provisioning/config/templates/secure.yaml.example
Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


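---
# Secure Configuration Template
# This file demonstrates which fields should be encrypted
#
# Every sample value below is a placeholder (the AWS pair is the public AWS
# documentation example); replace all of them. Never put real secrets in
# this .example file.
#
# Usage:
# 1. Copy this file: cp secure.yaml.example secure.yaml
# 2. Fill in your actual secrets
# 3. Encrypt: provisioning config encrypt secure.yaml --in-place
# 4. Verify: provisioning config is-encrypted secure.yaml
#
# How SOPS treats this file: every value is encrypted, including the ones
# marked "not sensitive" below, unless its key name ends with the configured
# unencrypted_suffix (default: _unencrypted, see the metadata section at the
# bottom). Keys and structure stay in plain text, so key names must not
# themselves reveal secrets.

# ============================================================================
# Cloud Provider Credentials (ENCRYPT THIS FILE!)
# ============================================================================
providers:
  aws:
    # AWS credentials (SENSITIVE - must be encrypted)
    access_key_id: "AKIAIOSFODNN7EXAMPLE"
    secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    session_token: ""  # Optional for temporary credentials
    region: "us-east-1"
    # KMS key for SOPS encryption (not sensitive). Note that SOPS still
    # encrypts this value with the rest of the file; it only stays plain if
    # the key name carries the _unencrypted suffix.
    kms_key_arn: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
  upcloud:
    # UpCloud credentials (SENSITIVE - must be encrypted)
    username: "your-upcloud-username"
    password: "your-upcloud-password"
    zone: "de-fra1"
  local:
    # SSH key locations for local provider (SENSITIVE - must be encrypted).
    # These are paths, not key material: encrypting this file does not
    # protect the key files themselves, which still rely on filesystem
    # permissions.
    ssh_private_key_path: "/home/user/.ssh/id_rsa"
    ssh_public_key_path: "/home/user/.ssh/id_rsa.pub"

# ============================================================================
# Database Credentials (ENCRYPT THIS FILE!)
# ============================================================================
databases:
  postgres:
    host: "db.example.com"
    port: 5432
    database: "provisioning"
    # Credentials (SENSITIVE - must be encrypted)
    username: "db_admin"
    password: "SuperSecretPassword123!"
    ssl_mode: "require"
    # Connection pool settings (not sensitive)
    max_connections: 100
    min_connections: 10
  redis:
    host: "redis.example.com"
    port: 6379
    # Redis password (SENSITIVE - must be encrypted)
    password: "RedisSecretPassword456!"
    database: 0
    ssl: true

# ============================================================================
# API Keys and Tokens (ENCRYPT THIS FILE!)
# ============================================================================
api_keys:
  # GitHub API token (SENSITIVE - must be encrypted)
  github:
    token: "ghp_1234567890abcdefghijklmnopqrstuvwxyz"
  # Slack webhook (SENSITIVE - must be encrypted)
  slack:
    webhook_url: "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX"
  # Monitoring service (SENSITIVE - must be encrypted)
  datadog:
    api_key: "1234567890abcdefghijklmnopqrstuv"
    app_key: "abcdefghijklmnopqrstuvwxyz1234567890abcd"
  # Container registry (SENSITIVE - must be encrypted)
  docker_hub:
    username: "dockeruser"
    password: "DockerHubPassword789!"

# ============================================================================
# SSH Keys (ENCRYPT THIS FILE!)
# ============================================================================
ssh_keys:
  # Private SSH key (SENSITIVE - must be encrypted)
  production:
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
      ... (full private key here) ...
      -----END OPENSSH PRIVATE KEY-----
    public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... user@host"
  # Deployment key (SENSITIVE - must be encrypted)
  deployment:
    private_key: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      ... (deployment key here) ...
      -----END OPENSSH PRIVATE KEY-----

# ============================================================================
# TLS/SSL Certificates (ENCRYPT THIS FILE!)
# ============================================================================
certificates:
  # Server certificate (SENSITIVE - must be encrypted)
  server:
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWgAwIBAgIJAKL0UG+mRKtjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
      ... (full certificate here) ...
      -----END CERTIFICATE-----
    # Private key (SENSITIVE - must be encrypted)
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKj
      ... (full private key here) ...
      -----END PRIVATE KEY-----
  # CA certificate (not sensitive if public CA, but encrypt for consistency)
  ca:
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWgAwIBAgIJAKL0UG+mRKtjMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
      ... (CA certificate here) ...
      -----END CERTIFICATE-----

# ============================================================================
# OAuth/OIDC Configuration (ENCRYPT THIS FILE!)
# ============================================================================
oauth:
  google:
    # OAuth client (SENSITIVE - must be encrypted)
    client_id: "123456789012-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com"
    client_secret: "GOCSPX-abcdefghijklmnopqrstuvwxyz"
    redirect_uri: "https://app.example.com/auth/callback"
  github:
    # GitHub OAuth (SENSITIVE - must be encrypted)
    client_id: "Iv1.1234567890abcdef"
    client_secret: "1234567890abcdefghijklmnopqrstuvwxyz1234"

# ============================================================================
# Secret Keys and Salts (ENCRYPT THIS FILE!)
# ============================================================================
secrets:
  # Application secret key (SENSITIVE - must be encrypted)
  app_secret_key: "supersecretkey123456789abcdefghijklmnopqrstuvwxyz"
  # JWT signing key (SENSITIVE - must be encrypted)
  jwt_secret: "jwtsecret123456789abcdefghijklmnopqrstuvwxyz"
  # Encryption key (SENSITIVE - must be encrypted)
  encryption_key: "encryptionkey123456789abcdefghijklmnopqrstuvwxyz"
  # Password salt (SENSITIVE - must be encrypted)
  password_salt: "salt123456789abcdefghijklmnopqrstuvwxyz"

# ============================================================================
# Webhooks (ENCRYPT THIS FILE!)
# ============================================================================
webhooks:
  # Webhook secret for signature verification (SENSITIVE - must be encrypted)
  github:
    secret: "webhook_secret_github_123456789"
  gitlab:
    token: "glpat-1234567890abcdefghij"

# ============================================================================
# SOPS Metadata (automatically added after encryption)
# ============================================================================
# After encryption, SOPS will add metadata at the end:
#
# sops:
#   kms: []
#   gcp_kms: []
#   azure_kv: []
#   hc_vault: []
#   age:
#     - recipient: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
#       enc: |
#         -----BEGIN AGE ENCRYPTED FILE-----
#         ...
#         -----END AGE ENCRYPTED FILE-----
#   lastmodified: "2025-10-08T10:00:00Z"
#   mac: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
#   pgp: []
#   unencrypted_suffix: _unencrypted
#   version: 3.10.2

# ============================================================================
# Important Notes
# ============================================================================
# 1. NEVER commit this file to git without encryption!
# 2. After filling in secrets, immediately encrypt:
#      provisioning config encrypt secure.yaml --in-place
#
# 3. Verify encryption:
#      provisioning config is-encrypted secure.yaml
#
# 4. Only encrypted files with SOPS metadata are safe to commit
#
# 5. To edit encrypted file:
#      provisioning config edit-secure secure.yaml
#
# 6. File naming conventions for auto-encryption:
#      - secure.yaml (in workspace/config/)
#      - *.enc.yaml (anywhere)
#      - *credentials*.toml (in providers/)
#      - *secret*.yaml (in platform/)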