add cnpg backup key to secrets

2026-03-17 12:38:14 -04:00
parent 27bdb3f674
commit ea27ab3067
4 changed files with 29 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 result
-secrets/
+/secrets/
+test/
--- a/kubernetes/secrets/cloundativepg/s3-backup-creds.nix
+++ b/kubernetes/secrets/cloundativepg/s3-backup-creds.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+  sops.templates."omni-etcd-key.yaml" = {
+    mode = "0444";
+    content = ''
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: s3-backup-creds
+        namespace: cloudnativepg
+      type: Opaque
+      spec:
+        s3AccessKey: fmRuq5b96EKqQOGR1prs
+        s3SecretKey: ${config.sops.placeholder.cnpg_s3_backup_key}
+    '';
+    path = "/var/lib/rancher/k3s/server/manifests/secrets/cnpg-s3-backup-creds.yaml";
+  };
+}
--- a/kubernetes/secrets/default.nix
+++ b/kubernetes/secrets/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./omni/omni-etcd-key.nix
+  ];
+}
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
@@ -1,5 +1,6 @@
 pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
 pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
+cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
 sops:
    age:
        - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -11,7 +12,7 @@ sops:
            Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
            F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-23T01:50:31Z"
-    mac: ENC[AES256_GCM,data:wSnhBZDBKDEEFcb8YwBjiopnMEuaVYfeH5Oi1mrlq6sSpvrznUu2saI3l+ktNIK94lw8OyJaj7Nh9AuCouAKeJXbzmBlV/6pTr8Ud08K7UXbd0jqGMku2de3OvMIwrEdhe1H/yxVOFVuRNAgOKmkWB/6Hs+gD0v2FG0ymHacN84=,iv:g8GWfogEPPeGf0cO7PdMLsnffb5GQE1VVuO9s4Ls1Ew=,tag:pBlrcIthHJ1hPtvNbt37SQ==,type:str]
+    lastmodified: "2026-03-17T16:34:22Z"
+    mac: ENC[AES256_GCM,data:41TNxYgscdIZbbNxczTXzmPotyT4/ZsxspRihNf9NAj2c4PdQXNPeIMzS9meuH9LD4CTo9ws/pP7SBpPKnx4PzqdDekPvhdj9qIKdLjpKkJd+N0WfFXEgGEj7nAyc0lR2z6oSPuMB15xk8hIKT1prL9lDjjYRH3aKlhjaqP53LQ=,iv:RZpDhBWkbLL/pgwIuoPYUZd1Pmu0n7zt165DO7+uMHM=,tag:DQhFTgaFCgCV62QLCjozUg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0