From eb43ba75d2399d8ae0461cb85b9ce9a6a367cc2c Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 3 Sep 2019 13:44:30 +0100
Subject: [PATCH 1/5] chore(gcp): Remove monorepo repository

The repository is now public on Github.
---
 infra/gcp/default.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/infra/gcp/default.tf b/infra/gcp/default.tf
index 677e737a2..18096bf2b 100644
--- a/infra/gcp/default.tf
+++ b/infra/gcp/default.tf
@@ -81,8 +81,3 @@ resource "google_service_account" "nixery" {
 account_id = "nixery"
 display_name = "Nixery service account"
 }
-
-# Configure a git repository in which to store my monorepo
-resource "google_sourcerepo_repository" "monorepo" {
- name = "monorepo"
-}

From abd5d7538c727e1aca7712455a799cf034d0fbaf Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 3 Sep 2019 15:13:34 +0100
Subject: [PATCH 2/5] feat(gcp): Create Cloud KMS resources for encrypting secrets

The idea here is to use Cloud KMS and a shell script that mimics 'pass' to trick kontemplate into using Cloud KMS to decrypt secrets.
---
 infra/gcp/default.tf | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/infra/gcp/default.tf b/infra/gcp/default.tf
index 18096bf2b..d13345393 100644
--- a/infra/gcp/default.tf
+++ b/infra/gcp/default.tf
@@ -27,24 +27,25 @@ resource "google_project_services" "primary" {
 "bigquerystorage.googleapis.com",
 "cloudapis.googleapis.com",
 "clouddebugger.googleapis.com",
+ "cloudkms.googleapis.com",
 "cloudtrace.googleapis.com",
+ "compute.googleapis.com",
+ "container.googleapis.com",
+ "containerregistry.googleapis.com",
 "datastore.googleapis.com",
 "dns.googleapis.com",
+ "iam.googleapis.com",
+ "iamcredentials.googleapis.com",
 "logging.googleapis.com",
 "monitoring.googleapis.com",
+ "oslogin.googleapis.com",
+ "pubsub.googleapis.com",
 "servicemanagement.googleapis.com",
 "serviceusage.googleapis.com",
+ "sourcerepo.googleapis.com",
 "sql-component.googleapis.com",
 "storage-api.googleapis.com",
 "storage-component.googleapis.com",
- "container.googleapis.com",
- "iam.googleapis.com",
- "compute.googleapis.com",
- "iamcredentials.googleapis.com",
- "oslogin.googleapis.com",
- "pubsub.googleapis.com",
- "containerregistry.googleapis.com",
- "sourcerepo.googleapis.com",
 ]
 }
@@ -81,3 +82,22 @@ resource "google_service_account" "nixery" {
 account_id = "nixery"
 display_name = "Nixery service account"
 }
+
+# Configure Cloud KMS for secret encryption
+resource "google_kms_key_ring" "tazjins_keys" {
+ name = "tazjins-keys"
+ location = "europe-north1"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "google_kms_crypto_key" "kontemplate_key" {
+ name = "kontemplate-key"
+ key_ring = google_kms_key_ring.tazjins_keys.id
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}

From bcd7710be565a4711a43d56122b37c7b38514b81 Mon Sep 17 00:00:00 2001
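Review bot: `google_kms_crypto_key.kontemplate_key` sets no `rotation_period`, so the key never gets a new primary version unless someone rotates it by hand; older versions stay usable for decrypting the ciphertexts already checked into the repo, so automatic rotation costs nothing — add `rotation_period = "7776000s"` (90 days) under `key_ring`. The hunk also creates the key without any IAM binding, so the set of principals able to call decrypt — which is everyone who can read every in-repo secret — is presumably inherited from project-level roles; a `google_kms_crypto_key_iam_member` next to the key would make that set explicit and reviewable in the same file. `prevent_destroy` on both resources is the right call, since ciphertexts in git become unrecoverable if the key goes away.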
From: Vincent Ambo
Date: Tue, 3 Sep 2019 15:56:31 +0100
Subject: [PATCH 3/5] feat(tools): Introduce pass-compatible wrapper using Cloud KMS

Adds a shell script that supports a subset of the 'pass' interface for compatibility with kontemplate, and wraps kontemplate in a script that places this version on the PATH. This makes it possible to use Cloud KMS encrypted secrets with kontemplate.
---
 .envrc | 1 +
 default.nix | 13 +++++++++
 tools/bin/__dispatch.sh | 3 ++
 tools/bin/pass | 1 +
 tools/kms_pass/default.nix | 60 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 78 insertions(+)
 create mode 120000 tools/bin/pass
 create mode 100644 tools/kms_pass/default.nix

diff --git a/.envrc b/.envrc
index d89bcd9d6..6b3ce7ebb 100644
--- a/.envrc
+++ b/.envrc
@@ -4,3 +4,4 @@ export PATH="${PWD}/tools/bin:${PATH}"
 export NIX_PATH="nixpkgs=${PWD}/default.nix"
 export REPO_ROOT="${PWD}"
+export SECRETS_DIR="${PWD}/secrets"
diff --git a/default.nix b/default.nix
index ed6258108..3b5736a19 100644
--- a/default.nix
+++ b/default.nix
@@ -28,6 +28,13 @@ let
 blog = self.callPackage ./services/tazblog {};
 blog_cli = self.callPackage ./tools/blog_cli {};
 gemma = self.callPackage ./services/gemma {};
+
+ kms_pass = self.callPackage ./tools/kms_pass {
+ project = "tazjins-infrastructure";
+ region = "europe-north1";
+ keyring = "tazjins-keys";
+ key = "kontemplate-key";
+ };
 };
 # Third-party projects (either vendored or modified from nixpkgs) go here:
@@ -49,6 +56,12 @@ let
 sha256 = "1wn7nmb1cqfk2j91l3rwc6yhimfkzxprb8wknw5wi57yhq9m6lv1";
 }) {}).elmPackages;
+ # Wrap kontemplate to inject the Cloud KMS version of 'pass'
+ kontemplate = self.writeShellScriptBin "kontemplate" ''
+ export PATH="${self.tazjin.kms_pass}/bin:$PATH"
+ exec ${super.kontemplate}/bin/kontemplate $@
+ '';
+
 # One of Gemma's dependencies is missing in nixpkgs' Quicklisp
 # package set, it is overlaid locally here.
 lispPackages = import ./third_party/common_lisp/quicklisp.nix {
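Review bot: The new `kontemplate` wrapper passes `$@` unquoted in `exec ${super.kontemplate}/bin/kontemplate $@`, so any argument containing whitespace or glob characters (a `--var` value, a path) is re-split and glob-expanded before kontemplate sees it; change it to `exec ${super.kontemplate}/bin/kontemplate "$@"` — the double quotes pass through a Nix `''` string unchanged. The PATH prepend means kontemplate's `pass` lookup (presumably by PATH) resolves to `kms_pass` only when kontemplate is run through this wrapper; a one-line comment saying that invoking the nixpkgs binary directly falls back to whatever `pass` is installed would save a confused debugging session. The enclosing `let` block starts and ends outside the hunk.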
diff --git a/tools/bin/__dispatch.sh b/tools/bin/__dispatch.sh
index 09b404f3b..20848bd51 100755
--- a/tools/bin/__dispatch.sh
+++ b/tools/bin/__dispatch.sh
@@ -22,6 +22,9 @@ case "${TARGET_TOOL}" in
 stern)
 attr="stern"
 ;;
+ pass)
+ attr="tazjin.kms_pass"
+ ;;
 *)
 echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
 exit 1
diff --git a/tools/bin/pass b/tools/bin/pass
new file mode 120000
index 000000000..8390ec9c9
--- /dev/null
+++ b/tools/bin/pass
@@ -0,0 +1 @@
+__dispatch.sh
\ No newline at end of file
diff --git a/tools/kms_pass/default.nix b/tools/kms_pass/default.nix
new file mode 100644
index 000000000..fbc17650a
--- /dev/null
+++ b/tools/kms_pass/default.nix
@@ -0,0 +1,60 @@
+# This tool mimics a subset of the interface of 'pass', but uses
+# Google Cloud KMS for encryption.
+#
+# It is intended to be compatible with how 'kontemplate' invokes
+# 'pass.'
+#
+# Only the 'show' and 'insert' commands are supported.
+
+{ google-cloud-sdk, tree, writeShellScriptBin
+, project, region, keyring, key }:
+
+writeShellScriptBin "pass" ''
+ set -eo pipefail
+
+ CMD="$1"
+ readonly SECRET=$2
+ readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
+
+ function secret_check {
+ if [[ -z $SECRET ]]; then
+ echo 'Secret must be specified'
+ exit 1
+ fi
+ }
+
+ if [[ -z $CMD ]]; then
+ CMD="ls"
+ fi
+
+ case "$CMD" in
+ ls)
+ ${tree}/bin/tree $SECRETS_DIR
+ ;;
+ show)
+ secret_check
+ ${google-cloud-sdk}/bin/gcloud kms decrypt \
+ --project ${project} \
+ --location ${region} \
+ --keyring ${keyring} \
+ --key ${key} \
+ --ciphertext-file $SECRET_PATH \
+ --plaintext-file -
+ ;;
+ insert)
+ secret_check
+ ${google-cloud-sdk}/bin/gcloud kms encrypt \
+ --project ${project} \
+ --location ${region} \
+ --keyring ${keyring} \
+ --key ${key} \
+ --ciphertext-file $SECRET_PATH \
+ --plaintext-file -
+ echo "Inserted secret '$SECRET'"
+ ;;
+ *)
+ echo "Usage: pass show/insert "
+ exit 1
+ ;;
+ esac
+''
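Review bot: `secret_check` only rejects an empty `$SECRET`, so `pass show ../../x` or `pass insert ../x` builds a `SECRET_PATH` outside `$SECRETS_DIR`, and `$SECRET_PATH` and `$SECRETS_DIR` reach `gcloud` and `tree` unquoted, so a name containing whitespace is split into several arguments. Nothing checks that `SECRETS_DIR` is set at all (only `.envrc` exports it), in which case every path silently collapses to `/<name>`. The prologue below fails fast without `SECRETS_DIR`, rejects names containing `/` or starting with `.`, and quotes the paths; the `insert` branch needs the same `"$SECRET_PATH"` quoting as `show`. Optionally, passing the secret name through `--additional-authenticated-data-file` on both `kms encrypt` and `kms decrypt` would bind each checked-in ciphertext to its file name, so one blob cannot be moved into another secret's slot undetected.
```nix
writeShellScriptBin "pass" ''
  set -eo pipefail

  if [[ -z $SECRETS_DIR ]]; then
    echo 'SECRETS_DIR is not set (see .envrc)' >&2
    exit 1
  fi

  CMD="$1"
  readonly SECRET=$2
  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"

  # A secret name is a plain file name inside $SECRETS_DIR: no '/' and
  # no leading '.', so neither '..' nor an absolute path can escape it.
  function secret_check {
    if [[ -z $SECRET || $SECRET == */* || $SECRET == .* ]]; then
      echo 'Secret must be a plain file name' >&2
      exit 1
    fi
  }

  # … unchanged: default CMD to "ls" …

  case "$CMD" in
    ls)
      ${tree}/bin/tree "$SECRETS_DIR"
      ;;
    show)
      secret_check
      ${google-cloud-sdk}/bin/gcloud kms decrypt \
        --project ${project} \
        --location ${region} \
        --keyring ${keyring} \
        --key ${key} \
        --ciphertext-file "$SECRET_PATH" \
        --plaintext-file -
      ;;
    # … unchanged: insert branch (quote "$SECRET_PATH" the same way), usage …
  esac
''
```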
From 0bc548e75e7e06ee4ad172449f818d7e4b861b1d Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 3 Sep 2019 16:10:14 +0100
Subject: [PATCH 4/5] feat(secrets): Check in secrets required by Nixery

---
 secrets/nixery-gcs-json | Bin 0 -> 2416 bytes
 secrets/nixery-gcs-pem | Bin 0 -> 3214 bytes
 secrets/nixery-ssh-private | Bin 0 -> 1906 bytes
 3 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 secrets/nixery-gcs-json
 create mode 100644 secrets/nixery-gcs-pem
 create mode 100644 secrets/nixery-ssh-private
diff --git a/secrets/nixery-gcs-json b/secrets/nixery-gcs-json new file mode 100644 index 0000000000000000000000000000000000000000..b8b5445116856fe6dfc4db28d080a6ae4be42e72 GIT binary patch literal 2416 zcmd;5VYnFl=38ozvXT4Qiprkn?-QQqcdhjCX-^8cm@)CX;hx9eB3}s|7h-7Ze{PcJ z_cTk;#z&mZF(Enfx{{Qx_WOdXM+IFzZTmVy)UAK_3-`X|&mUMdjrCu`+w{MFlQ~!U zR7SA6?0?l{m1x$|;?(E&_f6~h|I58j@LX?XnEQYEtZbpghwjTVOtb9;-WOd>yz2gp zpWR|g+DV;vvMm2*eOwftv+T>-y(jLP-?x45B)j@<)Zx4D@7{gOCSA|9oQbcFpS6C| zSJByuygw~UwtktV^+fCC9m9o8%WRH5)K3@vW^=P%Hg>00d&LULuY#9X@8E67KWSlF zTKPg*Rgra-c>lAD3kr7bTytl|CMO%V>MCBte@~Cjd&+rY%ere*mTmuXA%wT-x)66v z{>^WF?Te-`tq_gAShV=|MPmWmwi$1t*B;qlc2fPdqrm!zWp~^ITIJP`=a^s2n|Dz| zMNVl=bMns|#am_!cK^>Yh6`TK+FGPzTxRj(_xB2)y@LA=csS&=Y4ykbOyqbvXYtw` z`$clz?-rl@SHvQCc|H3Hg;b#>f--Lf`VJJGtZ|*FwJp|4@7L@{LjJZgHOu-UJXz-7 zcUT=2DW}vkMQM(1a{a2u|JmZD;!dtPW^JA~ee!5 z#TBm|llGcyZg{n7#q#Y68Y0o`yH8F&nz2eh&o`5!@x9o!gc?l|hd!aHiB2A~G=x<= zyb`}E=$3vm^_lYga;edwzth$({kumpwIu%a;)w#A?My!{T+6p=PILc@rHeY!Eh7&b zMfS^ZO<+5J_=Bqg%k98Dmp08_;AK9kC!)!m(fUrqI@uyoDXwqMYYy3kZA`3udh>Fq z;FHH@9U7f;1A^4=Do8JN6aF{(sG~q$-Oo?c4wf5LZ#jD6@OpS<~N`-(RX z4=u0O+ z**kmkRHvJcyYI1xR;8LBt^ekv5mj#T`392=&%XjLl}QYZ`VPfXIZ5V*{70`p_{I{} zaMb8`_?t-@J_nY?vmJW$Kq;(e(kJErMqFoihBRDXeO5)!=;@bFrAvOz*SAnsUmrSQ zTX4o^!>@m~Y%%??rQz=WM;FhrC7;ycmtN)JWd5V8>rIKj_nx#=g@(HiCVlALm~B(3 zQ>=eHVD|Id&#Y$&8~zWpVYz$s$S>U+66=1R^jE!dsPM`A&aE6>C!3d@Jg49}QD#eW zH2cZ66EUW{E}O0RowPxtvD;KwZHJH5?#`ITGYdz%Hb&zO%gxa+gLY= zUQm9wN>ud3u5HEe`@|3(^|bbIr^bUL#&;|Bcgi0zo6Z^O^;o&;=amCFA)N~|m$bj^2;{7~ zdhWu7S1)`F{hHKwcs}bs6y?pE;_r5|blvF}`&rUoM<|Oi@l0BM{AO9(fq%Y7Keo>f z|Ihm)>gM$`6Im^I7Y3e~9sGyOEpxLG*Q&+*^VtHQ6)qDg;W)L6WqPg^qtcn})2H%H z>itmpHR-dxcR-xzjqr@}9i0o#^WUDnDczwa<<+y7Gb?ZIVh%ido5^R7+C!!1CoDOh zmDfJsdfUE8FKy-x&xg$J7wTMJZj%b$y3;f|Up{}e`28o}!kg~%3FO$u)*D_doc@>V zyl?Q^qRqebwJVGsi>2)ReEabCBXbQ-UNLAanDasIf7F!d-h}7L0+$~M`0ma6)_wD} z((377S3mFnTFtR;VoRz8LtXHl<`vD)8wyKyWlfE5wNShAY}VuY+S#f9mEtbAcFm2- z*}t_fC`7&&!LtE^kY}x4i2e>to;Fv)23wxZHA$V|((Sn>nVZnYDgIbca1kR+iqq 
zm_1%H`rh6xW>2;1Vt;<`mwi9!gl3*{?+>X6sjj@t-wpSs)Z4aRnjP`9 zdA{udpLQ{`Gbb<2G4A57e4enLXSu=LC)#Is{L%gL_yfy@`ZNgvyIsCD`xd(~+w~X9 zZB&ruzIrh3Zq~xI8($9^w(-ZDTNagcQgv$u4|GiKy&<9=LpsmG(??S|%z#RZJY FM*%YHxv>BM literal 0 HcmV?d00001 
diff --git a/secrets/nixery-gcs-pem b/secrets/nixery-gcs-pem new file mode 100644 index 0000000000000000000000000000000000000000..798a1e5a66f823a90804a48a7252f798831cefbf GIT binary patch literal 3214 zcmd;5VYnFl=3C)`t!rFWD&%kIKXBOo+(~$=qW@|Cev#8WOC9ewY%3RfD#6g!|J-Ej zYPGlv^RwTqG1+$bzE7aU{3ni&?f;5p@mD^d;%gFH&zyR`aaY;$l_{zro|ZiOE^pTR^5785 zuKO9x$*g~PqYHDZk^+LvUa;OXoNpadm}kV2qrv|~@@ zc3G=cRq;Cn7H{NUyXKm~-NZsOdFjYb--Eq1^1VGBjpu5O_TN8obE4t30*P?TeQudEjy^dw zO^|QL;w-<6DGZmN=a=4?*YsMwAZ3wuP3-cF7nx!&_ey2lQ{k~F<#;~t9kalhZ@i0d zOPZ#IPD;2?tsSdO%7H?5pov=)7+cD>ECe~sj(;@@^ zrtPm{&b~D^;+}R@r0?vq>l4h1O@w&$+~dA@|D3qw)&I%L4ZV+-91)p+e&v$LM%m7; zjeM4xKPJw}yQiP3>MXi!wdC}h(VQjg^tY^2*e3q2YBD3=9;ONB*#lQB;@;MOx_ySQ z?ZKl@1j8?h+9$6#x6GvU&V)$u)sMa2L@%B4w|(`7Pw|4%!AH+J&Yh&Z;^@}``-R8n zq~GoiI4K-$C8spqW0B2MA&YZQuk@-s5odoL?|xgw|8DOU-BmTZZvDMxCo-qrkLPCN zX#aI%y&9v(|F3FQuLJK@>ZJZRDa<(3@lnol9pk@n+k+El?-c&_}|v#w@NwvBo7p^q+QR@$E1Wlwl6%D$zk9$P-6=TrQt#(DJ% zjxe=xE!tSRBlJww`&1Rqjf}nWhht}Le8y(|Fy}EWqEo@o$2c-oYyp0R&Wal%oZ{MicU$~Ct(;9cb1zPc& zb|3a#n66MO_uv-im6*a$Z~Kxb`t*FL3+m|I8=Cm}%D%VH8m6=6=E_d}U3l8(gsSvB zCzU@9YmDV5zSh0rS^PUmpnU1-`N`rNTV)q0eC7Q5Jpc1W(|*m?O^eTpP`BVK z*JcGW*d?dj<$a}Le%Srow^J8`)GBAT9PbLf^vmP>i_fQb3$KWOGs7l*^>54Wt^FNO zZD-Yeb>~~&9vt5s5a2K=Vy1|2a>CZBl5=h@IIw?FQSfcu=Vx|Qx_+3x;iSrnB{q*1 zvf9ai7XFh`=21RxMn-Eh&ypz9N73q*wVZpVbscvuuzTK;kt$o-QZ#G(`BfP@H$znF z-alr3Xk3?7D3b4JbZ70Q&l?YTWuN}2?8^V2n_E!p~i6Ci%=c z`ThH`@DrT#G?qR1qGq@4eX8o)vRLQoyIF6!{=U{7x%BbvQsdv8CX@Z;t{pkCkzIR% zLfu{K&BB2O3G1ZlWx{@aK6G#5o%s=_H(KYY$_0BUoqKv;=<&juHD&` zc=&*ljODBxlaFD-`KLUXW`#1_>rL(`*gkh(&fVNx0r9?DpGxxGf2`YluKM!jGxIOR zeVrfjq;>a|x^+^`%x!k}EEk=bE2v=hl~?^ve)8Ai>k54xXX3WFao9c1Kiy$c#9^sF zxh*>Xd&U11o%I$KP6_sVj<{w2L{(YMb`lWY+#_h-KF{J!+&lTzwm&lL0Q z+vk(T5fM?wJNsDC9S8qQxv$skd##{c6)iqlrg_24OxYsU5^lY9>-7wbW)|m*_dh>x z;Q4S5|E@WP+HI%UK83A%ck%Uy18c?J2_3k#=Yi}&zM#L|;q{{1HTG=nh|k?^IJ@xi zjClFQrX~sD*R*Bc%50YW`zrd}!<;wQCN(oG<+b=W=S%nH=Nnu$Fl`qM7T+*=ZNGpn?je*5o4(AUQ?|S(VA1yVY$-uWb2KB=h^G08fX5xnVw?4 
zXO`4{7q`1rQ$C8GJoeONR(U69SB|B0-x4t{*Q;S)Go_--71Ymfu+TgqAp0Oc_qfeU zrz;{GjK0gNeeS%O)4}n|zc+33lcm}7lPAC0sM&j`h?8Naa6`-!f!<<^Uj~lTYV%}I zvR^yRB{Y#&wX@CFy*T0ii4{ppl@}c}xqJNm%f~n5m*(7mo;z3BtF$`&SM-nWi81?s z>eL>Kn2X)!rGfnIaHOs`&1IA>|I_rFebit@UISMw!z+voXjsn)%GT7d05 zHzV&c@4L~z)YrcWTk_*+;k4HVyE#OXJ{>t1uwt&s*1*P!>bbiTw?Fe~T2o_TC%Zqv zMC7h#`?H0dxqP+Dral#MHkg0PqXV~PyT;RPz>RD$hzJ0%Fg+Id(KaP8oOo-^VZMO@0@y;9hE%0i@EP>@RLKg z0+(>N?|f#&f7ySt^~dnc_sKc>w>&K-C^t;G7I3;#X8GL|g@PYu2PR#**&fhnzodBA zvu*#5@n;B}5?t&i{oAv+AxQPBZ-(akH`l+^WhNZ{b-nq_fufJP+MZ80@0jpnE^l6u zG3(7Oo)=!ZK7IQ+)Ozs|wL46+v|Bd_%imbf(DyI&ZQyq z5`wGN6fe1<^v}nxul~LLgC#weP50J5Shm}e;keiL%g--O-2P5>U(cp9$1X5!__pgr zJu5@IR?EB^j){A748B}0TKV;eSHOLttk$q^>=`?Xa`^@2rPQIX-%rJLlIn zPd}}hyrPRybpQ5ScBOh#Vn4)P+iJ7$Tk3>$y85<{N~%6PF>I&_;kvg|} zebuv^Hdk+>u#jhMcW2g|md9bU;^xlWb-GT<*5q=JKa+*EmW`ntr!)p?~=Irfr@uAK? zAHT1B6aDaUo2P79%)t-0nGYPB@Pf&In&ruL1;M*ibsoJ^Z03vxz?8!^!$8M>v1!+P-uavg3iZTeOk4*8d#s|@#GxR|luoA~7ZoQ|CLnhWDv>wk5qE>W4?&wp=~(b;bG|8t$dNI#tcl~9z5SMVYSpO^%N`n(EIuEU+n4dq8`hH#CCzF@aePt&#yi_$_rFmSH{E^7c&k>-!c=nt- zSDJ6Gjy!UuTcrA3y<;4c$=m(6R98s)s&R5Garnlp^?&2}pl3Vp33l}q8{TiUU6WMt zZeQf7*n7YK%5bwLJj!z2`)uN=>3exSr>@YjXcv>^m|-Dvc!9Odt`o^;vOnw&G%9My z3}m*c-EMRKy4t_1LD{np_4e3p`Kxn}f2Dq)viOV>TbnErpUxHVyu#D!&6TfyR#)$I z(>=QjY*uG;zGd{iec~iOeZGFJUC++t`-3f$valRxJOUgLP+-L_9hSM z?JNgu zRmUs}cQv^F|E|(55LCSLbJV(h{12HY@!4ewALP^cSv!SIU3b^30^Q&J==V$GHauSwWA z)%ynH$I|1!SFEpIW>YG1gq0^scXs^|$#>3eo|a5gwb&73`7! 
zUx?guWM~LBiJqimp=`ZI*kjhs*|o+y%75l`cx{#q*Is%x)#Jnk-UUx?vrbqmG_7CC z-u(QkvbU0YDVNTy6Y+Vp<@F*1c1b_JolNImZaC}pvQ%yU)RK8?4=q&ODAJTU_t%-l z+1h&S4Qcb+_Lt0=p}ey6SoLE8-;i0Rho4`V;ybIIgJ0-&x3CTSnS}0|b6%VNl?C6D z%-QyBg1B&uK|T8hRbxY8M(L>)tkuG7n;r@n3Y>lBvWl^;YNOk_=`)Y%@m*UVq7%Mk z9pJC!2a-WrpgPC<&Q#FeiB*`n6A;O_Iwks*PL14^D~` zW}lUI?o?p*`wf{Hh4=QlD$mmsc*pd6%It4fO=j4pC#)W$|xQTKV0(7;>q2F!W{9Kb^eAA^EBn}a!EL_P0W!zxBHJLb>Epd9VSdGZRy@S*HLTZ z&IwKTpH^R7W&H4TLj0=44ojsEpQQG%UCLKn(Dvf5SV83-k;h@TJ1)QS|98*&O5XpN z;2CeeTvvU;cuKEnQz+ZF4UQk~3I6%|+nnYBB@<5;i$mq`sX z4Oz`YD^6|FR}~JpSL1p1cJBAWtKTfo6#2_$JqYJ1-!E}p>_VBMDA)I2uZ@rHiepMH zjI#e`C-Yz~`@NVAoM9D4-RyP!ej;5=CZC^gKjNq{PydUCseYZyJwS<}jt7+~GE*VAr8SJk*`Hwp8 z-q*B~%V3$`xBD9&y*_#3a!gLkTK35seLrVQ#k2nDUGUc7Oz4!;>9cx+oQ_VgY6@mD zQ7fta6UzAT{q!lv_0paS9`0G`Zhs>B<3!ftCXWiXnssjeHhIV2?4Bf>*X}giFtA~s ziHFNkV@8?GPseJP=8CMZ-OhjLT$f~i*bQOVrytY|CBBLOI;nO${%H@>`t;v-_Q?Gc nzH|OaU&yL`d-@9QKFAF6iBY>}mGJrUg06=l57kP4FO&fQ_b{jp literal 0 HcmV?d00001 From 283951388c96e871c9c4a835eee6594fc27e08c0 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Tue, 3 Sep 2019 16:10:42 +0100 Subject: [PATCH 5/5] feat(k8s): Insert Nixery's secrets via kontemplate Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret, it has thus become a bit easier to edit the known hosts, SSH config and such now. --- infra/kubernetes/nixery/config.yaml | 4 ---- infra/kubernetes/nixery/id_nixery.pub | 1 + infra/kubernetes/nixery/known_hosts | 1 + infra/kubernetes/nixery/secrets.yaml | 19 +++++++++++++++++++ infra/kubernetes/nixery/ssh_config | 4 ++++ 5 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 infra/kubernetes/nixery/id_nixery.pub create mode 100644 infra/kubernetes/nixery/known_hosts create mode 100644 infra/kubernetes/nixery/secrets.yaml create mode 100644 infra/kubernetes/nixery/ssh_config 
diff --git a/infra/kubernetes/nixery/config.yaml b/infra/kubernetes/nixery/config.yaml
index 1bd95536a..796e21a72 100644
--- a/infra/kubernetes/nixery/config.yaml
+++ b/infra/kubernetes/nixery/config.yaml
@@ -3,10 +3,6 @@
 # The service via which Nixery is exposed has a private DNS entry
 # pointing to it, which makes it possible to resolve `nixery.local`
 # in-cluster without things getting nasty.
-#
-# The 'nixery-keys' secret was configured manually using a created
-# service account key. This does not use metadata-based authentication
-# due to the requirement for having an actual PEM-key to sign with.
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/infra/kubernetes/nixery/id_nixery.pub b/infra/kubernetes/nixery/id_nixery.pub
new file mode 100644
index 000000000..dc3fd617d
--- /dev/null
+++ b/infra/kubernetes/nixery/id_nixery.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
diff --git a/infra/kubernetes/nixery/known_hosts b/infra/kubernetes/nixery/known_hosts
new file mode 100644
index 000000000..1bae52b89
--- /dev/null
+++ b/infra/kubernetes/nixery/known_hosts
@@ -0,0 +1 @@
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
diff --git a/infra/kubernetes/nixery/secrets.yaml b/infra/kubernetes/nixery/secrets.yaml
new file mode 100644
index 000000000..ec97a29d3
--- /dev/null
+++ b/infra/kubernetes/nixery/secrets.yaml
@@ -0,0 +1,19 @@
+# The secrets below are encrypted using keys stored in Cloud KMS and
+# templated in by kontemplate when deploying.
+#
+# Not all of the values are actually secret (see the matching)
+---
+apiVersion: v1
+data:
+ gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
+ gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
+ id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
+ id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
+ known_hosts: {{ insertFile "known_hosts" | b64enc }}
+ ssh_config: {{ insertFile "ssh_config" | b64enc }}
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: nixery-secrets
+ selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
+type: Opaque
diff --git a/infra/kubernetes/nixery/ssh_config b/infra/kubernetes/nixery/ssh_config
new file mode 100644
index 000000000..78afbb0b0
--- /dev/null
+++ b/infra/kubernetes/nixery/ssh_config
@@ -0,0 +1,4 @@
+Match host *
+ User tazjin@google.com
+ IdentityFile /var/nixery/id_nixery
+ UserKnownHostsFile /var/nixery/known_hosts
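Review bot: `creationTimestamp: null` and `selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets` in the new Secret are `kubectl get -o yaml` export artifacts, not input — the apiserver ignores both, and the selfLink is the only hint in the file about which namespace this lands in. Drop both lines and state the target explicitly with `namespace:` under `metadata`; if kube-public really is the intended home for a private SSH key and a GCS service-account key, that deserves a comment, since it is an unusual namespace for secrets — confirm what kontemplate's resource-set config actually applies. The header comment also ends mid-sentence, `(see the matching)`, presumably `(see the matching config.yaml)`; finishing it would tell a reader which of the six values are the non-secret ones.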
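Review bot: `Match host *` applies `User tazjin@google.com` to every host, including github.com, the only entry in the new `known_hosts`; GitHub expects SSH logins as `git`, so if this key is meant for github.com the line should read `User git` — confirm which host Nixery actually reaches with it. Pinning via `UserKnownHostsFile` is good, but make it explicit with `StrictHostKeyChecking yes` so a missing or changed host key fails outright instead of relying on ssh having no tty to prompt. `IdentityFile /var/nixery/id_nixery` assumes the Deployment mounts the Secret at `/var/nixery`, which is outside this hunk.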