Stop tracking talos kubeconfig; remove Authentik token from git; add Newt kubeseal example

Remove committed talos/kubeconfig (cluster admin credentials). Ignore talos/kubeconfig at repo root. Replace hardcoded LDAP outpost token with AUTHENTIK_LDAP_OUTPOST_TOKEN from .env. Document Sealed Secrets workflow for Newt (kubeseal script + README updates). Clarify Talos secrets use talsecret/SOPS, not Sealed Secrets. Made-with: Cursor
2026-03-28 01:19:58 -04:00
parent a5e624f542
commit a65b553252
10 changed files with 54 additions and 24 deletions
--- a/clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+++ b/clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Emit a SealedSecret for newt-pangolin-auth (namespace newt).
+# Prerequisites: sealed-secrets controller running; kubeseal client (same minor as controller).
+# Rotate Pangolin/Newt credentials in the UI first if they were exposed, then set env vars and run:
+#
+#   export PANGOLIN_ENDPOINT='https://pangolin.example.com'
+#   export NEWT_ID='...'
+#   export NEWT_SECRET='...'
+#   ./kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
+#   kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
+#
+set -euo pipefail
+kubectl apply -f "$(dirname "$0")/../../newt/namespace.yaml" >/dev/null 2>&1 || true
+kubectl -n newt create secret generic newt-pangolin-auth \
+  --dry-run=client \
+  --from-literal=PANGOLIN_ENDPOINT="${PANGOLIN_ENDPOINT:?}" \
+  --from-literal=NEWT_ID="${NEWT_ID:?}" \
+  --from-literal=NEWT_SECRET="${NEWT_SECRET:?}" \
+  -o yaml | kubeseal -o yaml