From 8459a6d2d30ff75f20b74c7b6d00eabb5770c339 Mon Sep 17 00:00:00 2001 From: Zvi Grinberg Date: Mon, 26 Jan 2026 00:46:25 +0200 Subject: [PATCH 1/5] chore: create tests overlay variant 
Signed-off-by: Zvi Grinberg --- .gitignore | 9 ++ .gitmodules | 5 + kustomize/README.md | 49 ++++++ .../overlays/tests}/buildah-task.yaml | 3 +- .../overlays/tests/exploit-iq-ips.secret | 15 ++ .../tests/google-sheets-secrets-enc.yaml | 26 ++++ .../tests/integration-tests-secrets-enc.yaml | 27 ++++ kustomize/overlays/tests/kustomization.yaml | 93 ++++++++++++ .../overlays/tests/mongodb-credentials.env2 | 15 ++ kustomize/overlays/tests/nginx-patch.yaml | 12 ++ kustomize/overlays/tests/nginx_cache.conf | 115 +++++++++++++++ kustomize/overlays/tests/oauth-secrets.env2 | 15 ++ .../tests/registry-app-creds-enc.yaml | 25 ++++ kustomize/overlays/tests/sc-llm-pvc.yaml | 13 ++ kustomize/overlays/tests/secrets.env2 | 15 ++ .../tests/server-model-config-enc.yaml | 32 ++++ kustomize/overlays/tests/tekton-config.yaml | 139 ++++++++++++++++++ .../overlays/tests/user-feedback-ips.secret | 15 ++ 18 files changed, 621 insertions(+), 2 deletions(-) rename {.tekton/tasks => kustomize/overlays/tests}/buildah-task.yaml (99%) create mode 100644 kustomize/overlays/tests/exploit-iq-ips.secret create mode 100644 kustomize/overlays/tests/google-sheets-secrets-enc.yaml create mode 100644 kustomize/overlays/tests/integration-tests-secrets-enc.yaml create mode 100644 kustomize/overlays/tests/kustomization.yaml create mode 100644 kustomize/overlays/tests/mongodb-credentials.env2 create mode 100644 kustomize/overlays/tests/nginx-patch.yaml create mode 100644 kustomize/overlays/tests/nginx_cache.conf create mode 100644 kustomize/overlays/tests/oauth-secrets.env2 create mode 100644 kustomize/overlays/tests/registry-app-creds-enc.yaml create mode 100644 kustomize/overlays/tests/sc-llm-pvc.yaml create mode 100644 kustomize/overlays/tests/secrets.env2 create mode 100644 kustomize/overlays/tests/server-model-config-enc.yaml create mode 100644 kustomize/overlays/tests/tekton-config.yaml create mode 100644 kustomize/overlays/tests/user-feedback-ips.secret 
diff --git a/.gitignore b/.gitignore index 0f3af34e..79b658d8 100644 --- a/.gitignore +++ b/.gitignore @@ -198,5 +198,14 @@ tags # Persistent undo [._]*.un~ +**/exploit-iq-ips.json +**/user-feedback-ips.json +**/google-sheets-secrets.yaml +**/integration-tests-secrets.yaml +**/server-model-config.yaml +**/sec-decryption.key +**/registry-app-creds.yaml + + # End of https://www.gitignore.io/api/vim,c++,cmake,python,synology diff --git a/.gitmodules b/.gitmodules index 1717d5fe..555ccf7b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,8 @@ [submodule ".tests-automation"] path = .tests-automation url = https://github.com/RHEcosystemAppEng/exploitiq-tests-automation.git + +[submodule "exploit-iq-models"] + path = exploit-iq-models + url = https://github.com/RHEcosystemAppEng/exploit-iq-models.git + diff --git a/kustomize/README.md b/kustomize/README.md index 0e837506..ae287a39 100644 --- a/kustomize/README.md +++ b/kustomize/README.md 
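Review bot: The ignore list added here does not cover everything the README's decrypt step writes: `secrets/mongodb-credentials.env`, `secrets/oauth-secrets.env` and `secrets/secrets.env` have no matching pattern in this hunk. Unless a rule outside the hunk already catches them, a `git add .` run between decrypting and `rm -rf secrets/` could commit plaintext credentials. Ignoring the whole output directory is simpler and keeps working when new files are added: `kustomize/overlays/tests/secrets/`. A comment above the new block, e.g. `# Decrypted sops output and the private key for the tests overlay - never commit`, would also explain why these names are listed.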
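Review bot: The diffstat of this patch has no `exploit-iq-models` entry with mode 160000, so the `[submodule "exploit-iq-models"]` stanza appears to be added without the gitlink that pins it to a commit. Unless a later patch in the series adds it, `git submodule update --init` will check nothing out and the chart path `../../../exploit-iq-models/agent-morpheus-models` used by the README's `helm upgrade --install` command will be missing. Adding the submodule with `git submodule add` in the same commit records the pinned revision, which also fixes the chart revision the test deployment installs.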
@@ -236,3 +236,52 @@ kustomize build overlays/$DEPLOYMENT_VARIANT_NAME/ | oc delete -l purpose!=pers # Or, Delete Everything kustomize build overlays/$DEPLOYMENT_VARIANT_NAME/ | oc delete -f - ``` +### Deploy Test overlay variant (Rapid deployment) +1. Download and install [GnuPG](https://www.gnupg.org/download/) and [sops](https://github.com/getsops/sops/releases) +2. Create new namespace/project: +```shell +export PROJECT_NAME=exploit-test +oc new-project $PROJECT_NAME +``` +3. Take private key and import it to GPG: +```shell +gpg --import /path/to/sec-decryption.key +``` +4. Decrypt all secret files: +```shell +cd $(git rev-parse --show-toplevel)/kustomize/overlays/tests +mkdir -p secrets +sops -d exploit-iq-ips.secret > secrets/exploit-iq-ips.json +sops -d google-sheets-secrets-enc.yaml > secrets/google-sheets-secrets.yaml +sops -d integration-tests-secrets-enc.yaml > secrets/integration-tests-secrets.yaml +sops -d mongodb-credentials.env2 > secrets/mongodb-credentials.env +sops -d oauth-secrets.env2 > secrets/oauth-secrets.env +sops -d registry-app-creds-enc.yaml > secrets/registry-app-creds.yaml +sops -d secrets.env2 > secrets/secrets.env +sops -d server-model-config-enc.yaml > secrets/server-model-config.yaml +sops -d user-feedback-ips.secret > secrets/user-feedback-ips.json +``` + +5. Override any secret that you need in the decrypted files, if not needed, you can continue to next step. +6. Now deploy to the cluster the exploitIQ system ( minus agent) with all resources: +```shell +kustomize build . | oc apply -f - +``` + +7. 
Deploy Self hosted LLM for the automation tests ( Integration tests and Confusion matrix runner): +```shell +helm upgrade --install --set nim_embed.enabled=false --set llama3_1_70b_instruct_4bit.storageClass.name=gp3-csi-thr +oughput-2000 --set llama3_1_70b_instruct_4bit.readinessProbe.initialDelaySeconds=25 --set llama3_1_70b_instruct_4bit.readinessProbe.periodSeconds=10 --set global.tolerationsKey=p4d-gpu exploit-iq-tests ../../../exploit-iq-models/agent-morpheus-models +``` + +8. Remove untracked decrypted secrets files +```shell +rm -rf secrets/ +``` + +9. Tear down: +```shell +helm delete exploit-iq-tests + +oc delete project $(oc project --short -q) +``` diff --git a/.tekton/tasks/buildah-task.yaml b/kustomize/overlays/tests/buildah-task.yaml similarity index 99% rename from .tekton/tasks/buildah-task.yaml rename to kustomize/overlays/tests/buildah-task.yaml index 60f9a43a..953dceaf 100644 --- a/.tekton/tasks/buildah-task.yaml +++ b/kustomize/overlays/tests/buildah-task.yaml @@ -2,7 +2,6 @@ apiVersion: tekton.dev/v1 kind: Task metadata: name: buildah-pvc - namespace: ruben-morpheus spec: description: | @@ -165,4 +164,4 @@ spec: - description: An optional workspace that allows providing the entitlement keys for Buildah to access subscription. The mounted workspace contains entitlement.pem and entitlement-key.pem. mountPath: /tmp/entitlement name: rhel-entitlement - optional: true \ No newline at end of file + optional: true diff --git a/kustomize/overlays/tests/exploit-iq-ips.secret b/kustomize/overlays/tests/exploit-iq-ips.secret new file mode 100644 index 00000000..975a0461 --- /dev/null +++ b/kustomize/overlays/tests/exploit-iq-ips.secret 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:7Mhg0suh1pr4gW2ZSVDfDVBxR9M+WeOS/ndzCa6HynWbnbVi6o/bXSBrUwukb9NLEPyXG+i0Ja265AmV2Ix//+0YiHxRMTNWuAWeik9C1FhPyMefg/QJ7/TqVA19011U1oaqZwttcfxtiC69lKbIG6vZnxuLtWhjoWfi1SJrqPZ+EsKSD/st2DoWkhvlGd+ea8RyboXt2knL2jy7smo1wRWSUl98SqDr6TLqNg==,iv:oup5Ep55EXokJe+jRlOBXIxGoP88ZqV6aHzQtDrAGok=,tag:UuwWcFrQ8OJf5weq0HNBrg==,type:str]", + "sops": { + "lastmodified": "2026-01-25T12:11:15Z", + "mac": "ENC[AES256_GCM,data:o+/YRK8wHs6hlEJqkwDtzV/3plYxOTRs7QGfqLGv0TaGZMIYFnbav1M4AFDYY7pMxEnRCyRJWr6G6L3mN8Uwdcr9FyMls1yQAXnu8a6iP7xLSvShvk4sXmdRKCV+ZoI6uWOGpT5um2ovpqce2GENStvk7PhFhS0R+Dc2IqBYbyA=,iv:rWe1RZ8QEIeOTrIVYTroLrqm9QaugtTVw41dtxJRk5Y=,tag:CRh9MgwYzbLV+fqkIjpcxA==,type:str]", + "pgp": [ + { + "created_at": "2026-01-25T12:11:15Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dy77zzNMwU0sSAQdAenSUkHYnXpk59IsDKXVzwzXcmJYgwOC/mjNFPxrPUQkw\nIroNi7SaoYcdQ5bNd/IygS+LSJbqxWpMvPLgxw+Z/BUS0lWppfzAYgMeHGjH5Y+u\n0lwBGxusz5C9WM+oOHNOhrg8DZZU3iLfDgWpICqJ6OtRlcSlJlr2gXPFZngunkxz\nX5fFnLDgs2j6OV5CQEAkjC3j73t9RSE61ILuRLqZGMFjCm/xtL7KieKhstFxqw==\n=mhUv\n-----END PGP MESSAGE-----", + "fp": "8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7" + } + ], + "version": "3.11.0" + } +} diff --git a/kustomize/overlays/tests/google-sheets-secrets-enc.yaml b/kustomize/overlays/tests/google-sheets-secrets-enc.yaml new file mode 100644 index 00000000..9f9b7cd7 --- /dev/null +++ b/kustomize/overlays/tests/google-sheets-secrets-enc.yaml 
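Review bot: Every encrypted file in this patch lists a single PGP recipient (`"fp": "8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7"`), and the README has each user import the matching private key from `sec-decryption.key`, so one shared key file opens every secret committed here. The ciphertext stays in git history, so withdrawing one person's access means rotating the underlying credentials as well as re-encrypting. Consider a `.sops.yaml` at the repository root with a `creation_rules` entry for `kustomize/overlays/tests/` that lists one public key per maintainer, so access can be granted and withdrawn per person with `sops updatekeys`. The same applies to the other `*-enc.yaml`, `*.env2` and `*.secret` files added in this patch.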
@@ -0,0 +1,26 @@ +apiVersion: ENC[AES256_GCM,data:FCE=,iv:mX1MhglqJCtmZ2+lAxeUdRweyKUjU0eEcxBBOyEfhQ0=,tag:wVimkqWtiSk2L6IcokRRHg==,type:str] +data: + credentials.json: ENC[AES256_GCM,data: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,iv:5/2vAV0mR91A76D1eknZllR6G2CcgS1CjFzH/vgC7yM=,tag:P4+B4QMpgh+v8G67QVSBUA==,type:str] + input_sheet_id: ENC[AES256_GCM,data:QGcHsxrPb4ocTIWd8CMvtetiwmeKJ2zaJ1pixjCzvB9i7IznNiTWSfm6rOmf1nd+1oCRsTFiSjlrM+73,iv:QpcPMsNz5xghxrjYw6kkdPJvL9zBLfVtyfE/Hyo2qMM=,tag:pz4UWY5aZYDLFCDjKcyqxw==,type:str] + output_sheet_id: ENC[AES256_GCM,data:XfLR39Saza3v6xX9NRxm1Lgg++0jTUVJU7T2DG/U8wpnfDJkHBlwzyQIypIWfapR2q2JMHh5CsfR6IY2,iv:MriqJEbO4qHyRuLqmYLCGghqcLXa79W0OueQRFzdQik=,tag:pIelynMOFR+qDWNQBZb7kw==,type:str] +kind: ENC[AES256_GCM,data:YfSIF+rj,iv:GSZfu8MjRgrLoZiDd3tYMC22XSBX8hN7rx4Qc+q1Sy8=,tag:pz5hprvCEnw2Js6o40s+VQ==,type:str] +metadata: + name: ENC[AES256_GCM,data:pFg7/Zxxt1Tc9WQJVivlI8hgN5TL,iv:i/nNCn/CMrNBuRXaR7OgvADNV4vSwk0SkSwMrvzW0Xg=,tag:LBmpT+Aw2vziK13JDVOcFw==,type:str] +type: ENC[AES256_GCM,data:tcJ0TrMy,iv:bFgWgWktWvbfbQO8svO90b/6izbSTHKm4e3KdalerbU=,tag:nb7GgK5m+IjokvJAqUcDeg==,type:str] +sops: + lastmodified: "2026-01-25T22:22:08Z" + mac: ENC[AES256_GCM,data:FcISvk+RreKCwSHfvvobTXNbNbnRuvh7dPmjgTSzsW9jJGSaT9pVI1KnZO7pSwZyx9e1SxFxltM+l5lKRwEx644g8sXn4vgm5iS7hydlCaUSSG1S2Vm7QTkrc+Xd4anWt3/V9NTBgC99MbADwKUxL7SKj4auzXi2rbiJgrN2To8=,iv:bHBRrT6lFX2d9eOvS3henEqMusk3X9RbqPtqzIE1sA0=,tag:SXS5CgV6HSr+Ma0jADU/8g==,type:str] + pgp: + - created_at: "2026-01-25T22:22:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dy77zzNMwU0sSAQdAtKMi6CN5tPD/ZRK0uiEZ1zZzS6XVXgaun1QQn3OufDcw + fVPefvN/Fw+6DuIzyRsBOCRT10BrD+2Cb08JE6GUMOLO7bihuAitxbwbzOivPPgK + 0l4Bj8S91shsRwhqFWDBWFHxiKJIuXLVBJd2AvijI3ErEL2hrxf3BAzaFQxtuxz7 + BPb4egF5zsUIjzkwW4vzUbqTiFzZPTh6uBOq1R5C1Ux3YFxDUWtKf4/0dOjQeiYB + =w0Fd + -----END PGP MESSAGE----- + fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 + unencrypted_suffix: _unencrypted + version: 3.11.0 
diff --git a/kustomize/overlays/tests/integration-tests-secrets-enc.yaml b/kustomize/overlays/tests/integration-tests-secrets-enc.yaml new file mode 100644 index 00000000..35e01213 --- /dev/null +++ b/kustomize/overlays/tests/integration-tests-secrets-enc.yaml 
@@ -0,0 +1,27 @@ +apiVersion: ENC[AES256_GCM,data:1iQ=,iv:HLBDch8hrZ1GpuB1+poHHWUNAlcKxHayVJhEvlbxq9M=,tag:wykCE87aZrCQbIdC3YO3QA==,type:str] +data: + GHSA_API_KEY: ENC[AES256_GCM,data:U28HKEJBc0nRNzS2ok6mmGU5uragLIBDkJ+8FzkNpsimf1YhXbT0/SbYgWs3TukQTBZ4nlpx1Gw=,iv:+EUrOoUJmQ6ldIsAuxcqIGd9OkfOTs11sfmj13wH9RE=,tag:rpCbWvXRi5G1x8XF5vXR3g==,type:str] + NVD_API_KEY: ENC[AES256_GCM,data:xbcl0ZI8ul0YPfI0ALb07Jx9lwXVyk+GpiE1r18lIMcC3mmFYH+v6b27RyUfa5zO,iv:RzZjdioWQmpWtQImXOM9vo6aPOXifWALgi9gmlsRS1U=,tag:aKUXAOsbfOvhhogYx6tAVw==,type:str] + NVIDIA_API_KEY: ENC[AES256_GCM,data:LV/REkQyjf9/r5pmF6isMLIrWNy7yPOILu1a3s5g2tgs6/GRuyDQjbWQEVeIS7Ia5xHLJYLsFFhv5Bp2GsCjDONejEG0iS8E/FHvvwIWm7XvwICh3/3kAO2v5zYhqYbO,iv:6ofERGT1m2SX44keQq6pGTQ2nZMsPL2GG1+Pqebp470=,tag:O/+3KL1tivQX5qoZVrq+8A==,type:str] + SERPAPI_API_KEY: ENC[AES256_GCM,data:qp8vpoTBsQUf16xrO0SwP6NC0YXYIat17sIf2Ceqg+0ywm+t456vAPwA3BzO4Q2ShoZacI325IKS73ikSbfUt38gM9kRry7S8vc7yWOapTAxDVMepNO65w==,iv:a802YttrC+iE6KIwGnRXS0Gz0TiJWHOdLJGD+RDtON4=,tag:MzyHmEPXb7FNqX6CB2kN/g==,type:str] +kind: ENC[AES256_GCM,data:GW1La2Ea,iv:Z+yqoV/+I6ZQ3EEddouc3NhYvUg/fZPSErB16foM51E=,tag:5QDiiu/FJeE9cFTmaTC1Cg==,type:str] +metadata: + name: ENC[AES256_GCM,data:F1vRnNiwgEv3Ym5uyw6HadY=,iv:mDA/W7a2YrlMVrE3rLH14FqdmZVrp9P+csIVB+wHff4=,tag:FY7zr/T+XB6Kl94Ir95/Kw==,type:str] +type: ENC[AES256_GCM,data:3czhKxVb,iv:2YRDLhXyiAalT7BJp006tjOvY/VKhb1u1wRGHpJFRHk=,tag:NHLatir8R+Zee/+7SnIkTg==,type:str] +sops: + lastmodified: "2026-01-25T22:25:21Z" + mac: ENC[AES256_GCM,data:YQEOFODZyLaVbnZbXToqv78KH3riikik97h3PSv1Ay0xhcjdBtBRv1JTIfVWCyAuMX7jA7WdUy9VL3xw7luK6TFbQRLI9W2vwovZ5ljA0qthTBIXuU98eLEsz/FNpg1GukNPhGKw54iTokGyEbRA5+Vo2zXygi5q3Ui/F5FDLyI=,iv:1ap3lpJvQuaFqD+l7jc7MHnVaCXCNBWRl0gue80anmg=,tag:yO6vcbIrM38ufAncapYcJQ==,type:str] + pgp: + - created_at: "2026-01-25T22:25:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dy77zzNMwU0sSAQdAmOC1w11IvoBbzsDvMXNQXp7YzVqNEGt6xdxpgHExxjgw + h7GhiURhkbRGTA1Bd9V9JetB1ibDMv3Z2TSI0A+BS1GoNoG8BeM0t+efur3hMGNx + 
0l4B/gnyReoDLZA6aaZDOMBLZe/GDaJ+FTegb5+VCTzAAsS1RgYrvPftBbCbyXbx + PdZo1yS+IMxuCQf0c3Q69FKF8Q8qy930UFjRxxHgiYdOQijJEhSyBpwiYhZK27tM + =geg9 + -----END PGP MESSAGE----- + fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/kustomize/overlays/tests/kustomization.yaml b/kustomize/overlays/tests/kustomization.yaml new file mode 100644 index 00000000..fbafaf32 --- /dev/null +++ b/kustomize/overlays/tests/kustomization.yaml 
@@ -0,0 +1,93 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
+- sc-llm-pvc.yaml
+- buildah-task.yaml
+- tekton-config.yaml
+- secrets/google-sheets-secrets.yaml
+- secrets/integration-tests-secrets.yaml
+- secrets/registry-app-creds.yaml
+- secrets/server-model-config.yaml
+
+secretGenerator:
+ - name: argilla-user-feedback-ips
+ files:
+ - .dockerconfigjson=secrets/user-feedback-ips.json
+ type: kubernetes.io/dockerconfigjson
+
+ - name: exploit-iq-pull-secret
+ files:
+ - .dockerconfigjson=secrets/exploit-iq-ips.json
+ type: kubernetes.io/dockerconfigjson
+
+ - name: ecosystem-appeng-morpheus-quay
+ files:
+ - .dockerconfigjson=secrets/exploit-iq-ips.json
+ type: kubernetes.io/dockerconfigjson
+
+ - name: exploit-iq-secret
+ behavior: replace
+ envs:
+ - secrets/secrets.env
+
+
+
+
+ - name: oauth-client-secret
+ behavior: replace
+ envs:
+ - secrets/oauth-secrets.env
+
+ - name: mongodb-credentials
+ behavior: replace
+ envs:
+ - secrets/mongodb-credentials.env
+
+
+configMapGenerator:
+ - behavior: replace
+
+ name: nginx-cache-config
+ files:
+ - nginx.conf=nginx_cache.conf
+
+commonAnnotations:
+ deployment-variant: tests
+
+patches:
+- path: nginx-patch.yaml
+
+- patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: exploit-iq
+ $patch: delete
+- patch: |-
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: exploit-iq
+ $patch: delete
+- patch: |-
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: exploit-iq-phoenix-tracing
+ $patch: delete
+- patch: |-
+ apiVersion: route.openshift.io/v1
+ kind: Route
+ metadata:
+ name: exploit-iq-phoenix-tracing
+ $patch: delete
+- target:
+ version: v1
+ kind: PersistentVolumeClaim
+ name: exploit-iq-data # Use the original name to match
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: unit-test-shared-cache
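Review bot: Nothing in this file says that the four `secrets/*.yaml` entries under `resources:` and every `secretGenerator` input are untracked files produced by the sops decrypt step in `kustomize/README.md`, so on a clean checkout `kustomize build` fails on a missing file with no pointer to the fix. A header comment such as `# Requires decrypted inputs in ./secrets (see "Deploy Test overlay variant" in kustomize/README.md); delete that directory after applying` would make the dependency and the clean-up explicit. On style, the run of empty lines after `- secrets/secrets.env` and the blank line between `- behavior: replace` and `name: nginx-cache-config` can go, and the `configMapGenerator` entry reads better with `name` first, as in the `secretGenerator` entries.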
diff --git a/kustomize/overlays/tests/mongodb-credentials.env2 b/kustomize/overlays/tests/mongodb-credentials.env2 new file mode 100644 index 00000000..780f2636 --- /dev/null +++ b/kustomize/overlays/tests/mongodb-credentials.env2 @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:cTEW4bqf52nVEz7nWKXJAx/5NNoG6PH+sPu6BYuhj3M/4z4GpXaqSPvWL+V2LQwQCtmP1D2/BMtxbwgak1x699wYMfPdptx1I9iFnOM2P+CrYZFbOllYrEUHA6g7Cv4RItSadLPsYpNizMDxTP8udaWbYFq/2r6rnlK/V81nZaJZdxeyxC7T1CVqnxCGS3anI1ZVPDGY4F7t,iv:nkEQJuCDVI3wKzDsjh6tEHfob9kXJEegl9MhaaDClgE=,tag:kRirr2RpmIHJHQVlmbGbSA==,type:str]", + "sops": { + "lastmodified": "2026-01-25T11:54:45Z", + "mac": "ENC[AES256_GCM,data:hICbk3dfXtva1J8jqG7uGLis+pJuwGve7tdQSeu7x3M/AjXukgZqxQoOrzE7H7WEh6R4XM8z7OfFqmIegjDtJ3RGy3VIbo2uXpHrhkAGUI9204ehhe0GG3erZKWAYxdryFA27UOddYhMEqyeezrdmXEzbMhy3eOXTQlyENb9gH8=,iv:rMqa6c70Zim0SB4oba55MYcjS332/znRVU2YX9UBhsU=,tag:Gt7FgLOjKvqPc5v0zIZYBw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-25T11:54:45Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dy77zzNMwU0sSAQdACeUMbw2HeFxqxL2d3+bLpJ5O8nnaixniZfOyLFNbDxUw\nudBo0dYJ5p9eSAr7/8xQBVeloOvLfO5DXBYlwZSkM4s1MPnTYM3vL6Je3qImRKzL\n0l4BPooAU/OY5y8idxBsi5gOKw/utLJ7150AhkLOCfvBVB5WP2zLLkWMx4rYMGTM\n8/hKqGkHi+8D2XfEByknn+95q92XnkGNcxZacCARXxFeDy0m+ZEeJa/KTO+5XU96\n=srjn\n-----END PGP MESSAGE-----", + "fp": "8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7" + } + ], + "version": "3.11.0" + } +} diff --git a/kustomize/overlays/tests/nginx-patch.yaml b/kustomize/overlays/tests/nginx-patch.yaml new file mode 100644 index 00000000..f8cd9dca --- /dev/null +++ b/kustomize/overlays/tests/nginx-patch.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-cache +spec: + template: + spec: + containers: + - name: nginx + env: + - name: NGINX_UPSTREAM_NIM_EMBED + value: http://localhost:8000 diff --git a/kustomize/overlays/tests/nginx_cache.conf b/kustomize/overlays/tests/nginx_cache.conf new file mode 100644 index 00000000..33c32b01 --- /dev/null 
+++ b/kustomize/overlays/tests/nginx_cache.conf 
@@ -0,0 +1,115 @@
+pid /tmp/nginx.pid;
+
+worker_processes auto;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ proxy_ssl_server_name on;
+
+ proxy_cache_path /server_cache/llm levels=1:2 keys_zone=llm_cache:10m max_size=20g inactive=14d use_temp_path=off;
+
+ proxy_cache_path /server_cache/intel levels=1:2 keys_zone=intel_cache:10m max_size=20g inactive=14d use_temp_path=off;
+
+ log_format upstream_time '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"'
+ 'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
+
+ log_format cache_log '[$time_local] traceId: $http_traceId - ($upstream_cache_status) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $http_authorization_present';
+
+ log_format no_cache_log '[$time_local] traceId: $http_traceId - (BYPASSED) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $http_authorization_present';
+
+ log_format mirror_log '[$time_local] traceId: $http_traceId - (MIRROR) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $http_authorization_present';
+
+ log_format nvai_cache_log '[$time_local] traceId: $http_traceId - ($upstream_cache_status) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $http_authorization_present. Final Auth: $http_authorization_present';
+
+ include /etc/nginx/conf.d/variables/*.conf;
+
+ map $http_cache_control $cache_bypass {
+ no-cache 1;
+ }
+
+ # Log to stdout
+ access_log /dev/stdout cache_log;
+
+ error_log /dev/stdout info;
+
+ client_max_body_size 1G;
+
+ server {
+ listen 8080;
+ server_name localhost;
+
+ proxy_http_version 1.1;
+
+ # Headers to Add
+ # proxy_set_header Host $host;
+ proxy_set_header Connection '';
+
+ # Headers to Remove
+ proxy_ignore_headers Cache-Control;
+ proxy_ignore_headers "Set-Cookie";
+ proxy_hide_header "Set-Cookie";
+
+ # Proxy Buffer Config
+ proxy_busy_buffers_size 1024k;
+ proxy_buffers 4 512k;
+ proxy_buffer_size 1024k;
+
+ # Proxy validity
+ proxy_cache_valid 200 202 14d;
+ proxy_read_timeout 8m;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_background_update on;
+ proxy_cache_lock on;
+ proxy_cache_bypass $cache_bypass;
+
+ set $http_authorization_present '[NOT PROVIDED]'; # Default to '[NOT PROVIDED]'
+
+ if ($http_authorization) {
+ set $http_authorization_present '[REDACTED]'; # Set to '[REDACTED]' when the Authorization header is present
+ }
+
+ # Configure a resolver to use for DNS resolution. This uses the Docker DNS resolver
+ # See https://tenzer.dk/nginx-with-dynamic-upstreams/ for why this is necessary
+ # When considering what the "base_url" should be, consider the following:
+ # - The base_url should be the unchangable part of the URL for any request tho that API
+ # - If the API uses versioning, the version should be included in the base_url
+ # - If the API is a subpath of a larger API, the base_url should be the path to the API
+ # - Examples:
+ # - GET `https://api.first.org/data/v1/epss` => base_url=`https://api.first.org/data/v1`
+ # - GET `https://services.nvd.nist.gov/rest/json/cves/2.0` => base_url=`https://services.nvd.nist.gov/rest`
+
+ # resolver 127.0.0.11 [::1]:5353 valid=60s;
+
+ # rewrite_log on;
+
+ ################ Docker Compose Services #################
+
+ # Include any additional routes from the routes directory
+ include /etc/nginx/conf.d/routes/*.conf;
+
+
+ ################### Redirect Handling ####################
+
+ location @handle_redirects {
+ # store the current state of the world so we can reuse it in a minute
+ # We need to capture these values now, because as soon as we invoke
+ # the proxy_* directives, these will disappear
+ set $original_uri $uri;
+ set $orig_loc $upstream_http_location;
+
+ # nginx goes to fetch the value from the upstream Location header
+ proxy_pass $orig_loc;
+ proxy_cache llm_cache;
+
+ # But we store the result with the cache key of the original request URI
+ # so that future clients don't need to follow the redirect too
+ proxy_cache_key $original_uri;
+ proxy_cache_valid 200 206 14d;
+ }
+ }
+}
diff --git a/kustomize/overlays/tests/oauth-secrets.env2 b/kustomize/overlays/tests/oauth-secrets.env2
new file mode 100644
index 00000000..ae7f97eb
--- /dev/null
+++ b/kustomize/overlays/tests/oauth-secrets.env2
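Review bot: In `@handle_redirects` the cache key comes from `$uri` (`set $original_uri $uri;` then `proxy_cache_key $original_uri;`), which drops the query string, so two requests to the same path with different arguments would share one `llm_cache` entry for 14 days. Capturing the full request line instead, `set $original_uri $request_uri;`, avoids that collision; the key should also match whatever the route files under `conf.d/routes/` use, which are not part of this patch. Separately, `proxy_pass $orig_loc;` sends the request to whatever host the upstream's `Location` header names, and nginx needs a `resolver` to look up a hostname held in a variable, yet the only `resolver` line in this file is commented out. Unless an included file defines one, redirects to hostnames will fail; if one is defined, the redirect target is worth restricting to the expected upstream hosts.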
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:JM3q6XFUVQ8XvsAWyaHAXUcxGPgB3ixEwIL6NGXTLfznS8v7FRRouw1iG7zDn+IFCk2kYhHW+wJ2fDBj23Fdh5dMPIDzMvxn2yyLLqyvYsnzM9JNVnIM1XALph/U0J0GYmzMLIJgqKnk7UexkypD8VM=,iv:6YKdj5UDd2TdPNwG4u5U1CZ3Mbi0MV82kgvNc+R4MUU=,tag:Rm3WSsiGmnmIn1NrQdZlpg==,type:str]", + "sops": { + "lastmodified": "2026-01-25T11:54:51Z", + "mac": "ENC[AES256_GCM,data:UiHjGVbr6MnTwXjpfQAba15b2dW0EeRmZ0LCqvwMfMoJlRQOgjmGDldeXBRO+jyYKvMsxfRLsGjIIDAnWE4+68NCHhH4IbDPH3gvwLijzNrUWX5wwFtQP7uXhtB5gQjt0G5e1Mwtz2oPPPRQ1BTVycHrJN8E81UANBpTN93kQFU=,iv:tnwkRwG9ChLQFudPafIGotkyjUXTedcRhT4QXiI0t80=,tag:ZEGjTCCkmRTKTboqE/GK6w==,type:str]", + "pgp": [ + { + "created_at": "2026-01-25T11:54:51Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dy77zzNMwU0sSAQdABXzNXw0NPdMDlcCmVeio3d9jVFxFAr/IQkfrGkzimFMw\nt8tPnMaZfSe0ZNTtDMUhtXtYqu8Mqk+IGNANQyQXw9/pK6tL3sdctQpwES+h5SOK\n0l4B7x69zvOIlmK3yB8EoPE1Vn/0qoRjjyOk3/CWoeDGjL4hwwmOLTtAM0un/VCb\nhiEX4nEgWIaz4DWyQLZkqhJbPlRLTOvwXZI95UY1f5nQRt/zjbeKtRbXmiH+qlXy\n=X3t6\n-----END PGP MESSAGE-----", + "fp": "8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7" + } + ], + "version": "3.11.0" + } +} diff --git a/kustomize/overlays/tests/registry-app-creds-enc.yaml b/kustomize/overlays/tests/registry-app-creds-enc.yaml new file mode 100644 index 00000000..86da72c7 --- /dev/null +++ b/kustomize/overlays/tests/registry-app-creds-enc.yaml 
@@ -0,0 +1,25 @@ +apiVersion: ENC[AES256_GCM,data:tCQ=,iv:/JnoJlOSPDnpfzPax3IltVloS91QOp2VWzDWAkVi1cw=,tag:N+vwaUKTsFHin1YE0hh2pA==,type:str] +data: + REGISTRY_REDHAT_PASSWORD: ENC[AES256_GCM,data:DY9vrRSPyVvFWqIUiughhehhr65Z0xGrTzMH254SVOuMdHqq8PClGO9XN+JBjMib63nd/Dih5jMkdAqGPt8HnumVWJKj2O8B1ry1o1kcHbGEv3RM0YPs5xzoAqCX8P5eP9MRW1vJc0vxqJA3hKPJ5colLR4KevFmoFYMPCczVHJygvNQlqU0smJaQcdwyPYWo0NQgSYGo6qUVbjgYCjzQFf1EJEiaZX+bdQTAlcHcdexZI+5cquSijaBFxi4GlLSXIldlnPA+rCQ8hTyD3PEj7drvfJad6u06Wm0MjJoyD/gAIoE/9NiSsnq+7fr5Ulf1FrFekq7ps1iMm83uKAiXRSC2WtBnNA0UdU09Dl5efXSvlvCi5AbK4o6gI/LnMyvcGkYlqKDgGYYNcDZqMe8wxk3SOuMuL0JZTBdC92AN2HZtYvinDrL885azN7tXHulNwYRGtPkK2GH2Yuhbi693dwejR6Edk6C2KhczOKtaLFH7ULiQSUMwk/xEmqH1HDOcuai0oX94HuIKYiWFVhoe72I2Mxbwc9Wt8cQ/WAn5DEuBrdQJ/gd9q4/lRAi1x/5wwlGy2TWMOiq2Oh7tTrh6wEvImLFKQ6wxlxFLHYs1p9xvSrHcyFxa6zyNOsir2cImQSaXdS/d91JfjFiHY9MHdCTP7wY3Tb9kYKi2txUdTbVop7SiKpTJfZg1rwhZWi0HsEWpDCJugKENbJinv6IaEmb8yc5pnl9vS0qLfljDAipnBkMm81J05kVhrZoq5I6w1a7JYXomXcTZAPwPTwh+PMuI/+IUxT/ciWbkT2YfPWmWGlzLFaKGd1w7sj3XthTtrIh5elw2xwoeuEwvZLIbeZRZwhWOoi/h6ByMPdCc2ReUaN91yumN22sYaw8mHudz2D4nbPo12ZfPfA1Xx4EsVFe5j0FLn5GP2TCcuO/DAMrXvXUykhGCPMcExpid2Q+WXYYq/LwAEyyqqfUVsXbjlb9+4i4MqXISzUhI5mQmVbh5iusWbEUvrvpBJe1wsLZhRfOSpdmQRhYNoSiVj/xZfJt2jzqPK4ISmkY9wiK68V79cJgugzwS28bWwF08AZZNSsPAXadODCpuqCve7JmWl3nR0X0Acel/gqU2KCykGbr3EvdxUaIGUHsbLqoXjhrLrVsJ0Lyd3g+bhNL1an4QzgUHiVok0/eUQXXcUJt5TddedG2TkOtQINl8atBSS9TNW1paxco8Aiq47uRRC+4O1i0V1iyeYOPejQjMjTTGF2326R6c6REmQVsAqjqG1FaqH6WzQZB8p0sXHTtm+bFGKjPnjaaHezolumRL/DrrFL16VtJuqZLnKJ9m3RjAZQVVqINt9SUiNU3IA0u,iv:COGn/Fn8b7HLutwSONHSkQL8FDm/DiaTzksfJhv+5no=,tag:FLTdrggW+uTEdbczPZqCAw==,type:str] + REGISTRY_REDHAT_USERNAME: ENC[AES256_GCM,data:7tDxGRcjSHGsBb//r5NBJtaz+g9HrTQ2,iv:/gRNExKbdVqMOvdvUxCw5ajJVTb/7Pthxs02AlwKqo0=,tag:wjBGPzc8nkF/3LMoZaFoKA==,type:str] +kind: ENC[AES256_GCM,data:0g19ZH//,iv:FQwXlhfkZNRBZF65DmZarqFDLeQQJ8lUSS9d0laPABU=,tag:0RcpIXMAN4CK5QI5QkXG/A==,type:str] +metadata: + name: 
ENC[AES256_GCM,data:FDxteHJ/f1a7FgW+RUryKQ==,iv:59iQVkcUKGymcArOn4PCR8L1ups0XmHcmv601J9dtHc=,tag:vrdPMLmn0UDijAWfCm9MSg==,type:str] +type: ENC[AES256_GCM,data:jJztE258,iv:jk9TV1Uf1ydiyunGsv32tlp5grXTVyTbI2lJkVTM9lU=,tag:WUnjbftart7YctxO1XS+sg==,type:str] +sops: + lastmodified: "2026-01-25T22:26:41Z" + mac: ENC[AES256_GCM,data:5IZ8f03JChaaNm/wozc7wbs+DDeFYEguGB9/C49MPv6zK2xhnHFmk0B/RHrIl+/ZNZU0NtcQ9ZZxeYGEHgDKrHJpnFrPZeuRUPhmfCkVY2POzas85SI0oCfXKaSehdzRVd7XQ1++fRo9SHXbWsNgRH2C+g3XToFjOeyBg6cPfBM=,iv:bf0WSgF5g19TtxYL7HfzpjXlZAQbUAaXW2LkGraGVFw=,tag:KcRubwVZFcge2Kw5GrpMkw==,type:str] + pgp: + - created_at: "2026-01-25T22:26:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dy77zzNMwU0sSAQdA0hIJBy0m1G4y//yFta/U+2rnqzA/E5cuBHP379fUD2Ew + v0oJlrgCU01/xwvy2VvAHJaVbZ2/3vcR6DCnpo33Ev3tZFwRKDM8jQzPZpkvaAwh + 0lwBB7dTxipu3NSEQDY8Y/g9+eIlbQTF3T6aRi1XHXoVNsgsaHGTfAxfA99mXKzD + Q50124BAwhb88VXw6OLvN8CqcEK3l0t1VtpgF6BkGTB7/cJxaWmfHbP+O8J2Ew== + =GF5p + -----END PGP MESSAGE----- + fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/kustomize/overlays/tests/sc-llm-pvc.yaml b/kustomize/overlays/tests/sc-llm-pvc.yaml new file mode 100644 index 00000000..fe5caa30 --- /dev/null +++ b/kustomize/overlays/tests/sc-llm-pvc.yaml @@ -0,0 +1,13 @@ +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: gp3-csi-throughput-2000 +parameters: + encrypted: "true" + throughput: "2000" + iops: "64000" + type: gp3 +provisioner: ebs.csi.aws.com +reclaimPolicy: Delete +volumeBindingMode: WaitForFirstConsumer diff --git a/kustomize/overlays/tests/secrets.env2 b/kustomize/overlays/tests/secrets.env2 new file mode 100644 index 00000000..df5a5048 --- /dev/null +++ b/kustomize/overlays/tests/secrets.env2 
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:MNFqnAFl1Ugx9oebDR66ckvZx8jksY+HeDsNFehFrk4=,tag:f6N8qxAy07EJHHwu2N5K3g==,type:str]", + "sops": { + "lastmodified": "2026-01-25T12:03:28Z", + "mac": "ENC[AES256_GCM,data:S8a8LiimwRsM2oqj6kMnG1umAXxb42GcdGLpDtcXLcbA3EewgRVCl+UIkDvFkagK8WUl2jr715wNgS/OlIWWdTBc/jAfU0iV3AHOCCz/Z1t16wQ96Pf3sEc0++l4EFlPfBPmhhCdXoAVh8TrPSpQRRKEXNY9JKcps2nZ5UDJ5tM=,iv:djGFNCf5O36+iyb+ENVdnThB749rc7PvpA8JAFJFKCg=,tag:fl7sRerdVAAXBkIATUl7zw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-25T12:03:28Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dy77zzNMwU0sSAQdAZGmK8TFHDd7hi+u6iK85h+tsLOTnv+cd5N5R2hmhizgw\nYGsqyjGgzxKosWdsGQw9n6RQwLookPSjLtO74CInBmSSpbL+k4NhAKs+G2vCojdN\n0lwB7TegWbha7ElzY6+MjOv+1p5EBhHFIWut+6+iV7HzrbralcDvo1Lo7b7e/4sv\n3jEf4HcelocgSLURYvL/5Cl48AVXrhkxdha+6xw4py4YRFIarIMU8ZRnL5gAqw==\n=caPs\n-----END PGP MESSAGE-----", + "fp": "8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7" + } + ], + "version": "3.11.0" + } +} diff --git a/kustomize/overlays/tests/server-model-config-enc.yaml b/kustomize/overlays/tests/server-model-config-enc.yaml new file mode 100644 index 00000000..f978b3c5 --- /dev/null +++ b/kustomize/overlays/tests/server-model-config-enc.yaml 
@@ -0,0 +1,32 @@ +apiVersion: ENC[AES256_GCM,data:GqM=,iv:X9ZA6MF+bye5xH0o8LL/4XFDfiVzgDeL/LJUVGNiJnA=,tag:jlRvjVgKLC66t+n/9UPxeQ==,type:str] +data: + CHECKLIST_MODEL_NAME: ENC[AES256_GCM,data:7OrZQrchux0+jlBPEuDhsyAv1Ix75Yp1/uPKdjy2g2lziSXhdwBrEtSF0U4dQWBITTYp,iv:TAd+SIFStCUd1qQDtQpD9ejlH8R6oCa4mLrwBYPh5nE=,tag:wGSMp+pww/4Zt7mvqVvwrg==,type:str] + CODE_VDB_RETRIEVER_MODEL_NAME: ENC[AES256_GCM,data:4D444ciNBzQPnhYXT0niQZWF12OtQ/stcNpdEbCXCCRbf/jUfkYoai+0u08EsYgmh+TC,iv:SehqcrF7ZA5itfSeEDMyeuFTOBrufGLlGcNxO+yKdp4=,tag:4jJ05Bitj0iVNDvSl2NeaQ==,type:str] + CVE_AGENT_EXECUTOR_MODEL_NAME: ENC[AES256_GCM,data:xtooeRKaRb2uXvEmhcq6W6M9UX1g2fk2WC9jf0cj0ReMlNZ0waj7JOY0KVfWM4n9eBEg,iv:mYGS+QzlUv3aUKQlGF3Qj++h9kg73Btpmi+mf3GUJ3w=,tag:BWLyR3yhAqEdpLE1T4lYpg==,type:str] + DOC_VDB_RETRIEVER_MODEL_NAME: ENC[AES256_GCM,data:g9DV3/7vINF2g4MPUScMedRhx4EzUn6aOHztFmAmhdqU7iaOYAMLQaGZkkMdiXsSqziu,iv:0swptAt4Hwg0/y3f28btcv2Mtq0yYB/mCTfFXjWe00k=,tag:vdgiZOimYt+5uluRtyP+cQ==,type:str] + GENERATE_CVSS_MODEL_NAME: ENC[AES256_GCM,data:uDTbwkxuuohDKJ9X+uAYHE2lJgb8BKEBkTGH5xL1YWy82R6OpWE53l9d9/KAk8JL3COi,iv:bWsmW1J1U0zmWlhj5cvLz1dFYG/NPF3PiZhWS5duT+Q=,tag:w6PCNZhOysrHW7l74X8EiQ==,type:str] + JUSTIFY_MODEL_NAME: ENC[AES256_GCM,data:ar93nbJy18x6Nb++YGHSuh6QGFnmhiyAZtq6hpRsDT6g4XSAmFAsCO5IvBEIZ7dpNprZ,iv:ks3khWQCRnz8mUrvK7B9SVz+wKOF49JU817dWglaDrM=,tag:OB3ULv2x4Ref63j/nlp8DQ==,type:str] + NVIDIA_API_BASE: ENC[AES256_GCM,data:58mO8y0qF6FBOXcc4E3jppjo3ym6A48wGZL9OxTPlHcYptR/AW6KvGdSA8TMk5DG9RE10Edx0ChXB9XsMFvxfQnfA+9OiBnCNxRUXw==,iv:OUlIO/XHdqkvpOM35JfEQSke6TmyCuMOEcvJqLSUkzE=,tag:kifU31FSIu3//q9pc7u40A==,type:str] + PYTHON_VERSION: ENC[AES256_GCM,data:OmHFTw==,iv:qsd4oNKf/oYCSpICfSE7cuUlIfRmI7VrZ+Wth/nNPvM=,tag:Hy0YNQ9lmcbqrXHEjtzfxg==,type:str] + SUMMARIZE_MODEL_NAME: ENC[AES256_GCM,data:vO8ztZTgcvg5tv5FQaKlKBsTs8ms/78Qe9OtmDS7LnibP6K9yljNbz9ai73Ph3CIn4Wu,iv:ak/afG2kXG1rvsriN21zNsjttc2Vt+VoYhoauwWA6ZI=,tag:lf0QVlghAuin8l4keWkY3A==,type:str] +immutable: 
ENC[AES256_GCM,data:7VHk5CM=,iv:9GuqxkAjk0XtcAHP1xJ7OjfHRDEydV2XCrNzXMzNZho=,tag:J261qozJtzdv+tOzIZYmrA==,type:bool] +kind: ENC[AES256_GCM,data:+XvGoKaqZt3d,iv:ipjdNZIC5ucrWo7Cpa3I64nKLd2eOslQjwe6R0LXsXU=,tag:ZvTEtcfLxIBMvqEw7mLqWA==,type:str] +metadata: + name: ENC[AES256_GCM,data:bIyOig0niHOw8aT3r5yg6wSZzg==,iv:FNtbtOzmrKkz4Ocb7ujgsBBg72P0ACMlS5DfT8DP4rk=,tag:beE9XVfmH2CzYoCkYJMnuQ==,type:str] +sops: + lastmodified: "2026-01-26T09:27:06Z" + mac: ENC[AES256_GCM,data:xMMv5Lrb9cRGYoEjwLHHf74gadMJfm17697zJn/UI+2bZceSBVlJZAN+4Q8yOtTDM0uC1uuGbwZC82yJuguMNuDUFo8yQJ1evU45A8WPKJXLW9GkLCIuh/8302kH08EI9GLcBR5eXuQCl1N1uKRx56rNCiu/WCFJN3WUS/gM/8A=,iv:C1KHyp68xbcOSCDpDjvoHMsPGB4YsnQ+2dHkyOo+l8g=,tag:0aFf97vxoXupUQX8kQAkRA==,type:str] + pgp: + - created_at: "2026-01-26T09:27:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dy77zzNMwU0sSAQdAANcbJdqeIUK1mUDG/+GglQPLSlMcvS0xt0aP0eHsakEw + EU5sQytLTMNUYH6iRp7BacACVQ8T/1rllgno7lGN5nLoEUDbg/wOtFH3ZHFus6kj + 0l4Bwe9pK+UsHDqy6I38YWHU42AsEECCZjs5fPHUnKBR2oBBpf4S/Eg9/FVnRIOY + QFkPgGIyQIOPbCVzaIo+tzuIwwT0RjQQAcnPZM3eM0ie1q82eD9UstkwAV6Upzqv + =mxQm + -----END PGP MESSAGE----- + fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/kustomize/overlays/tests/tekton-config.yaml b/kustomize/overlays/tests/tekton-config.yaml new file mode 100644 index 00000000..8183bbcf --- /dev/null +++ b/kustomize/overlays/tests/tekton-config.yaml 
@@ -0,0 +1,139 @@
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonConfig
+metadata:
+ finalizers:
+ - tektonconfigs.operator.tekton.dev
+ labels:
+ openshift-pipelines.tekton.dev/sa-created: "true"
+ operator.tekton.dev/release-version: 1.21.0
+ name: config
+spec:
+ addon:
+ params:
+ - name: communityResolverTasks
+ value: "true"
+ - name: pipelineTemplates
+ value: "true"
+ - name: resolverTasks
+ value: "true"
+ - name: resolverStepActions
+ value: "true"
+ chain:
+ artifacts.oci.format: simplesigning
+ artifacts.oci.storage: oci
+ artifacts.pipelinerun.format: in-toto
+ artifacts.pipelinerun.storage: oci
+ artifacts.taskrun.format: in-toto
+ artifacts.taskrun.storage: oci
+ disabled: false
+ options: {}
+ performance:
+ disable-ha: false
+ config: {}
+ dashboard:
+ options: {}
+ readonly: false
+ hub:
+ options: {}
+ pipeline:
+ await-sidecar-readiness: true
+ coschedule: pipelineruns
+ default-service-account: pipeline
+ disable-affinity-assistant: true
+ disable-creds-init: false
+ enable-api-fields: beta
+ enable-bundles-resolver: true
+ enable-cel-in-whenexpression: false
+ enable-cluster-resolver: true
+ enable-custom-tasks: true
+ enable-git-resolver: true
+ enable-hub-resolver: true
+ enable-param-enum: false
+ enable-provenance-in-status: true
+ enable-step-actions: true
+ enforce-nonfalsifiability: none
+ keep-pod-on-cancel: false
+ max-result-size: 4096
+ metrics.count.enable-reason: false
+ metrics.pipelinerun.duration-type: histogram
+ metrics.pipelinerun.level: pipeline
+ metrics.taskrun.duration-type: histogram
+ metrics.taskrun.level: task
+ options: {}
+ params:
+ - name: enableMetrics
+ value: "true"
+ performance:
+ disable-ha: false
+ require-git-ssh-secret-known-hosts: false
+ results-from: termination-message
+ running-in-environment-with-injected-sidecars: true
+ send-cloudevents-for-runs: false
+ set-security-context: false
+ trusted-resources-verification-no-match-policy: ignore
+ platforms:
+ openshift:
+ pipelinesAsCode:
+ enable: true
+ options: {}
+ settings:
+ application-name: Pipelines as Code CI
+ auto-configure-new-github-repo: "false"
+ auto-configure-repo-namespace-template: ""
+ auto-configure-repo-repository-template: ""
+ bitbucket-cloud-additional-source-ip: ""
+ bitbucket-cloud-check-source-ip: "true"
+ custom-console-name: ""
+ custom-console-url: ""
+ custom-console-url-namespace: ""
+ custom-console-url-pr-details: ""
+ custom-console-url-pr-tasklog: ""
+ default-max-keep-runs: "0"
+ enable-cancel-in-progress-on-pull-requests: "false"
+ enable-cancel-in-progress-on-push: "false"
+ error-detection-from-container-logs: "true"
+ error-detection-max-number-of-lines: "50"
+ error-detection-simple-regexp: ^(?P[^:]*):(?P[0-9]+):(?P[0-9]+)?([
+ ]*)?(?P.*)
+ error-log-snippet: "true"
+ error-log-snippet-number-of-lines: "3"
+ hub-catalog-type: artifacthub
+ hub-url: https://artifacthub.io/api/v1
+ max-keep-run-upper-limit: "0"
+ remember-ok-to-test: "false"
+ remote-tasks: "true"
+ require-ok-to-test-sha: "false"
+ secret-auto-create: "true"
+ secret-github-app-scope-extra-repos: ""
+ secret-github-app-token-scoped: "true"
+ skip-push-event-for-pr-commits: "true"
+ tekton-dashboard-url: ""
+ scc:
+ default: pipelines-scc
+ profile: all
+ pruner:
+ disabled: false
+ keep: 100
+ resources:
+ - pipelinerun
+ schedule: 0 8 * * *
+ result:
+ disabled: false
+ is_external_db: false
+ options: {}
+ performance:
+ disable-ha: false
+ route_enabled: true
+ route_tls_termination: edge
+ targetNamespace: openshift-pipelines
+ tektonpruner:
+ disabled: true
+ global-config:
+ enforcedConfigLevel: global
+ historyLimit: 100
+ options: {}
+ trigger:
+ default-service-account: pipeline
+ disabled: false
+ enable-api-fields: stable
+ options: {}
diff --git a/kustomize/overlays/tests/user-feedback-ips.secret b/kustomize/overlays/tests/user-feedback-ips.secret
new file mode 100644
index 00000000..e0f44fb9
--- /dev/null
+++ b/kustomize/overlays/tests/user-feedback-ips.secret
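Review bot: This file reads like an export of the live, operator-managed `TektonConfig` named `config`: it carries `finalizers`, the `openshift-pipelines.tekton.dev/sa-created` label and `operator.tekton.dev/release-version: 1.21.0`. Assuming that object is the cluster-wide singleton, applying it from the tests overlay pins every setting for all namespaces rather than only the test project. Keeping just the fields the overlay needs to change, and dropping the operator-set metadata, would make the intent reviewable. Among the pinned values, `require-git-ssh-secret-known-hosts: false`, `trusted-resources-verification-no-match-policy: ignore` and `require-ok-to-test-sha: "false"` leave checks switched off on a cluster that runs pull-request pipelines with registry and GitHub credentials. If they are deliberate, a short comment on each, such as `# kept at default: no trusted-resources policy is configured on the test cluster`, would record that decision.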
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:DTCFG/YxGdv2PUvFy4ZpUcn71vTKVE9Pq6OdqGrhThVqW5yIZFdIlEutthH9q/AbnzZZalBxf7nb7T/muOnJd+pE+uN1jlrv6kSdaEcwgViK9CQCRVhqIfWCZNFYyGVFpo90TlD8dTrvk0f1LqbnTQGbuhBIscuKmYzJB+FZuUYzBP+7YgLD34lwhRwOd3gM6IwYyptkDYL7BnZB8t7bZSeliuQwmjwJZ49oDVtG8+CZN7UlUw1hxVJPM96BR6Ob,iv:VE3imWMy9VK5IEQ0ZV+WYbHtRNNAUXPZZY3mA52P258=,tag:2UFpjo65+QUs9fvcTueiQQ==,type:str]", + "sops": { + "lastmodified": "2026-01-25T12:11:26Z", + "mac": "ENC[AES256_GCM,data:PpNa9n8COE+xLG2Kmb8U18dAUT7iqhUfsquUqJC+42DdGC5eWU9t+nxJjy2Hgpf+Gj9hZErRQDYn6LZufKl87YcOix5V8TlBx078LIw1ZFch5xvPIoRef47uedpnPZM6UDAYFljDj6VWUXj6zdqC+GypArYYt5c50iIpY31Fd0c=,iv:N/8Ie16mcQ+QnGjg9c4rXK0OSJn+KujWA7S2WFFa4jc=,tag:69iiCf7FIVmm//LrtCixcw==,type:str]", + "pgp": [ + { + "created_at": "2026-01-25T12:11:26Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dy77zzNMwU0sSAQdA/VGmVQPa0NNd5tNIIEunjIeYbcNYFAytX7GStmGIWzow\nzGLovmXwgN/5IQAdqZiRovpI5nURr49xCgCjiHfvui0eI0mm05+Zhph7GlSG0FwV\n0lwB7q/kruiHG/tWCtqESzJYMfun7Jh0CWH/yl3K7N3JiwREqUsSUVG4xOdhJEEs\nus/Ov0GJd6isSwb1uLjtCNszmiQXss6Rw/tutDmRwR4nE0J26CujVwqkuSDbbg==\n=RFOe\n-----END PGP MESSAGE-----", + "fp": "8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7" + } + ], + "version": "3.11.0" + } +} From 9f616192bfab8858770bdd69c3a26e0650ecde12 Mon Sep 17 00:00:00 2001 From: Zvi Grinberg Date: Mon, 26 Jan 2026 18:39:59 +0200 Subject: [PATCH 2/5] docs: add sections about PAC github application and openshift pipelines config Signed-off-by: Zvi Grinberg --- kustomize/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kustomize/README.md b/kustomize/README.md index ae287a39..921e967c 100644 --- a/kustomize/README.md +++ b/kustomize/README.md 
@@ -270,8 +270,7 @@ kustomize build . | oc apply -f - 7. Deploy Self hosted LLM for the automation tests ( Integration tests and Confusion matrix runner): ```shell -helm upgrade --install --set nim_embed.enabled=false --set llama3_1_70b_instruct_4bit.storageClass.name=gp3-csi-thr -oughput-2000 --set llama3_1_70b_instruct_4bit.readinessProbe.initialDelaySeconds=25 --set llama3_1_70b_instruct_4bit.readinessProbe.periodSeconds=10 --set global.tolerationsKey=p4d-gpu exploit-iq-tests ../../../exploit-iq-models/agent-morpheus-models +helm upgrade --install --set nim_embed.enabled=false --set llama3_1_70b_instruct_4bit.storageClass.name=gp3-csi-throughput-2000 --set llama3_1_70b_instruct_4bit.readinessProbe.initialDelaySeconds=25 --set llama3_1_70b_instruct_4bit.readinessProbe.periodSeconds=10 --set global.tolerationsKey=p4d-gpu exploit-iq-tests ../../../exploit-iq-models/agent-morpheus-models ``` 8. Remove untracked decrypted secrets files @@ -285,3 +284,7 @@ helm delete exploit-iq-tests oc delete project $(oc project --short -q) ``` + +10. Need to install on cluster [Openshift pipelines operator](https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines/1.19/html/installing_and_configuring/installing-pipelines) +11. If need to install the [exploit-iq-pac](https://github.com/apps/exploit-iq-pac/) PAC (pipeline as code) github application on a new cluster , you need to make sure to configure it according to the [PAC github application docs](https://pipelinesascode.com/docs/install/github_apps/#configure-pipelines-as-code-on-your-cluster-to-access-the-github-app). +In this case, you need to supply to the secret in the documentation github application private key generated in the github app settings, and webhook secret defined and set in the application settings. From 06084b786590e13f0516f570f4b036ee161d1cf5 Mon Sep 17 00:00:00 2001 From: Zvi Grinberg Date: Mon, 26 Jan 2026 23:07:24 +0200 Subject: [PATCH 3/5] chore: propagate ips to all taskruns 
Signed-off-by: Zvi Grinberg --- .tekton/on-pull-request.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.tekton/on-pull-request.yaml b/.tekton/on-pull-request.yaml index 00d714fb..5551a482 100644 --- a/.tekton/on-pull-request.yaml +++ b/.tekton/on-pull-request.yaml @@ -17,6 +17,10 @@ metadata: # How many runs we want to keep. pipelinesascode.tekton.dev/max-keep-runs: "5" spec: + taskRunTemplate: + podTemplate: + imagePullSecrets: + - name: ecosystem-appeng-morpheus-quay params: # The variable with brackets are special to Pipelines as Code # They will automatically be expanded with the events from Github. @@ -255,6 +259,8 @@ spec: workspace: basic-auth # Needed for pushing tags/releases - name: exploit-iq-data workspace: exploit-iq-data + - name: dockerconfig + workspace: dockerconfig-ws params: - name: CURRENT_REVISION value: $(params.revision) @@ -262,6 +268,7 @@ spec: value: $(params.pr_number) taskSpec: + params: - name: CURRENT_REVISION type: string @@ -271,7 +278,6 @@ spec: - name: source - name: basic-auth - name: exploit-iq-data - # >>> THE SERVER (Sidecar) <<< sidecars: - name: server-application From 593f1e288106aea936d0eb962c014f9e93fd4a36 Mon Sep 17 00:00:00 2001 From: Zvi Grinberg Date: Tue, 27 Jan 2026 17:06:22 +0200 Subject: [PATCH 4/5] fix: correct wrong password in secret chore: add exploit-iq client app ips secret for the ci build process Signed-off-by: Zvi Grinberg --- .gitignore | 1 + kustomize/README.md | 1 + .../exploit-iq-client-build-ips-enc.yaml | 24 ++++++++++++++++ kustomize/overlays/tests/kustomization.yaml | 1 + .../tests/registry-app-creds-enc.yaml | 28 +++++++++---------- 5 files changed, 41 insertions(+), 14 deletions(-) create mode 100644 kustomize/overlays/tests/exploit-iq-client-build-ips-enc.yaml diff --git a/.gitignore b/.gitignore index 79b658d8..0c31c4db 100644 --- a/.gitignore +++ b/.gitignore 
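Review bot: The second hunk binds a `dockerconfig` workspace (`workspace: dockerconfig-ws`) to the task, but the embedded `taskSpec` workspace list visible in the last hunk still declares only `source`, `basic-auth` and `exploit-iq-data`. Unless the declaration sits above the lines shown, the binding has no matching workspace and Tekton validation may reject the PipelineRun; adding `- name: dockerconfig` to that list would close the gap. Because this pipeline runs on pull requests, it is also worth confirming that only the step needing registry access mounts that workspace, since any step or sidecar that mounts it can read the credential file. The `taskSpec` and its `workspaces` block start and end outside these hunks.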
@@ -205,6 +205,7 @@ tags **/server-model-config.yaml **/sec-decryption.key **/registry-app-creds.yaml +**/exploit-iq-client-build-ips.yaml diff --git a/kustomize/README.md b/kustomize/README.md index 921e967c..9edb09d2 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -260,6 +260,7 @@ sops -d registry-app-creds-enc.yaml > secrets/registry-app-creds.yaml sops -d secrets.env2 > secrets/secrets.env sops -d server-model-config-enc.yaml > secrets/server-model-config.yaml sops -d user-feedback-ips.secret > secrets/user-feedback-ips.json +sops -d exploit-iq-client-build-ips-enc.yaml > secrets/exploit-iq-client-build-ips.yaml ``` 5. Override any secret that you need in the decrypted files, if not needed, you can continue to next step. diff --git a/kustomize/overlays/tests/exploit-iq-client-build-ips-enc.yaml b/kustomize/overlays/tests/exploit-iq-client-build-ips-enc.yaml new file mode 100644 index 00000000..1e385c0b --- /dev/null +++ b/kustomize/overlays/tests/exploit-iq-client-build-ips-enc.yaml 
@@ -0,0 +1,24 @@ +apiVersion: ENC[AES256_GCM,data:V0g=,iv:aku+6VNcpHX/VwyWNuHMU9p1UJn9QgI9az5pl57Up0c=,tag:9cHqcamNq/n459qQRu6bKg==,type:str] +data: + .dockerconfigjson: ENC[AES256_GCM,data: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,iv:GiAFMGtzev6bnTtbKrhaUmJipZfYEriVDR0hIIcbuvk=,tag:p87FISG6OFI5n2suKECcKg==,type:str] +kind: ENC[AES256_GCM,data:oDXj1wmI,iv:zRQA0DPLBhe7skXIqE4vLQKlQgzsOW7PhmSQBTUhVcw=,tag:NeNhMXL3nrFDXVGiISQqvw==,type:str] +metadata: + name: ENC[AES256_GCM,data:YWKVdWVd7Vkby+mGaoqCCdFbZnk=,iv:xNy7/XNWt0Ng7A45WEZ+K8RQD6inqy9TEhVFqnWzxm0=,tag:X+ar+MFIhG4Nsz5gwopLJg==,type:str] +type: ENC[AES256_GCM,data:tC3kqUKpNt1xPF8COd35itVzvDwEXxmOvnc5iYOT,iv:4KHXCxzXmH2LSX3/WmvWjeol2kG9FtcB9K1vczpoS2k=,tag:EkcbbOGnUM5ICiwV9fyYog==,type:str] +sops: + lastmodified: "2026-01-27T14:58:25Z" + mac: ENC[AES256_GCM,data:4QX9acqwVT0yIblv0/On8BZVK3d47GcLccXhWWyrdRYW+4BgR8zc1v+k1YRxJEBlojlXNqvaFs9tEEdNWQ0QHBUsR8jMQ0T2t5EqHb9LPE4WOYuBVcTyeqDmyc01EKHDWdutYxo15kotCMG1FO5OgZ11Rcwdv3f1QVdgskN4Pks=,iv:kiq2siF75QwGOK84k013AD8ex5N/kPMc6FrUOp531v0=,tag:Qq2Y1COIOw46WyU/qUH+ZQ==,type:str] + pgp: + - created_at: "2026-01-27T14:58:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dy77zzNMwU0sSAQdAeDQZY4S70FaOHXTn3u7lIZfKvrpRyBtH5osQEepI+E4w + NnlXnnxgtOHBU8nHJZK2vmNge1hVUaGBcZ+mvsnanMEs0zpFkn2LD1hoQhVR+kYo + 0l4BIJTzMKoU0+NlCheUC8dD4lPhgVszP+Lis2ftddN2+q3rAwkcpBZC3ADkw4lp + GFuWjTCeNbfrWV5VGPj0rUfgXrqBS49df/aBBlkwCuEI+iwKFaw6UE21TrOT7p6L + =MreB + -----END PGP MESSAGE----- + fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/kustomize/overlays/tests/kustomization.yaml b/kustomize/overlays/tests/kustomization.yaml index fbafaf32..f2c17fd3 100644 --- a/kustomize/overlays/tests/kustomization.yaml +++ b/kustomize/overlays/tests/kustomization.yaml 
@@ -10,6 +10,7 @@ resources: - secrets/integration-tests-secrets.yaml - secrets/registry-app-creds.yaml - secrets/server-model-config.yaml +- secrets/exploit-iq-client-build-ips.yaml secretGenerator: - name: argilla-user-feedback-ips diff --git a/kustomize/overlays/tests/registry-app-creds-enc.yaml b/kustomize/overlays/tests/registry-app-creds-enc.yaml index 86da72c7..57af3b13 100644 --- a/kustomize/overlays/tests/registry-app-creds-enc.yaml +++ b/kustomize/overlays/tests/registry-app-creds-enc.yaml 
@@ -1,24 +1,24 @@ -apiVersion: ENC[AES256_GCM,data:tCQ=,iv:/JnoJlOSPDnpfzPax3IltVloS91QOp2VWzDWAkVi1cw=,tag:N+vwaUKTsFHin1YE0hh2pA==,type:str] +apiVersion: ENC[AES256_GCM,data:IZw=,iv:xXXhE071qT3QN3TglSdLUY9cFsjaVyJb194zVl1Bso8=,tag:lgtA2jrDSfp5lMw6M9dMKg==,type:str] data: - REGISTRY_REDHAT_PASSWORD: ENC[AES256_GCM,data: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,iv:COGn/Fn8b7HLutwSONHSkQL8FDm/DiaTzksfJhv+5no=,tag:FLTdrggW+uTEdbczPZqCAw==,type:str] - REGISTRY_REDHAT_USERNAME: ENC[AES256_GCM,data:7tDxGRcjSHGsBb//r5NBJtaz+g9HrTQ2,iv:/gRNExKbdVqMOvdvUxCw5ajJVTb/7Pthxs02AlwKqo0=,tag:wjBGPzc8nkF/3LMoZaFoKA==,type:str] -kind: ENC[AES256_GCM,data:0g19ZH//,iv:FQwXlhfkZNRBZF65DmZarqFDLeQQJ8lUSS9d0laPABU=,tag:0RcpIXMAN4CK5QI5QkXG/A==,type:str] + REGISTRY_REDHAT_PASSWORD: ENC[AES256_GCM,data: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,iv:/zxAcdPQbS6r4iBGwUUlxShsfhuNjcCfo349uuvlhR8=,tag:y7+qHLSL0lSUcXgnH2tD8g==,type:str] + REGISTRY_REDHAT_USERNAME: ENC[AES256_GCM,data:+BCMkat0CX6ZoZbXcFVVEoBXFiPfyhxE,iv:KHaat2fMj/cDEPjbBC6enL9kCiCgWyjFw3ptCW2AuDk=,tag:ufvyd0TvLdKvCcaxz3ir/Q==,type:str] +kind: ENC[AES256_GCM,data:6E22NgYo,iv:Wi/gwNNrx0dL2/aacRKqJgKiSf9UF93Tixgc7E2pHIc=,tag:ZUbcU6fbNIgNXOQvGCeifw==,type:str] metadata: - name: ENC[AES256_GCM,data:FDxteHJ/f1a7FgW+RUryKQ==,iv:59iQVkcUKGymcArOn4PCR8L1ups0XmHcmv601J9dtHc=,tag:vrdPMLmn0UDijAWfCm9MSg==,type:str] -type: ENC[AES256_GCM,data:jJztE258,iv:jk9TV1Uf1ydiyunGsv32tlp5grXTVyTbI2lJkVTM9lU=,tag:WUnjbftart7YctxO1XS+sg==,type:str] + name: ENC[AES256_GCM,data:Myf/HsxEcMl/n0W/5vAtqA==,iv:qebrYwM4DLfYvUR/Sxin6GIDha8w4px/ybK8CGsnGAA=,tag:k7vi+9O9TBYHt7R8l7AcaA==,type:str] +type: ENC[AES256_GCM,data:X2uOhC+V,iv:dhqBwROQkhzoJM0PmjdmeOcNGj72k2Q3g5y0uPdJthI=,tag:irVym2z88svdyvJD5B1hfA==,type:str] sops: - lastmodified: "2026-01-25T22:26:41Z" - mac: 
ENC[AES256_GCM,data:5IZ8f03JChaaNm/wozc7wbs+DDeFYEguGB9/C49MPv6zK2xhnHFmk0B/RHrIl+/ZNZU0NtcQ9ZZxeYGEHgDKrHJpnFrPZeuRUPhmfCkVY2POzas85SI0oCfXKaSehdzRVd7XQ1++fRo9SHXbWsNgRH2C+g3XToFjOeyBg6cPfBM=,iv:bf0WSgF5g19TtxYL7HfzpjXlZAQbUAaXW2LkGraGVFw=,tag:KcRubwVZFcge2Kw5GrpMkw==,type:str] + lastmodified: "2026-01-27T15:04:49Z" + mac: ENC[AES256_GCM,data:98VTQKDDdusGPrUqQE0l+i/pCcD8AQG9iWjYJofYAXkebsx3ABXlHuyuDS+fg7fGsLTSR2CoxyLyqjnanL8PpdXS1AFCSFUCpD9VoJ1WEadCJ4c9lgKJpb84f2TZTggsE6bH4HpHZuEDZR1/U4gbX0bE/4MXpMpkWxWc0+tOKDw=,iv:eyFLHWaY5vHRNyjp5I8tmQQyZDrc4wvDKowreOBvDJs=,tag:TfGnJOewwjbE/K1Uayrmog==,type:str] pgp: - - created_at: "2026-01-25T22:26:41Z" + - created_at: "2026-01-27T15:04:49Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4Dy77zzNMwU0sSAQdA0hIJBy0m1G4y//yFta/U+2rnqzA/E5cuBHP379fUD2Ew - v0oJlrgCU01/xwvy2VvAHJaVbZ2/3vcR6DCnpo33Ev3tZFwRKDM8jQzPZpkvaAwh - 0lwBB7dTxipu3NSEQDY8Y/g9+eIlbQTF3T6aRi1XHXoVNsgsaHGTfAxfA99mXKzD - Q50124BAwhb88VXw6OLvN8CqcEK3l0t1VtpgF6BkGTB7/cJxaWmfHbP+O8J2Ew== - =GF5p + hF4Dy77zzNMwU0sSAQdAtMvASO+L3ZWyF7hGBPz2KsVM2iH/GASnzUZthLd0tR0w + aAtePRC34cc6hzeMsXGyPkU93Aq1kimzGUuzfIFaMHBEBwsJetzR78p0bedNTBhv + 0l4B0MFdxa2LKX57vMhBnjSPqnndz9c4EzT+4faM3sb16Ly3of2kYdtrsf8LdyIs + NHhoxWAiuyqlKZ3vHEL950R9NS7OjhxOYqVTPVXOaOSpC7SL+rO2vIH1GdJk51iE + =lqdO -----END PGP MESSAGE----- fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 unencrypted_suffix: _unencrypted From 57cde151aeef78f62e9cc6941b920e7232c765cb Mon Sep 17 00:00:00 2001 From: Zvi Grinberg Date: Tue, 27 Jan 2026 17:14:46 +0200 Subject: [PATCH 5/5] chore: add secret exploit-iq-automation-token to tests deployment variant Signed-off-by: Zvi Grinberg --- .gitignore | 1 + kustomize/README.md | 1 + .../exploit-iq-automation-token-enc.yaml | 24 +++++++++++++++++++ kustomize/overlays/tests/kustomization.yaml | 1 + 4 files changed, 27 insertions(+) create mode 100644 kustomize/overlays/tests/exploit-iq-automation-token-enc.yaml diff --git a/.gitignore b/.gitignore index 0c31c4db..3ef4a493 100644 --- a/.gitignore 
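Review bot: Every ciphertext in this file changed, not only `REGISTRY_REDHAT_PASSWORD`: `apiVersion`, `kind`, `metadata.name`, `type`, `REGISTRY_REDHAT_USERNAME` and the PGP block with its `created_at` are all new. That suggests the secret was re-encrypted from a plaintext copy rather than edited in place, so the diff cannot confirm that the password is the only value that changed. Editing in place with `sops registry-app-creds-enc.yaml` normally keeps the data key and leaves untouched values byte-identical, so a one-field fix shows up as a one-field diff. The commit also bundles the password fix with the new `exploit-iq-client-build-ips` secret; splitting them would keep the credential change auditable on its own.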
+++ b/.gitignore @@ -206,6 +206,7 @@ tags **/sec-decryption.key **/registry-app-creds.yaml **/exploit-iq-client-build-ips.yaml +**/exploit-iq-automation-token.yaml diff --git a/kustomize/README.md b/kustomize/README.md index 9edb09d2..7993f32a 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -261,6 +261,7 @@ sops -d secrets.env2 > secrets/secrets.env sops -d server-model-config-enc.yaml > secrets/server-model-config.yaml sops -d user-feedback-ips.secret > secrets/user-feedback-ips.json sops -d exploit-iq-client-build-ips-enc.yaml > secrets/exploit-iq-client-build-ips.yaml +sops -d exploit-iq-automation-token-enc.yaml > secrets/exploit-iq-automation-token.yaml ``` 5. Override any secret that you need in the decrypted files, if not needed, you can continue to next step. diff --git a/kustomize/overlays/tests/exploit-iq-automation-token-enc.yaml b/kustomize/overlays/tests/exploit-iq-automation-token-enc.yaml new file mode 100644 index 00000000..d8df648f --- /dev/null +++ b/kustomize/overlays/tests/exploit-iq-automation-token-enc.yaml 
@@ -0,0 +1,24 @@ +apiVersion: ENC[AES256_GCM,data:Uns=,iv:t7ZWH0eiE63kyMW42wFsfsKN01OkC+brLLXaJUEClQs=,tag:pxTCqrwC1cUO/EMTfFrPzA==,type:str] +data: + gh-token: ENC[AES256_GCM,data:GgFKPuhztlsqsZ7PjXGH6V04uNu6ElKs5iC8uUW/UCL7vjmx5VR0suUaDA1DISb+Bc9W83bMnkW70H8CUwMX50OI536T/hDTokLAYTsFD+05HsUWKSxBqq7G25fv3mzPYSBAVKs0EL7K+f2Le6k2yeYltkOkfIRFtabFcg==,iv:cl5jl1oKbR2AtJYCoH4Je8SSyP4Jc+gPInIRfOflTSw=,tag:CrnZspbYfUjz0wgjzwfQhg==,type:str] +kind: ENC[AES256_GCM,data:j8rCiStt,iv:CaoFjqicLryq3MS+mvgVO5ffBbIX9vUQVQ5uy/NyNnM=,tag:r4LeUOBMkvXK3hd7faj/wA==,type:str] +metadata: + name: ENC[AES256_GCM,data:X7/gU5Es3+keADmoDJQWfF27KBKVjoCUcLRe,iv:zYPeX1H91bcUut1/wbVi6UdyRAwcT2QKRu//GS8KAY0=,tag:hPQtbwjqeIazh/hrnmzbjA==,type:str] +type: ENC[AES256_GCM,data:waF5cqrS,iv:yh5grziLkmXblL+zoo/DbsFI8GJdBICWq5xbGrjqrjM=,tag:W1odWNRYm9RpU4XBAXDvpA==,type:str] +sops: + lastmodified: "2026-01-27T15:12:24Z" + mac: ENC[AES256_GCM,data:AupZMMI0ycLlxF3/s2fLy97AC75/QF7itpaldF+I6Cuoj6FdmBd+2HwiDuz+505ZAm0/pP7Ez7p+zA7STyxY0vzGBu2XoOhKOcj0seJHrHZh60PXlV2BgQarBxVTtSg3BWFLrKYNRRHevHezfRKxFichlQZzj5Pc6TmheNs2c7U=,iv:TXYL4TE8GlAeuTjaw9GfdP+mmXtWpz++sHp0InHk04c=,tag:0I+c3wRyLh2vL+9N7K5i+w==,type:str] + pgp: + - created_at: "2026-01-27T15:12:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dy77zzNMwU0sSAQdA/biMrPzXXQ6FZhsAqOpLTXUzegYmekUNov4ZxfhQyWsw + GLEYcoYdGLjZo/BSUP3t6+8XJ/LY6ytRvMvsxWWJKGBspxIyE7JwTCpIdOWA4p0v + 0lwBlyu0o8Jc31ct4J1V+mPowF8L1znKEgqVBugA+l3N5JRizwecTdcb8k0OXHqf + +hXfcCYVK5FYJbdtGsGEEZmS6vGjdAViNiTyuS4NS+Lh4sEFXA0Z4CT7YILArA== + =5nCL + -----END PGP MESSAGE----- + fp: 8DEE2D0E1357B78C782691234A2D3B6C7E35AEF7 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/kustomize/overlays/tests/kustomization.yaml b/kustomize/overlays/tests/kustomization.yaml index f2c17fd3..09043a87 100644 --- a/kustomize/overlays/tests/kustomization.yaml +++ b/kustomize/overlays/tests/kustomization.yaml 
@@ -11,6 +11,7 @@ resources: - secrets/registry-app-creds.yaml - secrets/server-model-config.yaml - secrets/exploit-iq-client-build-ips.yaml +- secrets/exploit-iq-automation-token.yaml secretGenerator: - name: argilla-user-feedback-ips