From c1fdb2aec20e945fd95ad0e90e42cfc7f2adcb85 Mon Sep 17 00:00:00 2001
From: ytshih
Date: Wed, 30 Jul 2025 15:01:05 +0800
Subject: [PATCH] Feat(amane): sops secret
---
 amane-tanikaze/.sops.yaml | 4 +++
 amane-tanikaze/kustomization.yaml | 1 +
 amane-tanikaze/secret.yaml | 42 +++++++++++++++++++++++++++
 flux-applications/amane-tanikaze.yaml | 4 +++
 4 files changed, 51 insertions(+)
 create mode 100644 amane-tanikaze/.sops.yaml
 create mode 100644 amane-tanikaze/secret.yaml
diff --git a/amane-tanikaze/.sops.yaml b/amane-tanikaze/.sops.yaml
new file mode 100644
index 0000000..2fc872c
--- /dev/null
+++ b/amane-tanikaze/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+ - path_regex: '.*.yaml'
+ encrypted_regex: '^(data|stringData)$'
+ pgp: A638A6B54530D54E868F9D3238736C662F799E0D
diff --git a/amane-tanikaze/kustomization.yaml b/amane-tanikaze/kustomization.yaml
index 19c7e8a..d32444d 100644
--- a/amane-tanikaze/kustomization.yaml
+++ b/amane-tanikaze/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
 - deploy.amane-backend.yaml
 - svc.amane-backend.yaml
 - ing.amane-tanikaze.yaml
+ - secret.yaml
diff --git a/amane-tanikaze/secret.yaml b/amane-tanikaze/secret.yaml
new file mode 100644
index 0000000..3fe6301
--- /dev/null
+++ b/amane-tanikaze/secret.yaml
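Review bot: The creation rule's `path_regex: '.*.yaml'` in the new `.sops.yaml` is wider than it reads: the dot before `yaml` is unescaped and the pattern has no end anchor, so it matches every YAML path in this directory, not only the Secret manifest. Any other manifest with a top-level `data` key (a ConfigMap, for instance) would have its values encrypted if sops were run on it. Scoping the rule to the one file, e.g. `path_regex: 'secret\.yaml$'`, avoids that. The rule also names a single PGP recipient; if no other copy of that key exists, adding a second recipient would keep the file recoverable should the key be lost.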
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: amane
+data:
+ ADMIN_ID: ENC[AES256_GCM,data:Ov85MvnAX8sxm1MuxnSakYJcAZzOqfx6,iv:SBXjpG2LG82cQK6ztSOkyqPKlGUBmcE6Smz9u2TxFO4=,tag:ZET34rCcbpmAj3VxNyLnPg==,type:str]
+ DC_CLIENTID: ENC[AES256_GCM,data:HHNWrdiXck0ehURuJ64FNzxduS1iHaKc4za1NA==,iv:VVNQWZEeHSW6h1mCuUXTczDpIuWJ+s1JtqELqbwXF/U=,tag:qfj8Wh26RzyGoP/3r3HFOQ==,type:str]
+ DC_TOKEN: ENC[AES256_GCM,data:kNi2/gdkZgCduG1aR8j4gBz/w/7KVAm1zxBTbzUyqmWfKb8z11V7q7Av32KHYkAIByyLUHo4JRTCOJ412MsmqM1bLZuxdWtahWK4q2i9wHb8vmkVqeOuPJwgsMmaBhDv,iv:amsEnZmR1UAx+CxJVvE7DTA316BN8l7eiyololFyojs=,tag:Hsvz3dDRTgo0Cp1iNV/6yQ==,type:str]
+ MINIO_ACCESSKEY: ENC[AES256_GCM,data:3nG4ugxYAxQ=,iv:Y3fRS3EhfEK+Gt+GIgqRbch38cRh2UnflTVD3ms2rYI=,tag:yrKF0OgKDzyMhoKk/BqZsQ==,type:str]
+ MINIO_SECRETKEY: ENC[AES256_GCM,data:l/VkxGSxymmV6Ds3b3EOIgQQBZgb6TtfjFNtWIh2iBE=,iv:IR98qNFIFGVR6k9A4JQEwQPm2gA9OQ1Ho2BqxUrbYWE=,tag:yd3crplEMGvoQ56fLCStew==,type:str]
+ MONGODB_DB: ENC[AES256_GCM,data:dN0hbuw+NdY=,iv:fEyRNd7wf6VBocTOJ9uSWoEM8EN18MJkZEgYgP+QOMs=,tag:Q3fNnRa8b5k/A+RrQZA/bA==,type:str]
+ MONGODB_HOST: ENC[AES256_GCM,data:ufLiovqackkRLpcSU2gFZqTZ/e+utKmM,iv:nJKnFBCZw2VCSBTE/zlDzn3W0cPuefXsTLM2A+bT4XM=,tag:sz2Yvi7doarqT9F/oCpvoQ==,type:str]
+ MONGODB_PASS: ENC[AES256_GCM,data:/+rZYp64OY3EF9NqsZoXbZNknA9IajwaQ3hiUlQCwMM=,iv:jv1lYVSQ5ziji3uG/b51I67ZUH5odoE7fgJ18oMi/Co=,tag:9QceIo2+BfHlNsGON1rzFQ==,type:str]
+ MONGODB_USER: ENC[AES256_GCM,data:R/c5HyPwjpw=,iv:y1xTcL73WBkOH6JmhsQ8THSFE6seyJoXRo8OozbeSrc=,tag:AKccomi9oKMqeARiebSgkg==,type:str]
+ SECRET: ENC[AES256_GCM,data:tD+rMUEJin3qq5n57mUHnELnlEE=,iv:87Vuqedc5OceJ7BP+pPbBiPccycdWJlZUIipexkrQ+M=,tag:ZOuwTx0baYXi63zlBAI4GA==,type:str]
+sops:
+ lastmodified: "2025-07-30T06:57:45Z"
+ mac:
ENC[AES256_GCM,data:e0p1SXUVN1oXmZCWeZwwkjsfo8fdf2jWOsLpeHQ3KiXiMPJlj0MPv3ZRDRQqaHsSnGqJ+kQplCyk3lq7gVZLXjhO5UAAh6rfDxFuGdQryqvZ9qTzL554AI+Bv1mL0t/nwf6cpKhNXMs+NOcDTsuWvULdDz7hKos0vQ++QHsz2S4=,iv:7LUj4LgCPNLpgt6WnyKEV8C+2PwCtvz+k4Tvc+Bg7M0=,tag:Zc5/V/qw0FZL+LyWxViPiw==,type:str]
+ pgp:
+ - created_at: "2025-07-30T06:57:45Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA+nT7MSlwYOAAQ/+L2eRzK2vhZp0RneJgFQeYtPAFODUJWrc8MTL8vfNtFDg
+ lnN13THlcdqPtyqg1CCNOgwopmI37Q9aCyuueSOaeHnEhl9usahm7ANL7DxbI8E9
+ NxnEgWi1U18DsKvMhJ583mdo5hEeOXmGm8PGiafKuf4ApCcGMPxjx6PMj0NCTKUy
+ 2ONmn8Q1ia4XNFy2zoj4Bn95ulldzebFqPlvfeOV2FDWBPxB8w4fULg1Aoj1DVVK
+ seLgq6uJsDlvDBHrA4fySF4+CC7RTLuJM4sgNCL9hQXzVy0h4sq1VrHDyKAhcD1H
+ YuN483E6oJNhCn/29Ug2tTsvp41nIVjxIcU7IDTDSQJPGYmbJnbro2pNp83G0ZKE
+ bcX1o386xubC2nMNUGTVeU/klQd9CUW79f/T/q6xigHpX0X3cq9SZ5LsNl8eu23u
+ 7cAzv6Sp4QVo/0q2Ixay5xZtSJ5dIRAf83wKBGuzVJODRCJxFNdu+SFy67TAdG9s
+ CTCRWXnWIklQ4yde8R9nAvCc8eUx8Tx7AfVScRhOFDYG2MqYyLm+PBcRlTy4paF1
+ olusJ9/3RprRPiJGn0ZBovJdcCy4OaUPAxffhT6GBDF/GphVceM3O/ubznvvfFsU
+ sQF7sqd34vEQ0VrEyPQVayG4p/RdcV0VyW/yI1jgJt+HasHmnxmu9BKjYZe+21XS
+ XgFZM8uRTSPytwmeDyrk4+kXXGEDD7WWHj1LxFHKPp0m+3W0BSOHU/iT/uUA/bFk
+ HHHlbBDefyCBWH1zAft1syGVTC64D/kL1OBc7nah/GkjzCTpk/lvSXXCrvhPVxw=
+ =+591
+ -----END PGP MESSAGE-----
+ fp: A638A6B54530D54E868F9D3238736C662F799E0D
+ encrypted_regex: ^(data|stringData)$
+ version: 3.10.2
diff --git a/flux-applications/amane-tanikaze.yaml b/flux-applications/amane-tanikaze.yaml
index f5b3560..02869f3 100644
--- a/flux-applications/amane-tanikaze.yaml
+++ b/flux-applications/amane-tanikaze.yaml
@@ -12,3 +12,7 @@ spec:
 sourceRef:
 kind: GitRepository
 name: applications
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
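Review bot: The encrypted values in `secret.yaml` sit under `data`, so each one must decrypt to valid base64 or the API server will reject Secret `amane`; the ciphertext gives a reviewer no way to confirm that. Moving the plain values to `stringData` (already covered by `encrypted_regex`) removes the manual encoding step. SOPS also leaves key names in clear and, as far as I know, does not pad values, so the length of every credential is visible to anyone who can read the repository; long randomly generated credentials keep that from being useful. A header comment such as `# edit with sops only; hand edits invalidate sops.mac` would help the next maintainer.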
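Review bot: `secretRef.name: sops-gpg` in the `decryption` block refers to a Secret this commit does not create, so the Kustomization cannot decrypt `secret.yaml` until that Secret exists in the Kustomization's own namespace. A comment next to the reference would record this, e.g. `# sops-gpg: private key for the fingerprint in amane-tanikaze/.sops.yaml; created out of band, never committed`. Anyone who can read that Secret can decrypt everything in the repository encrypted to that fingerprint, so read access should be limited to the Flux controller. The enclosing `spec` starts outside the hunk.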