clawd ca83efe828 Phase 10-08: Implement DNS egress NetworkPolicy for staging environment
- Add comprehensive network policies to k8s/staging/network-policy.yaml
- Implements default-deny ingress pattern with explicit allow rules
- Critical: Add DNS egress rule for CoreDNS resolution (port 53 UDP/TCP)
- Policies cover: ingress-nginx→backend, backend→postgres, monitoring scrape
- External API egress for backend (HTTP/HTTPS)
- CDN egress for frontend (HTTP/HTTPS)
- Status: Applied to gravl-staging namespace, verified operational
# sealed-secrets Installation & Configuration
# Phase 10-07, Task 5: Secrets Management Security Gate
# Status: READY FOR IMPLEMENTATION
---
# Option 1: sealed-secrets via kubeseal
# Install the controller ONE way - either the pinned release manifest or the Helm chart, not both:
#   a) kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
#   b) Helm (pin --version to the chart release you reviewed so re-installs are reproducible):
#      helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
#      helm repo update
#      helm install sealed-secrets -n kube-system sealed-secrets/sealed-secrets
# Record the installed controller version here and use a kubeseal CLI of the same release when sealing.
---
# After installation, back up the controller's sealing key pair for disaster recovery.
# The .key file is the PRIVATE key that decrypts every SealedSecret in the cluster: store it
# offline or in a KMS-encrypted vault with root-credential controls, and never in Git.
# NOTE(review): check the label selector below against the installed controller - the upstream
# README selects on the label key sealedsecrets.bitnami.com/sealed-secrets-key. If nothing
# matches, jsonpath prints nothing and these redirects silently create EMPTY files; verify
# with `test -s` on both outputs afterwards.
# kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/status=active -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > /secure/location/sealed-secrets-prod.crt
# kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/status=active -o jsonpath='{.items[0].data.tls\.key}' | base64 -d > /secure/location/sealed-secrets-prod.key
# The controller rotates its key periodically (30 days by default) and keeps older keys for
# decryption, so `.items[0]` captures only one of them. Back up all key Secrets in one go:
# kubectl get secret -n kube-system -l <sealing-key-label> -o yaml > /secure/location/sealed-secrets-prod-keys.yaml
---
# Example: Sealing a secret for production
# 1. Render the plain Secret LOCALLY - do not `kubectl apply` it. Applying writes the
#    cleartext to etcd and the API-server audit log, and the controller will not take
#    over a pre-existing Secret it does not own. `stringData` avoids the base64 pitfalls
#    of the `data:` form: `openssl rand ... | base64` encodes the trailing newline, and
#    GNU base64 wraps output longer than 76 characters onto several lines (invalid YAML).
# cat <<EOF > gravl-secrets.plain.yaml
# apiVersion: v1
# kind: Secret
# metadata:
#   name: gravl-secrets
#   namespace: gravl-prod
# type: Opaque
# stringData:
#   DATABASE_PASSWORD: "your-secure-password"   # placeholder: paste from a password manager, do not type it into shell history
#   JWT_SECRET: "$(openssl rand -hex 64)"
# EOF
# 2. Seal the secret. kubeseal fetches the controller's public cert from kube-system (or
#    pass --cert with the backed-up .crt); the default strict scope binds the ciphertext
#    to this name and namespace, so neither can be changed without re-sealing:
# kubeseal --format=yaml < gravl-secrets.plain.yaml > gravl-secrets-sealed.yaml
# shred -u gravl-secrets.plain.yaml   # the only cleartext copy - never commit it
# 3. Apply the sealed secret (this file is safe to commit):
# kubectl apply -f gravl-secrets-sealed.yaml
---
# Template for the sealed secret. Only ciphertext lives in Git; the controller's
# private key in kube-system is the only thing that can decrypt it.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: "gravl-secrets"
  namespace: "gravl-prod"
spec:
  # Paste the values emitted by kubeseal. With the default strict scope the
  # ciphertext is bound to this name and namespace; renaming or moving the
  # SealedSecret later requires re-sealing.
  encryptedData:
    DATABASE_PASSWORD: AgBvZ... (encrypted blob)
    JWT_SECRET: AgBpR... (encrypted blob)
  # Shape of the Secret the controller materialises; name/namespace must match
  # the SealedSecret above. The ExternalSecret later in this file targets a
  # Secret with the same name - deploy only one of the two mechanisms per
  # cluster, or the two controllers will fight over the object.
  template:
    metadata:
      name: "gravl-secrets"
      namespace: "gravl-prod"
    type: Opaque
---
# Alternative: External Secrets Operator + AWS Secrets Manager
# For production with AWS infrastructure. Note that the Helm install step below
# also creates this namespace (--create-namespace); keep a single source of truth
# so `kubectl apply -f` of this file and Helm do not both claim the object.
apiVersion: v1
kind: Namespace
metadata:
  name: "external-secrets"
---
# Install External Secrets Operator (pin --version to a reviewed chart release; the
# external-secrets.io API version used by the resources below must match what that release serves)
# helm repo add external-secrets https://charts.external-secrets.io
# helm install external-secrets external-secrets/external-secrets -n external-secrets --create-namespace
---
# AWS Secret (in AWS Secrets Manager - NOT in Git)
# Passing the value as a CLI argument leaves it in shell history and, briefly, in the
# process list; read it from a file (file:// prefix) or generate it, as for the JWT secret.
# aws secretsmanager create-secret --name gravl/prod/db-password --secret-string file:///secure/location/db-password
# aws secretsmanager create-secret --name gravl/prod/jwt-secret --secret-string "$(openssl rand -hex 64)"
# Optionally add --kms-key-id <customer-managed-key> so the values are encrypted under a key
# whose policy you control rather than the account-default aws/secretsmanager key.
---
# IRSA (IAM Roles for Service Accounts): the SecretStore below authenticates as this
# ServiceAccount and exchanges its token for the IAM role named in the annotation.
# Least privilege on the AWS side: the role's trust policy must pin the OIDC `sub`
# claim to system:serviceaccount:gravl-prod:gravl-secrets-reader, and its permissions
# policy should allow only secretsmanager:GetSecretValue / DescribeSecret on the
# gravl/prod/* secret ARNs - the store can read anything the role can.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "gravl-secrets-reader"
  namespace: "gravl-prod"
  annotations:
    # ACCOUNT_ID is a placeholder; replace before applying.
    eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/gravl-prod-secrets-reader"
---
# ExternalSecret: ESO reads the two values from AWS Secrets Manager and materialises a
# Kubernetes Secret in gravl-prod. Git only ever holds these references, never values.
# NOTE(review): v1beta1 is the older API group version - confirm it is still served by
# the installed ESO release (newer releases also serve external-secrets.io/v1).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "gravl-aws-secrets"
  namespace: "gravl-prod"
spec:
  # How often ESO re-reads Secrets Manager; a rotation in AWS propagates within this window.
  refreshInterval: "1h"
  secretStoreRef:
    kind: SecretStore            # namespaced store defined below, not a ClusterSecretStore
    name: "aws-secrets-store"
  target:
    # Same Secret name as the SealedSecret template earlier in this file: deploy only
    # one of the two options per cluster, otherwise both controllers will fight over it.
    name: "gravl-secrets"
    creationPolicy: Owner        # ESO owns the Secret (ownerReference); it is removed with this resource
  data:
    - secretKey: DATABASE_PASSWORD
      remoteRef:
        key: "gravl/prod/db-password"
    - secretKey: JWT_SECRET
      remoteRef:
        key: "gravl/prod/jwt-secret"
---
# AWS SecretStore. Kept namespaced (SecretStore, not ClusterSecretStore) so that only
# ExternalSecrets in gravl-prod can reach the IRSA role referenced here.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: "aws-secrets-store"
  namespace: "gravl-prod"
spec:
  provider:
    aws:
      service: SecretsManager
      region: "eu-west-1"
      auth:
        # ESO authenticates as this ServiceAccount and assumes the role from its
        # eks.amazonaws.com/role-arn annotation. Everything the role may read,
        # any ExternalSecret in this namespace may read - scope the IAM policy
        # to the gravl/prod/* secret ARNs.
        jwt:
          serviceAccountRef:
            name: "gravl-secrets-reader"