Manage secrets with sealed secrets

README.md

@@ -9,6 +9,28 @@ services, including:
 
 Why isn't my GitLab CI pipeline running yet? Please see our [Deferred Pipelines Documentation](docs/deferred_pipelines.md)
 
+## Secret Management
+
+The kubernetes cluster makes use of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets), and as such, requires specific steps to be taken in order to create/update secrets.
+
+Sealed secrets are publicly defined encrypted secrets that can only be decrypted within the cluster. Once `SealedSecret` resources are applied to the cluster, the sealed secret controller unseals them, creating a regular secret (same name and namespace) containing the decrypted data.
+
+### Creating a new secret
+To create a new secret, simply copy and un-comment the SealedSecret template (`k8s/production/sealed-secrets/sealed-secret-template.yaml`), or any other existing SealedSecret definition, to the intended file. Convention is to name the file containing your new sealed secrets to be named `sealed-secrets.yaml`.
+
+### Updating a secret
+Once you have a file containing one or more SealedSecret resources, you'll need to add/update its values. To do so, a helper script has been created, which takes the secret file as an argument. It can be used as followed:
+
+```
+./scripts/secrets.py k8s/**/sealed-secrets.yaml
+```
+
+This will prompt you to select the specific secret you want to modify (if several are defined), and which key within the secret's data you want to update (or create a new entry). This prompts you to enter the raw unencrypted value into your shell, which will be sealed, base64 encoded and placed into the file. Comments in the secrets file are not affected by the script, and are encouraged.
+
+Sealed Secrets are *write only*, and as such, cannot be read directly from the definitions in this repository. However, if you have cluster access, you can read the secret value from the cluster.
+
+**Note**: Due to logistical issues with retrieving it on demand, the public certificate is stored in this repository under `k8s/production/sealed-secrets/cert.pem`. This is the *public* part of the public/private key pair, and is **not** sensitive information. The secrets scripts will use this certificate automatically, but if there is ever a need to use a *different* certificate, it can be set with the `SEALED_SECRETS_CERT` environment variable.
+
 ## Restoring from Backup
 
 - Delete the persistent volume (PV) and persistent volume claim (PVC) for the old volume that's being replaced.

k8s/production/cdash/sealed-secrets.yaml

@@ -0,0 +1,19 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cdash-secrets
+  namespace: cdash
+spec:
+  encryptedData:
+    db-host: AgA6PJwFbaLjj68hJf9RHooykcDn7EjRdiIyYDOSINKAlQTG2U1CSlHZkrWQibHojNc+UaKQhmx8hnBIpK9fZt9WSapgZY4bZvv3cQmEQ/TxC1dXsiVQVvvuuatNaL5wUbB7jbsVQsgPxi40JvwukznxqdcAp1qSKqLabi36+my13pvXqNaVC8XXfz3lF04wfhMwVk+RLlARLDI2E/tYqNSUChSewrUjYPjdS1QUoRAnH8d5mJYGvfFBWOwajMg2ZyVRJC+VoVbXBXLi//9ZonsDzMTDGzdmW+uhMGCBtZ9x3JHBrAm+CP86KKtSLJnQ+RZYC42ITk2fx0+quTrDqBvSpstgnfaSUe8LFmis0Tx9dsZ4FDOsShUoOR42rn4gt0GQPLzv/ElaBl5LGnKDzMGLKl0kpWmhQarSyK/5y9XaHOnhcSTFPzHfD/+66RR23x64q0Zd/RgzUS7nC5RFLQN0wqqLyBntafuJcUS8WtQjekVXmKirT0K4qRY5s8+b7/F4f+M/a9KLSfdo+ReifAApK4nmq6FFPe934hKusqaUs9p3jYrVsOEHsnSSQ7/oxrlRMWXhqlTmPySrOdevk64LprZX/aCFPGuJb6poaCJ+rDuYU/cDlGHzOp+3giaMcLOhFFf7NUbWU1vM+k8gxrT42mq1EPOvniX0bvqOMbclCar4CdfGODkX6RSMmhKI5cjbUIMeplevoSp/AXItb0EXifxpYlav3zZkw3kfrMhpMFp11TwsMGnma/jlia3HnhsjWzEEDYxYVqk=
+    db-login: AgDYv5ZretjhvPv+OJ2svI5LJN8DC5XPw71y2ob1B7dyfqu3OEyktLukn7+l7XQe2WOlV5NZBPmryjn8S/gCObdvyb8v8r3tP10Mcb64UF7q8yeirJ0kAF+ofCXd3OZLWS12ux7v/wqDJCGn1lkC4ULSihjX8W8YAhEsiPS2tvjgGz+SIWM4wfCQf7wJeMdfyIgDG72F3dEkHIfT/j/gJpaDiPFX8+agfOuZzF8Zwu27HNC0dOCgYKASV8T21CKJLyP6ofAh55+hnKeKb53ph8WFSHjGR9flU3eo+fL0GMkv3tmSTMxxJPg9/Wws7nuKJR0oyX65lnw0kiwfZbw8PMX1rVyQDmWLV7EGI4tOcK0nIinvMU8Xeixzu9drn5Cm4zl4x86WeBjEZSCINYs7mdwo0K1YtZ5yJVTiGVooSuhOkFP3dqXaUaGDxLr6kaMV3reiezR+rQjqKAXvf0QmIQM+QEzuKM+OlLhvmlcaGspWJgGrOb6qvEO9IQ9zaEtEbsWJdpTKdB02pJa2wRjEJns3O8ObXK6MNskWAC7DsnggQkQf+2rz2HUHQ3etKAkZIGXGof+q3hQqEFT5yeundxE8woToVPYsHKsj55OSk1j3/pzDfgmB9eBo2eixfP6xE89i0t7/b0s9O6nUZ11HJHP2PKky2QJbOEdHxXTvBurNQW6iqOELofDDZro695K8na7o5YRPZQ==
+    db-name: AgBZAERCPs02SalSsZcYQJI2ANzeMIoml2pU29YD4RpTgx8SOn2NBo3cfk9XzSLp/0/8C9sOJvIDosjmIV02w/8vIGX3TrbGvTJgcBKY5pvlz9kZ/jkKh91nLi/KIG4JSXZGScLchJX2q1BOMBgy6qeoYVQijgGUU8KhkZ4aHN7YFyFtRwddT/+nzPfQ9GQcXjEBJrHubFAnn/9BOsmgCvPa3GhPf+btR5sxCAOCJZAP8akic5bYgoeWWFTapqVklwb08gwHGC/ezDMNjO0IP1zge338XsgXgFF0yaj50tkggk5gCdGkG/JmHuex3dwpXGCr0SGaivd6vXC2Qn68x2RzfKPBb1ij3mf+ZnxRNqAX2d3xf7g8vy0UNmnDXvR1H24voqNlvhTecabev6mDZorlCO91O8CJddK2N07oDp6PVGy8aXWs/hd/zdcR7Gxb3kCLm0/Hgze2KfhziNd5wbF3XADIIVJ4BSsEdlpYh0Jj7zq2pKAnlYpUdkdU77yyx5D2H9RxOODxi3Orq7AgKD7LqUWW5ZhDmZDGMWi8L3BpXqGyV1ntR6NEGjdvtvO7qrpl55+z/zQ5S4R4+YNwGkaaX8PwxUUnvpGcrWUnndZYcmdyiqKsmaxVHmlGSKWuyK9NVSEa5Q11+YCXloDKo2gvQpnihG4h4U4AfEe1LVnBXp7Xgqhds3vM5r5OlAkfJy7Qz2b8DQ==
+    db-password: AgCxBnSuyEdxF7Z/dELpwaaoSk9OC8ua6tci2kXIM6i0mNGpDW2Kj2WFYqPU9ZDkvWXxqiNWgTf5IZbRpfP2Tp056OATT8xMC1SbFf/RPSdPt7aGOSzoUK5yS3CHBlEAgaWFfNblHgMZ9n/ADU+B+/LUdUh+1q7teOCwTdfCj/h/c0JneogLen4hsXUofW21IdA/ZiKJVQRNvxpAixP2BdpkFS/HhTnx+CAO9dP/lSKbLh3IQCKTX5njx1EFEfJznNwkfsIcY1KmfKR5e9jneTITpWwpLEvxbuhe4gW/eyUzgaHwtp47TK3KrcGlxSZbwf30lWJY6/25rILNHxUbm9WoppYJj553FIn2aw7D6zhS8OcPUpx40+D30ycxZpK8/el+DU6FhHdshKgf9cVCCv3AM7OaiY/dO4cqL9cO842aJdaczxQLNCHKhr7Psa446oFm32iRbKT+S6XPcnh2hE/9xbiL4AXM0dujDop7Z+jVr/bxA70B6q9U7XRUSqYszk6NBg6QguIwzwpjkhTDQGglRkjBdaJrA/+yXIlouyCm5yXNjYA8XQwtA6o2WWg/qo/RSugKMSxV3Nb97T0nbdx4+7RGR5CFlUFTHMrxszi8TJ5XxRcLmv3ZdWVAPoyso7tghjtWf6CUZjLDVo2L8+0MzqBcJSnvsKhrWLnPMp2IUhTYuPADNMFxUui2nsF6xVv/XpnbppiLIa3LtuNvIsiATNyU1Q==
+    db-port: AgBw5CFkRPLyGDTEjx3++YksPS3qOsJIA5f+SThJ3XBkoXtR1X6jZSeHTHa3rNLuTb5MqwdIvsw57X7tGNZi/XvET3xnE1B2Nbehz4c7+epCYj+F/zWRXcb+yR3Hh7z9wBtjZplTYr+C0EOcOBS64d4PBdL9jf9sEG9xucahx2ZtRUVzFZFQHsLlek0kolo3eJ9LjeqCvTnprOv6v/0vAa2xhe7eiE5PxPzs8YJd7zbb03olyBqLPftzPWrdeORYeWX4V5vo45IsPpZbNnulSJKEQvvjYhDmpaj90tLbgNn5q/TZ8zZxr2XAXHmd3DbzvCduK13OfENw1irdydKZ24+Q6ehvAJvnVz/2mgVTTvNl2/+tWLd2guuXTGyuw785bw3y9B7d9jesdq+imooxgM1aQVBNR8VSbnHfFl/1VZ/T9yEqdlwlj1qB0+9TVa+fzevC3Ateds9cox9mXiELE6rb5Ilb95IP8cmWHMlSm4I+9RhKKl1KVi1c32OZ5zy9olTPuOTCvUnsY+GRtb9BRD1yyn4UzgeI172Ya7UdVX5izRv0s5V88/ZEfFdkAVPWQN0lVdAqKlyroNrj/qINmUX2t5Bxmv+iFYn5YRyPAdWUtdrGakdkYXUwdXnEiKZnC+kPTB/ARdReHtO/9Vdu3zMl7KjZv0deinS/ue1oq5YRGcKIezyU7TC1XvpGZ3Wk38X7SmD3
+    db-type: AgC8ZdoyqxQ9FBbpQZlm9FLfaBxVRMu0pwGK7yY/bKlveyO3A0h5NozYnlWWidNuWUBj88Du/sSY4yXMkBMkmPHrcqBmP6DKDA+t16GHAREWEUOo+DQ/rE1vULnSb2Qx93AFgn4JJMty+37RBsjtnDk2NHIMa3ZRb3zjzuK2Ps3aD0C5qflisDdTJzh9GSJeI1e9IsFkb8B/dE+H7LmQeEJ+YLGPmIrj0cP7N1DGT9FbGtX/4yzHccHlqWHVeND6rvEdH9NzwhokkMgB939xnTw20yBEpWsXvhNEja0NEWIvtH6r9UerKCDYCHeIb+8xdQaVkqLRI+Lov3BfGODruSUaGtYKbYVadeN+LNJJx9EeqjIIBZLBc2joHR28mFhQyAxBUBosDhn/avnf5LU6nw8Y+nsoZBgz3SUDCPXPYy3Y8k8VIbiMeRGJnjOWL51/MSqOi7rB7uIZFcjs6uNtYfZe5cnM03nlDMTEonnKJ34TS/ImRsol4PCTqczQtrAmSwHliKer+rkWMc8pRONM3pWKaBHfBqL+yPedXINzhfFaqi7GkK+V06Ax6FftCpDAtHSq0toBA2vqekpbjykcyyYU2xgno8r3QwVd7HS3wPtNDigr2GQmYQvpPDTTYTh1C9yOVQcRdZzMHKjTV/yCHZY22B6eQPccnfJF8mhjkVJQ/LW/cfreosaThOIWPwNR8pTLpXn40g==
+    root-password: AgDL/QSNalz3B82APqDrKemz20rF9XlJeudCuz/wXAlLLEPAAABMntcGJXiHoga4KjS125nCpOuKBso2Mz33NJXfSq5aeNRvK6V+G5BxNcoya+eSqS2G9t1MH3pnOv+f13Xw9knvOTWmLSvXYIZofOPXclp949SU4L3maNyAoxlp92XhnDw75qAm5F3SAq3PTfLJuC//MsOuvC5fKtJ/XEzesz0o/cwAtdZQhO7CAvj09THPGb+k0Wzm5d0W81i84PupfCYM4T09T4uA/cCIMjzQaEts1J9I39jwvKRmU/que1EZhNLlK6rZRdPpfPXlFJEtaupinmMXI0VpaNd9qac7nVSAIIIAgHZdkRmn4fYS55/y8/1yLfyNCbVS8TTp+RCRGv7TVIPYVrNJN6Kt9Cel0ZEJ5wfZQsFmOVRZlpoU9YLjbwAOWVGLP+7VCSImj41oBsX5BeTQ5IaR3Zp+GD2dM9i8jEEUxLwEZRZeIqdGytz/RerVT+YgI/OyCcoy38AxDmihETccncMADez/OkQ4WthlFFAG/zndTKeQuGwdJ27Mjx+mLWV74R9NCcgkM7MBCLYuAEE30g8kIi47rwEVEXlZNEV/np7Z4JdTgQUQ8VY62tATvsa6kxRXWK1SbZxThZtsWXI3ZEHa4LBOarHpTpSsLiw2+NixdmSogbjfKXIaV/BjZJYhSE6MV0rslA03jDiVlCJnnCRt43vXasx8
+  template:
+    metadata:
+      annotations:
+        kustomize.toolkit.fluxcd.io/reconcile: disabled
+        sealedsecrets.bitnami.com/managed: "true"

k8s/production/custom/gh-gl-sync/sealed-secrets.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gh-gl-sync
+  namespace: custom
+spec:
+  encryptedData:
+    # This token must have repo:status permissions
+    github-access-token: AgC+PFXWgEdlev7cGlCl5t4jnrnOG94UJrIWURHBR/ioI+N/R/pNRyxhJIoWmH295u0lLdcsRkcICSuJWtV51kFDlYIUWgD06yld29jS4NhSobd97GEC0VBN53GB6iivQYUfazzwTy1nA6/bCcIaawB+0sseu2npIl9tDEI/JTVuyiupAG0OV1rCLka2Ua0OQuDhOURldmTqUI+WPRinYCnDJ49HPF97LZZupIrmbCeLGvHg5OD5KYVkOdZsgT6SmJFZZU3CKS8fA4GgtFRThcuZTlFawQSy6ixC6O7/BB7yS5I72YqS2x+gBq7HtzM+2smSmeeUaKUne3w+ExiTTlNpcif4kbobbR8xtb/lHgT70Aif7PI2mFF79BH7OVus+yC9F449Qr5LeKyoKAFLR1YYan90kBxXKa32ZNKruzguAsddW9KT8DCIdLDuUyM8KyPi8u1X1XEKuTSd/MKcjfzjRQuILMhu20oPeyk7WJjbGDKF1k1Dvjh7AUC6BtOuuX4WKFdckV47kQOC/03WImSulqKlpZWUX8xjP2HZbjzzMOdYyPld6K7ETaiZk/WGlSGxnzbw5P4L9hz/Q0MlA5zuTl4Rd8psTDxvL5dPQ7GbL1GOfViL1fz+GQPeoRPIPRYIGDiWYwuqfaPYtR5TEWGvEh4h0bekO31ahpZdgyGcn2/kAXXtILv5w1eCtk0B3ZIoQxZCPo/C9CXoCV+LgsPW3bJnTHwUah7cy7odrsyEeeX5C5arAY4s
+    gitlab-ssh-key: AgBOg3sj4PYdQRvGEISHOUQVRa1FSEX+oiILWWrvGGUZ5jKrcCX+7vNKJZx/9MQIkMhZGFfkfvCyUjcu7ztehdfljnIZMdnkC3JvYp4l8AmGJhC6S3rJwHbQZaAiv+zWTrHHLztGI5rm9CnhzzLM5eAdWrFy8lPYoF89dzQuRrJgNQ/7eDpfEhtfXVQkNO/pzLTBTlQ4vBjj/eC3d34SuYygfmUXmmJvYMrw/3NsRFOBiUQiywU+m13VA2l+xRG9CNSBMxktyLj1oW7MKLFuIRb0Jnv5hOg6rBoXhRATaHeTj2n4VNr4ztbZtSeq2k/ZL1bgk7nppfSIc/K8crpBXApQBHkORjQnhnGGWSZqii5LC7sU0tRQOUu0987xAtO6V/EvpAa+ZsthhGyCv1E7VK/NemFVHipf+2cO39y7AC5Xk6wUn+FpW18yWPpPofylvIdLjmh5qDlqKPx8ZLgcwx+/1IHjmod7iSKHFw8wWQgX8W0NmAjqWmblHaCoXLrqEEOvQIyT0LH7+VjRJtprEnyPUFTAy75Kk6VFa3UkBkzorsdGw7R2vhEVVzV/WnZSY7rAL//CLdiXP/ut/tf8aHj4A1zezSRo3nm7lXl7DfCa9NAUNg+Y20AGpNKKAGmWRwAcxw92jmK09lrWVmFxAxRoxz3HexzpAvJxb2YEU9/C4gkP0+OYZ1pqKQI+UfISjrzNco3eYWXX9rrTEYqrcHu/FCRKTGp2oKndsAH5ehPONo8nV23uatUS7uhBfZCF0MfqZrfLaPhCMxiMlvuVtFc1WmtzJ4NwxoaBXhrtYgwVP+k2nPXEVYvbwNNG7/1UdGdgdJMhJmvkoPgwXbRF9PddI+9tm4jAp6fXj837yAeVA5Je/kNdXhlw4LmADm7J5E1jNIDMJg6MqGAOZ1aNJypb+YVZ/pbULTUnP963jlzzp1FFuHT/CnaB14/MeXWYCBtqUHiQ5pExxSxgaI4Fjm63loQSEaDiO3+PkghsNWkNQ10liFznAGSoABfiIaOcadnBWsI2zJ+bE1ST2U8mVF2ClvzloJ8lk23p3MvstuliEQqRlKLDWPERAEBIljd5GtQBH2LVq7FsKoHWIqLSXjdUxNE13ns+ngDwCIA5snoKyqxec9IJLpBaTMnyDStMdLbxwuE6PJRVYOoktTa+OV1Ja6yBYmyjAQG5hzJMxY1FBQZTSUlB5K029sT5s35o8aRrpiwatcQLKZuKqw6SI0wtSgKIkL5f3BnuwGeUfeUPveW0IAxHH0dUbQEZkNyqjgQbVq6Oui4LGp9ZLgFLpNYmVC0O62y1cOtJmmo5jztPJS+zJ0zJKbgArKUgsZa7+9BVJefTTmY43C1TttFbVQhg5+O0KY9xuoxfxY6y4tWjuTm3fK3l5e/UrA+8SR+PX0CWm2puADR7eNyvWK1YmogNOf//FA==
+  template:
+    metadata:
+      annotations:
+        kustomize.toolkit.fluxcd.io/reconcile: disabled
+        sealedsecrets.bitnami.com/managed: "true"

k8s/production/custom/gitlab-api-scrape/sealed-secrets.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitlab-api-scrape
+  namespace: custom
+spec:
+  encryptedData:
+    # gitlab access token (get from https://gitlab.spack.io/spack/spack/-/settings/access_tokens)
+    gitlab-private-token: AgAR18Q8wtEw8j6tfCilT9YugOOB2ensYNh+L81QWEgQ8HVmXw5IX+NtEZXuEV9IqxxHi9bF09paEryXot8I5r4Ddi3OQNsJZ4Z9MGgbAZuUeF11PN/dB3l1KN0eODG5GI5BkbEMtTGIrTDfZz7K4RSwDAKgFvk/Cufe7Agwk9hAl2bTlDOLTpL6hAvMmHQwDkCRSXqpHQhkFxL0xxhsxVOWrNZnDIMftpFe2qmSk5TkjF1L+C86ichw5g+6GsyrrkRes6lG1jYN5ADVXRn3NllEl5d51ViKaggjve5EwN1J0DSxpDpxiKTy3WjPxJzaDUkTzWNUr3/f1ypKCfPCeVJe3ERXe/hfyKlHnVHrLTatxHXRZ8YJwxq6vUAEdGdoDzLaTtT5QfiyWbHa0ZUvWznBvCwIhQEzrSlOZBdLyRDToOCfP2mB1Al+y4uobu0N3BBVUmHkfoW7WMwliSrFW+VRowG/QvL800pCbjLpoE/reYzcW2tJwMq5BZkomZvTBVne2fpqU65MufWTX2yRL695ojcs3g9ZSY9yn3N5IV7R7q+TJgCxbyIJGfhP7o35hPFLE+3Yejk1rJR3YEPGb5VZHtag40cLX+NEXL9N0jRffi4HPKhBvt7ldImbTdkRymeluLdZZRiTKeb6YBGkt5K3CTHqB6sSCEPz84eHWX0mONGk0zD6H490ND+TVaWHHuhTYHdGuuRdHMjOGjJNTprESoBBu8dkvRdlTQ==
+  template:
+    metadata:
+      annotations:
+        kustomize.toolkit.fluxcd.io/reconcile: disabled
+        sealedsecrets.bitnami.com/managed: "true"

k8s/production/custom/gitlab-error-processor/sealed-secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitlab-error-processor
+  namespace: custom
+spec:
+  encryptedData:
+    # GitLab personal access token with read access to spack/spack repo
+    gitlab-token: AgAoSAnNd5m/Nr8bWWHgvDDS1Kfr0LFXv1q3tvVtCMwpQw0ZtRd4toTiC7gKYZqJq1YHq/7ajpSXPXnb503fO1dnm/N+zsKpNNCAFijvg0RA0WYQQxIGADVl9GeE4k0MCRewLSbIyjgLPWMhizHJjSNBHFygSyqW/OGn23GseYByt20wJ/jd284gCqjgP51CB6/kk6LD5zeQPmswL4HaPoi2+/oEoJuzDKwsNouAwCl2XsTEqAL/aduXvdxo9GnbOtlUpszSDAGbsLRbrRMMtTIPmZZmLEEDw8zrI6qunQJUuCCZnGMQkSJuEvh+uJQM/z7dZ5Cv6PH7nVEN2uNAIEhLDb6UVRj5R/SUXo9GciwVZqUkZImtSedVDSkCgsxIo07ae+0Z+Y0KsC0I2q9XuzwjwOHx8nQhPz2SOqjnIMTuyuG0jwoM5+mBSql1jv+wOAlr+NjGE2YyndS9NC1fb2M59a3Na6kqOzx8yfz450btPJGdc7zRA/OPwA9LZ4NE/y/sMiz2pFR7u35KuQlxt8g1jcxjJF64c9a4euyHWlyF7c0QNZwb3kMWr4hKMjezgL8eCvoPjzx3obxtzpIblLOp0UXN88ZFQZjjndFT0T4FB5xMGfrBv8Ai0U5ohYimZxrPuFspFhnJIStbtjcWbl5DKAqtJ3atwHxc9lS05Zq6lFMlBvsxT9Q6aYfK5EyZBiaZ+0821NM/dEnhuee/6CGHFXddMgFWJ0qJfg==
+    # The endpoint of the opensearch API. Should be the same as the "host" from k8s/logging/secrets.yaml
+    opensearch-endpoint: AgBfmzIyNATaOQNTY3lwA8dJoPXDb5jKJOJRf8vvPLKGGGmCzBNXngP2r3KBya3zpKpd0pcMfmQALR/GbbcdqdwhuaqrJmKTnBNWtBEhndxglaLotoYGeFg4+DGYGvXF7j8DJXEyl/Efmm+90ubk/XIobGr8m2AxXwAK4T2d5L3zuZXLfR2ol8NTXejzoCyQa9DwxGWJeYn0hJLy4kKwW450ucYndhJvSkfvOsQSKO3vrnZRYN5qUMuURv/yX4lKwXG7RwDbFbw+39knQ/hRn4Ts/IxAiRKlRyYzKfY0ZrziP49OT9+PaKJ5A7XSF63LBE9Pkx55KrAChVBwZb6dOK90pDdJ4nmT0nvm3ggBxkRqHQl+Abdf0/q3H2HZ//cprwh5tUEIxU6H1PLJeY3gVd/xqviG1rrOyqrCggmol93RJN6GCji9dRJP3mhT5f6YFyeHOLOXZ8Gv7pTEMGFohnquTJ9hQ87l4VOY+zs5Oe3EZ9KxUXgdFBMlSncmkYWsqcs/2ckctbKDh4C6B9dbdoqx6ZAzZsQG/i5cexpHp6C36ECUyatBCAXP41myC84KHImQS3IJonMNt54DmiVLUyVDbhdfPw4XgFIW93S3e1xbRbh3XOPzLggy1Sn5rU3Hx1IWgfZn7ePq5YX1apo2nvxQdrsZFWPVi5opO1m/2JlpEZyNpUjPhmJ/3RewqV06uVLfgLiNQInm7uPdScV2F56rla+wIIbbj4gMaYltXNu7XzQ7Erihu/n+sBFAiGb78QYUT27mUu3UQLm4tsRXjyXKNZJqiw5zyTDYEg==
+    # Password for the admin account of the OpenSearch cluster. Set using the AWS console.
+    opensearch-password: AgA2I8GIFNDKJuFwTa/kLnMYRJMUsTdOyGui7xzZIswxsTRuPYZJeqxIN7Zq2uOENa6H/diAV0QF8aQhieopMI7JLFTzky3nrjaI86Wsj8JbfbdPA1VSaiovHXQDKDioru21gR2oUI70j+o8gp9kdmL7DYhATZlU5Ix1T1BZXG4f5ZmZBUcL2V731+Se0UFqVoQNLMf7LOLuZwMNpfIVyZ0q7d+HHxoYvpxKI94tj3V8v1r+Takj4Rc9aLffwIym98duhXseVx3fkkcPvrZIxj0AADgfAuMtsSOVnVuR0wqm0MIrUYDo261jwsvmPn167bD3VLMF5qaNBD5RFYZ+JwbRKlytn+NpBN+/Nzk7oEjTB5VX9VIOEDsllhTFrCraIGTxQZD7TONPoxGhGzJvxsN/5zYtKGmsZg6tYhh76nD6RYGF23ixgu5hJ7wYx0Q101mUL/FSJrM/207MgNbrRt1HCw40fJZRyrFkEQxzJXFhVUVVjRslH46lEnNtxA9BNMxdJa1+vAW8r73UJgFSSRICjgSCNYORx8m/+iNOShjrKx4eEM+dWs6/gNnvYN1doj574ZxKULjRI7lGJWQEFI+gXs+zDNy8N0GU2rXeqrlGENyo0c+lBg94x6CGrerk8CLnMJ+0yn7XM9UgdN1bfvkm2VkZsudvS/uLV9cspgeEgo26fALl+QelBxJhbTcgoFtO4UXV87TaqDUGBfSjUhAbzxQVOnuf1m4qdtZl54KOW/O/cJhRwSNLgneUz/fckwRKPysWq/zpfpMSq+0OOZC4
+    # Admin user name for the OpenSearch cluster. Set using the AWS console.
+    opensearch-username: AgAF1yT2IDAVwzdxDQlTwkAx7P42NTNpyHOQYiXpxNhcPVEz+49zU9lOUTZY4W/X3NO1wgiQXKbntOX7cD2+EabkBYN3Oj/uujZTLgnnJoOYYQ0I//OgHgnx37SjfMV7+7pbdx7HTS85U2yQ7xfS9x1jsxjzLOjGTLCF5ymFVf4RxWEmqR0z7LnhQcRh6esNEUrjMbs+S1uQ/ZWvFJ3WMkuRntMKt2MI4cRKvZMRrXXwnOoCUn1vUWYU1sLQTFQFHvO8FCWfm1sfuIRv144odXf7K+ADoQe1pnlLkG8tUfau/qgKEU610W+vQMFRrLLiUg33NNVO2ZX47xxzRrVUwHzgkmDgefqDtxhOW8MkTny3YjeOteeM/yVQseW5S1/exGzJE1vqxfziyegivU+Wzkfp6obTFN3PL4urj33oSTPXvFDXmq6Nf3twvNMqsI0ccu1SiMUvBjJXTLRp6ReWm+vKJDiNU185WNiyjX8jQxM7sVNLzVLVyQW0ZOFEFJxIZXfi8icmzgSvpsS9pKdsnBC/PD+944LUXWG9zeJOiPFSIOvSDw1a7VRALVcZ4sPrXilJLZ4++8UMqDIy56VABg7/c19DxD0xNPdnbhfSHeN7JeNiF2fXcAdqPHeNDbh8SgBctgVD32i7cs2ZgorY10Y9zJSc/Jlcp1mox/XksTtclW6FpH8xk7uBA71ckVri0PesR0MAyg==
+    # The host for the gitlab RDS instance
+    postgresql-gitlab-host: AgAfh3iyCm+WsOgrm/iLkRE+fIcwuEHUvQ8aGXZjOZTmG87uuXTSd0vO0yBIBmJB1QVE4UD/10sWvPa2wKqF/KJ8Va2qpV6aUPSNxGIiJJe9+mFFyLfdN2gt4VZXahUHmVMElOWGhhKJGlTKkG1Uzxcg4CWUtIIyhJ3yG074q7J8T9s3YwB+UALdoita+hbC1wM2BHMNEPpLTvqayEKG7RI1ZLKFJtUayo7w0pArUsxxr1pysKoG7fMDepbrjRj0UBiB//e11jdFQgYVpjrex4LEkXmXpIqjPUysn9fxGbuQNDterAxLHKD04afv5Lf0fjrmZVc34RHrAYIkfySf0cCBfqYUFQhwveyN6PYBm4TQv5TtXXCYX7iw2IHX2XtlgtBNpgu6fQOGwltDp/KZjXQalmdKorDtdFtYz64LJDaSSV352MO7+0YeO9wdnZUd99cA6PwRnjJT36+uLYkecs/ag7OD54wEAB6H/U8H8uXpzcoFUqut9nwJqZZgsoox21hLCapdrhtn0dyhI0f2AY8um34F4mUsX6har7iRxgN+vUcPuwFD0O7aa5iUv0lYoYtEQS++0AkKtmYYVM3UEXEHSHPNaLDHRLAD0ssoyTrAzTkImRjKnkXd83EBamR9ZpCWJzzLl6sLQmJGI+x/c/gtmGUS0uvT2N5wxGPN+xIF29Xvc+cvVffrfuG8La9Iz0pE2IfEYSxoUFJIqq/DQvKm3Xgu6wXHr4YBWVU5wWDQuv2AeJRCJ20vnJIbFd5Js0xxtinJQuAcrjdO
+    # The password for the read-only user on the gitlab RDS instance
+    postgresql-gitlab-ro-user-password: AgBZIPLg2SgyCOwzO99eiXk4IX3uN8JOIt/kHL0w7sCBSy1V7VmfakIzJh8jcNpxMZG8PPsrO5pk/ST8kvRwzywnHh81igoO6oKE1meG7H/9Ht05WyIDqf2lAyArbxodmLOe306VGbUAQlmWkVncBhTlRGIW3QUd8uUjm79YZ8cy+h3HLcHuh9BEenmrfZBn+gU7uOeNNL+izk3QNlIufqBevdV9YuHIIu0SkTHrE1/Q9B+puKDVpa46yfsVTSmjr4fv2LGXZG5uaXWL+Q4eETPYDiJdgNqbuvwn1S1Z7lplFsz0di/Rvfc10tM+YjWWju9Xr07tTSUybkNJPoU4lKxg84v2jTHmNRK3+TJGOOo9FlDJ0Rw6RINdsDf94tyPMdpFZCeeArEyS0SRwOsMb93VfEeCHjw5xysUF4xyQeczfaLf5obkzHDMSs61YpIFk/e19tZikmSCcg4EX066WBkgP7m8Hso15dADJNQhv2NJ856n8l3nUEyl8YpbXXhRdBUvQ/bRCvZTng+7Eb3Ah5wvZeCggsoc2xg42oQcA6k4h8xFPf/9BTSzrryxYel14jjjGxCw+C8sfjW6JzhBEt+dKpsKCnBE5XPFo77N/jChNJADGF9sC+WUU/Qw0gAJxGzAU34ABaaO4ve+TB3SQT+IXG49RCMTkuO2cIbBqPn4k9GYayGwkL//fatBeNVSLtWmbTMx6JMKJg/8yNzLSI3QDWwavLt/uuNUB+C86k2S1hnvNNoBOKdkQJ6tE+fGpO/dqQCoKfCo16wQphI9Kf23
+  template:
+    metadata:
+      annotations:
+        kustomize.toolkit.fluxcd.io/reconcile: disabled
+        sealedsecrets.bitnami.com/managed: "true"