From dbe8b8e40137efb3a0447f654a2357acd3c89231 Mon Sep 17 00:00:00 2001 From: dvirlabs <114520947+dvirlabs@users.noreply.github.com> Date: Tue, 26 May 2026 15:22:52 +0300 Subject: [PATCH] Add secret for n8n --- argocd-apps/cluster-secret-store-creator.yaml | 19 ----- argocd-apps/external-secrets-dev-tools.yaml | 19 ----- argocd-apps/external-secrets.yaml | 18 ----- argocd-apps/vault-config.yaml | 17 ---- argocd-apps/vault.yaml | 29 ------- charts/n8n/templates/deployment.yaml | 4 +- charts/n8n/values.yaml | 4 - .../cicd/bootstrap-job.disable | 76 ------------------ .../cicd/clustersecretstore.yaml | 19 ----- .../internal-users/bootstrap-job.disable | 76 ------------------ .../internal-users/clustersecretstore.yaml | 19 ----- .../oidc/bootstrap-job.disable | 76 ------------------ .../oidc/clustersecretstore.yaml | 19 ----- .../bootstrap-job.disable | 77 ------------------- .../clustersecretstore.yaml | 19 ----- .../woodpecker/external-secret.yaml.disable | 18 ----- .../externalsecret-woodpecker-harbor.yaml | 22 ------ manifests/external-secrets/values.yaml | 28 ------- manifests/n8n/values.yaml | 4 - manifests/secrets-dev-tools/values.yaml | 10 ++- 20 files changed, 11 insertions(+), 562 deletions(-) delete mode 100644 argocd-apps/cluster-secret-store-creator.yaml delete mode 100644 argocd-apps/external-secrets-dev-tools.yaml delete mode 100644 argocd-apps/external-secrets.yaml delete mode 100644 argocd-apps/vault-config.yaml delete mode 100644 argocd-apps/vault.yaml delete mode 100644 manifests/cluster-secret-store/cicd/bootstrap-job.disable delete mode 100644 manifests/cluster-secret-store/cicd/clustersecretstore.yaml delete mode 100644 manifests/cluster-secret-store/internal-users/bootstrap-job.disable delete mode 100644 manifests/cluster-secret-store/internal-users/clustersecretstore.yaml delete mode 100644 manifests/cluster-secret-store/oidc/bootstrap-job.disable delete mode 100644 manifests/cluster-secret-store/oidc/clustersecretstore.yaml delete mode 100644 manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.disable delete mode 100644 manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml delete mode 100644 manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable delete mode 100644 manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml delete mode 100644 manifests/external-secrets/values.yaml diff --git a/argocd-apps/cluster-secret-store-creator.yaml b/argocd-apps/cluster-secret-store-creator.yaml deleted file mode 100644 index 0844a11..0000000 --- a/argocd-apps/cluster-secret-store-creator.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: cluster-secret-store-creator -# namespace: argocd -# spec: -# project: dev-tools -# source: -# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git -# targetRevision: HEAD -# path: manifests/cluster-secret-store -# directory: -# recurse: true -# destination: -# server: https://kubernetes.default.svc -# namespace: dev-tools -# syncPolicy: -# syncOptions: -# - CreateNamespace=true diff --git a/argocd-apps/external-secrets-dev-tools.yaml b/argocd-apps/external-secrets-dev-tools.yaml deleted file mode 100644 index 7c95c8e..0000000 --- a/argocd-apps/external-secrets-dev-tools.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: external-secrets-dev-tools -# namespace: argocd -# spec: -# project: dev-tools -# source: -# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git -# targetRevision: HEAD -# path: manifests/external-secrets-dev-tools -# directory: -# recurse: true -# destination: -# server: https://kubernetes.default.svc -# namespace: dev-tools -# syncPolicy: -# syncOptions: -# - CreateNamespace=true diff --git a/argocd-apps/external-secrets.yaml b/argocd-apps/external-secrets.yaml deleted file mode 100644 index 740c513..0000000 --- a/argocd-apps/external-secrets.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: external-secrets -# namespace: argocd -# spec: -# project: dev-tools -# source: -# repoURL: 'ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git' -# targetRevision: HEAD -# path: charts/external-secrets -# helm: -# valueFiles: -# - ../../manifests/external-secrets/values.yaml -# destination: -# server: https://kubernetes.default.svc -# namespace: dev-tools -# syncPolicy: {} diff --git a/argocd-apps/vault-config.yaml b/argocd-apps/vault-config.yaml deleted file mode 100644 index 86a4eb6..0000000 --- a/argocd-apps/vault-config.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: vault-config -# namespace: argocd -# spec: -# project: dev-tools -# source: -# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git -# targetRevision: HEAD -# path: manifests/vault -# directory: -# recurse: true -# destination: -# server: https://kubernetes.default.svc -# namespace: dev-tools -# syncPolicy: {} diff --git a/argocd-apps/vault.yaml b/argocd-apps/vault.yaml deleted file mode 100644 index f883e08..0000000 --- a/argocd-apps/vault.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# apiVersion: argoproj.io/v1alpha1 -# kind: Application -# metadata: -# name: vault -# namespace: argocd -# spec: -# project: dev-tools -# source: -# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git -# targetRevision: HEAD -# path: charts/vault -# helm: -# valueFiles: -# - ../../manifests/vault/values.yaml -# destination: -# server: https://kubernetes.default.svc -# namespace: dev-tools -# syncPolicy: {} -# ignoreDifferences: -# - group: admissionregistration.k8s.io -# kind: MutatingWebhookConfiguration -# name: vault-agent-injector-cfg -# jsonPointers: -# - /webhooks/0/clientConfig/caBundle -# - group: apps -# kind: Deployment -# name: vault-agent-injector -# jsonPointers: -# - /spec/template/metadata/annotations diff --git a/charts/n8n/templates/deployment.yaml b/charts/n8n/templates/deployment.yaml index 803af85..f77fbf0 100644 --- a/charts/n8n/templates/deployment.yaml +++ b/charts/n8n/templates/deployment.yaml @@ -65,11 +65,11 @@ spec: configMapKeyRef: name: {{ include "n8n.fullname" . }} key: DB_SQLITE_FILE - # Sensitive values from Secret + # Sensitive values from Secret created by ExternalSecret - name: N8N_ENCRYPTION_KEY valueFrom: secretKeyRef: - name: {{ .Values.existingSecret | default (include "n8n.fullname" .) }} + name: n8n-secrets key: N8N_ENCRYPTION_KEY {{- if .Values.env }} {{- range $key, $value := .Values.env }} diff --git a/charts/n8n/values.yaml b/charts/n8n/values.yaml index c4ca372..2db2e1a 100644 --- a/charts/n8n/values.yaml +++ b/charts/n8n/values.yaml @@ -58,10 +58,6 @@ envFrom: [] # - secretRef: # name: n8n-tokens -# Reference to an existing Secret for sensitive values -# If not provided, Secret with the same name as the release will be used -existingSecret: "" - resources: requests: cpu: 100m diff --git a/manifests/cluster-secret-store/cicd/bootstrap-job.disable b/manifests/cluster-secret-store/cicd/bootstrap-job.disable deleted file mode 100644 index 28c96fa..0000000 --- a/manifests/cluster-secret-store/cicd/bootstrap-job.disable +++ /dev/null @@ -1,76 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: vault-bootstrap-cicd - namespace: dev-tools - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - argocd.argoproj.io/sync-wave: "1" -spec: - backoffLimit: 2 - ttlSecondsAfterFinished: 60 - template: - spec: - restartPolicy: OnFailure - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - containers: - - name: vault - image: hashicorp/vault:1.16 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - env: - - name: VAULT_ADDR - value: "http://vault.dev-tools.svc.cluster.local:8200" - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-admin-token - key: token - command: - - /bin/sh - - -c - args: - - | - set -e - echo "[bootstrap for scope cicd]" - - i=0 - until vault status >/dev/null 2>&1; do - i=$((i+1)) - if [ "$i" -gt 30 ]; then - echo "Vault is not ready after 30 attempts"; exit 1 - fi - echo "Waiting for Vault... ($i/30)" - sleep 2 - done - - cat >/tmp/policy.hcl <<'EOF' - path "cicd/metadata/*" { capabilities = ["list"] } - path "cicd/data/*" { capabilities = ["read"] } - EOF - - vault policy write eso-cicd-read /tmp/policy.hcl || true - - vault write auth/kubernetes/role/eso-cicd \ - bound_service_account_names="external-secrets" \ - bound_service_account_namespaces="dev-tools" \ - bound_audiences="https://kubernetes.default.svc" \ - policies="eso-cicd-read" \ - ttl=1h diff --git a/manifests/cluster-secret-store/cicd/clustersecretstore.yaml b/manifests/cluster-secret-store/cicd/clustersecretstore.yaml deleted file mode 100644 index 3070cef..0000000 --- a/manifests/cluster-secret-store/cicd/clustersecretstore.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-cicd - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - provider: - vault: - server: "http://vault.dev-tools.svc.cluster.local:8200" - path: "cicd" - version: "v2" - auth: - kubernetes: - mountPath: "kubernetes" - role: "eso-cicd" - serviceAccountRef: - name: "external-secrets" - namespace: "dev-tools" diff --git a/manifests/cluster-secret-store/internal-users/bootstrap-job.disable b/manifests/cluster-secret-store/internal-users/bootstrap-job.disable deleted file mode 100644 index 610cde5..0000000 --- a/manifests/cluster-secret-store/internal-users/bootstrap-job.disable +++ /dev/null @@ -1,76 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: vault-bootstrap-internal-users - namespace: dev-tools - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - argocd.argoproj.io/sync-wave: "1" -spec: - backoffLimit: 2 - ttlSecondsAfterFinished: 60 - template: - spec: - restartPolicy: OnFailure - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - containers: - - name: vault - image: hashicorp/vault:1.16 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - env: - - name: VAULT_ADDR - value: "http://vault.dev-tools.svc.cluster.local:8200" - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-admin-token - key: token - command: - - /bin/sh - - -c - args: - - | - set -e - echo "[bootstrap for scope internal-users]" - - i=0 - until vault status >/dev/null 2>&1; do - i=$((i+1)) - if [ "$i" -gt 30 ]; then - echo "Vault is not ready after 30 attempts"; exit 1 - fi - echo "Waiting for Vault... ($i/30)" - sleep 2 - done - - cat >/tmp/policy.hcl <<'EOF' - path "internal-users/metadata/*" { capabilities = ["list"] } - path "internal-users/data/*" { capabilities = ["read"] } - EOF - - vault policy write eso-internal-users-read /tmp/policy.hcl || true - - vault write auth/kubernetes/role/eso-internal-users \ - bound_service_account_names="external-secrets" \ - bound_service_account_namespaces="dev-tools" \ - bound_audiences="https://kubernetes.default.svc" \ - policies="eso-internal-users-read" \ - ttl=1h diff --git a/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml b/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml deleted file mode 100644 index 7beb108..0000000 --- a/manifests/cluster-secret-store/internal-users/clustersecretstore.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-internal-users - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - provider: - vault: - server: "http://vault.dev-tools.svc.cluster.local:8200" - path: "internal-users" - version: "v2" - auth: - kubernetes: - mountPath: "kubernetes" - role: "eso-internal-users" - serviceAccountRef: - name: "external-secrets" - namespace: "dev-tools" diff --git a/manifests/cluster-secret-store/oidc/bootstrap-job.disable b/manifests/cluster-secret-store/oidc/bootstrap-job.disable deleted file mode 100644 index 81cd0ec..0000000 --- a/manifests/cluster-secret-store/oidc/bootstrap-job.disable +++ /dev/null @@ -1,76 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: vault-bootstrap-oidc - namespace: dev-tools - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - argocd.argoproj.io/sync-wave: "1" -spec: - backoffLimit: 2 - ttlSecondsAfterFinished: 60 - template: - spec: - restartPolicy: OnFailure - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - containers: - - name: vault - image: hashicorp/vault:1.16 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - env: - - name: VAULT_ADDR - value: "http://vault.dev-tools.svc.cluster.local:8200" - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-admin-token - key: token - command: - - /bin/sh - - -c - args: - - | - set -e - echo "[bootstrap for scope oidc-secrets]" - - i=0 - until vault status >/dev/null 2>&1; do - i=$((i+1)) - if [ "$i" -gt 30 ]; then - echo "Vault is not ready after 30 attempts"; exit 1 - fi - echo "Waiting for Vault... ($i/30)" - sleep 2 - done - - cat >/tmp/policy.hcl <<'EOF' - path "oidc-secrets/metadata/*" { capabilities = ["list"] } - path "oidc-secrets/data/*" { capabilities = ["read"] } - EOF - - vault policy write eso-oidc-read /tmp/policy.hcl || true - - vault write auth/kubernetes/role/eso-oidc \ - bound_service_account_names="external-secrets" \ - bound_service_account_namespaces="dev-tools" \ - bound_audiences="https://kubernetes.default.svc" \ - policies="eso-oidc-read" \ - ttl=1h \ No newline at end of file diff --git a/manifests/cluster-secret-store/oidc/clustersecretstore.yaml b/manifests/cluster-secret-store/oidc/clustersecretstore.yaml deleted file mode 100644 index ea5e8de..0000000 --- a/manifests/cluster-secret-store/oidc/clustersecretstore.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-oidc - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - provider: - vault: - server: "http://vault.dev-tools.svc.cluster.local:8200" - path: "oidc-clients" - version: "v2" - auth: - kubernetes: - mountPath: "kubernetes" - role: "eso-oidc" - serviceAccountRef: - name: "external-secrets" - namespace: "dev-tools" diff --git a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.disable b/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.disable deleted file mode 100644 index c91fa4e..0000000 --- a/manifests/cluster-secret-store/vault-general-secrets/bootstrap-job.disable +++ /dev/null @@ -1,77 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: vault-bootstrap-general - namespace: dev-tools - annotations: - argocd.argoproj.io/hook: Sync - argocd.argoproj.io/hook-delete-policy: HookSucceeded - argocd.argoproj.io/sync-wave: "1" -spec: - backoffLimit: 2 - ttlSecondsAfterFinished: 60 - template: - spec: - restartPolicy: OnFailure - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - containers: - - name: vault - image: hashicorp/vault:1.16 - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - env: - - name: VAULT_ADDR - value: "http://vault.dev-tools.svc.cluster.local:8200" - - name: VAULT_TOKEN - valueFrom: - secretKeyRef: - name: vault-admin-token - key: token - command: - - /bin/sh - - -c - args: - - | - set -e - echo "[bootstrap for scope general-secrets]" - - i=0 - until vault status >/dev/null 2>&1; do - i=$((i+1)) - if [ "$i" -gt 30 ]; then - echo "Vault is not ready after 30 attempts"; exit 1 - fi - echo "Waiting for Vault... ($i/30)" - sleep 2 - done - - cat >/tmp/policy.hcl <<'EOF' - path "general-secrets/metadata/*" { capabilities = ["list"] } - path "general-secrets/data/*" { capabilities = ["read"] } - EOF - - vault policy write eso-general-read /tmp/policy.hcl || true - - vault write auth/kubernetes/role/eso-general \ - bound_service_account_names="external-secrets" \ - bound_service_account_namespaces="dev-tools" \ - bound_audiences="https://kubernetes.default.svc" \ - policies="eso-general-read" \ - ttl=1h - diff --git a/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml b/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml deleted file mode 100644 index b37269b..0000000 --- a/manifests/cluster-secret-store/vault-general-secrets/clustersecretstore.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-general-secrets - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - provider: - vault: - server: "http://vault.dev-tools.svc.cluster.local:8200" - path: "general-secrets" - version: "v2" - auth: - kubernetes: - mountPath: "kubernetes" - role: "eso-general" - serviceAccountRef: - name: "external-secrets" - namespace: "dev-tools" diff --git a/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable b/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable deleted file mode 100644 index 4a9c9b9..0000000 --- a/manifests/external-secrets-dev-tools/woodpecker/external-secret.yaml.disable +++ /dev/null @@ -1,18 +0,0 @@ -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: kaniko-docker-config -# namespace: dev-tools -# spec: -# refreshInterval: 1h -# secretStoreRef: -# name: vault-general-secrets -# kind: ClusterSecretStore -# target: -# name: kaniko-docker-config -# creationPolicy: Owner -# data: -# - secretKey: config.json -# remoteRef: -# key: general-secrets/woodpecker-kaniko -# property: config.json diff --git a/manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml b/manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml deleted file mode 100644 index 3681d1a..0000000 --- a/manifests/external-secrets-dev-tools/woodpecker/externalsecret-woodpecker-harbor.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: woodpecker-harbor-creds - namespace: dev-tools -spec: - refreshInterval: 1h - secretStoreRef: - name: vault-cicd # ClusterSecretStore for CICD secrets - kind: ClusterSecretStore - target: - name: woodpecker-harbor-secret # K8s Secret that will be created - creationPolicy: Owner - data: - - secretKey: docker_username - remoteRef: - key: harbor # relative to ClusterSecretStore's path (cicd) - property: docker_username - - secretKey: docker_password - remoteRef: - key: harbor - property: docker_password diff --git a/manifests/external-secrets/values.yaml b/manifests/external-secrets/values.yaml deleted file mode 100644 index b763019..0000000 --- a/manifests/external-secrets/values.yaml +++ /dev/null @@ -1,28 +0,0 @@ -installCRDs: true - -image: - repository: ghcr.io/external-secrets/external-secrets - tag: v0.9.19 - pullPolicy: IfNotPresent - flavour: default - -webhook: - enabled: true - image: - repository: ghcr.io/external-secrets/external-secrets - tag: v0.9.19 - flavour: webhook - -certController: - enabled: true - image: - repository: ghcr.io/external-secrets/external-secrets - tag: v0.9.19 - flavour: cert-controller - certs: - duration: 8760h - renewBefore: 720h - selfSigned: true - -nodeSelector: - node-role.kubernetes.io/worker: "true" \ No newline at end of file diff --git a/manifests/n8n/values.yaml b/manifests/n8n/values.yaml index e66f232..b71c752 100644 --- a/manifests/n8n/values.yaml +++ b/manifests/n8n/values.yaml @@ -36,10 +36,6 @@ persistence: storageClass: nfs-client size: 10Gi -# Reference to existing Secret for sensitive values like N8N_ENCRYPTION_KEY -# This Secret must be created in the dev-tools namespace before ArgoCD syncs -existingSecret: n8n-secrets - resources: requests: cpu: 100m diff --git a/manifests/secrets-dev-tools/values.yaml b/manifests/secrets-dev-tools/values.yaml index b7db6dd..84cc7c0 100644 --- a/manifests/secrets-dev-tools/values.yaml +++ b/manifests/secrets-dev-tools/values.yaml @@ -2,4 +2,12 @@ secretStore: name: vault kind: ClusterSecretStore -externalSecrets: [] +externalSecrets: + - name: n8n-secrets + namespace: dev-tools + targetName: n8n-secrets + creationPolicy: Owner + data: + - secretKey: N8N_ENCRYPTION_KEY + remoteKey: dev-tools/n8n + property: encryption_key