From 07e2602bd104265bdc354f7bc826ed261fae264c Mon Sep 17 00:00:00 2001
From: Edward Cheng
Date: Mon, 10 Jun 2024 16:29:31 +1000
Subject: [PATCH] Use gpg to encrypt the cert-manager-secrets

---
 .sops.yaml | 2 +-
 .../app/cert-manager-secrets.yaml | 55 +++++++++++--------
 .../apps/cert-manager/cert-manager.yaml | 2 +-
 3 files changed, 35 insertions(+), 24 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 132ff53..fdffc81 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,4 @@
 creation_rules:
 - path_regex: \.ya?ml$
 encrypted_regex: ^(data|stringData)$
- age: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
+ pgp: 6CEA91DDB1964869C94DCEC7AF6E3BB1B44F669B
diff --git a/kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml b/kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml
index dccef40..91a6680 100644
--- a/kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml
+++ b/kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml
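Review bot: The new creation rule names a single PGP fingerprint and no second recipient, so every file matched by `\.ya?ml$` becomes unrecoverable if that one private key is lost, expires or is revoked; sops accepts a comma-separated list here, e.g. `pgp: 6CEA91DDB1964869C94DCEC7AF6E3BB1B44F669B,<backup-fingerprint>`, which is the usual way to keep a recovery key. Nothing records whose key this is or where its private half lives; a comment above the line such as `# GPG key whose private half is held in the Flux sops-pgp Secret` would help the next maintainer. Because the age recipient was replaced rather than kept alongside, any other file matched by this rule that was encrypted before this commit must be re-keyed (`sops updatekeys`) before the age key is retired — only the cert-manager secrets file is re-encrypted in this patch.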
@@ -1,28 +1,39 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: cert-manager-secrets
+ name: cert-manager-secrets
 type: Opaque
 stringData:
- email: ENC[AES256_GCM,data:Xw/DA/QTahksfab9o/XImDyJiQ==,iv:SUGIiGcRNW3pTWIlyndKaY2gkLNPpbL76/TOdgqcFF8=,tag:6Z1P6XM0tBLiGs8N0zVoQw==,type:str]
- cert-manager-dns01: ENC[AES256_GCM,data:g5UrPhYrktJgDw8LONrvm3h/UktN9UKVj8x7mGLSnhiefjT85sS5yg==,iv:BsDhztKm97ASx4TIun0Wb8u5LHdurD8cPjI9quaHIik=,tag:e8k26dyJPxkdLXeWwTLgVw==,type:str]
+ email: ENC[AES256_GCM,data:4yYrxxURWxhSPzDr5JCXQ6aipg==,iv:lLJTPVCZkD+GYU9j5zcYwHOjILqSNO4MqB4wSzFwFA0=,tag:gAwdnDMcZTOVYZedXSzZww==,type:str]
+ cert-manager-dns01: ENC[AES256_GCM,data:8i+sGAKVXScv9qH9J37r6ahp+qIQlGS+JT3ki8al6MZCGkCIsKyrWg==,iv:z7odOx8pokcgSoE9PUt41KxRo+O+HukjSjKna/bVnRg=,tag:hBXit0BxbBYVnJ4f1NJpgA==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZHZoMEZwdmhCRFdtc2Zk
- Rm1ZTWloQkJpVWpUeTdqMTJvZDcrOENpYjFJCmQwNWk5emNyaGpweXZyNEZyWnFv
- RU5mQ2dUSjBQbHBQY3B5SkxWZUdESk0KLS0tIDQwWm5BVStDM2REb1lES3VhODRr
- aG5mUXBRTlJwMVdiZTF1N2krczMrSDgKLsi0MxNuhDarP4jUGoZzsr/d4ImHOEAR
- Yj/WU7xy/LUY1JEhPLrByuUj0i0N127EmLdBQ8KN47xAdsa69t0y/Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-10T02:25:43Z"
- mac: ENC[AES256_GCM,data:8VdnAOpbpEBGjnGR1x2wejQ/zv8Q9IHZiawKGFS4wvrBt3e9Jb1d1Eiwv59ix0BnswJLPPoZiiYXcYy8DBYRAilaQ/URxFTzP1o0QlAoadUab84NEn0ysYoRz22pQ6fdZXFkZithQD81Le37tI8gkcddP0PsPg/6LfkaPHsLQgs=,iv:/EzcGl8quaMZwUcDO+hSnnhrnNLExllB5Ly+Y4n9jZY=,tag:Hery5vjzHXuYaAAweMjwvg==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.8.1
\ No newline at end of file
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-06-10T06:28:00Z"
+ mac:
ENC[AES256_GCM,data:GGiFM5tkN3G+zbn0hmu3uLK9PYuWSW/SoDyqP18ci6K/BXeWBeWIgKbB1NSnwZuCAdze6vFtoEN9pvdcJaO5Jq6d+XF1Ky3Intcg7I+K0Chzrj9jrGNZ3D4tb8ZPffMXOemSqrYdU7hlcNZ8pCRi2LfIuAuDTRP5Sid050edIRs=,iv:sEkzsO0wqRRlfJMuOd8HJHXNTfJFrw1VZXRiIaEblNI=,tag:uSrBP0GQMOOZQXIhKUJZBQ==,type:str]
+ pgp:
+ - created_at: "2024-06-10T06:28:00Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzYPaSpJSocKARAAg2VRKoT7Vrmm/3RoSkj68oWuTg8WQ4VHk1wzELG45b/o
+ mnmHwEN1AiqLQq/NxTN0/0SJTD5AJwdUS+Ps8Tet3I6UxcPdXEEP4MdSRwMzlWsP
+ VFT4WCAdth1nhHj41UhLDqIgKg8scoKD5TE3mt7W51wYpN20xo60UnkMUFKjtHTU
+ /gJe0VY3MXkhziExOq6Wx8ZlU+2XXEACaq6O4st6RIdeBJSxmsb+rkpcFfhbkley
+ V0tVx3KLVo4R1VC/V4vr/tP8dp503150Us18oXTiVU88dvttwz2Vc7dD5sifIoKh
+ yz5WsPMFhC63aXHNLC7x+QcNgb+uD9MDQCuEyxFSLBZ3ZHOMCnrfCCkdIxh4rmuz
+ OgJd4SHYiCTSzBa8OETw6v0ag0GG8GtJ6ApKNWEU4Y06iMCY2peDsUUmu9/QXiGf
+ Z/xv9Z+xwOXaDJUN6/4kl9FU9FSQ+P208aHT04i8A9Nw7OmbrMPzZf9gzRjfUldS
+ ++XSmTKDhe7/SHRET+wQj2nwbi3B+QQAZrKKHfn5d0hXm32LADsZ1u+UWLVMBWc4
+ kXmjO2WnknOO7giPb95cGRF7LGepRn0I+Jl+l3d77M+RZ4xYPKtGkrIu+ipljHeS
+ ichpt/wvdP+cupyoE4A8OgxRwpoAv1jENRV8agueyY4J2MHMEW8YLmRX11b+lYLS
+ XgGrYNlK+BZNjOmQkTO8bjXt//uV7hc1kgqFspx5UWLRAleeylyw27+srQXHhwct
+ brMmGKDonTag8frdCAzs9roTykkYxHyoq4mBAakUYFReO9x3ia6UykLOO0dRSO8=
+ =WgIw
+ -----END PGP MESSAGE-----
+ fp: 6CEA91DDB1964869C94DCEC7AF6E3BB1B44F669B
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/apps/cert-manager/cert-manager.yaml b/kubernetes/apps/cert-manager/cert-manager.yaml
index 867c17d..32eac01 100644
--- a/kubernetes/apps/cert-manager/cert-manager.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager.yaml
@@ -14,7 +14,7 @@ spec:
 decryption:
 provider: sops
 secretRef:
- name: sops-age
+ name: sops-pgp
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
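Review bot: Re-encrypting `email` and `cert-manager-dns01` under the new recipient does not remove the previous ciphertext from git history, and the removed age recipient block still decrypts that earlier revision, so whoever holds the age private key keeps access to the current values of both fields. If the move to PGP was prompted by a compromised, shared or retired age key, the underlying DNS01 credential should be rotated at the provider and this file re-encrypted with the new value, not merely re-keyed. The hunk is otherwise consistent: `age: []` plus a single `pgp` entry whose `fp` matches the fingerprint now in `.sops.yaml`, and `lastmodified`/`mac` were regenerated rather than carried over.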
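Review bot: `secretRef.name: sops-pgp` points Flux at a Secret this commit does not create; until a Secret of that name holding the exported private key exists in this Kustomization's namespace, reconciliation of the cert-manager Kustomization will fail at decryption of the secrets file, and the old `sops-age` Secret can no longer help because the age recipient was dropped from the file. A comment next to the reference would make the out-of-band dependency visible, e.g. `# holds the private key for the fingerprint in .sops.yaml; created manually, must exist before reconciliation`. The `spec` block this line belongs to starts before the hunk.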