Merge branch 'certs' into 'master'

Certs See merge request platform-one/big-bang/umbrella!19

Merge branch 'certs' into 'master'
886978d9 · runyontr · 85cca523 · b018cbc5 · 886978d9 · 886978d9
Commit 886978d9 authored 4 years ago by runyontr
--- a/.gitignore
+++ b/.gitignore
-.idea/
\ No newline at end of file
+.idea/
+certs/
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -34,6 +34,7 @@ package tests:

    # Install Big Bang
    - helm upgrade -i bigbang chart -n bigbang --create-namespace --set registryCredentials.username='robot$bigbang' --set registryCredentials.password=${REGISTRY1_PASSWORD}
+    - kubectl apply -f examples/complete/envs/dev/source-secrets.yaml

    # Wait for healthy
    - sleep 5
@@ -45,8 +46,9 @@ package tests:
    - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang ek
    - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang fluent-bit
    - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang twistlock
-    - kubectl wait --for=condition=Ready --timeout 900s helmrelease -n bigbang cluster-auditor
-    
+    - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang cluster-auditor
+    - kubectl wait --for=condition=Ready --timeout 30s kustomizations.kustomize.toolkit.fluxcd.io -n bigbang secrets
+
    # Show all deployed resources
    - kubectl get all -A

@@ -68,6 +70,8 @@ package tests:
  script:
    # Place kubernetes package test here
    - echo "Package tests go here"
+    - curl -v https://kiali.bigbang.dev
+    - curl -v https://kibana.bigbang.dev
    - kubectl get helmrelease -A

  after_script:

--- a/README.md
+++ b/README.md
@@ -19,3 +19,8 @@ kubectl apply -f examples/simple
 While simple to use, Big Bang also allows full flexibility in configuring individual packages, using encrypted secrets, and deploying to multiple environments with the same configuration base.  

 See the [readme](./examples/complete/README.md) for more information.
+
+
+### Developers
+
+Developers can use the [Developer Setup](./examples/development/README.md) to faciliate a local setup for developing improvements to Big Bang.
\ No newline at end of file
--- a/chart/templates/clusterauditor/clusterauditor-helmrelease.yaml
+++ b/chart/templates/clusterauditor/clusterauditor-helmrelease.yaml
@@ -5,7 +5,7 @@ metadata:
  name: cluster-auditor
  namespace: {{ .Release.Namespace }}
 spec:
-  targetNamespace: cluster-auditor
+  targetNamespace: logging
  chart:
    spec:
      chart: charts/application
@@ -40,7 +40,7 @@ spec:
    kind: Secret
    valuesKey: "clusterauditor.yaml"
  dependsOn:
-  - name: eck-operator
+  - name: ek
    namespace: {{ .Release.Namespace }}
  - name: cluster-auditor-policies
    namespace: {{ .Release.Namespace}}

--- a/chart/templates/logging/ek-helmrelease.yaml
+++ b/chart/templates/logging/ek-helmrelease.yaml
-{{- if .Values.logging.enabled }}
+{{- if or .Values.logging.enabled .Values.clusterAuditor.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
@@ -40,6 +40,22 @@ spec:
  values:
    hostname: {{ .Values.hostname }}

+    kibana:
+      version: 7.9.2
+
+      {{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+      imagePullSecrets:
+        - name: private-registry
+      {{- end }}
+
+    elasticsearch:
+      version: 7.9.2
+
+      {{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+      imagePullSecrets:
+        - name: private-registry
+      {{- end }}
+
  {{/* ECK and Logging _always_ depend on .Values.logging being enabled, so can assume they exist here */}}
  dependsOn:
    - name: eck-operator

--- a/chart/templates/logging/fluentbit-helmrelease.yaml
+++ b/chart/templates/logging/fluentbit-helmrelease.yaml
@@ -38,6 +38,11 @@ spec:
      password:
        secret: "logging-ek-es-elastic-user"

+    {{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+    imagePullSecrets:
+      - name: private-registry
+    {{- end }}
+
  {{/* ECK and Logging _always_ depend on .Values.logging being enabled, so can assume they exist here */}}
  dependsOn:
    - name: ek

--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -24,10 +24,68 @@ We cannot stress enough, __do not use this key to encrypt real secret data__.  I
 # Import the gpg key
 gpg --import bigbang-dev.asc

-# Decrypt the Big Bang Secret
-sops -d envs/dev/secrets/secrets.yaml
+# Decrypt the Big Bang Development Wildcard Cert
+sops -d envs/dev/secrets/ingress-cert.yaml

-# Encrypt the Big Bang Secret
-sops -e envs/dev/secrets/secrets.yaml
+# Encrypt the Big Bang Development Wildcard Cert
+sops -e envs/dev/secrets/ingress-cert.yaml
+```
+
+## Development Workflow
+
+This example is also intended to serve as a development environment for developing against the umbrella chart.
+
+To set up your local development environment, follow the steps below:
+
+```bash
+# Create a local k3d cluster with the appropriate port forwards
+k3d cluster create --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disable=metrics-server" -p 80:80@loadbalancer -p 443:443@loadbalancer
+
+# Deploy the latest fluxv2 with iron bank images
+kubectl apply -f https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/fluxv2/-/raw/master/flux-system.yaml
+
+# Apply a local version of the umbrella chart
+# NOTE: This is the alternative to deploying a HelmRelease and having flux manage it, we use a local copy to avoid having to commit every change
+# NOTE: Use yq to parse the kustomize values patch and pipe it to the helm values
+yq r examples/complete/envs/dev/patch-bigbang.yaml 'spec.values' | helm upgrade -i bigbang chart -n bigbang --create-namespace -f -
+
+# Apply the necessary dev secrets
+# NOTE: You should do this immediately after the previous helm command in case there are any secrets that the helm charts require to boot
+# NOTE: Flux will take care of the reconcilitation and retry loops for us, it is normal to see resources fail to deploy a few times on boot
+kubectl apply -f examples/complete/envs/dev/source-secrets.yaml
+
+# After making changes to the umbrella chart or values, you can update the chart idempotently
+yq r examples/complete/envs/dev/patch-bigbang.yaml 'spec.values' | helm upgrade -i bigbang chart -n bigbang --create-namespace -f -

+# A convenience development script is provided to force fluxv2 to reconcile all helmreleases within the cluster
+hack/sync.sh
 ```
+
+## DNS Entries
+
+The owner of bigbang.dev has set the virtual service dns records:
+
+```bash
+$  dig kiali.bigbang.dev              
+
+; <<>> DiG 9.10.6 <<>> kiali.bigbang.dev
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60209
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 512
+;; QUESTION SECTION:
+;kiali.bigbang.dev.             IN      A
+
+;; ANSWER SECTION:
+kiali.bigbang.dev.      3600    IN      A       127.0.0.1
+
+;; Query time: 225 msec
+;; SERVER: 10.0.0.1#53(10.0.0.1)
+;; WHEN: Tue Nov 10 11:19:08 EST 2020
+;; MSG SIZE  rcvd: 62
+```
+
+so that if the cluster is deployed locally with port forwarding, a browser can be used to test the functionality of the virtual services:
--- a/examples/complete/envs/dev/patch-bigbang.yaml
+++ b/examples/complete/envs/dev/patch-bigbang.yaml
@@ -22,11 +22,35 @@ spec:
            count: 1
            persistence:
              size: 5Gi
+            resources:
+              limits:
+                cpu: 1
+                memory: 1Gi
          data:
            count: 1
            persistence:
              size: 5Gi
+            resources:
+              limits:
+                cpu: 1
+                memory: 1Gi
+
+    istio:
+      # Directly modify chart values for dev workloads
+      values:
+        kiali:
+          dashboard:
+            auth:
+              strategy: "anonymous"     # Turn off authentication for kiali dashboard
+
+    gatekeeper:
+      # Directly modify chart values for dev workloads
+      values:
+        replicas: 1

-    # Disable packages from deploying (for example while you're testing)
    twistlock:
-      enabled: false
\ No newline at end of file
+      # Directly modify chart values for dev workloads
+      values:
+        console:
+          persistence:
+            size: 5Gi
--- a/examples/complete/envs/dev/secrets/ingress-cert.yaml
+++ b/examples/complete/envs/dev/secrets/ingress-cert.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+    name: wildcard-cert
+    namespace: istio-system
+type: kubernetes.io/tls
+data:
+    tls.crt: ENC[AES256_GCM,data:gZz23wzfNn/LNuPERCTa0gkiIfDmYQaP21wskAjUSAxXqk8X9+6uHWv8h8o7t6zL2QOTup5djgcDxt3utEI96lMC3P8Y9rTdp0Itd7VvPk1cCCS7PLCW4z+fDoVbxqTh2hBB+hZM9X9FgXyamV0PCM0PFvBog55NI3tMA1jdxSp2rivIGoS+7n6vNYqrYi8gNNJhhouZ+O9ZupLiDnwfTrReih1TaIBUUudu4/L2XT0gRdFMiPGhTVE9s1U2PXMuAPkm2W5N1U2ADpP+BI20i+/yX/f6vhqxMPpxW6ajZNgeLLtF6iFqeCmtaf+Nk5lP4QjtamDoYS9Q397gf1ozhXiL+sAlIz9fuWUSIsGskmCQmvB8QkLvhqJlf8w63EpZC5niQIxrXJbn/E+R8iPZD5eoLAhw6A/gxoc4ilWzaryfNMjSsDF7knJqWDOtmpipYr/3NzoL4XguWrB86twb/ZQS7YC04wA6kYUBju3NzV9am+pYrnyLn3ucOoIeE0QkzhpRfN8HFJhc0C2r+qdUmIbanBpT+Hqwhruu+5cf/hNR35c+DIF95vqpAikSLwpDE7LyhN8JOjLv3F1QlmOHAbHxkUTpNrJFl8eUOt7bc/hIOtSaNpqLCeS2sJmrdIZ1v4aJtbZjgiwVdd6fNPn/bBxQ6uiDsTgc68xp+CkbEeqXXFcL0vufsL9QBCKX9PYv8PNgqWrD4XFluVPNWtM1XAqAvb7287dtd6NeV+XPss2b80FK9r7jb/h3/+sMCDTVS9LklhBWTk0JJII8lrkmkSOqEViYm+YDefzW53IXdL40NBWvR1PsHiBM8+e7S1CXEowTTaPp6pV4KuUa4EUhQhIaYFAqHtImwKPFOD1Fo9mzIhl+kUvo69udQD5EoYsRuj9c6aVqixfaAHlkh3xzOQQAhw1mCSjfxAaBKF0j0/m6F+PX+aSd2pmqwxOlfv9+Gi/3zqRPTq/xyIuDuCh/65pzlbsGbMIeptMdNhoY8w9q2kEYTMonL4KAqS3FvC6RMfkLk8g+lhfu3XzAHLke3qXj5AZiZ3auo1kpVCYa6egGQRR9n+mkzpOcUQxwp0xzoHLaoEe+w9QpKVjDSEzOsuChYYKOdb23j5bS3BHM4Au8hLiD9LKpCmvRKWoIGUNRCMU73f8LphCsrwAdyudbVruCRF3nhnZAafShVoNxSsvTyv10KJf/aw7ZYgFTWyLS91bD0ZONSMgO1dXMa1oRjkFti9il8cCv7I/EI6A9UW29y9WLn5cmJY/6i3tyJaByckvAWAtenQvTTOTxVrPmHNwGIAGcO6HeMXq50h1+pZnK2BYeKmvXOiQZJjCAyseiR6JqJnHm8+B7qduTi5sKDAEweUlfUQJLRN0goGa6Qqmoac9T44DKwH2Nr5bsNSvbs4cDLfQPSSZqxwPxaeyccLUTVrcv3fCDPObo3+Xc7m+lhEwOIHgojuc+B6+ZQW1y53THG626KsLpLgN3eK3UEjidqO+9BX4oX1MmCx5LN3FElQZD9Ohf0CAfji0MDFCTY5l+8WffXDQsgjtTrZZ6cWdc0IYq1Ear31qahBM/FlB8MJ9sneT8GcAGbRNfAfAznixmQ4EUIop7pQNG8JcXKH+U/a4wXgV0HvkytioB+98rd1R3TyTQUkbf1YowarceqMQZ60l4c6Fg5bcPq/4Acejs6vPsjFeBz1tDymiou1riM4R40CKg54HTG6i1IRkSECAMB3pLgEXLZrWZ+NGB/e/2Owb3ZVXNQSezE3Iurmzl3lyeiEMLoeCmd5Cux43yDUvIIeoYFFWuqsPG4mTfvcXSPj5pCkzZ33/fiw6bfkXA7u6CwvtkozHNxiztZAmWtDe0whACFrf1ixb7r9hXMu5TCTb7SdycxO88NidgEd7Xxrph4BOzDw252ZIHAooxAZfAcQm+GaBVjHFuCx91JVRBaah6Vb1wXY1wyxRebVYdEODtx6kCKUHskWnw/rpt2x27Xb36YfgdTq9LpwFWlt2eSdGMk3U/rOYgkKwMAM3UGRvTITo4NzL/KZyPmjRowTDYbM+E6OqGwT9gkWSXUl5qVpoXNkjM0cFHmHUeliHbwL7JbH7wCUPZsUkq+Nm7f8SJb/5pd9eGEoI8Ih0burDWwoatFHRMfAGURw2ICE9pBlRI+lqHmOqqAzwEi3HQz8Spn4SK5fdjVZLq9UE6zFVTk3K6lpA3eUgM75anWAL3X1/8CKYQ+Sdalr/uEz0hBe1cu0H8mit5fogR/jFHmRTVGMrGWK4WUOmT5bKm5pcguCY+0KDIUrAmh6ixw2/HhRhmMRuGjjT2EOuozLoO9EksBDfmzNtC9bX5bqUjTImPVob3Q24dqQo2VPfnkLPH4TlsMQL3PyJHhcbHIzUIkZN2UsiCYOT5WoI212/trgqXTV5wBjdN0WteemBtETLBcYSg/vVFIJuL0OBh29MLI9rOeF+rQYim3AUZIEA3dKxYRZMCGu7/TRYkoNF8YQdGpHJOXaBQWoMFM9fJuVruL3Wq/onkQxUvr4a6Jot5RzqZlzZSZ+Gk1r5X7K+v1P5lAwoYGi10kcqmHtzBYQk0UcXetmaCLQMkKqhmZcNkUQH9bL547T9pBnk0tV/xuIQt8BKMHsu4EEoTezj+DHd2+0ivXmBm9EZWZRlHNJLHDFrdkYb40ol3miOC3ue7jpV9DYO267A18WIhIrC0z6Ny0iOVIpqn/76uCBhikLgmXJr2Lkf1Zeh+C+y2ias5j9vWsiOiJUM/b4uVNSFNFQQLOSGfkWQfPTcMRCSAsuSTmi6jpazegA6xY89WnpF58QarHixQrdrselRlg+6zgayKIGhHZBiJwExaBsV5WlGtNx4wFxuC3w7KjuuCaaBYv3azXXl7QNiBQLrZcyfOUlfXVtYO9zrogwDD84i0dtmjw/CkuhLzjOHb0PQ9hEMP1X1q9WPTfwBaVLsWvf4hLV4/l9UaH80S3K0Fe2Dx3gOSXwcTE79+ijYss77YjAEoSvKj6UHbRi8OUNGnpvjJt5mK+zvp/Cod/YfyWqMDOx2HJw/nt2AAKvPvTEZ0Xfk1Q3vj07rcDiTjJqpFIwgEQinOJN4vqZ4CqEhBVs0Cz2VjptH3hjznmePTnP+Fe8JqrHir1AMZflnN4tdWSALzZehMBYUN2go6zPCkpv/O0NvS6wVBE50K+tcpy/g53z6HyILRaod+5BZCOP3b6Ip0iSfCXaLegmYQAxO1E1Qc+n5wA0YCjyALC9s2JGGb8aoZlYOD00ijjT3TKADiMvwHBpk7GltpC1TmuzJmV4AEO8CaEwfNTr/fgeACOKIoOJzsvr2foBc+Xiwh+Ton4uSHIR2ZtCn3PtWT9LxR64icYgDzF8hxt3kXOwiiqFkGIU5yAMqfjAzcdyYTcRFNmd1Z5AxTFMko7S4YwlVh9OpV3iW9aqfJ8eqkG7GRVS2E+Z+zWCoJL28YcKHAgwVJf3W70glc84jryqVcLUGDQtfmIvCcyNl573TarGnjhxlHwsyU+uX02AjgptwCWWHTbJUlbE+3nJqSJbjBvxujPn1XHHMXp45+HobVlQwtC6QrJfpofl/qjQJURabmoQ1AGz/H0R7cAgWQ5SQXvMQZ0w8qBgBDxbA08KgQBVw6epUlg2qIYghOzpi6yFML457lfNTG9a0/KFTq+YPVTOpJQ5ACS9gUYcG1jjM1g3r3MDOPj9c2OiH9+I/BX1JfGfsrCab9spUHPeGBgxsfk4fNOpEE91/Kd2gjiXT4WMtHfUwcxsADBKnemuKtBgjitfRPBUPLEXbyYR0ZRsiMgWKurNAwa9uP+lBr6q+63RRqLpjV/WQg1q+tPr5ht2APsXwj41fZvCdf+wmxD95eFWeRIiYkD1D8WOFhZ89KCCX1uinnAybruXiMfDKA/YK+Pntt0zEuAHVvpcvvyJLL9uh4PMj88gg3CltJZv5p+QL1PRr+uqXcjf1h1noAmQ6cIO3xtVkec3YKWyd68WXyu3Y4LCJqHauLPeC+rdxuybgh9HSLK6InQzxShSl3QFwDJzEp4ftnLsc6U+9FF4vBWZHaT3N/Bp6yeJ7JhC9JZmQirxoS6md2w3ScRHoWrkIeZpjmriRkoUdsuyYIteKvVRJqtSSTwqskHHCBVyqp52Qw5yWBtKjXfd8y8W53mOeUPSxXwi/eX6NyS1ts24ylHZTLkcGKcBns4zfgGI44E2OTBWMagW4DNSEAMyPa5WpOvQCDi57SLA1/GZnJ9nTzrC2EdJ7a01ujsg11oT5d9fiplzT4NMY+HChXYiGWt+ktln1TgSTmrvT+D2Jtp3YsTsQ4S/PVggQ3vi1/0gLTiI5lLJb0VRnvUMv/YI202i+V6EF4Q/6zC9qLW2FgWabG8HDeEQcQX9TJRkBoUHNHpJjHH1hQyVIkQrn50h/VoxfHOZAdf1HVKvbOYEjoYoJu8J10MNhF6g55Wl0q90HuMTL4pECw3QW3bCzISheNaPKJuEuP8om/rjL1O5EmiZO1eW3u5e6sxWEKjq0et/iRHzLh17KOWYS3K5OOB9vI8MOh06lsVUiLIs91LmvYobKOv9yuRatT86z0EbpP7CSmjQfQWRgDqbEeeYCXBBZ6ZCFspWTjBwOXOmPXs6mR4EFxgb6yrzItGSY96o5HQL0L3ibubpPWRfpuZ0AYKAw3coOwwM0pyeM335qSEUv7kP/HjHD+Vc4o3GLwbwE5cQJss93CfPF8sOkUIrusdT6ffYQi4IcJMq1ooCAhSGhwrWssEJKKBgzDKe2VDqbZxC2N6rVirTcUH2lnpjWg14WiDDPaTFJ6v2I4MfDaN63sRB2RhtMXNxqzMNz9ijZmkuSUnqmZ3aH9VXT8q7xXWHDknBID0mgJJo3sHd4e71acO6q3wWcGuZz34rv1aIMPuLqZcqVJSkLSO+FBaTdtt/ht+miGk5RWiQc5eHmSNm5ibz4LoV0kPOM84b0O0iERWBT/H9LRYT0PMieDWnGitkmcqKPjI1YN4iy6lBlOvY2D36PJmIhOaZ0XbmsQbgBJw3/mxKKSk4DgF4SfQ52QOHxgTv50P8ZxqXIsz3Bia154BHaxIL+m33DaOQCZo9kuQ1/maJSJAxqwAPbCNHS/Ea/WoiNUCBIr7HrHNNEDyATNbDy3Kr47g2U19GNbDXPzQA4XGkmhr+tLGc/+KWcwl37mOI7VEzY4gAniHaIv0DKMWCq3C1KBS8kf0DT44fodyo1JN9RoQXB4SvCCmiL7opR3TGUdhEELWegGyWeQVkpu5X3SlNno1IrZEEpPLQ6+G5oSdDPJ5U61mqD75A9V81cdqIa/83ofPbVjGaMpmDb9yP30WgVC839cUj5GtE5Jp3GveWZp8boNpHv8VVwL2dHnnxU2PCwZOhiiDdU88G4XQjhkeK8W3zEeGSVebbQZezLQrZxph06Wl0oDj/1qwQTpjbe31N6LwmIo3CkrIObke+PdFiclwe894GUM75gYtgjWbzUIXjuIxd1VHfKN6j3jZfTmOMILDvF868smPZS6gavvIZhOgrbMDVfOaAcqoarZjy4dFjeHsN+T7YvYaBmSIwiOs4TYUOTW3vQ5Jtq9hlqBlWN6LCVjelnsBEvpNOJ88p70RjqFZgQMJN9HZH1kLAVBjYWGSXZbKI1+jhZI6+s+Z+0NNRghfXgVldwKZ5XVfcw67QfPd7BI1zcVbjUURktcyWMjPtuDmuE6q1LnbWVyJFjdEmK5NjRuqw1dSD1PnpMCm22LWY1lLZc8FffDd7UYrVUL6SOL0l1rR7lHcFZXjxaf7RZid963SEmFUpK9ch+TQgT4tupcyKnFzUH2fpG7HBvZ+0XSQf6Uw4MWyGZEva7kKR4ciSOTDQAgrCteFxIbtYcF2icLRRcM6vIp6hfpVWjtiZ73qqazqyzUejzy8J/mTFxLn4kWwndh1O/VfIY5/zaYqG61jsbnEhd0DS3dqDJ+z1h45AMTUMMLz985mf+cf8XA4BapM2eIXXaKuAtN1v8fiPsgq9ikG4RCfSJXBK7vDV296Jdf8K5mBFgZQYnuazqN2ygdi01QqVhOIwvY/JnaPcPu5Iay6/NNd8MOFN+F5KTR59l++anawoQYj+t2xDevsR12+ZtR2C7WtyV43za3M3/I2Y6uvXMBHOvhD1LUSrrMq96OqE+0No2HSyb8YpG2+iiJPm0JAwfN7IVdJkoRCi6C/184WvGFr7K+gpgFq5hw1uoDHvWQg9GipLW8s812PXRVMwrdQ9Ud1PYzQBcvZtePofjDdMugEgyubxF6UtQK3Cj3AwDIzvJLEbwfKRgg9P+oezFSDRpi8znDP8fkKPJTy7swTj4qY+/ZsmE=,iv:BTnH4RFUZiNNLhxUTcsb7Ktzxl7JhUV2JcqtcT96DFg=,tag:wBn2Lul2/TLqEU937Bz0UQ==,type:str]
+    tls.key: ENC[AES256_GCM,data:mvaj64Y7mxPJ2j+p7ZkT4Qodgo6HiUgW0l+bNiCzcr14zhydvCKUNVoyJwY8C3QZKrgrv8WRc8pCoFtqSDWxkdHH8SgmRlAdRSbFIA5ScoJLRIIR1oqUPI+upnypv1wBABCYMMg+Oc4gq9Y9lXAsYxEbfwRvKXmaqwNy1NBCngQj5d2So6M5N+6WIWIpfEETlWNzIX/bLIvkRhdWdOogkqlJoR6Fb1Vi6t8EL8RSLaGjSwKbbKLDmoBg75+ohm4FnrWCM0NG/z4069qN0HFNaEl5SqfX46gM8xlla/bCH90oRz3NRd8rpZHiflxZWbnV/04IiDW/Ddzvxi+DotnRQbWnHWLnHKL/LyVCw0HPLj7mVVxN49+j7ESwrG0XyG7L1P+2Th6RES8ouHlm0SOdkxvNtTfP3lu/RRpV/q/gszk6pd8uV7ZAsiXHu0vgn+zXOhiLowWfP6j8iXHbSDK4C0/hAXl2bv0I+NENhocWTG44U30/qX63lsib+cWpSJ/BX6G/DOwxNjkL10R+Cya5Cd+Z83saX5aUhx0/hy+u/2eoKYsOtllbNrDuWdZC6gtpd1vedXWl/BD9k7cj9h4FyMamY+ToczbVkpahmsKi8U12nQocqzn38oNDyu9hdMQPVMtbEQVgirXbO1vGqQOayK4JBHZxRufixCfdmUuh2Jkvl3IvV5bRdIuMZlzMkZIIL6wHjEGsNI0g7E4xHwwfdt2fJKc6cMVfGdWr2ULmHKzLJYlu4KK8TWzoYfwkjAqmcaGueXR2LdDE+B4ftxr2aYZSUBqR9+rvKjJX4ChOWjxdewCdUT9FKtHER4CaIumfY1yxQbsl8ItHtvZAT3/fi2GuPza+AboU6z0Y9BRqhnk5Iwdd/cuLn+uSmcUBew3tR47RlH+vPDtMXDm83dgf9uQEkcoIXs6xVgEBY/LZ9Rz6s0FWakdJTlQvV7yJWU2pVhJarNk0gcut+kMgS6ZhWIrV5Zwy8dDcM8Vb17n11tsHy5194d5dwwENY9wFgcO1+kG0L8wbwcUwGK5TcCPUMY6180FLfk1HWowvGAcfo/bg8PHikSdWZAZhYqmnGTh6r0kSPsLDSQBtidSM6vdGCXQSHNihNxS74UxIFrhFAmIbb1Iz5ZMYGhiwmoE1MXNkJr4LvynZdrpkqZGNEzOt7dVyADVM8qOKsG8ED/hpYHHvAD6dZRVZPskOP1G3k9GzgM80lm/cKHTKmOLhiSLxjxLysLjObvwWKmCUy1NO02tMG8FHJ48dCHmVRECAOZPnrhcOfwQ7H5+vuQXHQWPeL7g6iiL2VowgFz7Dn2plUpyQfZnuiui6v8MD2KEW6G0sOfBzg6LTwwXVAqKFkdhEyKaSIgH4ZxJYmslFYf/fnkcuTRwXpd0iVMUW7xd5xA/T0FwRj/UbnPca0jfahnxonBpJePXQMBg5Uaz5sLE66IhGeyU5LPvx2HEsBHpW7pmESRYFQ9tCtDvP64NAWsc+nOXMvBqwqAOoO/RmmXWcvV4cFx+d13+CQUgkIP9YplgNUqTMTpioQrCeGUuG5PXc4L9ASOlnBm/fYD6nT4db0uzwl1Ze/y+XmCMIr5TucMa6AhjIarcjiK1sqj9zAjS+Yp1GIv4cEuRpMBpgQsWt0kroXek7YvUBcfIwx1NCQpCQkbaegGvVBcaipClDzrX6xuTHO0yTtmYiQ8f0iCJiSpUvjReIfpBejgRQIUQd0GWliuaOtTG+U5UJ40ppAI6Kgd9jlFclekYIP0Btu4wIvq0V/C81kEzfqgMvjhf8tyX84kGg+26JwDRWQvGFXN+cKGa9Uip+VyUEkrnhhrjeBk6Pxw/OT3pwuwu2E0e3IAQrhn/2A+fvMH6TAo+n21zq7nIof/pOcoF3wX8xSNRR3IrB9cXh7YQkUN9qwWa9J0nJpGBN3SQQl5o2t3E4war3E0AHto/8zG4hlSdVa/37eCfTTUT0Y66xhPgeVrI+5e80BXdD7FJfsV3BvsN/MG27ol/p5cNJQQYrP6RS3YaTrZE/2E1DmFiNcA5TvLtXWC4wDNaH6afm96nf7GicfH0pmpVbl3OF6FoQ5T+ldJ01lVGHDQHVK6UCm6Rs2EZ+gJCjFf6fSx95Fr2R60j2ASYjRE+tfwoRDa11R2Zy8SEsAHGFoBZtDvnMJCS4prTIeB2K57dG7cDwfnqxzIIu+cDFgeMpnAj4I8HhLlUlodz6ioMMI8TooL+4SOJCwFlo1RbK3eHklAcfLu9sm+4fl4cka31FYYnTJWgYnDN2w9k7dwS5rGu7dAqG+Xzq1QMcar8FTxh3Rb2V52/P2X7tcKLfsJQ/If62UDvlKoOlXn+DRmzxbnvgKYtqmVCxlgmoy5CUq2bZj+QXMzpE+jBHYZxn9tjQ8SC/GnEJ43+xD9W6vUjFdlK1UQUY5zLVhgBJF5FxpKinvuxHB3NT0Tvdv0GJnra02Vrcja6BwePbfhaNpmk9Izjy35U3W3qrkwQG5Z3ssZSMj/hQjKEIHaXVQFR8K9HVrLdB2s48yVhJ1ZqPQsIptWdGCn73qjZeaNO9YoomeQjKMwQ6f8PK1DSioesw93IZNDidqrOHabDFx9JyNV5HRjPDuZmKM2isMwGh25ZCnFfTDu5ip7KN6h22xsGdi9g1uuczduzEEtNW9tyJmqgEEgkXnyC427rJjrC/pOiFnTCqlDSjUaQYg5yceF7bj+5WrvDC1G9qjIsvgpXmtofsL8TLiRxwOOlswRZ3APjuEhFGlSSSSXfznvQn5otypAxy7Ewec4FICVBWMoL3R3lpdeRCvqkPbMHIYbdWCizHdwOFTV5JJYeEaDdZwNanyaWeaoBdv02TSVeuO3hqcdbkUSGu/nqtWUA99mnYXbXaYsNJwgt22Mqpv/AEXiT+MUmXEXnrOxZsbdOKYMSAGeyHlsLAx5H517rZJwrRLFNsGXsxO6F6PJt5Rw+9RgvzGOwzfl3q1T3pMfmmL6CnJJ8xDz1TuZGBfHHBKq3t7jbC4T4nTvnCUkRCBYYTYxtGsg==,iv:lX7Oc7b7Rb+RhJMxhMiJhz5oeS1Cp+1m8edirW6rW2s=,tag:ZL3bXjLzaA31JwHv8rjTFw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-11-11T03:32:41Z'
+    mac: ENC[AES256_GCM,data:CVP3ae0L8dNsKcM+kv4J2K7bat+wwZwlfqcGKgDTgqHpXb7oJZZetXWl7WUX0kVYjBjuR+9UkR2za9FNoLvI6tOi+E+xJsKZ6aD5jpCgKptliTiYqTaJUUVVOKAGLcnvo0f3h5msREfF937Ycv86Vlj5/8Zl5GHxniBagk8TEdk=,iv:tZSkn0NO6FZ4GF9RTCLGVc4Ks94Pzrcwa0HTP53mWYQ=,tag:m96rF8OdH5H7zWlOXzS/pw==,type:str]
+    pgp:
+    -   created_at: '2020-11-11T03:32:40Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA93W3Fi3CqSYARAApZNyLFLq1OJWrud1aX2IWOMMdhGr1YUmCNOWewCSLUtl
+            r7XJ0YqZWqdezMcvV+PtTMxPX3Yu7mtfKFHjhUmc2pslvIBP6RjC04uVY2Lf5Obp
+            M1wiGS29agV1uAHFINK0dh46CH3sZLHhRS+NWGdRKb9FvSY9Cpbwi7/d2tyAP/l3
+            Y+9Q8BAnA6KNStzoT42C0vQsw+nUskWdVeEbh2+fn8Peh/NADUP+3uzbKmL8UFNb
+            /MbA+BmtHskuvgC4Ei+KfknD/y2nuJ/pKJxY9WuTxoh7XC14iMakwUIEjnIY7piK
+            4yx+r6wZkYZnSu3CENojAyooEhcnZgUtl8sHBLpEVPsj7TLxmvMapETrZVWhhMxy
+            9PAYU43IBZqaMxjAKgXWJFdSX0nE4mkK7vF/l1+PIOYG48bAGh6N37dTi1onhbLA
+            qKBb+7Hi1KWTvx25ELNIg9l2lO7Bctz0zZB3vI8snmORugTCZSR4ZyRJLrAKlVX/
+            iood2azWAoCfVprXA6jmyw5C9ALTUxswgezXAhd3YS5N9GTgLSWhYf78BDC+qN+U
+            3zcySRHXaQ+nuOz3g4IVOkueBikE9HQOP/ljwcF8ow1QixVdVuH+9VGCbmQGFH4q
+            6PpX01f1Rnb1kv1VSuViVaoeukzbT4pMpjHQBBMY5CyeIZSwypNOt4k58A8IC/nS
+            XAFSBcw04ZhfQoXTvlIXudHYY1psVPGTPjzAuK0AOpLnFJoUyNVpAg2OrDnyVhkl
+            eS4Mxo/MM6cawMmQFYq5vUjInB0/SdbHrECp7pBh7+PR4tlDTG97hmJrqRu+
+            =XcAA
+            -----END PGP MESSAGE-----
+        fp: 41BFF8BAF2586039F6293D835A2E820C25FE527C
+    encrypted_regex: ^(data|stringData)$
+    version: 3.6.1
--- a/examples/complete/envs/dev/secrets/secrets.yaml
+++ b/examples/complete/envs/dev/secrets/secrets.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-    name: bigbang-values
-    namespace: bigbang
-stringData:
-    values.yaml: |-
-        registryCredentials:
-            # The presence of valid username/password triggers creation of appropriate ImagePullSecrets
-            username: ""                    # fill these in with real credentials
-            password: ""                    # fill these in with real credentials
-            email: bigbang@dsop.io
-
-        # TODO
-        ingress:
-            certificate: ""                 # while not secret, put it here to keep a consistent api space for updating certs
-            privateKey: ""                  # b64 encoded private key
-
-        # TODO
-        database:
-            host: ""
-            username: ""
-            password: ""
-
-    # TODO
-    gitlab.yaml: |-
-        database:
-            username: ""
-            password: ""
\ No newline at end of file
--- a/examples/complete/envs/dev/source-secrets.yaml
+++ b/examples/complete/envs/dev/source-secrets.yaml
@@ -6,6 +6,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: sops-gpg
+  namespace: bigbang
 data:
  bigbang-dev.asc: LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQoKbFFjWUJGNm53WHdCRUFDNkJUNDNhNmRhMVBndXNlRUNnRW0wcVlUa3RaMWhVaGgvZVlKUzVXNFdCSDBiL1Q0VwpYVWlWcUNmWUw5ZkxmMFlzRmZoeCtOK3Q3cWNFclZ5V1QwS2lGcHVPTEwwdjUwYllvUkxQRFErRmFvSjFBOFBsCng0VU5CazVmbVR2emZaYUp1WmFrb2ZENDFnbExBV2s1SC9hUCtBNGE5cTMrc2g5clZhYWdnWGk0WEVuWDdOMGEKZmhhMllJNTd5dVBVT0dyL1VOSFdhTFh0YnZUVTA0QVpHZTMwbE1jSi96L2xGeEVjaGRPNGVySHJlWDFScmZ1UQpsYThPYkhzNjlNamkxT0ltcXM0OGNlVy9PYVdNRnVDVmJWM29GWG5sTC9XKytzelVyTGVyMmlWT0J4bUlJb0RFCjhUeC9VOXgweGQ4N04zWWkvOEF5eC9qbStaNlowSlVmYVNCNUZhNmJqOXAzQXp1NEY0TGs0MEh5Rm5QNmt1UEsKQ2Rseld5dHVaNVk1bmQ4eSs0Y3lNZ2dCcGQ1UnF2dVRWbndmdk5FOFczSEROYzhmdGVRbVNiSUFkeVMyV1VzZwp2NTFwZEk1OUt2RmlRNjFyZUZRL3NFSnVDTnJVd1lvMGZma0MxUm1PT2t3TzYvSUVSUHpucFRHd3V4SFJocTBkCk1abHMxdDlBYUo4Z3pBZ0hwMVNDcGpWNWh1NDN5Z2YxUXNLazVTT1JVeFJwOFEzdnpWa2VJNFp2bGhPaS9CUkMKU09vRWNHS1R0SjhkOFQ1WnNraVRsc0ZrYmppdjd0Mld0YXE4QzJkV1YzWTNnT0ZmYStORXhZbHNhNENhZ3hocwpOdjlwNldUTm1ZanRJOVpOM0FMZDJ3alk2c3hjZGJyZ2MrVGlRNWNPbVJOMjNNUG00aGlzdkZFbCtRQVJBUUFCCkFBLy9SYlNkUWNzM1pSUVZBL3BuNUxZSjZJYjFZM2FpeU1zb251djdaL0ROTmJiczRzWWNzK2kwd0UvSXpudnYKRXpSWUtVRDZYa3J5Rm8wdFROVmhzbmwwOEtRa0dqeXRqL3ZNVW5UWlJYa1JiZDhoajVPZm5zVUxHSHhhZGZ4SAp1TkJBenM4YW9ncUU3OW5VbGFTcnQxcEEzR1lKY3hVbzBoNFJJL2x1ZlFySEg5NkZWVUpQQUJScmtsL1FSSmNjCmxIT250SkNtY1ArLzNIOE5nNHJWbjVKVjFxYkJodjk5QSsyRzNmZFFCUHNGSE1YanJlM1NMTFhLYVU5QlJqQmYKN28velJxWU9yaHZJQ2NZaVFNSjUyY1Nud2NYNmJXVnhZdVU4U0IySW5mOGFwNGlGaXJ2VElQbDh3QUcreElzNQpRVWxoSFhCVXB6TEVGRmxKa3ozVUEzY3pVVWZsQ2RPWEtnd3owb2M4ZGJXUDgxa3FhaUxGTStYdnlDNGE1VldHCjE4SzZ0a1Zwc1RSQ2RyZTZoWmxucWczWnB5ZE52bURjQ3ZyVVA5RkF0VjhLbXJmbThDWStzR3ZmYlp2Sm1IMWoKR0dHd2pQd1Ftb3J6YkFaR1hnQXVEcEdMdlJPNXRwMjBBQXlOU0dqZnFDck5JcnQyUnRFdlNMN0VvMXhXSks0Vwo1T3pwV3lYUVBORUl6dWFBZVhCUmpZZExMQlZIRlU4VEoxcmlTbTZKdmNoUENqVytkbE9PNVIyRERaa3QvVkpnCk1zaFJOcWJYd1RXTmRpTW42Wnd4bXR0eGpuckZNS3AzZmVDZXREdDFpYVVZUmFuWVFHUFcybE9yU1hCK0ExMXYKV29ya1Y1TzUvTDNuUWI3MmN2SWJaNWNyeDREemlWVG5TSzJqcndxZTZYVU1OUGtJQU1UOXdCU0JjQ3RWY2RObwpMcURHUzR6VFk2YUJIcm1CVzdTQ0RyRlA2MzhvZTF1ak8vdXhMU3kwdUs5d1R4Tm1VSjVHcXF3aW1UdEhmcDNaCkhzdmlTelJyZXBXMHQxbDBDaWw3dEFyU1hkVWttam5EeDBZUFk0Y09rNlY1SUNWWTBKbU85dzZKZ2tHYnpjSGMKdGpNSFIvdy8xbW9ub3BwMmx3eWpvU0ExeHRTZjRpS2dnc2EvZW5JMnh3aXFQOXdNR0cwSE83ZWRvRVd1djdiMApWZ2Y4ZkQ4Ylc3R24xQ3VjQUROT1orQXFOcVVOSUdIWHZDOHBlNlpkaUY2YlZpQ3JJdG1aNkZjbzlpMVBMaXlUClpHTWFWZ1NqY1JyVm9zVlBDRjBwWXRIaWVlZWNsK0wvUkZ3UUdFMkl3Q1VvdGJHUVNlS2tsUFlzdWJtK1FvbCsKRTZKMlE5c0lBUEcrTkErYzJkdlNCZHFKbmQzWnNHaUFXQkxHVERZa0NENjlyNjdQR2F0YWZsVFFwa2Q2N2ZnWQp3a2pSRFhURlBWWDlQVjNrRzZyYXZ2Uk5sNlFzVEpocU4zcEx4RXNLQlhiOUpGUHZMQlBmLzhyNzVacUczUFM3CmJUZzJNL3BJV3NTU0xRUVVJZlRiVE9ib0RzL0lmUFpaczlDVytMbFFPSjkvbVZGVzA4bHV4cHAwWWtQWjBmakQKM2VrTkxBcXpiWXZIbENiRkFkc2p3Vzl2cnFGTGdPb1haNXNZVEl0Q0x3OG5VMnJudWJ6eENySTNiSUFRQ3N5VwprMVF1YWc5UUdINGg5Sy9OdmRWSTlwUGdXSWRHTjJJUjBxZkF0Zkg1ZHZZcmFDaWhZbGhuVFVVekM4OWRLYlczCnJQemhpbks4cjIzODBDZElsZTZLMWl2TS9RSUhUN3NIL2lteUVEM3JDSW96dzhHMWE2eWJUekVGdUxIaWdCUUgKUzFVRFlaYUd4c0NJaS9YaUFYSjJKb3lvU2tGNzlWNGJtSU8rOG9qT2V2OUF1WlNVNTRYSlNqRkl6THF1L0JBSwptYlZpQUdjS1VrQVVyOXZGOUg0TGpmb0hWTEhKQ3NaY056bG9samVDTHlyUlUvMkRLeWZwUGJ2Nm54Y29xTnVUCnZUaGlaUm1EaDQzT0gvQnFTQkIvQ3luWDd5TmJEdnNRSTdMdUwwSmpmQTE1dTVEZEVibGM1c09VNjR0TEFIU24KWDM0UXB3bkxHbU1Ca0hPOTRnUWFMWmlGUkdENjBCK0VUeWRoeFM4Sm50SVdDeWZ5bXVPK3hFTldUNWxsbWxYTApNVktBcWJlTUQ2TFY5SE5ySWxGOW5oMHNkM2tqUkNlRndNanE2dGJhZmxvMk02b3QvUWRnZlhCNkdyUTdZbWxuClltRnVaeTFrWlhZZ0tGTm9ZWEpsWkNCRVJWWkZURTlRVFVWT1ZDQlBUa3haSUd0bGVTa2dQR0pwWjJKaGJtZEEKWkhOdmNDNXBiejZKQWs0RUV3RUlBRGdXSVFSQnYvaTY4bGhnT2ZZcFBZTmFMb0lNSmY1U2ZBVUNYcWZCZkFJYgpBd1VMQ1FnSEFnWVZDZ2tJQ3dJRUZnSURBUUllQVFJWGdBQUtDUkJhTG9JTUpmNVNmRWtWRC85a25IejluMzRGCnRkRlhLbmYvQXJ0dlhWZDNKTXl4UjE0dWNMTjNWN0FPSldQelMzNjduRmswdXNUdDFDbjRGYkRKd0t3dzFnSmkKUjBIMW9ndU41SnFuakI3aStVelpSQjFoVngxRk10SnZFcmlaUjR0MTZ2cENRd3p0eS9Sa1dmVzNyazkxOW9mawpzOVkzNlVIZFpvZjM1Y2F6UmpKeWJYaGgydFpkb0NHeHArU1htYzEwcTJYVG1CSzRZTnU4aU9jbkptZ0tLeGt1CklXVXQ2YkFUK0hkZnNVdjJINS92aUpkT1JqWjQ2RDBacDJLZGV4cld6M0xja0dBWEt1R25LeVNUSWU4cXlkRTcKbGpYbGh1ZHdjdWtKZmI2Q2l5NmVJdmdlQWxramRlVEhCN1NIK1A4QTUyYThzTUZ5U3FGY0lXVE1Tdi94WHFTbApqYzRGMHcvQ0ZGeXMwaHpnN3RxSEF6VmxVQUNyd3BhLzZnci9wZU1VVUNJdjlUQmZkNENIVS9WZHdwa3dJQmN0CmRwYkwxMlFBMGgwR0NsSHhHaDNJaG1wMnVGVkVickVhYXkrQ2ExQWxLTWdiaDBKZ0ZCSnpHV0owY3NpRHdYZkYKcVN4R1dVcmFwa0Q5WktpY1o1dm8vbGNLaWRmMGpSemxueFlpdnhiOFY1RzExWksycUNzMmtUZjA3U3lFcW1LOApmNTcrci9kNk0vdlRaSG01VUF1Z0pHb0ZkemJrb1E4cHhpdzhwck1INUpVd3JHUko0MHdIK2djSWxqWmFZVENiCmljZmJmcldueStwY3p6aDdndThacmRBdTZOejJPdVYxSUZjZ25GQzZrb01YQlU2RnFsVitlVkdaMjdjYzk5RmMKM0ZoYWNCd2NjTFlKUlJMditLOXhIdlNxMGlzMGdnWHRpSjBIR0FSZXA4RjhBUkFBcVlLSHpDWlVkK0lSaEdrRgpGQ3ZxR3JRL1g5SUt2WlA5b2FTT1BES3c2cUo5VHluMEppZE53RWxxZjRPZ0xjdzgwLzE4c2pBNklGeVZvL1hvClB6Zi9qaHFhNmRBdUpMREhpczZWOEZLMjNVTlZxOG56YjdSZ2JEU1hjU3JkSmRBd2dwVlRHaUJJUWlUa1dlbmkKcE9IbkpqNEVlWjRoUjFvNUw1R2RvVHlhWHp1UGxwZVErcXRKVjJERXdJTmF3bk9zVGYzVWhaaHRHbUc5NlB4bApkbmdnNjFxTXNYaHpYcXJoaVJLZHNBQmYrOTlvUkZzUU41akh4TjVGVnpPSGJXZnZFcXJWKzgrQ1UvMXF6UFRJCmtNVm1NTEt2WkgvS1hsKzFRd05acTlScnRSRk83dGxaS2FBelIrOHEvTTBOTTQyL0xiVjVFTVZBenV1eDdOVE0Kc3hERFFrRndDL0g3d2EyTDNzNVh2T3ZpVjJGZmIvMWhVcDFEa1BPeHM3OHhqV3NTcEJ0QmdvcERvR05sTGU0VgpoYVhFVWdRYjRYdmZSdERsYVZseDd5dVllUHVzN21lQ3dqODhwUVJsMlRnTGhDM1NRV1c0YXJMSHVGUFIzY2NDCkIzbG1iQjFGMnEzNlhENi81RU9zV1NWN1NJSklRanZlMCsvaXMzS0dhUTNwL3Vvam90V3hEeUVjdm5jWGs4bmUKZ0pBQXZaK05oWmR6My9KRTJKVHhDWDdud3RGMXljZkdWYWM2aGNFVUpIbDlZdUhZVVF1UFZwSWZBUHUyemR0ZApWa1EyZG83bkxGS0s0NDROajVxNzhOTyt0THA4dCt3WTFPQXdYaGUxaUZjMitHSnlWdkQwQlkrZWV3MnhocEI2Cm1GUEJZc2dzTE9HbDU0anZpOVlNV1dzVW1tVUFFUUVBQVFBUC9BbmpXbWFYU2RBZ2VPTWZlVE5mQ0czOFc4SU0KTDZJMWN0TXVGVG4vdndCQThFeGc1eVFlb05ONXRPT3hXdk93K1U5b2R4Q3g3WUlieElMbkFtQkZ0UHVtSTZsRwpBcHNUVU9DUkFvQWRZeHR2SlIwN1Q1OFJoNXBvU3ZsSUJkU0IyNEtTa1dGeHhxVk5INkQ3R3NTQmhRbGZEc1hGCmFxMk4zczRla1hKcFpadnVqb2E3V3JLMHNUZU9wb3VRWGdmLzFXcExSMDF2d2RXTEpCZm1PVWo2NHZpM3RJTloKd21rZ1VMMjlQME9ZRWdGUVcvVzQxaTVZRkRjd3ZCekZIYjVORk00aTl3NlVZVWJpL29yc01KTDVZT2V3VkxqcApGM1gvNFVRQ2V3V2lBNUp4YXdoVjEzU3RLckNraS81cE83N3BJdURZdURJNVAzbVNtRE4zaW1WYnNmZ2dIMXJRCjNYOFNwYm5DVGtOOHNqLy8wOFhXTkV2SFpRZ2MyTFVSUjZEZ3ZVMXkzNkFCdW9wT3cydkRSSndDWG9obUlmUXgKbERnQVlvUUR5UHhvMnZ1UGszM1UycEd0R003d3ViUjd3U3M2OWZWdXQ0cnlra2FpaEgxNHRuQTI2V012RmdzMApROGI3aG56NTFWNUFGRW1tcEk4RGxUb0VXRkdjY1FwRnJrQzYrV0UzWEVuTFJUWGlnS1piRlZob2hXUndiSGxzCndsTmVoSGR5UWRJN1lsRU1MTlFQVEJnZFhCWHNoRitWeUJQai9vTm54TXJvdEovNGFoQklSdm04R2RCbG44amkKRVZiMnlMNUpDVWZhckUwTWdLVy9uVWJzRkN3eVFrQlVEYVIvdWhnWmhsYmJ2ZGFUZVBXcEkreHBJdTdKUmR3TgpPOHRMZzMyNk5RTnkxbUdoQ0FERTFUZHhTa25oS285RC9Xejh4UjF3MUlWRWllZGJMWjI2OXVpSmRxajFNcGs3ClkwTGt3aEx0YWdzRVZrbGMvU1d6VDRzaW9aQUpWb2JnQTVVQ2JJUXZVTldEZHF0M1FXWU1QcUgvUTByUUhZZmIKNzNndG1Wc2xaWFdHVFdJdXZ3UFExcjhtdTRmenEyRDk4MzlEMGdyM0VpdmlYWEFSaTMrRlNqakJLTHV5Y2J3cQpkZGoyNGFCVXdmTGY0RXgzUjNJekdoRUpsSFBpTVYwbjE5T0p4Mko1c0RwdkhiL05tdGVieUtVRXRmcFFSYlIzCjJ2dk1UOU00YlVxWm5Lc2xkYlpZZkRpZzl2SHl0TFFIZ29PVGRBQW10bkxDTW1jaTZoa0tBQm10WGs3aS9EV28KZGJaTTY5MUVicExZK0ZwRVhLWElTdkFuVEZaRnY3dGN0dm5QUyttcENBRGNkcjI0YzkyMDQ3cEhEYWRCc29IcgpkLzBqY0JpVVZFSS9DVWZESEF1Yjl4Q3dRS0FkM242MWFjcUs1djQxL2ZibXhaNS95TUhzQkxhR3diVk82YUtICnVCUEhTeERZQlNkdDl3NGtnLzFid0ZtYUR3TmpKaDBjaVRPOWRzYlJFMWgyckNpUXdXUUs5d1AwTkhXYmxPYlUKeWlwdDJKcFdsWHRDS3U1dFE0dVc2THNwQlc0S3NPVThGRmxaSy9rdGtBeEtLL0xsNFFWSThGUTBTN3cwYjlVcApHMUx2NnZ3MDBHa1EvRFRxZEtuOG5xTmphUzAwVkdQZHpXSW5mRjJCT0F1M3RoNFhXTkF2Rmx2VEFKVVk2RGlrClJJdTVxeEE4S2NyQUFHUkRoMVQzTi8vMkNFdUJWQnd4RmVCOTRhRENmekdpc040OG1ueDd0OHpnenhHS0hmaGQKQi8wZnJ4Z0RneUpmc3U3MjRYYTJoUTh6WFVoNEdiYXY4YVdINmF5K1ZQVUw3bzhacmpXN09hQjVWNmVBdjBGUwpnM2YzM2JkekJSY0gxSHMxQVhWckpWS1B6Mk5UbVk3NEVSSkg3Qkp4T21xMDlTc1hGQ1JPeXZHaW8xSkoxVm9jCm8vbUR5SDVCWWFsbjY5UWU0UUdYTFJQMlF4NVR5OEtjY05EcEJWRG02YlhnTFhaK1NxUUZlZFVpdkswcEMzYUQKbFc2eUhManorWUhwWk1ydWxmR2JCa2dKMml6SDJkWTFEUWZDbjhTcGRReG5aNW5PRDNtYU0zSTJRdTVlM20rawp2NVN1SlJXQVkvZnBwUlY3WDRvK0p0NnpaSEViMmF6blRYQ3I0R2NySGsycytFdS9GV1FHVjBpbmtWTTQvci9vCno4Mlo0ZEZvekhzQWZtL3piTzJXbVZUZmZTMkpBallFR0FFSUFDQVdJUVJCdi9pNjhsaGdPZllwUFlOYUxvSU0KSmY1U2ZBVUNYcWZCZkFJYkRBQUtDUkJhTG9JTUpmNVNmQXBqRC85Mk9RTDdUbnBBemFSR05NMDFPMUtVTGFHVApkYWsvZkVwa2NUMTFrMWRKeDY3b1NrdmRvYWlSK1NMbWsvaHJJVmJ1MWxINzd3b1JYcmxpdHRCSmFkbExsbDFoCnFkSGd1RHdBQ0Q3QVZpMkZhdlRvTVNVSHF6L01NaFVkS3Jvd3lPdmVGbSsweCtSeFFoWTlId2lzbGRpZ1pyT2UKajNWdFZRR2NHSU5YYmFOdUdUSUNScU5nMXhDdmdzMm9EU0d0VE1DU2N1ZzNMTUVnaEpYUGVIZHdyVy9HcFJoMgo4WkxIbS9Qem1NMTRUUjhpV2pmWkVNMDZ0djZxaGc2NUVMNEVtNG5XUXdRbjgwbnFtNGMwWnk2RjlKd2tmbnYxCm1rVGJISnBUUDQ4SWlQNW12WGVtNHN5R0JhSFZ2RzlMdXpKZUxCV09qdUVQQUFBTCs2QzR2UkZhK29KL09PaU0Kb0xVbWVyMjg2ZDV6cWJwb05PVjI5RUMvYS9uc2ZBMTZNWHhXQmNTV0s5ZHlxekc3K1pjTEZSRHdkdmhkYzNrWgp3eXhOR0hocHROVHAwU3hkb2JBa0N5R3VFMVJTNWtuWUNjTTJ0dnZFVmxhUHNzbldoVlQ4OXMzYndVWnl6eU05CkllM0FuSTBZajNqVFZnRU9IaUdpMVpleFNNa3NTSEZzVG93Rk1TUXF0L0FJV25tL0tPZ1E3dkFLbjUxVFdaTW8KZ0lKakMxelMwZjlYalpiZzFTdWRUanF5TkJjRDc3cEVFZWxsUHZ2V2ZFd2VIeHY3UTBKamhKMFNBNTZsM0ZSRgpYZm0wSGY2a0lMSEV4MEVGbElkTXNPTFp6c3Y4UzRuRkdjN2RzTzBKdHdWTW5FWm9VN1J4M3BQQkpaZGx6akYvCnQzZ2xmTnNFSnI2YTdKQWltdz09Cj1mM1I0Ci0tLS0tRU5EIFBHUCBQUklWQVRFIEtFWSBCTE9DSy0tLS0tCg==

@@ -14,19 +15,20 @@ apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:
  name: secrets
+  namespace: bigbang
 spec:
  interval: 1m0s
  # NOTE: We could use the same "bigbang" repository, but secrets are usually committed to a consumer owned repo,
  #       so we are demonstrating that here with a new `GitRepository` resource pointed to the same repo
  url: https://repo1.dsop.io/platform-one/big-bang/umbrella.git
  ref:
-    branch: valuesfrom
-
+    branch: certs
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
 kind: Kustomization
 metadata:
  name: secrets
+  namespace: bigbang
 spec:
  interval: 5m0s
  sourceRef:
@@ -34,6 +36,7 @@ spec:
    name: secrets
    namespace: bigbang
  # See the NOTE above
+  # NOTE: This points to a folder _without_ a kustomization.yaml, flux generates the kustomization.yaml for us with resources comprised of all the files within the folder
  path: "./examples/complete/envs/dev/secrets"
  prune: true
  decryption: