenantNamespace` objects.
+When the namespaces are created, the resulting namespace will be named `--`.
+Our `tenant name` is `internal-data-hub`. Therefore, for a `TenantNamespace` named `argocd`, the resulting
+OpenShift namespace will be `internal-data-hub--argocd`.
+
+For each `TenantNamespace` object file in the [namespaces/](namespaces/) subdirectory,
+run `oc apply -f $FILE` to create the `TenantNamespace` object on the target MP+
+OpenShift cluster.
+
+# Configuring MP+ Egress Rules
+
+Perform the following to set up additional things requried by the MP+ environment:
+
+* Create our user group giving us permission to create TenantEgress (network egress) rule
+ objects:
+ ```
+ oc apply -f tenantgroups/internal-data-hub-tenant-egress-admins-tenantgroup.yaml
+ ```
+
+* We need to define `TenantEgress` objects to specify network endpoints that our applications
+ are permitted to connect to. Run the following to apply all of our `TenantEgress` objects:
+ ```
+ oc apply -f tenantegresses/*
+ ```
+
+* We configure the managed platform to sync various Rover/LDAP groups into the cluster, so that we can
+ use those groups to control access to our applications. Run the following command to configure all of the
+ `LdapGroup` objects:
+ ```
+ oc apply -f ldapgroups/*
+ ```
+
+* ArgoCD's service user needs access to all of our `TenantNamespace` namespaces to deploy our applications. Run
+ the following command to apply the necessary `RoleBindings`:
+ ```
+ oc apply -f rolebindings/*
+ ```
+
+# Decrypting secure files
+
+Some files needed by ArgoCD contain sensitive information and are therefore stored in Git encrypted
+using KSops. Before applying the objects onto the cluster (in the next section), you must decrypt these files.
+In order to do so, your local GPG keychain will need to contain the private key with fingerprint
+`EFDB9AFBD18936D9AB6B2EECBD2C73FF891FBC7E`. You can get this key from another member of the IDH team.
+Information on how to install the Sops tool can be found [here](https://github.com/getsops/sops)
+
+```
+sops -d -i ksops-pgp-key-secret.yaml
+sops -d -i argocd-cluster-secret.yaml
+sops -d -i datahub-ocp4-argocd-cluster-secret.yaml
+```
+
+# Deploying ArgoCD
+
+We use ArgoCD to manage GitOps deployments of all IDH applications. We depend on the
+Red Hat OpenShift GitOps operator to deploy our ArgoCD instance (the MP+ admin team
+is responsible for installing this operator on our MP+ cluster). The deploy and configure
+ArgoCD:
+
+* Create the ArgoCD instance by running the following command from within this `bootstrap` directory:
+ ```
+ oc apply -f argocd/internal-data-hub-argocd.yaml
+ ```
+* Create the `internal-data-hub` Application project by running the following command from within this `bootstrap` directory:
+ ```
+ oc apply -f argocd/internal-data-hub-appproject.yaml
+ ```
+* Create the ArgoCD service user:
+ ```
+ oc apply -f argocd-serviceaccount.yml
+ ```
+* Create the cluster secrets so that ArgoCD can deploy applications onto the target OpenShift clusters:
+ ```
+ oc apply -f argocd-cluster-secret.yaml
+ oc apply -f datahub-ocp4-argocd-cluster-secret.yaml
+ ```
+* Create the ArgoCD TLS certs configmap so that ArgoCD can trust connections to endpoints with certs signed
+ by the Red Hat internal CA (e.g. internal gitlab):
+ ```
+ oc apply -f argocd-tls-certs-cm-configmap.yaml
+ ```
+* Create the secret containing the IDH sops key so that ArgoCD can decrypt files stored encrypted in Git using Ksops:
+ ```
+ oc apply -f ksops-pgp-key-secret.yaml
+ ```
+* Create all of the ArgoCD Applications by running `oc apply -f $FILE` for each file in the
+ [argocd/applications/](argocd/applications/) subdirectory.