Updates for deployment

.controlplane/controlplane.yml

@@ -60,9 +60,14 @@ apps:
     <<: *common
     # Order matters!
     setup_app_templates:
+      # GVC template contains the identity
       - gvc
+
+      # Resources
       - postgres
       - redis
+
+      # Workloads, like Dynos types on Heroku
       - daily-task
       - rails
     # Prefix is used to identify these "qa" apps.

.controlplane/templates/daily-task.yml

@@ -30,3 +30,5 @@ spec:
     external:
       outboundAllowCIDR:
         - 0.0.0.0/0
+  # Identity is used for binding workload to secrets
+  identityLink: {{APP_IDENTITY_LINK}}

.controlplane/templates/gvc.yml

@@ -23,3 +23,9 @@ spec:
   staticPlacement:
     locationLinks:
       - {{APP_LOCATION_LINK}}
+
+---
+
+# Identity is needed to access secrets
+kind: identity
+name: {{APP_IDENTITY}}

.controlplane/templates/rails.yml

@@ -34,3 +34,5 @@ spec:
       # Could configure outbound for more security
       outboundAllowCIDR:
         - 0.0.0.0/0
+  # Identity is used for binding workload to secrets
+  identityLink: {{APP_IDENTITY_LINK}}

.controlplane/templates/secrets-policy.yml

@@ -0,0 +1,4 @@
+# Policy is needed to allow identities to access secrets
+kind: policy
+name: {{APP_SECRETS_POLICY}}
+targetKind: secret

.controlplane/templates/secrets.yml

@@ -0,0 +1,23 @@
+# Org level secrets are used to store sensitive information that is
+# shared across multiple apps in the same organization. This is
+# useful for storing things like API keys, database credentials, and
+# other sensitive information that is shared across multiple apps
+# in the same organization.
+
+# This is how you apply this once (not during CI)
+# cpl apply-template secrets  -a qa-react-webpack-rails-tutorial --org shakacode-open-source-examples-staging
+
+kind: secret
+name: {{APP_SECRETS}}
+type: dictionary
+data:
+  SOME_ENV: "123456"
+
+---
+
+# Policy is needed to allow identities to access secrets
+kind: policy
+name: {{APP_SECRETS_POLICY}}
+targetKind: secret
+targetLinks:
+  - //secret/{{APP_SECRETS}}