maurice/snix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(k8s): Insert Nixery's secrets via kontemplate

Browse source 
Instead of having a manually prepared secret, use Cloud KMS (as per
the previous commits) to decrypt the in-repo secrets and template them
into the Secret resource in Kubernetes.

Not all of the values are actually secret, it has thus become a bit
easier to edit the known hosts, SSH config and such now.
This commit is contained in:
Vincent Ambo 2019-09-03 16:10:42 +01:00
parent 0bc548e75e
commit 283951388c
5 changed files with 25 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

19
infra/kubernetes/nixery/secrets.yaml Normal file
View file

@ -0,0 +1,19 @@
# The secrets below are encrypted using keys stored in Cloud KMS and
# templated in by kontemplate when deploying.
#
# Not all of the values are actually secret (see the matching)
---
apiVersion: v1
data:
gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
known_hosts: {{ insertFile "known_hosts" | b64enc }}
ssh_config: {{ insertFile "ssh_config" | b64enc }}
kind: Secret
metadata:
creationTimestamp: null
name: nixery-secrets
selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
type: Opaque