feat: add sealed secrets chart (#29)

.gitignore

@@ -1 +1,3 @@
-/.idea/
+/.idea/
+
+/*/**/charts/

argo-workflows/kustomization.yaml

@@ -7,8 +7,10 @@ resources:
   - resources/argo-rolebinding.yaml
   - resources/argo-server-ingress.yaml
   - resources/argo-server-rolebinding.yaml
+  - resources/argo-server-sso-secret.yaml
   - resources/argo-workflows-certificate.yaml
   - resources/argo-workflows-issuer.yaml
+  - resources/argo-workflows-webhook-clients-secret.yaml
   - resources/workflow-count-resourcequota.yaml
   - resources/rbac/read-only-clusterrole.yaml
   - resources/rbac/read-only-namespaced-clusterrole.yaml

argo-workflows/resources/argo-server-sso-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: argo-server-sso
+  namespace: argo
+spec:
+  encryptedData:
+    clientID: AgBwPYOhFm1NhvKwtPB0Bz9xivogve9SE/aw3gxe0dr10xIMkdpPUgd6ShBfTKfvew2PDPfFAngioAviPkvYAhx5qZ6ZGA0JKMNrT4IkpHJNho0zJNhj/EkGHoiBbsw4YkM12eVPelI01UYO/QHJjA0NcN8BeokAxnK1jPlNl6z0Zjb9ojNt7x/lZ1Vmj50dQEqGGQseWo8y7dCmwg1Xr9kkZ6sZaH6hcrNJlXxui18jv31n5U4xkwyezlizOshdTlD1jcEOxBb+kCdy1JUpeiPqstB/FjlZVdWe/E1TMD+xZJyPfAMg90LLWxwt9/ig9qapkTbVRx+ugv+kMRFH07xGBk5qYjzTLrQ/SMFp7Rugv3ECS4Ygv+poV8puK4YaPK8gghyBp2Pgawss4OwZjv5SU0K3UdkByahf3kgLiSoY/OEWwJnfEr93ZIPe19aAJDE+25N8OhcMBA+chJ4ShygvEXrej0HwnDej5hqsJaLJ7OtH9PiDghmdl9l0HqKiIQij9PniH5FAC5PSg+cMx5gReSH3L9TfwZh6FQKmAE7rp0CCSdXwuCQgBRU6FcXh97oUTonTzE6h4DQGw9MG7Rdk/Uy+6yMT2OCUs7/gppjmnUW82MJB928sFJJckQSFj6+QQwN6yqWuFuLiYhs1xGI6F0yfcL3qAmgEqF7uzQXyyNi7tz5h+LzCCr68dgBFIotNtY54iEYbWDg5CA==
+    clientSecret: AgAKI+rVlKmVk7RcXBoYou4f9DvJZiYu56fP64CMj8tZ1N0hBaQBfAb7UEZMGa8PB7OP/xqZFQTiP5saVFlg9XU5eJaB4hSmbxdl7uK9I7OIMJKbBdJj4Sk0ZkqdK2gstsO4kL8s8xl9T7dlfqQjA395PZ9n7De0PnMc0nzCe3TQQj4Kzgr2G1sAlATqJ9Gwlk4olgX+C4GHQuIH+WFQe1FdrXVI9Qd5aAUsxhMWxbqoOIKWFFGdGyon3Y6O1pSXGtnbML852jZ1fDB/VwuDI6c4ZkfSuCOfha+0GlzPv5PqtVFzc/AQvQPHW2W/JvdTgGs2FpoxxjKCyBJh458Fo5ARo1vM+VbKMPEvpd42EAtvFXbg6DeP7RxqUd83TyM1QJgSAUMr/BVUXXNPTy3aLFbKbfts7nJU22LeyoOz8zWAIfBtuaxb6FvsqtXN0Iko0I4WZ8OXPVTYkSOF9O+Wom5S7rWlhIJG5BDW/oOv27M2cpnvth5SYmtOqIlPhtmJGE2I5DeFv8sXUMupfBCOJ36fnnGv6UJNf4ildqm9D0IMP98SjCEINmkcWAEvVfYXQ2+7Zx2i1vMjOPBAraMGvH34hx1v/JdbdppTZe85fkBi0ThqRfdjRjLs9F+CVDLr1Chy2q+8X+T5Iy0doS3GIM+2qEsAcMpok7hxZUQuQcsmH1abBO5TYQdsQmhV2Sui2ITwXveO6rD/MD3m2J0NaQiFFJk=

argo-workflows/resources/argo-workflows-webhook-clients-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: argo-workflows-webhook-clients
+  namespace: argo
+spec:
+  encryptedData:
+    github.com: AgAUOhspWnbPFFbqyYU1kFs6C7b/9A50fSodsZBunGoG3b2Kc0bOMWMQZPwL+5D+EQk2e1y5ddQup+ReTxgmxX0c4yxYMbKtVu2h+rTbAWiYXXjscd0WLkaWdC+a1TBpZ3KKgmydPb8iNV93W/vdbNQS5RX5OWWvIzXMPve3mG8VcfCzTJNvChkBk3KbxjmC9sJI9ER9lifN3LQz8esfrbkz9e7lc3KqNpVQ3LXWLYjlFCukhUNdwWAOK9O1f0VJRefNPo3Km9WRAv38FoEBRlxLQyogTU3pBU7NMomkHU9wrYWuIINZLZ0dzYwpprUdSOHaGLdY+yn45ddOk7CMPQ7MbeuVD2ZchCm9ge/4i4Sdegb9ZnnM8fpT+NndXoTEOs8rVsZjZC45vzErzhPUeUADqVEkkOTJJUX/WMbaNX4cVCPtxWCHMjAHL96qILMiE7VRDYNUqr7TkA0kCNH6MAnqqfuLpthSjDrqAI/ilagNTajHlk2fwsr8h0SRG+pTatx8GT2wwSDd0YDe6GWfP7yR16T4KHXtzQxNTT2dynPnPueaGPn1/gbxs5zsgsgmD8j+/qHmaQoCnz3fMvQQlNkwtVtv2rI3Q6HUglBPkpMOKOW/o0oO/C3f377WZfCei7xb2Nl7OLxITI0i3yRWCcYswGvjt7tTl5+1lnJ1tg/tpGJyolSPnDmdqN4X04HzIF3t/57LAdUbjTYUlspXhG6AsVf4dfbW+cTUiYvKyQ==

argocd/base/argo-cd-auth-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: argocd-auth
+  namespace: argocd
+spec:
+  encryptedData:
+    dex.github.clientSecret: AgAum/tTY0ctx/cpQrP3p1mS5Q9YgKD615k7dU2qn5mxTdKPw7dS07C06ZCS/Zfd+eaUP5punm4Ln9HFiMkoSJOVmBFeusHdHoHenBhsCi/NQBU2Dwb+lj63rdhYMj3QTJ+HAa4ZuDu0y0vhNhCz68h9NfH3CErSFesgDlZQs/ovaHGqoVR6kBu2HZtqTNHfcxTmfl9e/SlLftsCvzTMtEEBbqW67T0FEqs4k7udrl0oIpAcUSFxEPmWQNjoALu0BziVdVxW6dY5aG/K/aqgYRH6NSgjSDov7LVI3xG2QLfeIN9C8s3fsnGrFephldmv/mL+bZ+iEdwps8NKuXNh+4ABVZyrT/zRZAREDlvQ5iHATWCv+xcgjSWl+hUe8NgyGvHsf34PUtI/udLkZIb1KSsl7Dquu5Hb1mZMJogS915UlL68Ejh7mb9ghi3FTpDgdPEBpk1YRVLIEvK8m9YacdKV0ODNxQYpKieWT4fvUwXFviw68ls2lFrjD4GeEHC38ph1I2Hh0slqykVf8GjUkGjZpwu+A6sKYwlg5B9TI0tvqM5Le+OA727Z5JfDDZMQDuhqI3TTNybHRXzMKnAe5C5uCRoWk7VVEvrfsiKefcWGtd66YOIEs7hHrouA+4EP2g8AbeEoNS9L9BNnWiMaL14QUQXxHc++GUwfEravDzB3arPdC15MYaLHXxTxXWy17rhGZcxYirJVcXaSykihz1zI7ezgIjlChC/T+Pmud1LLGVuBevDEFFt4
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/part-of: argocd

argocd/kustomization.yaml

@@ -4,23 +4,24 @@ kind: Kustomization
 namespace: argocd
 
 resources:
-- base/argo-cd-issuer.yaml
-- base/argo-cd-certificate.yaml
-- base/argo-cd-ui-ingress.yaml
-- base/rollouts-extension.yaml
-- https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/ha/install.yaml
+  - base/argo-cd-auth-secret.yaml
+  - base/argo-cd-issuer.yaml
+  - base/argo-cd-certificate.yaml
+  - base/argo-cd-ui-ingress.yaml
+  - base/rollouts-extension.yaml
+  - https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/ha/install.yaml
 
 components:
-- https://github.com/argoproj-labs/argocd-extensions/manifests
+  - https://github.com/argoproj-labs/argocd-extensions/manifests
 
 patches:
-- path: overlays/production/argo-cd-cm.yaml
-- path: overlays/production/argocd-server-service.yaml
-- path: overlays/production/argocd-notifications-controller-deploy.yaml
-- path: overlays/production/argocd-notifications-cm.yaml
-- path: overlays/production/argocd-cmd-params-cm.yaml
-- path: overlays/production/argocd-rbac-cm.yaml
-- path: https://raw.githubusercontent.com/argoproj/argo-cd/master/notifications_catalog/install.yaml
+  - path: overlays/production/argo-cd-cm.yaml
+  - path: overlays/production/argocd-server-service.yaml
+  - path: overlays/production/argocd-notifications-controller-deploy.yaml
+  - path: overlays/production/argocd-notifications-cm.yaml
+  - path: overlays/production/argocd-cmd-params-cm.yaml
+  - path: overlays/production/argocd-rbac-cm.yaml
+  - path: https://raw.githubusercontent.com/argoproj/argo-cd/master/notifications_catalog/install.yaml
 
 images:
 - name: quay.io/argoproj/argocd

argoproj/base/sealed-secrets.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sealed-secrets
+  namespace: argocd
+spec:
+  project: default
+  source:
+    path: sealed-secrets
+    repoURL: https://github.com/argoproj/argoproj-deployments
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: sealed-secrets
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      prune: true
+      selfHeal: true

argoproj/kustomization.yaml

@@ -16,4 +16,5 @@ resources:
   - base/istio-controlplane.yaml
   - base/istio-operator.yaml
   - base/prometheus-operator.yaml
+  - base/sealed-secrets.yaml
   - base/workflow-examples.yaml

dex/templates/dex-secret.yaml

@@ -0,0 +1,37 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: dex
+  namespace: dex
+spec:
+  encryptedData:
+    config.yaml: AgAedLyg3uIWIEGpNr/glGT6yWGgduNyS3dUEw/6Jh5VdAV/oOOdzgOL3JhDJobt+2ZtK+RDM9qq+cIlvpIPeT7bqAilprMo6L68qrse1T+bZYMGlcziR4Dx8sx5CufZl4uTmMeubvcrNJPl3qpNpGTAGF2d5ZMDwlMltgkRn+zqWjREiIaKB9qJoEG8cRjtt2R/nN54E6ON2HVjNUU0ZJuCwDJTYUuWOoLDxd+QUvsKBVgrbpGaCgYasRznOAAtl48tsAbVqdcTQItFRX9/gPukeR5qJ7y4UZUQ77Rk2C9OIvEccDwV1xpAO+Wl1A728dpv0l3ef7Vzk912TNTodml/G4wP8i0/ke14IPTD3H5R0ftlFfbXYRwj7tiZ7bebD87UTtAbledXGX3ECUBZXOHCFqG+cCYgtUSaZ38BzDNvuLrCwQqmbMMM1j5K6WBenVGMvWfSvWUg++mE+CH6kkmgc59zmKqHOntmTi1Gi9+q+j4G85gF2WbK6nZ6q4vQUejiNzvXmdM6LAGNWpGOomq7uCovFIB1Y51ABiEKcPZxb924L+eJMEzuOTAfCmaZQK4EZ8uBG1ask1TxdCvgDqJ8988KB/egoAfzx6dHCNiLWqGTZDks8NZMFu5/YBVtKc4mSAUOL8kF+uQfct0C0jSvg6q8N3XTKfzKVVkAGkUkvg42leLJHHXxGrJ8roJLv766DRXcqUvwEuMQeUo1bCdbL7598R/zLHh9XiJ8es7DUlG+sOCVq09z9eVywKZ3IqrVh7q7NhtVHuuNHjmKEkTPO97Y05q5XFkan7Uzbbdw5ttxtiXAIM/Iq9XlP4Y4DL80KOmcxROyLRGS3QUpIsVfb+zgU+Wv+zSEquAccUBTqEZG2mh9/NCS4hmXpB6yuxrtRuBlkRVAfI289X0Gwexx5Ugsenl+YBFH7xmADftfYV6eH/yE1CJUgy71Fpelpl2uKz8j7cO0EeNEth1KgY+K+Y6WFq9pyOpVUGnpeH+w/8BXxqJaenEtXGRe5X0wgLKflCx1JBap+XSeImR6tdNIrlC9mtIWcnOM+nEXIuD4OzuNtx2Dc29i2rAMABsNod0RQx01IqPkJBqDakdauqAXx2V9v3bV75X+oz0J1b8KmXt5/UfVg1v/okOz3EXyKlKB62nkNfuCHrDDGQC5cbb4/staIEK4UgIIhZKkMtNDNYld4kBrP6DgiAG/bgTF4OqKhVvVUB8HqpYzVCfbXKjhEQAQF69aQIr9NdlDN1yeTyPu2/MDG+jn2i9P+WzGldPQs16aXKULhjjtzdkpNVvfhXiliwvJSTw7vRnRqvIvEPJyKhg7UIrlNkM+U7qVNeP8jtRR/KAUo+fqHmk9G3ouKj0ftkZ8uwwVpDQRIaUZq2UXd4uNH2zcXIA9n9Cf6sDys2p4zJp0vML2ZICjoeyXJpZs6Aw4lIggaeiGus5c1EXKAFE01K6gGosty5hDSjqOP/SoabHyCZ8XWIqPjmHuXqhomXWXO9IIbXhkV14Aaz8h4FBocaqj7clAmkpJYwFtrls+jz8HdgxRJp2t/5oocCOCShwadIsUbMsBb0RydB0iJU8npmRDTS0AGPITShny3tJCssfhH5uB+14w51AT16bopXJJWwTy8Cl0DrxW8wPXTM169n5qdkAH2KykIVXTieqDIg==
+### The redacted configs
+# issuer: https://dex.apps.argoproj.io/dex
+# storage:
+#   type: sqlite3
+#   config:
+#     file: ":memory:"
+# web:
+#   http: 0.0.0.0:5556
+# logger:
+#   level: debug
+# staticClients:
+#   - id: argo-server
+#     redirectURIs:
+#       - https://workflows.apps.argoproj.io/oauth2/callback
+#     name: Argo Server
+#     secret: <REDACTED>
+# connectors:
+# - type: github
+#   # Required field for connector id.
+#   id: github
+#   # Required field for connector name.
+#   name: GitHub
+#   config:
+#     # Credentials can be string literals or pulled from the environment.
+#     clientID: <REDACTED>
+#     clientSecret: <REDACTED>
+#     redirectURI: https://dex.apps.argoproj.io/dex/callback
+#     loadAllGroups: true
+#     useLoginAsID: true

prometheus-operator/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - ./resources/grafana-certificate.yaml
   - ./resources/grafana-ingress.yaml
   - ./resources/grafana-issuer.yaml
+  - ./resources/grafana-secret.yaml
 
 generatorOptions:
   disableNameSuffixHash: true

prometheus-operator/overlays/prometheus-operator-grafana-secret.yaml

@@ -1,2 +1,5 @@
 - op: remove
   path: /data/admin-password
+- op: add
+  path: /metadata/annotations/sealedsecrets.bitnami.com~1patch
+  value: 'true'

prometheus-operator/resources/grafana-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: prometheus-operator-grafana
+  namespace: prometheus-operator
+spec:
+  encryptedData:
+    admin-password: AgBn4LqCWveN7MsbD+82W2ngfISNFHyDU3UQT1FX+qA456pN6TOS7fJ4LJMyAC6L2vFjOVK4SVu1GbiQnuyRoCYxlIuNV6+GL3RTpi4Ht3wxSOjmBTIyiriP+E82OUQnTyfuLDK8pinVcx+SCqROIk6muRvOQ8TMnsDsyNVc7d6zCJzYxPTMD03HSZU9qqCp0JSKLaMRS9g417l/OF76DlU2923LAkkVfgCqYsgFIcwnD/QmkeUg5Hq5AdqzZxj811HOuACHVj6budS86DqN2uqkkXNnAvtK+7fG1UUW0A/ZZfQS5SNhMXMosGq5l49J5OBiQBlK/Q3KtnxL2IOsbDCKUgoz7ttIXWxNtYhjQOdwhze1HlAxb/w0Ffam/+8q6SXfG5qTbixn2pmGg4Y+lHHLXxdZeouziDYN/gH/uOyrT7cC4p+L3r9UwCu+pgP0DwCeewCGx/vqf+yP5WTnGnRmylingTGEcFBcHItSfxpzpTFVihQt2Fy4ZT+yHmA3RYLvsok9xLHPIjwq9P8/B2tsvJ+tSgbDWiLD8hg+BYSWCK54kxFrSozpjdIIyKxgzeFrIH7AkAgklYelgopEiD/9CVJdTo53d1bQuwuccP6h1yGZdwNdhNC/x1vWJGHkvYzkx6cCAuSOTkBrFknia20imxgwKlxhQRZb73kBTVmHUK7r4iJnW3P7JuOfROT91/bLysimimYpr/18sxSLHhFq3VvJ9En11/Lln6JvcnzTEOw=

prometheus-operator/upstream/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: kube-prometheus-stack
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 56.9.0
+digest: sha256:9424e1be442b0aa62a79dddbaf2dbc32fed38bc98f7b0eb7cf7dafb406883244
+generated: "2024-02-23T11:19:55.144212-05:00"

sealed-secrets/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: sealed-secrets
+  repository: https://bitnami-labs.github.io/sealed-secrets
+  version: 2.15.0
+digest: sha256:b65dbd2e45629949076509ce93159ead08088fd3303a8575e4b22bc71a240e41
+generated: "2024-03-07T17:14:05.815363-05:00"

sealed-secrets/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: sealed-secrets
+version: '1.0.0'
+
+dependencies:
+  - name: sealed-secrets
+    version: 2.15.0
+    repository: https://bitnami-labs.github.io/sealed-secrets

sealed-secrets/README.md

@@ -0,0 +1,50 @@
+# Sealed Secrets
+
+This is a deployment of [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets).
+
+## Usage
+
+### Homebrew installation
+
+The `kubeseal` client is also available on [homebrew](https://formulae.brew.sh/formula/kubeseal):
+
+```bash
+brew install kubeseal
+```
+
+### Encrypt secret values
+
+Secrets a encrypted for a specific name and namespace.
+
+```bash
+echo -n "my secret value" | kubeseal --raw --namespace <TARGET_SECRET_NAMESPACE> --name <TARGET_SECRET_NAME> --controller-name=sealed-secrets --controller-namespace=sealed-secrets
+```
+
+### Validate sealed secrets
+
+```bash
+cat < SEALED_SECRET.yaml > | kubeseal --controller-name=sealed-secrets --controller-namespace=sealed-secrets --validate
+```
+
+### Create sealed secrets from secrets
+
+```bash
+# Create a yaml-encoded Secret somehow:
+# (note use of `--dry-run` - this is just a local file!)
+echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin -o yaml >mysecret.yaml
+
+kubeseal -f mysecret.yaml -w mysealedsecret.yaml --controller-name=sealed-secrets --controller-namespace=sealed-secrets
+
+rm mysecret.yaml
+```
+
+### Annotations
+
+The following annotations can be added on the `Secret` resource.
+
+- use `sealedsecrets.bitnami.com/patch: 'true'` to only add/modify some keys of an existing secrets
+- use `sealedsecrets.bitnami.com/managed: 'true'` to take ownership of an existing secret
+
+## Backup
+
+As a prevention, the encryption key has been saved manually as a [Secret](https://console.cloud.google.com/security/secret-manager/secret/sealed-secrets-key/versions?project=argo-demo-apps) in the GCP account.

sealed-secrets/templates/example-merge-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: existing-secret
+  namespace: sealed-secrets
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  encryptedData:
+    # another: property
+    another: AgAArsg4GEm7Bm+Bi3Dphb3jP6ZKir1pesgTQ+skJnMUkNfZMVq5fj5zrVtlt9qj1FPieKHMKGdrRv/kOG/3wC64BUZc37vUe+21UZqFckzvXbLLR9o0sP8QqORZJTLMzI6QEXjV6qeHkADHKAzRw9BGIdBYlligZtZ9vJcwKvTk0V8Mm0FB4TBqCDLgDFxnJgXtUXdyHBOJSM7sz3HghNX3Qjxzy6wtJGR64ImJA3r6buM1AvT1Zk9mtwznHbe2KPwrWsI5dejBOHjl71ixrqqiZSzxDi/72QytJlVX4JVo0ELhOZYVcXR7Qucmqkq62SjmDjJYWDeYedKdLaVnnVsmMfxVlqFcmA+dRdkfUbckhgqVIiHN1Y4I1mxscZ+4TC2qFqYRNay4SLH5Yxq2uPrCLsu6Q5illj0F1w/pojUtXruMrKP1pb9oAbpfAW3hVuckCbIdA3U5Wx3JS/38uqcdID8v6vLw3HWbcBFAIvMyqlNReMNWBkNZIChPWNs958PtlmtA2d6sIXJG0C+9IbNbCQzO3OHELF4H1M0qEEQJqsxe8Tfg7+fet3ueorR25lSToVLkvP9DfrL0MN0KoF65/Lat+T23Y7h1vcyVmtyAor77eSGXuG2CNJltkp4+MJ2FGDzejTTWAWjTJmoxJHAp7sSwWaRHjiozTs5UHylQJCuKBa2ulmuIBMnXACNTHt+Y1RCWbzDO/Q==

sealed-secrets/templates/example-secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: example
+  namespace: sealed-secrets
+spec:
+  encryptedData:
+    foo: AgBjKvgN/YXr1BNd5akl+uugA7KEYqx9ImhtNA8wuT8GDU6Bzu70O3Z57BVn/biYxZhbMKFDRYt++zx++5iVoUexIM4ELZLxt53DMBsQiap2Z58B5KwXgLkXlfysiHgRjCa2ohJSTx7yfnLYpry/OJV1xfeia8MSMICjZM/as/iGfUVpldqp+BUz1i2afBDdCrSnQTQiW1U8OukN79yR9AheE1z9a/5/utGBcehQja3CepixTI2vuUmV5NiOfn4sjgq/MDbAvMfDpnKZ6HrhF7FaQQZu+DvbH+DjR7cuV1JqbEZ4kHhL1L4A2adpvP2Ox9Yr1ozqEIdvzeb3TYyvmXglBIgxOT4ZO6M6MeQhtF/V9OSo1JpF0ixpv2917pKu3fjVyyQUCB4/Qlb1HgpclzuHhOyI3Z5r6agbmKGE8j+paqQVOItyRpncB4Fm4wKF3oYjQB6YMJC8DtZXNKs33EAdbV8nZ5LB4QOI1VuyESqGs1LClW9/MH8NrYPAWKWo3cQlIYXERAYXJ6msz8gyw8/qqDFONdxP33ylGryJF6JrJv8ces3CzGFQxAtWXjyuE8T8pgl0C/BcSYGvIavupEeKA3mu+UCrGEl/AHX2LOrEhvdPEQ0A64PYssTOHoTcZ4kkVfDDgXUpcYtyGFjYAST97H0sEKsKFhXSIzLSzdVypoWufzxYy+UDZ2g8LN38dvNEZnQ=
+### The secret above will create the following
+# apiVersion: v1
+# kind: Secret
+# type: Opaque
+# metadata:
+#   name: example
+#   namespace: sealed-secrets
+# stringData:
+#   foo: bar

sealed-secrets/templates/existing-secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: existing-secret
+  namespace: sealed-secrets
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+    sealedsecrets.bitnami.com/patch: 'true'
+stringData:
+  foo: bar

sealed-secrets/values.yaml

@@ -0,0 +1,6 @@
+sealed-secrets:
+  metrics:
+    serviceMonitor:
+      enabled: true
+    dashboards:
+      create: true