From a926eccff57ae12294da50538f0f9c1c19fda52a Mon Sep 17 00:00:00 2001
From: Vitor Hideyoshi
Date: Fri, 7 Nov 2025 15:05:24 -0300
Subject: [PATCH 1/2] feat: adds encryption key for kubernetes secrets
---
 config.tf | 10 ++++++++++
 github/config.tf | 5 +++++
 github/github.tf | 7 +++++++
 main.tf | 6 ++++++
 4 files changed, 28 insertions(+)
diff --git a/config.tf b/config.tf
index 43beb7e..0727ff5 100644
--- a/config.tf
+++ b/config.tf
@@ -97,4 +97,14 @@ variable "github_repositories" {
 "storage-hideyoshi.com",
 "infra-hideyoshi.com",
 ]
+}
+
+variable "gpg_private_key_encryption" {
+ type = string
+ sensitive = true
+}
+
+variable "gpg_public_key_encryption" {
+ type = string
+ sensitive = true
 }
\ No newline at end of file
diff --git a/github/config.tf b/github/config.tf
index cba3f0d..37653be 100644
--- a/github/config.tf
+++ b/github/config.tf
@@ -14,4 +14,9 @@ variable "github_repositories" {
 variable "cluster_kubeconfig" {
 type = string
 sensitive = true
+}
+
+variable "gpg_public_key_encryption" {
+ type = string
+ sensitive = true
 }
\ No newline at end of file
diff --git a/github/github.tf b/github/github.tf
index ccb8867..bcd6a02 100644
--- a/github/github.tf
+++ b/github/github.tf
@@ -18,4 +18,11 @@ resource "github_actions_organization_secret" "cluster_kubeconfig" {
 selected_repository_ids = [for repo in data.github_repository.repos : repo.repo_id]
 secret_name = "PORTFOLIO_KUBECONFIG"
 plaintext_value = chomp(var.cluster_kubeconfig)
+}
+
+resource "github_actions_organization_secret" "gpg_public_key" {
+ visibility = "selected"
+ selected_repository_ids = [for repo in data.github_repository.repos : repo.repo_id]
+ secret_name = "PORTFOLIO_GPG_PUBLIC_KEY"
+ plaintext_value = chomp(var.gpg_public_key_encryption)
 }
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 7c10689..e2ac545 100644
--- a/main.tf
+++ b/main.tf
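Review bot: The two variables added to config.tf carry no `description`, so an operator filling them in cannot tell whether an ASCII-armored key block or a key ID is expected, nor that any value given to `gpg_private_key_encryption` is persisted in plaintext in Terraform state regardless of `sensitive = true`. As this is the root module, a one-line description on each declaration is the only place that contract gets recorded; the same gap exists for `gpg_public_key_encryption` in the github/config.tf hunk of this patch. Suggested for the private key: `description = "GPG private key used by the cluster workflows; written to Terraform state in plaintext, so the state backend must be access-controlled and encrypted at rest"`, with a matching line for the public key. Whether the expected format is an armored block or a fingerprint is not visible in the diff and should be confirmed with the author.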
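Review bot: `selected_repository_ids` in the new `gpg_public_key` resource repeats the `[for repo in data.github_repository.repos : repo.repo_id]` expression already used by `cluster_kubeconfig` three lines above, so the two secrets can drift apart if one list is edited and the other is not; a single `locals` entry (for example `local.portfolio_repo_ids`, name to be chosen) referenced by both keeps them in lock-step. A comment on the resource would also be worth adding: `# plaintext_value is stored in Terraform state as well as in GitHub; the state backend is a second copy of this key`. The body of the `cluster_kubeconfig` resource begins outside the hunk.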
@@ -101,10 +101,16 @@ module "github" {
 github_owner = var.github_owner
 github_repositories = var.github_repositories
 cluster_kubeconfig = module.kubernetes.cluster_kubeconfig
+ gpg_public_key_encryption = var.gpg_public_key_encryption
 }
 
 
 output "cluster_kubeconfig" {
 value = module.kubernetes.cluster_kubeconfig
 sensitive = true
+}
+
+output "gpg_private_key_encryption" {
+ value = var.gpg_private_key_encryption
+ sensitive = true
 }
\ No newline at end of file
From 2f124b4f14b54fd4985cbbac66452c9d6cb6e15d Mon Sep 17 00:00:00 2001
From: Vitor Hideyoshi
Date: Fri, 7 Nov 2025 15:13:21 -0300
Subject: [PATCH 2/2] fix: fixes encryption key for kubernetes secrets
---
 github/config.tf | 2 +-
 github/github.tf | 4 ++--
 main.tf | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/github/config.tf b/github/config.tf
index 37653be..f537630 100644
--- a/github/config.tf
+++ b/github/config.tf
@@ -16,7 +16,7 @@ variable "cluster_kubeconfig" {
 sensitive = true
 }
 
-variable "gpg_public_key_encryption" {
+variable "gpg_private_key_encryption" {
 type = string
 sensitive = true
 }
\ No newline at end of file
diff --git a/github/github.tf b/github/github.tf
index bcd6a02..b86412b 100644
--- a/github/github.tf
+++ b/github/github.tf
@@ -23,6 +23,6 @@ resource "github_actions_organization_secret" "cluster_kubeconfig" {
 resource "github_actions_organization_secret" "gpg_public_key" {
 visibility = "selected"
 selected_repository_ids = [for repo in data.github_repository.repos : repo.repo_id]
- secret_name = "PORTFOLIO_GPG_PUBLIC_KEY"
- plaintext_value = chomp(var.gpg_public_key_encryption)
+ secret_name = "PORTFOLIO_GPG_PRIVATE_KEY"
+ plaintext_value = chomp(var.gpg_private_key_encryption)
 }
\ No newline at end of file
diff --git a/main.tf b/main.tf
index e2ac545..97951b5 100644
--- a/main.tf
+++ b/main.tf
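Review bot: The resource in the github/github.tf hunk of patch 2/2 is still labelled `gpg_public_key` while it now publishes `PORTFOLIO_GPG_PRIVATE_KEY` from `var.gpg_private_key_encryption`, so the address `github_actions_organization_secret.gpg_public_key` names the opposite of what it holds and will mislead anyone reading state or plan output. Renaming the label alone would destroy and recreate the secret, so pair the rename with a `moved` block from `github_actions_organization_secret.gpg_public_key` to the new address. Because `visibility = "selected"` exposes the private key to every workflow in every repository returned by `data.github_repository.repos`, a comment on the resource stating that this is the decryption key and which repositories are intended to receive it would make the trust boundary reviewable; whether each listed repository actually needs it is not visible in the diff. The `cluster_kubeconfig` resource named in the hunk header lies outside the hunk.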
@@ -101,7 +101,7 @@ module "github" {
 github_owner = var.github_owner
 github_repositories = var.github_repositories
 cluster_kubeconfig = module.kubernetes.cluster_kubeconfig
- gpg_public_key_encryption = var.gpg_public_key_encryption
+ gpg_private_key_encryption = var.gpg_private_key_encryption
 }
 
 
@@ -110,7 +110,7 @@ output "cluster_kubeconfig" {
 sensitive = true
 }
 
-output "gpg_private_key_encryption" {
- value = var.gpg_private_key_encryption
+output "gpg_public_key_encryption" {
+ value = var.gpg_public_key_encryption
 sensitive = true
 }
\ No newline at end of file
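Review bot: `output "gpg_public_key_encryption"` in the second hunk is marked `sensitive = true` for a public key, which hides it from `terraform output` and from plan diffs without protecting anything. The flag appears to be forced only because the root `variable "gpg_public_key_encryption"` in config.tf (patch 1/2) is itself declared `sensitive = true`, and Terraform rejects a non-sensitive output derived from a sensitive variable. If the public key is meant to be read by people or other configurations, drop `sensitive = true` from both the variable and this output; if it is deliberately kept, add `# public key, marked sensitive only to satisfy the sensitive root variable` so the next reader does not mistake it for a secret. The first hunk in this file is a plain rename and needs no change.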