Configure postgresql database for benji

Issue #274

infrastructure/base/benji/release.yaml

@@ -28,7 +28,6 @@ spec:
         pullPolicy: IfNotPresent
       configuration:
         configurationVersion: '1'
-        databaseEngine: sqlite:////tmp/benji.sqlite
         storages:
           - name: storage-1
             storageId: 1
@@ -90,3 +89,16 @@ spec:
           command:
             - benji-command
             - cleanup
+    postgresql:
+      enabled: true
+      postgresqlUsername: benji
+      postgresqlDatabase: benji
+  valuesFrom:
+    - kind: Secret
+      name: postgresql-password
+      valuesKey: data
+      targetPath: postgresql.postgresqlPassword
+    - kind: Secret
+      name: postgresql-path
+      valuesKey: data
+      targetPath: benji.configuration.databaseEngine

infrastructure/dev/benji-secrets.yaml

@@ -0,0 +1,124 @@
+# yamllint disable rule:indentation
+---
+apiVersion: v1
+data:
+    keyring: ENC[AES256_GCM,data:fCL0MIZmE7lsMwJqMy5R/oQG5mYXK4mOC/00NyD8R+odU2b7GXJB9bhvYQATYJWokwzdroEI19OhMzr2KVLtObtPwBM1QCNpzPMe+VOIwNPkbLf3,iv:iN7i3Ti3rIdjfEWsLtye0RMzmEVKRdWdUDQs6RkhOiQ=,tag:MXK7XKh1m+v1j8O0wZpaTw==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: ceph-keyring
+    namespace: benji
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-08-24T07:01:15Z"
+    mac: ENC[AES256_GCM,data:OZNOS7YZTQH1DM3OvzIp6U9VY8ujUI46uL1hPb7+nmogdPUZtLXdU1rS0jOB7z6K3DWo9/5XxKLx1Ik59UFua+bDmtP5YTWPr5Xkb/QlOrgEBXcv/Dg3XL1nx1zQI1NCsZxh6ugO4LySVSvuDkNGgvb6Kik1s0kHB3L/AfT2SHI=,iv:iZcDEsUS/U+KW0Wfb5hynnsiEkWqauv1HhoAPcDmmjU=,tag:Dg0UCsuW+t9kHRwrA69wYQ==,type:str]
+    pgp:
+        - created_at: "2021-08-24T06:01:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwS2ffBZfHTuARAAn7royO6YRfPjh+8x5B1wjiU3p0RE+rPi2FT54OgzHdKk
+            leYd0oro4GDX5MEgdpsvMKQ9mnT0t5OQs0WdBMr4tNElDnRBJTlimZ6InXFaH78/
+            fHQ+FTJlxw4R3A5IfkBo5sfA1t361K1nM8kD/Es+ERmWoLt4pEVhynTFB2MAJa2C
+            V1sZk99j2MSB0ufnro4QXJrE3dl2ELp1YdmFZdoPqmEKl4QumtDC8eILD2SgBuQq
+            +BcsFmIS6TgnlU6ZjRLXNNm0Zf8qxK/RUvqmV+a7kkg/t+OWmnESxMFfPOMrxsae
+            oFi76/AVn2GT16sSm2fqEXT1hvy/nwuncemxavSmgMJPlo+53fRcVd/ze5YRzgOR
+            QWnsvaOiRFB3SQ/byLPlb095yyLY/mnkZmMeDVC28D7kGuT4cAS8vI5/dT/0MU+f
+            OfzCHNSrvqLeJY/301kUt1+Rgxqx4INg/l2JSwRLBHR51hut/mKOvaBlHqU7xna0
+            ZBvRo49EZg+9dWO8Cc2htpRmL292rT125Qwq5Gn1E3PUij1jwUzhn+3F+p+6i5co
+            8VtHQsQArOtRsJrM8OBn1fDnGFY6qUcMQYXIWUOnKvf9vcJzEbjXKxpOzA36rw+K
+            xOB7CmtPEwxandVL+5g4xbb9oC9yggufu/lMM+UyPRKgL+Ed5VdYr5reRo6XRqDU
+            ZgEJAhVDUgOpJov7svIm9j87wb9SJjBd8AWVr0awZReQNrMxcifQiia3wVq/xwGV
+            DUz8oosxEwOE+l2dEbdvdzDvYg+X+gS/hs3mX9MeEhSFM+g8mT4c2L87FpJSD6lo
+            SbfUCLQepA==
+            =S8PK
+            -----END PGP MESSAGE-----
+          fp: B1A8C6842B46D1C8CCBA1F7E3A259C447D9BEDC8
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1
+---
+apiVersion: v1
+data:
+    data: ENC[AES256_GCM,data:v82unIkmT7vS4MNg/oBtlcI6WWdtGJcGc0v3TA==,iv:7W9eQZtKi454r27eEUiZ5ehKYM/J2MhHsyiOxKW9tIM=,tag:LDCEJMNRuvzDNMCmer/nZA==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: postgreqsql-password
+    namespace: benji
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-08-24T07:01:15Z"
+    mac: ENC[AES256_GCM,data:OZNOS7YZTQH1DM3OvzIp6U9VY8ujUI46uL1hPb7+nmogdPUZtLXdU1rS0jOB7z6K3DWo9/5XxKLx1Ik59UFua+bDmtP5YTWPr5Xkb/QlOrgEBXcv/Dg3XL1nx1zQI1NCsZxh6ugO4LySVSvuDkNGgvb6Kik1s0kHB3L/AfT2SHI=,iv:iZcDEsUS/U+KW0Wfb5hynnsiEkWqauv1HhoAPcDmmjU=,tag:Dg0UCsuW+t9kHRwrA69wYQ==,type:str]
+    pgp:
+        - created_at: "2021-08-24T06:01:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwS2ffBZfHTuARAAn7royO6YRfPjh+8x5B1wjiU3p0RE+rPi2FT54OgzHdKk
+            leYd0oro4GDX5MEgdpsvMKQ9mnT0t5OQs0WdBMr4tNElDnRBJTlimZ6InXFaH78/
+            fHQ+FTJlxw4R3A5IfkBo5sfA1t361K1nM8kD/Es+ERmWoLt4pEVhynTFB2MAJa2C
+            V1sZk99j2MSB0ufnro4QXJrE3dl2ELp1YdmFZdoPqmEKl4QumtDC8eILD2SgBuQq
+            +BcsFmIS6TgnlU6ZjRLXNNm0Zf8qxK/RUvqmV+a7kkg/t+OWmnESxMFfPOMrxsae
+            oFi76/AVn2GT16sSm2fqEXT1hvy/nwuncemxavSmgMJPlo+53fRcVd/ze5YRzgOR
+            QWnsvaOiRFB3SQ/byLPlb095yyLY/mnkZmMeDVC28D7kGuT4cAS8vI5/dT/0MU+f
+            OfzCHNSrvqLeJY/301kUt1+Rgxqx4INg/l2JSwRLBHR51hut/mKOvaBlHqU7xna0
+            ZBvRo49EZg+9dWO8Cc2htpRmL292rT125Qwq5Gn1E3PUij1jwUzhn+3F+p+6i5co
+            8VtHQsQArOtRsJrM8OBn1fDnGFY6qUcMQYXIWUOnKvf9vcJzEbjXKxpOzA36rw+K
+            xOB7CmtPEwxandVL+5g4xbb9oC9yggufu/lMM+UyPRKgL+Ed5VdYr5reRo6XRqDU
+            ZgEJAhVDUgOpJov7svIm9j87wb9SJjBd8AWVr0awZReQNrMxcifQiia3wVq/xwGV
+            DUz8oosxEwOE+l2dEbdvdzDvYg+X+gS/hs3mX9MeEhSFM+g8mT4c2L87FpJSD6lo
+            SbfUCLQepA==
+            =S8PK
+            -----END PGP MESSAGE-----
+          fp: B1A8C6842B46D1C8CCBA1F7E3A259C447D9BEDC8
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1
+---
+apiVersion: v1
+data:
+    data: ENC[AES256_GCM,data:mXqTuDr36/QezlB/6BCsk9knIdbyeqocfH5Us7GE/Xrj5/1t6nGPWk/CVhp2CUvf4Dh/i5XkC7SD7dZRk+npDKQ5L4CU1plRb/5OL03O5StafnnH,iv:enWFQTiBkAoZLvm3RZlA/lM7EYT8wTJIprlFNw2Y8hk=,tag:xnYH2Ca9Pnq3RyQQSElp4g==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: postgresql-path
+    namespace: benji
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-08-24T07:01:15Z"
+    mac: ENC[AES256_GCM,data:OZNOS7YZTQH1DM3OvzIp6U9VY8ujUI46uL1hPb7+nmogdPUZtLXdU1rS0jOB7z6K3DWo9/5XxKLx1Ik59UFua+bDmtP5YTWPr5Xkb/QlOrgEBXcv/Dg3XL1nx1zQI1NCsZxh6ugO4LySVSvuDkNGgvb6Kik1s0kHB3L/AfT2SHI=,iv:iZcDEsUS/U+KW0Wfb5hynnsiEkWqauv1HhoAPcDmmjU=,tag:Dg0UCsuW+t9kHRwrA69wYQ==,type:str]
+    pgp:
+        - created_at: "2021-08-24T06:01:16Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwS2ffBZfHTuARAAn7royO6YRfPjh+8x5B1wjiU3p0RE+rPi2FT54OgzHdKk
+            leYd0oro4GDX5MEgdpsvMKQ9mnT0t5OQs0WdBMr4tNElDnRBJTlimZ6InXFaH78/
+            fHQ+FTJlxw4R3A5IfkBo5sfA1t361K1nM8kD/Es+ERmWoLt4pEVhynTFB2MAJa2C
+            V1sZk99j2MSB0ufnro4QXJrE3dl2ELp1YdmFZdoPqmEKl4QumtDC8eILD2SgBuQq
+            +BcsFmIS6TgnlU6ZjRLXNNm0Zf8qxK/RUvqmV+a7kkg/t+OWmnESxMFfPOMrxsae
+            oFi76/AVn2GT16sSm2fqEXT1hvy/nwuncemxavSmgMJPlo+53fRcVd/ze5YRzgOR
+            QWnsvaOiRFB3SQ/byLPlb095yyLY/mnkZmMeDVC28D7kGuT4cAS8vI5/dT/0MU+f
+            OfzCHNSrvqLeJY/301kUt1+Rgxqx4INg/l2JSwRLBHR51hut/mKOvaBlHqU7xna0
+            ZBvRo49EZg+9dWO8Cc2htpRmL292rT125Qwq5Gn1E3PUij1jwUzhn+3F+p+6i5co
+            8VtHQsQArOtRsJrM8OBn1fDnGFY6qUcMQYXIWUOnKvf9vcJzEbjXKxpOzA36rw+K
+            xOB7CmtPEwxandVL+5g4xbb9oC9yggufu/lMM+UyPRKgL+Ed5VdYr5reRo6XRqDU
+            ZgEJAhVDUgOpJov7svIm9j87wb9SJjBd8AWVr0awZReQNrMxcifQiia3wVq/xwGV
+            DUz8oosxEwOE+l2dEbdvdzDvYg+X+gS/hs3mX9MeEhSFM+g8mT4c2L87FpJSD6lo
+            SbfUCLQepA==
+            =S8PK
+            -----END PGP MESSAGE-----
+          fp: B1A8C6842B46D1C8CCBA1F7E3A259C447D9BEDC8
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

scripts/setup-sops.sh

@@ -48,6 +48,8 @@ fi
 KEY_ID=$(gpg --list-secret-keys --keyid-format LONG  "${KEY_NAME}" | awk '/^      [A-Z0-9]{40}/{if (length($1) > 0) print $1}')
 SOPS_KEY_FP=${KEY_ID##*/}
 
+# Key can be imported with something like:
+# kubectl get secret sops-gpg -n flux-system -o jsonpath="{.data.sops\.asc}" | base64 --decode | gpg --import /dev/stdin
 gpg --export-secret-keys --armor "${SOPS_KEY_FP}" | kubectl create secret generic "${SECRET_NAME}" --namespace="${SECRET_NAMESPACE}" --from-file=${SECRET_KEY}=/dev/stdin
 echo Exporting key id "${SOPS_KEY_FP}"
 echo Secret key created at "${SECRET_NAMESPACE}/${SECRET_NAME}"