MAINT: Refactor sops secrets to enable App-specific secrets

clusters/dev/management/apps.yaml

@@ -10,7 +10,7 @@ spec:
   project: default
   source:
     repoURL: https://github.com/stfc/cloud-deployed-apps.git
-    targetRevision: main
+    targetRevision: update-secrets
     path: clusters/dev/management
   syncPolicy:
     automated:
@@ -27,6 +27,8 @@ metadata:
   name: management-apps
   namespace: argocd
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=invalid"]
   generators:
     - list:
         elements:
@@ -56,20 +58,22 @@ spec:
 
   template:
     metadata:
-      name: "{{name}}"
+      name: "{{.name}}"
       namespace: argocd
     spec:
       project: default
       source:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
-        targetRevision: main
-        path: "charts/dev/{{chartName}}"
+        targetRevision: update-secrets
+        path: "charts/dev/{{.chartName}}"
         helm:
           valueFiles:
-            - "{{valuesFile}}"
+            - '{{.valuesFile | default "../../../secrets/dummy-secret.yaml"}}'
+            - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
+
       destination:
         server: https://kubernetes.default.svc
-        namespace: "{{namespace}}"
+        namespace: "{{.namespace}}"
 
       syncPolicy:
         automated:
@@ -89,7 +93,7 @@ spec:
   generators:
     - git:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
-        revision: main
+        revision: update-secrets
         files:
           # grab all infra values for all clusters in environment
           - path: "clusters/dev/*/infra-values.yaml"
@@ -108,16 +112,16 @@ spec:
         server: https://kubernetes.default.svc
       source:
         repoURL: https://github.com/stfc/cloud-deployed-apps.git
-        targetRevision: main
+        targetRevision: update-secrets
         path: charts/dev/capi-infra
         helm:
           valueFiles:
-            # Bring in values that are specific to this application
+            # Bring in infra values specific to this cluster 
             - "../../../{{path}}/{{path.filename}}"
-            # Bring in secrets that are specific to this application
-            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/api-server-fip.yaml"
-            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/app-creds.yaml"
-            - "secrets://../../../secrets/{{path[1]}}/smtp-smarthost.yaml"
+            # Bring in infra secrets specific to this cluster
+            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/infra/api-server-fip.yaml"
+            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/infra/app-creds.yaml"
+            - "secrets://../../../secrets/{{path[1]}}/_shared/infra/smtp-smarthost.yaml"
 
       syncPolicy:
         automated:

clusters/dev/rwhiting/apps.yaml

@@ -10,7 +10,7 @@ spec:
   project: default
   source:
     repoURL: https://github.com/stfc/cloud-deployed-apps.git
-    targetRevision: main
+    targetRevision: update-secrets
     path: clusters/dev/rwhiting
   syncPolicy:
     automated:
@@ -29,6 +29,7 @@ metadata:
   namespace: argocd
 spec:
   goTemplate: true
+  goTemplateOptions: ["missingkey=invalid"]
   generators:
     - list:
         elements:
@@ -64,11 +65,13 @@ spec:
       project: default
       source:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
-        targetRevision: main
+        targetRevision: update-secrets
         path: "charts/dev/{{.chartName}}"
         helm:
           valueFiles:
-            - "{{.valuesFile}}"
+            - '{{.valuesFile | default "../../../secrets/dummy-secret.yaml"}}'
+            - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
+
       destination:
         server: https://kubernetes.default.svc
         namespace: "{{.namespace}}"

clusters/dev/vicmet/apps.yaml

@@ -10,7 +10,7 @@ spec:
   project: default
   source:
     repoURL: https://github.com/stfc/cloud-deployed-apps.git
-    targetRevision: main
+    targetRevision: update-secrets
     path: clusters/dev/vicmet
   syncPolicy:
     automated:
@@ -29,6 +29,7 @@ metadata:
   namespace: argocd
 spec:
   goTemplate: true
+  goTemplateOptions: ["missingkey=invalid"]
   generators:
     - list:
         elements:
@@ -75,11 +76,13 @@ spec:
       project: default
       source:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
-        targetRevision: main
+        targetRevision: update-secrets
         path: "charts/dev/{{.chartName}}"
         helm:
           valueFiles:
-            - "{{.valuesFile}}"
+            - '{{.valuesFile | default "../../../secrets/dummy-secret.yaml"}}'
+            - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
+
       destination:
         server: https://kubernetes.default.svc
         namespace: "{{.namespace}}"

clusters/dev/worker/apps.yaml

@@ -10,7 +10,7 @@ spec:
   project: default
   source:
     repoURL: https://github.com/stfc/cloud-deployed-apps.git
-    targetRevision: main
+    targetRevision: update-secrets
     path: clusters/dev/worker
   syncPolicy:
     automated:
@@ -57,7 +57,7 @@ spec:
             chartName: materials-galaxy
             namespace: materials-galaxy
             valuesFile: ../../../clusters/dev/worker/materials-galaxy-values.yaml
-            secretsFile: ../../../secrets/dev/worker/materials-galaxy.yaml
+            secretsFile: ../../../secrets/dev/worker/apps/materials-galaxy.yaml
 
   syncPolicy:
     # Don't remove everything if we remove the appset
@@ -71,12 +71,11 @@ spec:
       project: default
       source:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
-        targetRevision: main
+        targetRevision: update-secrets
         path: "charts/dev/{{.chartName}}"
         helm:
           valueFiles:
-            - "{{.valuesFile}}"
-            # a hack to get optional secrets working
+            - '{{.valuesFile | default "../../../secrets/dummy-secret.yaml"}}'
             - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
       destination:
         server: https://kubernetes.default.svc

clusters/prod/management/apps.yaml

@@ -27,6 +27,8 @@ metadata:
   name: management-apps
   namespace: argocd
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=invalid"]
   generators:
     - list:
         elements:
@@ -56,20 +58,22 @@ spec:
 
   template:
     metadata:
-      name: "{{name}}"
+      name: "{{.name}}"
       namespace: argocd
     spec:
       project: default
       source:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
         targetRevision: main
-        path: "charts/prod/{{chartName}}"
+        path: "charts/prod/{{.chartName}}"
         helm:
           valueFiles:
-            - "{{valuesFile}}"
+            - "{{.valuesFile | default '../../../secrets/dummy-secret.yaml'}}"
+            - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
+
       destination:
         server: https://kubernetes.default.svc
-        namespace: "{{namespace}}"
+        namespace: "{{.namespace}}"
 
       syncPolicy:
         automated:
@@ -112,12 +116,12 @@ spec:
         path: charts/prod/capi-infra
         helm:
           valueFiles:
-            # Bring in values that are specific to this application
+            # Bring in infra values specific to this cluster 
             - "../../../{{path}}/{{path.filename}}"
-            # Bring in secrets that are specific to this application
-            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/api-server-fip.yaml"
-            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/app-creds.yaml"
-            - "secrets://../../../secrets/{{path[1]}}/smtp-smarthost.yaml"
+            # Bring in infra secrets specific to this cluster
+            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/infra/api-server-fip.yaml"
+            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/infra/app-creds.yaml"
+            - "secrets://../../../secrets/{{path[1]}}/_shared/infra/smtp-smarthost.yaml"
 
       syncPolicy:
         automated:

clusters/staging/management/apps.yaml

@@ -27,6 +27,8 @@ metadata:
   name: management-apps
   namespace: argocd
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=invalid"]
   generators:
     - list:
         elements:
@@ -56,20 +58,21 @@ spec:
 
   template:
     metadata:
-      name: "{{name}}"
+      name: "{{.name}}"
       namespace: argocd
     spec:
       project: default
       source:
         repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
         targetRevision: main
-        path: "charts/staging/{{chartName}}"
+        path: "charts/staging/{{.chartName}}"
         helm:
           valueFiles:
-            - "{{valuesFile}}"
+            - "{{.valuesFile | default '../../../secrets/dummy-secret.yaml'}}"
+            - secrets://{{ .secretsFile | default "../../../secrets/dummy-secret.yaml"}}
       destination:
         server: https://kubernetes.default.svc
-        namespace: "{{namespace}}"
+        namespace: "{{.namespace}}"
 
       syncPolicy:
         automated:
@@ -112,12 +115,12 @@ spec:
         path: charts/staging/capi-infra
         helm:
           valueFiles:
-            # Bring in values that are specific to this application
+            # Bring in infra values specific to this cluster 
             - "../../../{{path}}/{{path.filename}}"
-            # Bring in secrets that are specific to this application
-            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/api-server-fip.yaml"
-            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/app-creds.yaml"
-            - "secrets://../../../secrets/{{path[1]}}/smtp-smarthost.yaml"
+            # Bring in infra secrets specific to this cluster
+            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/infra/api-server-fip.yaml"
+            - "secrets://../../../secrets/{{path[1]}}/{{path[2]}}/infra/app-creds.yaml"
+            - "secrets://../../../secrets/{{path[1]}}/_shared/infra/smtp-smarthost.yaml"
 
       syncPolicy:
         automated:

docs/charts.md

@@ -21,6 +21,11 @@ Each chart contains:
 - `requirements.yaml` - this should contain the upstream chart(s) and versions. See [Helm Documentation](https://v2.helm.sh/docs/developing_charts/#managing-dependencies-with-requirements-yaml). (NOTE: `requirements.yaml` is deprecated and will be merged into `Charts.yaml`)
 - `values.yaml` files that applies to all environments, but are tailored to our platform.
 
+Optionally they contain:
+
+- `templates` - any extra kubernetes resources can be defined here and can be configured using helm templating
+- `secrets-templates` - any chart values that need to be secrets are located in this directory. These need to be filled and encrypted by sops 
+
 Note: environment or cluster specific values, e.g. domain names, do not belong here. See [Deploying Apps to a cluster](deploying-apps.md) for more info on cluster/environment-specific values
 We only include values that are generic across all environments here - this allows us to copy the chart from `dev` to `staging` and `prod` without modification.
 

docs/child-clusters.md

@@ -17,6 +17,7 @@ To deploy a new child cluster on an existing environment follow these steps:
 2. Create a new folder under `clusters/<environment>/<cluster-name>`
 3. Create a file in `clusters/<environment>/<cluster-name>/infra-values.yaml` 
 4. Populate the `infra-values.yaml` file with cluster-specific values for the chart in `capi-infra` chart. 
+5. Create an age key for your new cluster to read any app-specific secrets
 
 It could look like this:
 
@@ -51,7 +52,7 @@ openstack-cluster:
 
 ```
 
-5. Create a new folder under `secrets/<environment>/<cluster-name>`
+5. Create a new folder under `secrets/<environment>/<cluster-name>/infra`
 
 6. Create a new `.sops.yaml` file or copy one from another cluster from the same environment 
 See [Secrets](secrets.md) for more information
@@ -110,4 +111,28 @@ This file contains the credentials for creating and managing that cluster on ope
 
 9. Make a PR and get it reviewed.
 
-10.  Once merged, your new cluster should spin into life
+10. Once merged, your new cluster should spin into life
+
+11. Grab the kubeconfig from the management cluster 
+``` clusterctl get kubeconfig <environment>-<cluster-name>-cluster -n clusters > ~/.kube/config ```
+
+12. (Optional) Run the script `./deploy-helm-secret.sh` to deploy your newly generated age key onto the cluster 
+  - only need to run this if the charts you want to deploy require secrets
+
+13. (On completing 12) Create the directory `./secrets/<environment>/<clustername>/apps` and create a `.sops.yaml` file and add the **public** key of your generated age file
+
+14. (On completing 13) Add any other age keys that you want to grant access to these secrets 
+  - (PROD/STAGING ONLY) - only add the relevant singular rotate keys
+  - (DEV ONLY) - add age keys of all cloud-team members - as it's easier to review and make changes
+
+```cd ./scripts; ./deploy-helm-secret.sh <path-to-age-key>```
+
+> [!NOTE] 
+> See deploying apps to deploy ArgoCD and apps to new cluster
+
+
+## Deploying ArgoCD to a fresh cluster
+
+If you want to deploy apps to newly created cluster, you need to follow the steps in [Deploying Apps](./deploying-apps.md) 
+
+Once you complete these steps you will need to run `./scripts/deploy.sh <cluster-name> <environment>` on your cluster to spin up argocd and any apps you've configured to run

docs/clusters.md

@@ -53,7 +53,7 @@ You can optionally copy or create any other cluster subfolders you want to be in
 8. Modify/add any cluster-specific values for any apps you want to manage.
 - see [app-setup](app-setup.md) - "Pre-deployment" Steps
 
-9. Create a new folder `secrets/<your-environment>` and subfolder `secrets/<your-environment>/management` 
+9. Create a new folder `mkdir -p ./secrets/<your-environment>/management/infra`
 You will also need to create another subfolder for each extra cluster subfolder you've copied/added
 
 10. Add secret files `.sops.yaml`, `api-sever-fip.yaml`, and `app-creds.yaml` as above