feat: op inject secrets (close #368)

{{cookiecutter.project_slug}}/Makefile

@@ -122,13 +122,34 @@ shell-frontend:
 secure:  ## Analyze dependencies for security issues
 	$(KUBECTL_EXEC_BACKEND) -c "safety check"
 
-sandbox-secrets: ## Substitute with secrets template with env variable and run kubeseal
-	@echo "Sealing secrets from sandbox template to $$(kubectl config current-context)"
-	NAMESPACE={{ cookiecutter.project_dash }}-sandbox envsubst < k8s/templates/secrets.yaml.template | kubeseal --format yaml > k8s/sandbox/secrets.yaml
+DEBUG ?= false
+secrets:
+	@$(call check_var,ENVIRONMENT)
+	@echo "Creating sealed secrets for $$(kubectl config current-context) cluster"
+	kubectl config get-contexts --no-headers | \
+		grep {{ cookiecutter.project_slug }}-$(ENVIRONMENT) && \
+		kubectl config use-context admin@{{ cookiecutter.project_slug }}-$(ENVIRONMENT)
+	ENVIRONMENT=$(ENVIRONMENT) \
+	envsubst < k8s/templates/secrets.yaml.template | op inject | if [ "$(DEBUG)" = "true" ]; then cat; else kubeseal -n {{ cookiecutter.project_slug }}-$(ENVIRONMENT) --format yaml > k8s/$(ENVIRONMENT)/secrets.yaml; fi
+
+sandbox-secrets: ## Create sealed secrets for sandbox
+	$(MAKE) secrets ENVIRONMENT=sandbox
+
+debug-sandbox-secrets: ## Debug sandbox secrets
+	$(MAKE) secrets ENVIRONMENT=sandbox DEBUG=true
+
+staging-secrets: ## Create sealed secrets for sandbox
+	$(MAKE) secrets ENVIRONMENT=sandbox
+
+debug-staging-secrets: ## Debug sandbox secrets
+	$(MAKE) secrets ENVIRONMENT=sandbox DEBUG=true
+
+prod-secrets: ## Create sealed secrets for prod
+	$(MAKE) secrets ENVIRONMENT=prod
+
+debug-prod-secrets: ## Create sealed secrets for prod
+	$(MAKE) secrets ENVIRONMENT=prod DEBUG=true
 
-prod-secrets: ## Substitute with secrets template with env variable and run kubeseal
-	@echo "Sealing secrets from prod template to $$(kubectl config current-context)"
-	NAMESPACE={{ cookiecutter.project_dash }}-prod envsubst < k8s/templates/secrets.yaml.template | kubeseal --format yaml > k8s/prod/secrets.yaml
 
 argocd-app:
 	envsubst < k8s/templates/argocd.application.yaml.template | kubeseal --format yaml > k8s/argocd/application.yaml

{{cookiecutter.project_slug}}/k8s/templates/secrets.yaml.template

@@ -1,14 +1,14 @@
 apiVersion: v1
 stringData:
-  AWS_S3_ACCESS_KEY_ID: $AWS_S3_ACCESS_KEY_ID
-  AWS_S3_SECRET_ACCESS_KEY: $AWS_S3_SECRET_ACCESS_KEY
-  AWS_SES_ACCESS_KEY_ID: $AWS_SES_ACCESS_KEY_ID
-  AWS_SES_SECRET_ACCESS_KEY: $AWS_SES_SECRET_ACCESS_KEY
-  POSTGRES_PASSWORD: $POSTGRES_PASSWORD
-  DATABASE_URL: $DATABASE_URL
-  DJANGO_SECRET_KEY: $DJANGO_SECRET_KEY
+  AWS_S3_ACCESS_KEY_ID: op://{{ cookiecutter.project_name }}/$ENVIRONMENT secrets/AWS_S3_ACCESS_KEY_ID
+  AWS_S3_SECRET_ACCESS_KEY: op://{{ cookiecutter.project_name }}/$ENVIRONMENT secrets/AWS_S3_SECRET_ACCESS_KEY
+{%- if cookiecutter.mail_service == 'Amazon SES' %}
+  AWS_SES_ACCESS_KEY_ID: op://{{ cookiecutter.project_name }}/$ENVIRONMENT secrets/AWS_SES_ACCESS_KEY_ID
+  AWS_SES_SECRET_ACCESS_KEY_ID: op://{{ cookiecutter.project_name }}/$ENVIRONMENT secrets/AWS_SES_SECRET_ACCESS_KEY_ID{% endif %}
+  DJANGO_SECRET_KEY: op://{{ cookiecutter.project_name }}/$ENVIRONMENT secrets/DJANGO_SECRET_KEY
 {%- if cookiecutter.mail_service == 'Mailgun' %}
-  MAILGUN_API_KEY: $MAILGUN_API_KEY{%- endif %}
+  MAILGUN_API_KEY: op://{{ cookiecutter.project_name }}/$ENVIRONMENT secrets/MAILGUN_API_KEY"{%- endif %}
+
 kind: Secret
 metadata:
   name: secrets-config