refactor: Use secretFromTemplate to partially encrypt config

monitor/blackbox-exporter/ksops.yaml

@@ -7,5 +7,16 @@ metadata:
       exec:
         path: ksops
 
-files:
-  - ./secrets/config.yaml
+secretFromTemplate:
+  - template:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: blackbox-exporter
+        annotations:
+          kustomize.config.k8s.io/needs-hash: "true"
+      files:
+        - config.yml=./secrets/config-template.yaml
+    vars:
+      envs:
+        - ./secrets/vars.env

monitor/blackbox-exporter/secrets/config-template.yaml

@@ -0,0 +1,7 @@
+modules:
+  http_check:
+    prober: http
+    http:
+      headers:
+        Cookie: _forward_auth={{ .PROBE_TOKEN }}
+      preferred_ip_protocol: ipv4

monitor/blackbox-exporter/secrets/vars.env

@@ -0,0 +1,7 @@
+PROBE_TOKEN=ENC[AES256_GCM,data:L4N4y14KdVmBayLEF+IPRafFKz0yIlxvUvRBISHgrSmx9GtjnECGvfUU57dOOeZMzsiYBrTMrGTGcsWt1IHQ+T0KY4CeEuB7N7rD0A2wIAqHbep63sFtifeCz7565yCNyo6kkuVHti/Z9Mg8s0DRHfBtWXnyMlfJ8TrGiCKJX2jvGb456+86,iv:D+zr6h9Xr/gdJjln3WLXvYQryvFUxnngvC9XCOHUZOg=,tag:0lcsGD16A8Wd8/Aa6agQhQ==,type:str]
+sops_lastmodified=2024-10-20T06:04:25Z
+sops_version=3.7.3
+sops_mac=ENC[AES256_GCM,data:Zxty3a09vnKMyxlPAod6ZygqRMYAdSauP3bHcC1XAqTjhuENv6w1nD5Q8v/9TSx3QW8up8iYcT0l8gWvMhqs1nbWCq6fvCopOJ1jFny9X9fkk/XiQ0yvrblAjHE8h8teVQtmdbGbEr4G9Mdv+h94jR9RJR5FyeLbKbiKPLjnBfY=,iv:teMbmiqekPip9/cE9nhoKrYIbm9vYiQbM5onsOrWSgw=,tag:Zo5+f9PuH5vrP/wsYxuu4w==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMHVjUmtDZGdKVCtCcGJt\na0tPaWFFV01ReTYySVZUQ1lCaW9DS1dwK0JzCmZ1bzFxRjM1cmhodkRoRmJNWVRq\nZlN0U3RvaFl2WEtNTnVIS00weXJVMW8KLS0tIG5ncHh1bGUrZzVBZHgzRXNwZjBL\nMXNwS0dNRW9DMGJvQ1drOS9GZmV4aHMKyKbAiIKTmsbo6KYDISCGEV6JPtZv00ul\n6O+5Q3HkoKAEHmLJUAqiCgylsn13YzAYswt0BQnzlGFuRETS81vH4w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1g2rwkffct3veu3zl5a09cny4qgjw5he9drdxjwxqclzq6fa0ldtql4kxvd
+sops_unencrypted_regex=^(apiVersion|metadata|kind|type)$