portfolio/.github/workflows/create-sealed-secrets.yml.example

name: Create Sealed Secrets (Example)

# 이 워크플로우는 예시입니다. 필요에 따라 수정하여 사용하세요.
# Secrets를 SealedSecrets로 변환하여 Git에 안전하게 저장합니다.

on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Target environment (dev/prod)'
        required: true
        type: choice
        options:
          - dev
          - prod
      secret_name:
        description: 'Secret name to create'
        required: true
        type: string

jobs:
  create-sealed-secret:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install kubeseal
        run: |
          KUBESEAL_VERSION="0.26.2"
          wget "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
          tar xfz "kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
          sudo mv kubeseal /usr/local/bin/
          kubeseal --version

      - name: Download public certificate
        run: |
          # infrastructure 레포에서 public cert 가져오기
          wget https://raw.githubusercontent.com/Mayne0213/infrastructure/main/sealed-secrets/pub-cert.pem -O /tmp/pub-cert.pem

      - name: Create sealed secret for ArgoCD token
        if: inputs.secret_name == 'argocd-token'
        run: |
          NAMESPACE="portfolio"
          if [ "${{ inputs.environment }}" = "dev" ]; then
            NAMESPACE="portfolio-dev"
          fi

          # GitHub Secret에서 값을 가져와서 SealedSecret 생성
          kubectl create secret generic argocd-token \
            --from-literal=token="${{ secrets.ARGOCD_TOKEN }}" \
            --namespace="$NAMESPACE" \
            --dry-run=client -o yaml | \
          kubeseal --format=yaml \
            --cert=/tmp/pub-cert.pem \
            --scope=strict \
            > "deploy/k8s/overlays/${{ inputs.environment }}/sealed-argocd-token.yaml"

      - name: Create generic sealed secret
        if: inputs.secret_name != 'argocd-token'
        run: |
          NAMESPACE="portfolio"
          if [ "${{ inputs.environment }}" = "dev" ]; then
            NAMESPACE="portfolio-dev"
          fi

          # 예시: API_KEY와 DATABASE_URL을 포함하는 앱 시크릿
          kubectl create secret generic "${{ inputs.secret_name }}" \
            --from-literal=API_KEY="${{ secrets.API_KEY }}" \
            --from-literal=DATABASE_URL="${{ secrets.DATABASE_URL }}" \
            --namespace="$NAMESPACE" \
            --dry-run=client -o yaml | \
          kubeseal --format=yaml \
            --cert=/tmp/pub-cert.pem \
            --scope=strict \
            > "deploy/k8s/overlays/${{ inputs.environment }}/sealed-${{ inputs.secret_name }}.yaml"

      - name: Commit and push sealed secret
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

          git add "deploy/k8s/overlays/${{ inputs.environment }}/sealed-*.yaml"
          git commit -m "Add sealed secret ${{ inputs.secret_name }} for ${{ inputs.environment }}"
          git push

          echo "✅ Sealed secret created and pushed to repository"
          echo "   ArgoCD will automatically deploy this sealed secret"