argocd: keep admin passwords in git

README.md

@@ -24,10 +24,9 @@ done
 ```
 
 Create a new argocd local user for the admin (`argocd/users.yaml`).
-An existing admin will need to generate a password for the new admin.
-
 Add the new user to the admin group (`argocd/argo-cd-rbac.yaml`).
+Have the new user create a password for accessing argocd and hash it with e.g. `htpasswd -n -B adminusername`. Add it to `argocd/argocd-secret.enc.yaml`.
 
-Have the new user create a password for accessing metrics and hash it with `htpasswd -n -B adminusername`. Add it to `monitoring/user-auth.enc.yaml`.
+Have the new user create a password for accessing metrics and hash it with e.g. `htpasswd -n -B adminusername`. Add it to `monitoring/user-auth.enc.yaml`.
 
 Add the admin's PGP key to `mtls/files/admin_seeds/` (and update the list in `mtls/kustomization.yaml`)

argocd/argocd-secret.enc.yaml

@@ -0,0 +1,169 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: argocd-secret
+    annotations:
+        kustomize.config.k8s.io/behavior: merge
+type: Opaque
+stringData:
+    accounts.benharri.password: ENC[AES256_GCM,data:qEOLoBq4dTXyuxVCjsacb/bIReU1rWC7o/LCBoweMcN6XrCy1UqynqufYRzDmzSbxQ8e5217JmF26CvC,iv:TOM+kzSDwyd20zGkT77VH1ypDjnYxKGWYmBc0cpQZSU=,tag:Xc7VOGYIjbTZj6xrtIg8SQ==,type:str]
+    accounts.benharri.passwordMtime: ENC[AES256_GCM,data:wdrVeIzHf6nM+90FylFLcWDIbkI=,iv:NyVjprj714T6AwBDO22slifEcClrEZfgLCKPMe3noyM=,tag:ONvR88dK8fn6IIPTCfZGDg==,type:str]
+    accounts.daurnimator.password: ENC[AES256_GCM,data:Wb8bwB1SMQ14TYYc2TGZyoNl+FpJRNfjOQe1ihTvqOfQ2yDKAPz34phtlen8PzhMW91D1cjOWx9Yar8M,iv:t5xHzxeQ+uTvfPbNnIMx8WKkoOWQOw//0Lh6MMBbEWY=,tag:wM2abPWC+hPwwxjTxWl+DQ==,type:str]
+    accounts.daurnimator.passwordMtime: ENC[AES256_GCM,data:/+0kNXtmcd63vfOXgzPigrYNmwU=,iv:79OzPrhLyteTEuO8bu55JewMMcmQwSlU0YzFNITKfDw=,tag:XpCXizg909S4lwG5qA24sg==,type:str]
+    accounts.dpflug.password: ENC[AES256_GCM,data:Ep9LykD+C6xFsmcNjHOnvVXUmAf2exLxfyAV7CGKsYMc3L100COM6cIZC6OjwCnQRrBIkGqcPabNcNH5,iv:U9tpUtidnnDaDu3wu456N7bo9n4ti5OUDahkg4J6rJ0=,tag:3R3zR0rM5BdCArJLUiZoUg==,type:str]
+    accounts.dpflug.passwordMtime: ENC[AES256_GCM,data:mmV9QOw8TfOXZB+yfVHWUlrIo/E=,iv:CU/1p6iVzL6gJQ7TVacTSZjwKUWt/aJihQqA3cJ5b4Q=,tag:5dqQUDRpkMn1/KEImJ2QRQ==,type:str]
+    accounts.drgrove.password: ENC[AES256_GCM,data:0Td783XdXNFZUCagcJYJA9eum9ul1TvCbeziUVAVEKyGtrMghEO64VVyKD28Owcd5U8NtqBCOY3DCy7x,iv:Nx7fJUf2LhQyP+lnk7M5APc9oVvmtaVM5XeaSgkL7gA=,tag:VYGlKsbDjJ70xqlbNTl77A==,type:str]
+    accounts.drgrove.passwordMtime: ENC[AES256_GCM,data:3f4fuY6dJ02NhtqhFyAgpP5eYu0=,iv:hiHvJ6joLMNEyetHBuIa9zyr04ViylCxXuq8iYlAJ5U=,tag:HptnkbHpc0XIuDQBUCHU2Q==,type:str]
+    accounts.ryan.password: ENC[AES256_GCM,data:ZEo2Vdc3s/qRgNXnVhEOU6cD9DuqcIcJnvzi9LjIhMUb1R6suBQ+CRkSPEEjVrXPIjpFPSEfYZ0i3KYF,iv:J6A5Igy+N6l9rq7uglRqS0A6ex+TYOoUvccQI6Yx500=,tag:AxQeSnjVWpgPq7pSHHm1TA==,type:str]
+    accounts.ryan.passwordMtime: ENC[AES256_GCM,data:b3+Kc1I7hMg3Eugw5bSF5FneTWk=,iv:ryzukGqXUVqKLKMCY/MEHJkc7O4DEMTAKAl2q1bGD8U=,tag:el2340cMdkV1JK0oAL9CCw==,type:str]
+    webhook.github.secret: ENC[AES256_GCM,data:SufXmazp5KhM6lJz4+KpoK8w82xVPclWFnEf4Fl6IAtnxoZckTxIAQ==,iv:SSMYbrJ2Tz32n3MCmeAJUY5LP1mvb+FuZyO11KQsAB0=,tag:KU8YzsLekSe1nfQwpprlSw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-06-23T14:00:35Z'
+    mac: ENC[AES256_GCM,data:JvcbHR7bVsrwchVtdTk1MoN4+Qbe54uborQb11MvAgoNG/TQRyhxbqlC2CyNIluQBrk2kCk4wNWN741VS1zCRnmkRdrG73HoJKoFxUO9SSu9w7uzTshKsKM70cKwyvwSwQk7twcnTGjOmZYd50+9YWukWzh0OJcbKeoT8m91R+I=,iv:Pk6+ocGoI1HZ2q0ZgPPPgeZHfD93HQ1K3yxBo62XzV8=,tag:IkvBsEqQJQNoyKRriZ8ugw==,type:str]
+    pgp:
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA4FedWMNSzdLARAAwDtoZzL6ew3k3fbNOKoEtgzEAVh79VEHr/RdiQASr7UW
+            nrpIFaQuTeZz9VcMxh9ME9tEkTQew33/3PoubplSUeZLq5rUed98abrp9OwZ93qm
+            k6yadicW0bVyswbyleKvi1cH/pCxD22s7pyOFYAQa9Lc+n3XQhSw11ysZ96rKH8y
+            VoCXgYOZpDmdSp5HDnf9OovYVwzHY2q29TXTwtNyR+dtvTB7b6hIWpIB+YFPs0me
+            aw9p6m3tBdc5AUGLn8ZtfU99mX1mGPD5Lo6aw697T8PcbGTPY7YTJVHOoRDhQWYC
+            2WhTccV9PltDi0f4Wg1Y1tlSg57eAGYPCm+zeQbWewwI//fCfTkJ475vTQrz/XjK
+            TfvveOYGC6/GTp1E4D0/OcrJeiEBZB8weKL7ZcNkGVB38x+bL1YqchEmLfdf2cZ9
+            ou0cIzHk9W1+u+LHH5kbiqF4DyOcyVSarHOAxjuGzsLKcaHRqZl3/vpKJ+1HcCdx
+            OxLl1tPDThGe9VRynaaAyAbIzpC40KAEKY0CZTbpOm7tDOCemLBqFZY1hnFisAu4
+            f6NflKzSoEohsltsF+eSB/hsENnyCLZnbChCCr/s/hHiElU/mjvd2EGys7TCZDWy
+            e9BjDTrQzozWSd9bFgz5CB2kfV1+Q9QFjP4dC5zi/+SWxIumWALfVD/yfN94ETPS
+            4AHkAs9UnO0JrDb1yZ2Rkr+BhuHQwOAs4KDhlVzgceJCWbjG4DTllXzCm8X1PKG9
+            0MNTljJuVDKoCXzfpgriM7y0zHIG6fXgkOQ9JkCNXJIcu87Ac2i6P9eW4kX4orbh
+            ESEA
+            =QEix
+            -----END PGP MESSAGE-----
+        fp: 954A3772D62EF90E4B31FBC6C91A9911192C187A
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA4SNlT+wHnqoAQgAPVF1+DGtnjaM8nSdvOjU15kGI38719Dh0xigGqAvMoTy
+            9Lnhl2mtAoaAxGiFcWLck0zuL3/uJtfGWzIbbxDzydHRGMBPP2w54TDFtE6aYXGW
+            UJsvBPKMZVKTUk7dGdasKeVWpuXE58nBR/soUdZMwkkhoKuKNTlCh4R+7rvlemgY
+            i33Gnc0pXF0YetCdthkHqcDwMBc8XID0fbV5GQh7cn9n3Kbm6+LzM6QPmWOfRw5E
+            6VDwPKUihSJld5mu6gEIcDr3Ncn3Qca36k+IX3yENqwnLcdinVJkH0KTNYiBGstO
+            ExxWGfnTTyu4OAd1lVHWd+MCuHJYn04YQLrDN7EfStLgAeQXEf4PgbEARZYKY/oX
+            R2834Q2X4GHgjOGw9eAn4kWj3X7gh+V6xCj29ULhfZi3+Y6sZUxmRwN2rDOm+bQp
+            6feElrRIeuCz5Mlv5+YnDPTEeitQQbxGvmbiqtzvR+GFAwA=
+            =/x7x
+            -----END PGP MESSAGE-----
+        fp: 8333F292B1BBD334A61E6F566785F7AF28DE7081
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA82rPM2mSf/aARAAumOoqg8QuK35c2u4wrmV9N+7xH99ieYyYhJLVYkI9abz
+            d3qEkCpjhIsEPR5Zm3XEA7LBqfH/INO6SAzSDPSQjjON+8KDz3FUOLEYNd3vZhfh
+            Vk4OU/PVrNHw1zRFQpbvKHwGfyWDdWkZ+nQRbh94RXb7zteMGF5En+Rd6M3h0gjI
+            JVQdW6pH0BJ2ycsCjNTXAQ/nFy9biVkJgutriKGsH+GjNzAxUkrQDrsOrlHkryjs
+            ONt98dByE7tedzN2bMSMd8p9EYfqxnNrOVcY1vEHBierpVW0KKI52m3tuMM25Lvs
+            tx+fdyfSpTXxATCe/icQEE/2kKcUwrcJQfBBXJQcr5dd23oAu/bMeXbyxauk9/r1
+            5RfnP3rHVC2Dbzg7Zeh57Z10I2ILgMYFF/M043nvoVLQCZFtTfn+1dL5TyVC/Lny
+            /9D41tVx/FhuohmQMyckuhB3qM6UreJAZVvoa22sGX0fnzphIxK/MhAh7Q6dEhu0
+            OlrC3pwBa6JM29p4uAfu01JkF7iVRo2uLgu+ju3r2Te+tC17N9Mo/e57Ts3kmZDK
+            gM2QYBKfWQ4hZ0CLN/uGOv7Gg6AddavunsJYnn9rIbybEdnFOZydBNFFvIiJeNcP
+            GFrmUM+4FPmG1dHrMDTNQ8Nh/3/faKp0S10/7QeyuN1l50fiRJ9UIEolovG25sHS
+            4AHkw9fwU/v6n7k5Q+QbSCosI+GuWuCz4KXh4hTg5eLG88pA4Nnl9P/jMf3HZSSP
+            mEWRZoF4OxRggVQUcc/asw2sHjQRw27gZOR/tcKzzhISVFqDDqK9VOkp4isked7h
+            RSgA
+            =wCO7
+            -----END PGP MESSAGE-----
+        fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA6dhVUuTLV7oARAAYDvGZtlebl9GsjDvRhYJaOLYiekMmBpN9LLiZMaKozsL
+            Gl5lYxUmX6Z1X97Zri0xw4c1Rq0S3nBCU4EEmWqb7fAmsP2j4LQx9A37F+QUssLb
+            ThIHLPIEIQdAe2GLe0l1z+9dZun8k7MT0JHc1u5CM1cUlTDQ7P+KAagcCNuD4Xgp
+            rV1yhPGO3piDI1gmMgSgnWrlnRavPKTHQgExZ1UaPOKRs+w64Mgi8o+zkeEdv9/2
+            Ek6lOqXufM9reeZ32Ax3406+Dr/qfWpXzUhMxd2EkM7gZ55mlJBn+TfasTUPdp+E
+            Z3Tp+9G9G9kIe29gIto95kqOez6OoS9k1XMPrILnEvqbhcdYdMETV6TH2o8OAMk6
+            Coem+sxwh5UXF2toVGf6ioy17cYpCkNYMGN6o2KxWs7+QXV55stGnj/ZVZVlNuW2
+            OlhmNiW6Q/01qjwW2ISiODkVnIcF1dAbwRDqLAPYbrqtobYz815nPAZ/cj6znEMw
+            bTkiD1y+00FRBJSewstjrpa7Y5ZImxFljl4ZnyUPyo9EqjOqMW79JzVaSnCr22H3
+            FSijnofKkJfeWMfhmAVNzV7DILAirTlz4tUG/RB+ogRK7tzGbTCckdgp+rh0opc9
+            xZxBaWwpYlwikA+r5Xs6LnPWJGdDrpo3xnMF/SBKtuwdcOh9yGM6JcTnxg6Y52rS
+            4AHkWUfYjmEXhNDT04Q88cn2teF80uCz4MvhXxjgE+JG5+0Z4GPlJQW/KlDu1QSK
+            j7mXov/4VS6f57JWiefQvY2iTszAcbTgwuTv+yFnuxMveC0l0x89xc+g4i1Dyw/h
+            rm8A
+            =8zfZ
+            -----END PGP MESSAGE-----
+        fp: FC2255B7BBC7EABD4EFAFA1068907D8BCCD85A5A
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA8KRInHl7Vz+ARAAGgy/DVy2n0paNje96XOSi+hP09zwJ5tPxBc5cxmBjgMt
+            /JOmx8z2bQ6Su87tkgOVmbYL4fRXbzBEUgUzm+890f5uydhGWWWE//w0/sENQ48V
+            XL7+6ppQuFWm/5DXZT6b9r6GIcXliSEPwlkEgA2KrTVKDBfnFwQuoRg+NX6/mvIV
+            q8LVyCY4HcHpMnQQlX/sh4b4eRZRZlbArJEQ51QSx/OQprKdPyoitL/ECuNp6zIi
+            jIhoJThbXCKl60qgzuDVzThYDx2ASxT1R88Byov21zR++d121QdJm0zL7YZAnTtp
+            6Yax+a+dTBohQc00yKWua1+WEC79NmvbNjpMSczeXNcXqQXE39J1AMjxEZDA0kzN
+            fKV/LxrpUpBq+KWRZSEYbfUi4ndgbvQj2UfcPJHNmjO0zzCqzqZkFGi3oi1yH3nD
+            aQ/b4v60S/G6ZeabHWuS0/OaYh5LCGtV53N8H8ICgh/XzzoDUrfsSaPEyp40GTr8
+            u0JT1QKp3X1ihljPvGnq9Ctxz6s3ncTlFDkfi28yi2gg+YbS3q383Pl6ScC69E0E
+            gMh6O+OosRTcs0oZ1C9KNmXhUMgPT1QsAzJxitxu7x6Vmxa4mRhdnV4jRtFCkLEv
+            lxHitv8JLp1143ZQFefGwYZ9d+k8wVlDqk0zZ/y3AKQfPTuacHvQMLRMIx6EFdLS
+            4AHkkeNHQi0igudi0NAUEzGaCuEu6+Ak4OfhACfgxeKQofDV4HHln+deTmMseF23
+            RUAe5hskF4u5bPPi0YDUVR7CDO1S2Y/gdOQMgVbLfBbG8QYC9k9hJZY24gtYXqDh
+            nG4A
+            =1bVB
+            -----END PGP MESSAGE-----
+        fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA/AOBFOW6Hm2ARAAq2P2xZrJecaA52Fa4Qt0id1bMXhR0UNV1QeVVw04zQ0u
+            fbtlzsOKILAInoreyxwqMdXoi8oHgcYrbKmssr8FkYLsygMmDq8VLC2aPSbZl1NR
+            Tr2ehImyaEyFg/ypD0lZ6g6ujlxwAgTgXNK8thcUhI4SYPuqMRh9iedCq+QRGnz0
+            x1glJYkNjaLCc0UFwhr4699Dm/iOWZ5BbpFok/wXgiueEjQxnBfsY5bGXyoM5LRX
+            sVT+J9zqXZSOJsHHo8tCJTTpWzpbiPMX/Q/fXHCrZmhL6IfyfZzfx335K1CtoHSK
+            bXgpDrUFrA9w6LdA3I9RF4e57oNenqFWMrxfchmkbDbM066t0kEjxnulazsuAhHa
+            UrwlMNTMzPQFnnllk4kDgjbId1OVnCG/2xiHIFdvWl5jS4doEGDUk9IwXJrufpYw
+            K1ocZLRcM1rB9IIBIUYbAn6PCmPKrRexvlCGzk6ryaWDgyBJYIJgFCLgfEkYruXb
+            zp+ghjj7NB4TGwLRtWybUe0xCTTLZLTHucuR69Ok/hDjDMaC1vw27hAbZfEr6Czo
+            B36DmN9DeJsq2gwB2jH3qJtc3cIY1RkGWfQPTRTfjZ9tJYsAzaPNClLOYn3DuCu4
+            c6G+J9XiQkoV4eX4zfy0iMlh2ofjwblqE5LVAOacMdUcmjb+OgtKAvHf0LfOQPvS
+            4AHkd/nJiCfGukdUfJFPdC2zseFGVODT4PvhD7/geuLfZDMM4NXlduZ2E3MCAvtP
+            NVWSCf/PbzAGLRQA1GpdVor/jmMmK4jgG+S1VNFQ83e+H3knswFcJTBa4iO59Ofh
+            8eoA
+            =QMpr
+            -----END PGP MESSAGE-----
+        fp: F2B7999666D83093F8D4212926CDD32189AA2885
+    -   created_at: '2020-06-23T13:38:01Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA+pWRuJw67SWARAAcUfFZirxGFwlQqZVf3pHLUBGgh7HnguVlav08GDevlGU
+            djguUhLkGsE0mf17p+3ToKyE5NG2YRas9+fYtm/Df5rVpIvCTNmV5Xfh9iqz8fZh
+            hqhQLtph2mKoG9Xl5cqnQbm6ZlhG+gfj+5VHve9H2GrQaZ0syQos2p/dZKih7Gzq
+            BfF0EOTOTGqqtso77h8pDoXIPEXCASQkLsXSj6enz8lXmQBziohDZ30SNYdFGk17
+            KmUMtX5LoOSKy8eAtQ/4INyc0CeTL2UFYxhAPI/kaOini8+BUH47VBzwgPEiRi/W
+            mgsVxrMyZwkaQVojbcwAPRPW4rivDWiSVeTmO8YXRtOIfI7oRvdKcN7wVJhUtwxy
+            7bizeClcuOoiN+rgpgIS01BHMNS8pytXAtsQBrpkbE7fwlsi0jM2OzXs270Dz8Wu
+            a9vjSQjiqxsEbpMfaJgUEwVt2p1eXODZNtC9mGUM/0IFKowDljFuBtyDtlWMEjCS
+            RzXSOAOc5SYGKd8doPwhw5cT/IzgVXWZz/TXw+EpOxHjdE8OPxFI6ADRnYKgXaDs
+            nNlkQc8kvGVN8Z7IvzBG8dEEB7kntu9ZXKF346/2huLPwBn77JQmQnXgcv6p3vZn
+            DfA8xi8hjrCHnF3irhqdd87tscErZ6jKK/AUyG5M5rCNTRK/y9nCaZyfOymfxOXS
+            4AHkAEjq/TB8anv0w+6AOgY8zeGnreC44AbhDzTg8+LOTWBt4N3lStETdA50XBc9
+            E3peoZcIyHGKRbvjTRxyZe20o18SIqLgueR4z3SOu6AHy2Ji8mSu9sqc4hUzR73h
+            8VUA
+            =CpMa
+            -----END PGP MESSAGE-----
+        fp: 1FD6667A0808D4D48BDB8757A61B48D8288FCF8A
+    encrypted_regex: ^(data|stringData)$
+    version: 3.5.0

argocd/secret-generator.yaml

@@ -3,6 +3,6 @@ kind: ksops
 metadata:
   name: argocd-ksops-secrets
 files:
+  - ./argocd-secret.enc.yaml
   - ./deploy-key.enc.yaml
   - ./ssh-key.enc.yaml
-  - ./webhook-secret.enc.yaml