FEAT(app): add Sealed Secrets support

- Enable secure secret management - Add SealedSecret configuration
2025-12-06 10:52:14 +09:00
parent 02e7b54020
commit 5e67591d84
4 changed files with 105 additions and 1 deletions
--- a/.github/workflows/create-sealed-secrets.yml.example
+++ b/.github/workflows/create-sealed-secrets.yml.example
@@ -0,0 +1,89 @@
+name: Create Sealed Secrets (Example)
+
+# 이 워크플로우는 예시입니다. 필요에 따라 수정하여 사용하세요.
+# Secrets를 SealedSecrets로 변환하여 Git에 안전하게 저장합니다.
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Target environment (dev/prod)'
+        required: true
+        type: choice
+        options:
+          - dev
+          - prod
+      secret_name:
+        description: 'Secret name to create'
+        required: true
+        type: string
+
+jobs:
+  create-sealed-secret:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install kubeseal
+        run: |
+          KUBESEAL_VERSION="0.26.2"
+          wget "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
+          tar xfz "kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
+          sudo mv kubeseal /usr/local/bin/
+          kubeseal --version
+
+      - name: Download public certificate
+        run: |
+          # infrastructure 레포에서 public cert 가져오기
+          wget https://raw.githubusercontent.com/Mayne0213/infrastructure/main/sealed-secrets/pub-cert.pem -O /tmp/pub-cert.pem
+
+      - name: Create sealed secret for ArgoCD token
+        if: inputs.secret_name == 'argocd-token'
+        run: |
+          NAMESPACE="portfolio"
+          if [ "${{ inputs.environment }}" = "dev" ]; then
+            NAMESPACE="portfolio-dev"
+          fi
+
+          # GitHub Secret에서 값을 가져와서 SealedSecret 생성
+          kubectl create secret generic argocd-token \
+            --from-literal=token="${{ secrets.ARGOCD_TOKEN }}" \
+            --namespace="$NAMESPACE" \
+            --dry-run=client -o yaml | \
+          kubeseal --format=yaml \
+            --cert=/tmp/pub-cert.pem \
+            --scope=strict \
+            > "deploy/k8s/overlays/${{ inputs.environment }}/sealed-argocd-token.yaml"
+
+      - name: Create generic sealed secret
+        if: inputs.secret_name != 'argocd-token'
+        run: |
+          NAMESPACE="portfolio"
+          if [ "${{ inputs.environment }}" = "dev" ]; then
+            NAMESPACE="portfolio-dev"
+          fi
+
+          # 예시: API_KEY와 DATABASE_URL을 포함하는 앱 시크릿
+          kubectl create secret generic "${{ inputs.secret_name }}" \
+            --from-literal=API_KEY="${{ secrets.API_KEY }}" \
+            --from-literal=DATABASE_URL="${{ secrets.DATABASE_URL }}" \
+            --namespace="$NAMESPACE" \
+            --dry-run=client -o yaml | \
+          kubeseal --format=yaml \
+            --cert=/tmp/pub-cert.pem \
+            --scope=strict \
+            > "deploy/k8s/overlays/${{ inputs.environment }}/sealed-${{ inputs.secret_name }}.yaml"
+
+      - name: Commit and push sealed secret
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          git add "deploy/k8s/overlays/${{ inputs.environment }}/sealed-*.yaml"
+          git commit -m "Add sealed secret ${{ inputs.secret_name }} for ${{ inputs.environment }}"
+          git push
+
+          echo "✅ Sealed secret created and pushed to repository"
+          echo "   ArgoCD will automatically deploy this sealed secret"
--- a/deploy/k8s/base/kustomization.yaml
+++ b/deploy/k8s/base/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
  - deployment.yaml
  - service.yaml
+  - sealed-argocd-token.yaml

 commonLabels:
  app.kubernetes.io/name: portfolio
--- a/deploy/k8s/base/sealed-argocd-token.yaml
+++ b/deploy/k8s/base/sealed-argocd-token.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: argocd-token
+  namespace: portfolio
+spec:
+  encryptedData:
+    token: AgA6ns/ylNLMLS9mxTuLK77+lRSErBQJD/UTNkVTFEA/DJMWtrttbZ8qbl80P1FEMTrL5t6ZPErxNVc5oeIbpcng6WCR+jTWv6pNsP+YVTCRZarTpn3fIkV5yc1G6YgGIlhVGr3KeNvOhYcKgFg9ivPsZSrDXgixUjppcYLnsdwKJuFZNAQ5KInCDDyK7POhSYMjHbevxS2m+hhApj74g4Ns+RHnS2U5QdLLyXnTsTaj/AeIigGf7rScgMXd2nis3KI4VuZ+YHA/oCC8F+TBM2Qys+oD+MsGgDi+q/Ix+U6GlPy0StXiTNXUytuvfsW0XR8PuXszWMv2o8KXHaFTw3vFSHjcStJzhWbXTNvAJL/dsIWGJiizIfCIvpg3FOh+3rzF21kgNqQczdLXmoLuwR8TRifuWlGmKOwL2Y1Z7njlJuxyhl2LWgjw+Ih9VByWdNi3WzlzAFceslpVYYDdwPv3PwqAz5l5QEEhMpTKsGmPE/gRLRVz1+clymsn28AW3nf4SBPVeu0jsEsdVZOYRmT+AyyIhOonytP7fJ1KhNNmUHJPmPODj83p24PSs3F6NDwbcYYipIA1TcF16VJsjzge7d4EDVAyHo6QHrz17sIt90CBjhYwHDHRJzZciY3U51EmPxeYnMZSlM46uv0ulVs9BXcyz0hDTf0iiTmhfubtLK+lGZI9nM6j4Uwr8z9Ra0aAaaxuI9wJ9FqjboAMQynjvongsQ+5
+  template:
+    metadata:
+      name: argocd-token
+      namespace: portfolio
+    type: Opaque
--- a/deploy/k8s/overlays/dev/kustomization.yaml
+++ b/deploy/k8s/overlays/dev/kustomization.yaml
@@ -14,7 +14,7 @@ commonLabels:
 # 이미지 태그 설정
 images:
  - name: ghcr.io/mayne0213/portfolio
-    newTag: develop-sha-9ac2eca62ac141be49c9a418cdd08ea8222f65c0
+    newTag: develop-sha-5b67e3ecc973bd95ac4fdeedaf4661dc467154df

 patchesStrategicMerge:
  - deployment-patch.yaml