From 009256d8cb982a03db733a8dae09a4e17acbf188 Mon Sep 17 00:00:00 2001 From: djpbessems Date: Wed, 6 Apr 2022 12:07:21 +0200 Subject: [PATCH] Store sealed secrets in version control #2 --- README.md | 11 ++++++++--- services/TfState/deploy-TfState.yml | 7 +++---- services/TfState/sealedSecret-TfState.yml | 24 +++++++++++++++++++++++ 3 files changed, 35 insertions(+), 7 deletions(-) create mode 100644 services/TfState/sealedSecret-TfState.yml diff --git a/README.md b/README.md index 103eff7..e4a9a9e 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,5 @@ *TODO: Files with sensitive data; migrate to SealedSecret* ``` -# line ??: services/TfState/deploy-TfState.yml # line ??: services/Mastodon/deploy-Mastodon.yml ``` @@ -299,11 +298,16 @@ kubectl apply -f services/PVR/deploy-Sonarr.yml ```shell kubectl apply -f services/Shaarli/deploy-Shaarli.yml ``` -##### 5.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) (certificate tooling) +##### 5.11) [Terraform backend](https://www.terraform.io/language/settings/backends/pg) (supporting database) +```shell +kubectl apply -f services/TfState/deploy-TfState.yml +kubectl apply -f services/TfState/sealedSecret-TfState.yml +``` +##### 5.12) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) (certificate tooling) ```shell kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml ``` -##### 5.12) [Unifi-Controller]() (wlan AP management) +##### 5.13) [Unifi-Controller]() (network infrastructure management) ```shell kubectl apply -f services/Unifi/deploy-Unifi.yml ``` @@ -319,6 +323,7 @@ kubectl rollout restart deployment --namespace unifi unifi ssh @ sed -e 's|stun://|stun://:3479|' -i /etc/persistent/cfg/mgmt ``` + ### 6) Miscellaneous *Various notes/useful links* diff --git a/services/TfState/deploy-TfState.yml b/services/TfState/deploy-TfState.yml index da7ba1b..cc89981 100644 --- a/services/TfState/deploy-TfState.yml +++ b/services/TfState/deploy-TfState.yml 
@@ -30,12 +30,11 @@ spec:
 - name: postgres
 image: bv11-cr01.bessems.eu/proxy/library/postgres:14-alpine
 env:
- - name: POSTGRES_USER
- value: terraform
- - name: POSTGRES_PASSWORD
- value: terraform
 - name: POSTGRES_DB
 value: terraform_backend
+ envFrom:
+ - secretRef:
+ name: tfstate-secret
 ports:
 - name: db
 containerPort: 5432
diff --git a/services/TfState/sealedSecret-TfState.yml b/services/TfState/sealedSecret-TfState.yml
new file mode 100644
index 0000000..9a26b6f
--- /dev/null
+++ b/services/TfState/sealedSecret-TfState.yml
@@ -0,0 +1,24 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "tfstate-secret",
+ "namespace": "default",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "tfstate-secret",
+ "namespace": "default",
+ "creationTimestamp": null
+ },
+ "type": "Opaque",
+ "data": null
+ },
+ "encryptedData": {
+ "POSTGRES_PASSWORD": "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",
+ "POSTGRES_USER": "AgBQe5kF4Fan7Uty+019ak1ATJVUo9ZOJ3if4qnaIvwGOy39EZKVLHMUCuwzdJZbbZS3bgs0rzTDVaxjmSD6ZjSdqIG2FJlVpx6MqBrqKWUEhnBOOLsYF5gpwqDhaUS4f80b9dX8XvkCL+9YjCtoLZalOnBgRMuyFtg1ijc6B/mnE5WrAIQYTe3Y5LV3dmgbHbnLIWshiXpqg/I/lqqZeuLgIPslx2OsY9yk9Zeqj6zbIsGYaI6l993pwW3MhEcDTOJfg4mfdyTaCzWiC+196SGCkUt7ZrWUzLaAdx/6kBpNkPGeO34uW0eEzPcthKswllaVMyiIF/yibEb/cDmDwHUmuqF8EM2AFSbcemg2oF+J4u0Y9DAllnsvR/UCjvESaGmNOZS7FtmpAYjv5bketoBVh6mu0qHhVHid+AdS6XVX/OR/XtX7pJkqdPEb2mQnA93YhrkVwoNWXZ1yqGYGTHr4qzG5KCYB3KVjGWNOioayGL4R18FVcJBKdJRuFFfsj6tSjKt5XZEtkwaxzezkiwXaExtGteyIycd0DbTB/W2GK20Zgwqnz0WLdIg4JdqfhQW8w8s1BaXydE62dC0wbGdHFY55Z3XaoQSiE9RfZ9xS5XHwTBl8WkSvHBtU6b0ak5G7hHULYeOlisr5L8QgH0Kkicy3yTjjURaQQC5AZq4AO+Q9b5bCGwAOVEbcJsRuU/AdINzABaQOJ4A="
+ }
+ }
+}
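Review bot: In services/TfState/deploy-TfState.yml, the removed `POSTGRES_PASSWORD` value `terraform` remains readable in the repository history, so the switch to `secretRef` protects the database only if the sealed value is a new password, which the ciphertext cannot show. The postgres image reads `POSTGRES_USER` and `POSTGRES_PASSWORD` only when it initialises an empty data directory; if this deployment keeps an existing volume (not visible in the hunk), the role's password also has to be changed inside the database. `envFrom` exposes every key that is ever added to `tfstate-secret` to the container; `valueFrom: secretKeyRef: {name: tfstate-secret, key: POSTGRES_PASSWORD}` under an explicit `env` entry (and the same for `POSTGRES_USER`) limits it to the two keys it needs. The container spec starts and ends outside the hunk.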
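Review bot: In services/TfState/sealedSecret-TfState.yml, both `namespace` fields are `default` and no scope annotation is present, so under sealed-secrets' default strict scope this ciphertext unseals only as `tfstate-secret` in `default`; the Deployment must run in that namespace, which its hunk does not show. Once unsealed, the Secret is readable by anything granted secret access in `default`, so a dedicated namespace would narrow that, at the cost of re-sealing the values for the new namespace. With the ciphertext committed, the controller's private sealing key is what protects these credentials, and the README section that adds this file could say where that key is backed up and who can read it.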