FEAT(app): add Sealed Secrets support

- Enable secure secret management - Add SealedSecret configuration
2025-12-06 10:52:14 +09:00
parent 02e7b54020
commit 5e67591d84
4 changed files with 105 additions and 1 deletions
--- a/.github/workflows/create-sealed-secrets.yml.example
+++ b/.github/workflows/create-sealed-secrets.yml.example
@@ -0,0 +1,89 @@
+name: Create Sealed Secrets (Example)
+
+# 이 워크플로우는 예시입니다. 필요에 따라 수정하여 사용하세요.
+# Secrets를 SealedSecrets로 변환하여 Git에 안전하게 저장합니다.
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Target environment (dev/prod)'
+        required: true
+        type: choice
+        options:
+          - dev
+          - prod
+      secret_name:
+        description: 'Secret name to create'
+        required: true
+        type: string
+
+jobs:
+  create-sealed-secret:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install kubeseal
+        run: |
+          KUBESEAL_VERSION="0.26.2"
+          wget "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
+          tar xfz "kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
+          sudo mv kubeseal /usr/local/bin/
+          kubeseal --version
+
+      - name: Download public certificate
+        run: |
+          # infrastructure 레포에서 public cert 가져오기
+          wget https://raw.githubusercontent.com/Mayne0213/infrastructure/main/sealed-secrets/pub-cert.pem -O /tmp/pub-cert.pem
+
+      - name: Create sealed secret for ArgoCD token
+        if: inputs.secret_name == 'argocd-token'
+        run: |
+          NAMESPACE="portfolio"
+          if [ "${{ inputs.environment }}" = "dev" ]; then
+            NAMESPACE="portfolio-dev"
+          fi
+
+          # GitHub Secret에서 값을 가져와서 SealedSecret 생성
+          kubectl create secret generic argocd-token \
+            --from-literal=token="${{ secrets.ARGOCD_TOKEN }}" \
+            --namespace="$NAMESPACE" \
+            --dry-run=client -o yaml | \
+          kubeseal --format=yaml \
+            --cert=/tmp/pub-cert.pem \
+            --scope=strict \
+            > "deploy/k8s/overlays/${{ inputs.environment }}/sealed-argocd-token.yaml"
+
+      - name: Create generic sealed secret
+        if: inputs.secret_name != 'argocd-token'
+        run: |
+          NAMESPACE="portfolio"
+          if [ "${{ inputs.environment }}" = "dev" ]; then
+            NAMESPACE="portfolio-dev"
+          fi
+
+          # 예시: API_KEY와 DATABASE_URL을 포함하는 앱 시크릿
+          kubectl create secret generic "${{ inputs.secret_name }}" \
+            --from-literal=API_KEY="${{ secrets.API_KEY }}" \
+            --from-literal=DATABASE_URL="${{ secrets.DATABASE_URL }}" \
+            --namespace="$NAMESPACE" \
+            --dry-run=client -o yaml | \
+          kubeseal --format=yaml \
+            --cert=/tmp/pub-cert.pem \
+            --scope=strict \
+            > "deploy/k8s/overlays/${{ inputs.environment }}/sealed-${{ inputs.secret_name }}.yaml"
+
+      - name: Commit and push sealed secret
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          git add "deploy/k8s/overlays/${{ inputs.environment }}/sealed-*.yaml"
+          git commit -m "Add sealed secret ${{ inputs.secret_name }} for ${{ inputs.environment }}"
+          git push
+
+          echo "✅ Sealed secret created and pushed to repository"
+          echo "   ArgoCD will automatically deploy this sealed secret"