diff --git a/.sops.yaml b/.sops.yaml
index e053c26..b6de4e8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,9 @@
 creation_rules:
+  # Platform secrets
+  - path_regex: platform/.*/.*secret.*\.yaml$
+    encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key|auth|\.dockerconfigjson)$
+    age: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry
+
   # Bootstrap secrets
   - path_regex: bootstrap/.*\.yaml$
     encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key)$
diff --git a/platform/mcp-servers/Chart.yaml b/platform/mcp-servers/Chart.yaml
index 31e8ecd..5081ddd 100644
--- a/platform/mcp-servers/Chart.yaml
+++ b/platform/mcp-servers/Chart.yaml
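Review bot: The new platform rule names a single age recipient, so one private key is both the only way to read every `platform/**secret*.yaml` and the only thing an attacker needs; the bootstrap rule's recipient is outside the hunk, so I can't tell whether it is the same key. Add a second recipient (the cluster key Flux holds plus an operator/offline key) so secrets can be re-encrypted or rotated without the in-cluster key, e.g. `age: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry,age1<operator-key>`. The added `auth` and `\.dockerconfigjson` entries in `encrypted_regex` are only exercised when the parent key does not already match; for a Kubernetes Secret `data`/`stringData` matches and sops encrypts the whole subtree, so they are redundant here — harmless, but a comment saying which file layout they are for would stop someone "cleaning" them out later.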
@@ -19,61 +19,61 @@ sources:
 dependencies:
   - name: mcp-gateway
     version: "1.0.0"
-    repository: "file://../mcp-gateway"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: mcp-gateway.enabled
   - name: n8n-mcp
     version: "1.0.0"
-    repository: "file://../n8n-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: n8n-mcp.enabled
   - name: playwright-mcp
     version: "1.0.0"
-    repository: "file://../playwright-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: playwright-mcp.enabled
   - name: kubernetes-mcp
     version: "1.0.0"
-    repository: "file://../kubernetes-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: kubernetes-mcp.enabled
   - name: github-mcp
     version: "1.0.0"
-    repository: "file://../github-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: github-mcp.enabled
   - name: postgresql-mcp
     version: "1.0.0"
-    repository: "file://../postgresql-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: postgresql-mcp.enabled
   - name: sqlite-mcp
     version: "1.0.0"
-    repository: "file://../sqlite-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: sqlite-mcp.enabled
   - name: prometheus-mcp
     version: "1.0.0"
-    repository: "file://../prometheus-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: prometheus-mcp.enabled
   - name: slack-mcp
     version: "1.0.0"
-    repository: "file://../slack-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: slack-mcp.enabled
   - name: s3-mcp
     version: "1.0.0"
-    repository: "file://../s3-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: s3-mcp.enabled
   - name: filesystem-mcp
     version: "1.0.0"
-    repository: "file://../filesystem-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: filesystem-mcp.enabled
   - name: puppeteer-mcp
     version: "1.0.0"
-    repository: "file://../puppeteer-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: puppeteer-mcp.enabled
   - name: fetch-mcp
     version: "1.0.0"
-    repository: "file://../fetch-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: fetch-mcp.enabled
   - name: memory-mcp
     version: "1.0.0"
-    repository: "file://../memory-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: memory-mcp.enabled
   - name: gitea-mcp
     version: "1.0.0"
-    repository: "file://../gitea-mcp"
+    repository: "oci://images.caffeinetux.com/mcp-charts"
     condition: gitea-mcp.enabled
diff --git a/platform/mcp-servers/harbor-secret.enc.yaml b/platform/mcp-servers/harbor-secret.enc.yaml
new file mode 100644
index 0000000..43a7dc9
--- /dev/null
+++ b/platform/mcp-servers/harbor-secret.enc.yaml
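Review bot: All fifteen subcharts are now resolved by `version: "1.0.0"` from `oci://images.caffeinetux.com/mcp-charts`, and an OCI chart tag is mutable — anyone who can push to that Harbor project can replace the content behind `1.0.0` with no change visible in this repository, whereas the old `file://../*` paths were pinned by the reviewed commit. Chart.yaml cannot express a content digest, and a committed `Chart.lock` records resolved versions and a hash of this dependency list, not the chart bytes, so it does not close the gap. Enable tag immutability on the `mcp-charts` project (and restrict push to the release pipeline), and sign the pushed charts so consumers can verify them; a one-line comment above `dependencies:` recording where the charts are built and published would also help the next reader.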
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: harbor-registry-secret
+  namespace: flux-system
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: ENC[AES256_GCM,data:BkaiHpVTfTZRrP8+OMYyW99VJukKX4YaBqZ2W5+kPPHPGHUOR1B29JZGANuRRcWXyZKpwdnKchmMuPt4tvNXc8as+aXzjPqrFSHgoN/OW741rCUJJFlPSG+yIRzW0SRt9lcV+MguopAIRKukDNTM85HLBGnnBErGAgDDC2ebkQb66cmeDqBfXzq/kXu2tdsI+vVAoOBAr7gqFKMREYuaZEzM/h9c/Mn9NTASiAM=,iv:pkjoSBKKI1xd5rXIAmUXHrB2y1GULVo6lCL71ZbA5/Y=,tag:hqciSQi6NzYrysKZp7LZ4Q==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1c7ke5ajhtzua7lrvzsg2p7krnnqv5jhvafh4lsl2s022j46jggnss4rxry
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTmV2M216RDRUMXVwRnlC
+        d1F1ZEl2ZS9pNSs5Y2F0bjJqNHFoQXpieWpJCmtiNTJVenloNEJYRUFPN2JIMEN2
+        blRvMDBiZ3pCaDRZTzhDWm1kZjZPNncKLS0tIE5OMGl0S0I4VXF0YXBqeWxGUGFv
+        bDlMZHNKcE9CNFBucG1oYXJyWWxLTVEKDV05XZgG0+fKzKYDiFuU0TD5Ml/fno41
+        UQcxgkiBTabv0ajtsGBUQ1/A5D+vL0SwPo7PHzH+drE63PVxekTl3w==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-11-16T08:04:02Z"
+  mac: ENC[AES256_GCM,data:JdAT1Hm2DpNQcPWNYC/BI/0yuzWAFyCDZ4SwLR0eZOelYV28R83oYKC4tnCNTwEKm8/tgACLkq0ndfAei0N3cNFGr5o0gCReeN1KQFu1/URENYxLVVofg033AVZEeK8R/TAZkXndhd6HUYhHQatX1l5ro6hLrcItPAYl1s0AFBI=,iv:AfHDa+p1O3/cpcXTG/+CXq0yzlFJ9QBUBAh1UCj+pwo=,tag:a9gaISxT7iJ/1RcHoFwPgg==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData|password|token|apiKey|secret|key|auth|\.dockerconfigjson)$
+  version: 3.9.2
diff --git a/platform/mcp-servers/helmrelease.yaml b/platform/mcp-servers/helmrelease.yaml
index 371d32d..e7a6890 100644
--- a/platform/mcp-servers/helmrelease.yaml
+++ b/platform/mcp-servers/helmrelease.yaml
@@ -8,10 +8,11 @@ spec:
   timeout: 5m
   chart:
     spec:
-      chart: ./platform/mcp-servers
+      chart: mcp-umbrella
+      version: "1.0.0"
       sourceRef:
-        kind: GitRepository
-        name: flux-system
+        kind: HelmRepository
+        name: mcp-charts
       namespace: flux-system
   interval: 5m
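Review bot: The `.dockerconfigjson` under `stringData` is only needed by source-controller to pull charts from the `mcp-charts` project, so it should be a Harbor robot account scoped to pull on that single project, not a user login; the value is ciphertext, so I can't confirm which it is. A credential that can also push would let a compromised `flux-system` controller re-publish the very charts it installs, turning the mutable-tag problem into a supply-chain loop. Please confirm the scope and record it above `stringData:`, e.g. `# Harbor robot account, pull-only on project mcp-charts; rotate with: sops -r harbor-secret.enc.yaml`. Encryption itself looks right: the key is covered by `encrypted_regex`, and the `mac` ties the ciphertext to the unencrypted metadata.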
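Review bot: `chart: mcp-umbrella` with `version: "1.0.0"` from an OCI `HelmRepository` pins a tag, not content: source-controller re-fetches whenever the digest behind `1.0.0` changes, so a re-pushed chart is rolled out with no commit to review, whereas the removed `GitRepository` source deployed exactly the reviewed tree. Flux can verify signed OCI charts; add `verify:` with `provider: cosign` under `chart.spec` next to `version`, plus a `secretRef` to the public key unless the charts are keyless-signed, so an unsigned or re-signed push fails reconciliation instead of deploying. The trust boundary has moved from git to the registry, which deserves a comment on the `sourceRef` block. The surrounding `spec` continues outside the hunk, so I have not reviewed the rest of the release.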
diff --git a/platform/mcp-servers/helmrepository.yaml b/platform/mcp-servers/helmrepository.yaml
new file mode 100644
index 0000000..83afb8c
--- /dev/null
+++ b/platform/mcp-servers/helmrepository.yaml
@@ -0,0 +1,11 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: mcp-charts
+  namespace: flux-system
+spec:
+  type: oci
+  url: oci://images.caffeinetux.com/mcp-charts
+  interval: 5m
+  secretRef:
+    name: harbor-registry-secret
diff --git a/platform/mcp-servers/kustomization.yaml b/platform/mcp-servers/kustomization.yaml
index 9e3f968..bc1e2eb 100644
--- a/platform/mcp-servers/kustomization.yaml
+++ b/platform/mcp-servers/kustomization.yaml
@@ -1,11 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: mcp
-
 resources:
   - namespace.yaml
   - secrets.enc.yaml
+  - harbor-secret.enc.yaml
+  - helmrepository.yaml
   - helmrelease.yaml
 # SOPS decryption for encrypted secrets
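Review bot: `apiVersion: source.toolkit.fluxcd.io/v1beta2` is the deprecated HelmRepository API; it has been GA at `v1` since Flux 2.3 and current controllers log deprecation warnings for the beta version, so use `apiVersion: source.toolkit.fluxcd.io/v1` — `type: oci`, `url` and `secretRef` are unchanged. If `images.caffeinetux.com` is issued by a private CA, add `certSecretRef` pointing at a Secret holding `ca.crt` rather than ever reaching for `insecure: true`; nothing in the hunk shows the CA, so please confirm. The `secretRef` correctly stays in `flux-system`, matching where `harbor-registry-secret` is created. The kustomization.yaml hunk that follows runs past the end of what I can see, so I have not reviewed the dropped `namespace: mcp` override.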