Update README.md

README.md

@@ -2,9 +2,86 @@
 
 Helm configs and Kubernetes manifests for my dev cluster managed by Kustomize.
 
+## Structure
+
+- infra
+    - [storage](https://github.com/rancher/local-path-provisioner): Local path provisioner configuration
+    - [traefik](https://doc.traefik.io/traefik/): Reverse proxy with wildcart SSL certificates
+- apps
+    - [authelia](https://www.authelia.com/): SSO and basic auth provider
+    - [gitea](https://docs.gitea.com/): Git server with [Actions](https://docs.gitea.com/usage/actions/overview) and [renovate-bot](https://docs.renovatebot.com/)
+    - [namesny-com](https://namesny.com/): Personal website and blog
+
+
 ## Requirements
 
+- [age](https://github.com/FiloSottile/age)
 - [helm](https://helm.sh/)
 - [kustomize](https://kustomize.io/)
 - [sops](https://github.com/getsops/sops)
 - [ksops](https://github.com/viaduct-ai/kustomize-sops)
+
+## Usage
+
+Generate age key
+
+```bash
+mkdir -p $HOME/.config/sops/age
+age-keygen -o $HOME/.config/sops/age/keys.txt
+```
+
+Create `.sops.yaml` file in the repo root and copy the age public key
+
+`.sops.yaml`
+```yaml
+creation_rules:
+  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+    age: "<age public key>"
+```
+
+Create `secret.yaml`
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mysecret
+type: Opaque
+data:
+  username: YWRtaW4=
+  password: MWYyZDFlMmU2N2Rm
+```
+
+Encrypt the secret using sops
+
+```bash
+sops -e secret.yaml > secret.enc.yaml
+```
+
+Create `secret-generator.yaml`
+
+```yaml
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: gitea-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+- ./secret.enc.yaml
+```
+
+Use secret generator in `kustomization.yaml`
+
+```yaml
+generators:
+  - ./secret-generator.yaml
+```
+
+Deploy application
+
+```sh
+kustomize build --enable-helm --enable-alpha-plugins --enable-exec . | k apply -f -
+```