Sealed secrets

.gitignore

@@ -0,0 +1 @@
+*.key

README.md

@@ -31,6 +31,26 @@ kubectl apply -f application-longhorn-kaisers-info.yaml
 ```
 kubectl apply -f application-gitops-kaisers-info.yaml
 ```
+### Sealed-Secrets
+#### Own Certificates
+https://github.com/bitnami-labs/sealed-secrets/blob/main/docs/bring-your-own-certificates.md
+
+```
+export PRIVATEKEY="k8-kaisers-info-sealedsecret.key"
+export PUBLICKEY="k8-kaisers-info-sealedsecret.crt"
+export NAMESPACE="sealed-secrets"
+export SECRETNAME="k8-kaisers-info-sealedsecret"
+
+openssl req -x509 -nodes -newkey rsa:4096 -keyout "$PRIVATEKEY" -out "$PUBLICKEY" -subj "/CN=sealed-secret/O=sealed-secret"
+kubectl -n "$NAMESPACE" create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY"
+kubectl -n "$NAMESPACE" label secret "$SECRETNAME" sealedsecrets.bitnami.com/sealed-secrets-key=active
+kubectl -n "$NAMESPACE" delete pod -l name=app.kubernetes.io/name=sealed-secrets 
+kubectl -n "$NAMESPACE" logs -l name=sealed-secrets-controller
+```
+#### Sealing a secret
+```
+kubeseal --cert "./${PUBLICKEY}" --scope cluster-wide < mysecret.yaml | kubectl apply -f-
+```
 
 ## Services
 ### Services

gitops-kaisers-info/k8-kaisers-info-sealedsecret.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE3DCCAsQCCQCsG9gJvmZ1XjANBgkqhkiG9w0BAQsFADAwMRYwFAYDVQQDDA1z
+ZWFsZWQtc2VjcmV0MRYwFAYDVQQKDA1zZWFsZWQtc2VjcmV0MB4XDTIyMDUzMTE2
+MDIwN1oXDTIyMDYzMDE2MDIwN1owMDEWMBQGA1UEAwwNc2VhbGVkLXNlY3JldDEW
+MBQGA1UECgwNc2VhbGVkLXNlY3JldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAMB988b3SmVJKeWmMgaCzLkO/iWiXofsl6jzpHTMbFuctLJQvnXLzZ8b
+0lEL50KVE/KBvt+1p+0eWObNREAHva2zQh07BwjHjkxR6Z086lnUGeacOyx4wd13
+/H6yxZpZahbKruE+Awd6sspti71LZ7PcafLw8+HjGiftF+jeLj3A5a3U1yE1WVIk
+eB4ypxf7XRScZBjrL0LNN7S63lsc0vrjmphmj47hhWsVkAEDOrP5RSGu6R7d/caO
+ECCxXBx+NCKf7ARdTxo0gGPOCa2TnVsFkncUXolGpHEQwLAWMubv94SE4PMcGSbU
+xZbSd+/y9yHTBmYSz1xxpx0iDLmjuhD7axZpvwFW8/u5kbWIvIp1a2kIPOdfUgbM
+emxYyVCBcgfNBv0274n0bI4KmImY60/QdTifLiVujUP7R0h721FckqlLwZ8sskte
+dQZ0LTMMNjaGqKhWKeCxNbbH1VQDbMAJZR2omamK7VbXa2BX9z6c4ILtDf9vBCuS
+4x+V99iQJNVeqCLhq0hykMxKrCUccRd+IXw1PUAp1Ng05VasDul3znpKA1x6hxvV
+S+o8w6vC2yNkmvgy86S4TJlwzikDXS55B4TqOgrj6IhnFzcdp/HTxeAzqT8ETZ32
+gfT2pvWZDKnYbyWgMd/N4pQv6W7DlrPib/0YiXPvGfGZEU6e7j5JAgMBAAEwDQYJ
+KoZIhvcNAQELBQADggIBAJKYhggjjhbavqiukBAeXyH2u9y/Ush60K0uAVcs6ZtG
+gh0Bz5kERAIpgrUD7oFuHknPQ8LsLzzwxMGzXBj2jHNNkKR0SWZdq5KHO/cluby/
+qBfUOGEI8Em5KLFVxa1YnQnPZZrhmHxd3t/cL0QG8c89hhohG8C1IlJT8WN5zM0h
+LXyXUPwfynXW0W0IILPWlNWkxBS3aDTWyoZo3gKu2YKQRH/4VV3yXoGVJWyETz7X
+MRPaatqqK56mxa+ZDrjoA9Ff+lmO3ixSbGX9bWesUiaOdzXZLzv1SRCu5vlLO3QJ
+z6gbJa8StmwFg5VGkBM66WnV0PE7dmiU48VjFRM1Ptp/BSTuhoZPJb8ccFIRMro7
+Q+Aopc2Vp0hvx/gGgDSHLfh23j60QC41kCRp8Y7cAvYmyl0TO0yw+CqIz+/LqBIU
+GwXGFIG+gju5JBAKD/NvAD0IT1c5DPAIEJBB9hk5SF9/CxNOD8VPGfQqAhofN3gD
+fA4/65xAQRWjTwvCuCwYkKfBjAEv3+43ixDjO+DZhI1H5o5uEQgyFXGvitobDhAP
+zJZZJiWWY+tr9feUkaEMwGJn4X38A/ocI7J44vWqLk0WcakUd2sykMeZTEL9c9Oj
+MPutKHHEIOWybWzUut4c3O9TZwdq77mRzWCXhNBxvly6L3o5wly356jOOvlxC0Rw
+-----END CERTIFICATE-----

services-kaisers-info/templates/authentik.yaml

@@ -22,6 +22,9 @@ spec:
       releaseName: "authentik"
       values: |
         authentik:
+          env: {
+            AK_ADMIN_PASS: 'SIMON'
+          }
           secret_key: "qlfgmSJ8GT/EoE3JsphrM81KzyYqoDYif7u59m/sVL4EQ6MO"
           # This sends anonymous usage-data, stack traces on errors and
           # performance data to sentry.beryju.org, and is fully opt-in