From 7dfeda268eae7a9c2d9949c58ca39041b5eb6ec3 Mon Sep 17 00:00:00 2001
From: Florian RICHER
Date: Tue, 17 Jun 2025 12:05:51 +0200
Subject: [PATCH] Update example conf for supabase to use dedicated secret
---
 sealed_secrets/README.md | 14 +++++++++++++-
 supabase/README.md | 6 ++++++
 supabase/src-secret.yaml | 29 +++++++++++++++++++++++++++++
 supabase/values.yaml | 40 +++++++++++++++++++++++----------------
 4 files changed, 71 insertions(+), 18 deletions(-)
 create mode 100644 supabase/src-secret.yaml
diff --git a/sealed_secrets/README.md b/sealed_secrets/README.md
index ffa9ff6..6809241 100644
--- a/sealed_secrets/README.md
+++ b/sealed_secrets/README.md
@@ -7,7 +7,7 @@ helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
 ```
 ```console
-helm install sealed-secrets sealed-secrets/sealed-secrets -f helm/values
+helm install sealed-secrets sealed-secrets/sealed-secrets -f helm/values.yml
 ```
 2. Create a secret
@@ -29,12 +29,24 @@ echo -n "MySecret" | kubeseal --raw --name \
 -n
 ```
+OR
+
+```
+cat | kubeseal -n -o yaml
+```
+
 3. Validate encrypted data
 ```
 cat | kubeseal --validate --controller-name=sealed-secrets --controller-namespace=
 ```
+OR
+
+```
+kubectl kustomize | yq '. | select(.kind == "SealedSecret")' --yaml-output | kubeseal --validate --controller-name=sealed-secrets --controller-namespace=
+```
+
 4. Check status of sealed secret
 ```
diff --git a/supabase/README.md b/supabase/README.md
index 66395a3..512d722 100644
--- a/supabase/README.md
+++ b/supabase/README.md
@@ -8,6 +8,12 @@ git clone https://github.com/supabase-community/supabase-kubernetes
 ```
+2. Create secret
+
+```
+cat src-secret.yaml | kubeseal -o yaml --controller-name=sealed-secrets --controller-namespace=default | kubectl apply -f -
+```
+
 2. Install Supabase
 ```
diff --git a/supabase/src-secret.yaml b/supabase/src-secret.yaml
new file mode 100644
index 0000000..9ee90c1
--- /dev/null
+++ b/supabase/src-secret.yaml
@@ -0,0 +1,29 @@
+# The secrets it's just for testing, it's not used in production
+apiVersion: v1
+kind: Secret
+metadata:
+ name: supabase-app-secret
+type: Opaque
+data:
+ # WyXn60h#H1FlK%;&UDAj"BjAZuEC.=s\zwJ>n`~JHs)NM`bYc10PDe.&b>K>$+nQg.)Z>X@*n]bkQ=NA6#J=@as+9g]^'009_xqb
+ ANALYTICS_API_KEY: V3lYbjYwaCNIMUZsSyU7JlVEQWoiQmpBWnVFQy49c1x6d0o+bmB+SkhzKU5NYGJZYzEwUERlLiZiPks+JCtuUWcuKVo+WEAqbl1ia1E9TkE2I0o9QGFzKzlnXV4nMDA5X3hxYg==
+ # supabase
+ DASHBOARD_USERNAME: c3VwYWJhc2U=
+ # *Q2tYxC`Y2G0;qlU#8Y$z?r`9[[MGr"t
+ DASHBOARD_PASSWORD: KlEydFl4Q2BZMkcwO3FsVSM4WSR6P3JgOVtbTUdyInQ=
+ # postgres
+ DATABASE_NAME: cG9zdGdyZXM=
+ # postgres
+ DATABASE_USERNAME: cG9zdGdyZXM=
+ # o"D?"Kz&OZd=PkDwK{RhKO"m+@4V?t#2
+ DATABASE_PASSWORD: byJEPyJLeiZPWmQ9UGtEd0t7UmhLTyJtK0A0Vj90IzI=
+ # eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE
+ JWT_ANON_KEY: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5QWdDaUFnSUNBaWNtOXNaU0k2SUNKaGJtOXVJaXdLSUNBZ0lDSnBjM01pT2lBaWMzVndZV0poYzJVdFpHVnRieUlzQ2lBZ0lDQWlhV0YwSWpvZ01UWTBNVGMyT1RJd01Dd0tJQ0FnSUNKbGVIQWlPaUF4TnprNU5UTTFOakF3Q24wLmRjX1g1aVJfVlBfcVQwenNpeWpfSV9PWjJUOUZ0UlUyQkJOV044QnU0R0U=
+ # eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q
+ JWT_SERVICE_KEY: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5QWdDaUFnSUNBaWNtOXNaU0k2SUNKelpYSjJhV05sWDNKdmJHVWlMQW9nSUNBZ0ltbHpjeUk2SUNKemRYQmhZbUZ6WlMxa1pXMXZJaXdLSUNBZ0lDSnBZWFFpT2lBeE5qUXhOelk1TWpBd0xBb2dJQ0FnSW1WNGNDSTZJREUzT1RrMU16VTJNREFLZlEuRGFZbE5Fb1VyckVuMklnN3RxaWJTLVBISzV2Z3VzYmNibzdYMzZYVnQ0UQ==
+ # 9`JVAG$EN]3aXAv%C#"nz$iE`tmI)?38
+ JWT_SECRET: OWBKVkFHJEVOXTNhWEF2JUMjIm56JGlFYHRtSSk/Mzg=
+ # contact@example.com
+ SMTP_USERNAME: Y29udGFjdEBleGFtcGxlLmNvbQ==
+ # ;|[ot!`QREZM#.R2i2hLae=+vsUP!G$g
+ SMTP_PASSWORD: O3xbb3QhYFFSRVpNIy5SMmkyaExhZT0rdnNVUCFHJGc=
diff --git a/supabase/values.yaml b/supabase/values.yaml
index c8f46e0..8708841 100644
--- a/supabase/values.yaml
+++ b/supabase/values.yaml
@@ -1,20 +1,30 @@
 secret:
 jwt:
- anonKey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE
- serviceKey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q
- secret: your-super-secret-jwt-token-with-at-least-32-characters-long
+ secretRef: "supabase-app-secret"
+ secretRefKey:
+ anonKey: JWT_ANON_KEY
+ serviceKey: JWT_SERVICE_KEY
+ secret: JWT_SECRET
 smtp:
- username: your-mail@example.com
- password: example123456
+ secretRef: "supabase-app-secret"
+ secretRefKey:
+ username: SMTP_USERNAME
+ password: SMTP_PASSWORD
 dashboard:
- username: supabase
- password: this_password_is_insecure_and_should_be_updated
+ secretRef: "supabase-app-secret"
+ secretRefKey:
+ username: DASHBOARD_USERNAME
+ password: DASHBOARD_PASSWORD
 db:
- username: postgres
- password: example123456
- database: postgres
+ secretRef: "supabase-app-secret"
+ secretRefKey:
+ username: DATABASE_USERNAME
+ password: DATABASE_PASSWORD
+ database: DATABASE_NAME
 analytics:
- apiKey: your-super-secret-and-long-logflare-key
+ secretRef: "supabase-app-secret"
+ secretRefKey:
+ apiKey: ANALYTICS_API_KEY
 db:
 enabled: true
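Review bot: JWT_ANON_KEY and JWT_SERVICE_KEY are the same two tokens this commit removes from values.yaml, where they sat next to a different signing secret (`your-super-secret-jwt-token-with-at-least-32-characters-long`), while JWT_SECRET is now a new value; unless those tokens were re-signed under the new secret, the services verifying them will reject them with signature errors (inferred — the page does not show how the tokens were produced). Second, this file is the unsealed source of the Secret: base64 is an encoding, not encryption, and each value is additionally spelled out in plaintext in the comment above it, so committing it puts every credential into git history even though the README only applies the kubeseal output. Keep the source file out of version control (ignore it and commit only the SealedSecret), drop the plaintext comments, and treat the values already pushed as disclosed and rotate them; the header comment says they are test-only, which limits but does not remove the concern. If the file is meant to stay as an example, replace the values with obvious placeholder strings rather than real-looking random secrets, and reword the header to `# Example only: never commit a real unsealed Secret; run this file through kubeseal and commit the SealedSecret output instead`.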
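Review bot: Every `secretRef: "supabase-app-secret"` in this hunk makes the release depend on a Secret the chart does not create, and nothing in values.yaml records that dependency, so an install on a fresh cluster, or in a namespace other than the one the README's `kubectl apply` lands in, presumably fails only when pods start and cannot resolve the referenced keys. Add a comment above `secret:` such as `# All secretRef entries point at the Secret built from src-secret.yaml (kubeseal step in supabase/README.md); it must exist in the release namespace before install.`. The second hunk of this file (`@@ -50,12 +60,8 @@`) removes GOTRUE_SMTP_HOST/PORT and disables external email while `secret.smtp.secretRefKey` here still points at SMTP_USERNAME/SMTP_PASSWORD, leaving SMTP credentials provisioned with no server configured to use them; either drop the smtp stanza from both files or keep the SMTP host settings so the two files agree.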
@@ -50,12 +60,8 @@ auth:
 environment:
 API_EXTERNAL_URL: http://example.com
 GOTRUE_SITE_URL: http://example.com
- GOTRUE_EXTERNAL_EMAIL_ENABLED: "true"
- GOTRUE_MAILER_AUTOCONFIRM: "true"
- GOTRUE_SMTP_ADMIN_EMAIL: "your-mail@example.com"
- GOTRUE_SMTP_HOST: "smtp.example.com"
- GOTRUE_SMTP_PORT: "587"
- GOTRUE_SMTP_SENDER_NAME: "your-mail@example.com"
+ GOTRUE_EXTERNAL_EMAIL_ENABLED: "false"
+ GOTRUE_MAILER_AUTOCONFIRM: "false"
 rest:
 image: