tvl-depot/infra/kubernetes/nixery/secrets.yaml

# The secrets below are encrypted using keys stored in Cloud KMS and
# templated in by kontemplate when deploying.
#
# Not all of the values are actually secret (see the matching)
---
apiVersion: v1
kind: Secret
metadata:
  name: nixery-secrets
  namespace: kube-public
type: Opaque
data:
  gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
  gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
  id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
  id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
  known_hosts: {{ insertFile "known_hosts" | b64enc }}
  ssh_config: {{ insertFile "ssh_config" | b64enc }}
feat(k8s): Insert Nixery's secrets via kontemplate Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret, it has thus become a bit easier to edit the known hosts, SSH config and such now. 2019-09-03 17:10:42 +02:00			`# The secrets below are encrypted using keys stored in Cloud KMS and`
			`# templated in by kontemplate when deploying.`
			`#`
			`# Not all of the values are actually secret (see the matching)`
			`---`
			`apiVersion: v1`
fix(k8s): Move nixery-secrets to the correct namespace 2019-09-04 11:34:20 +02:00			`kind: Secret`
			`metadata:`
			`name: nixery-secrets`
			`namespace: kube-public`
			`type: Opaque`
feat(k8s): Insert Nixery's secrets via kontemplate Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret, it has thus become a bit easier to edit the known hosts, SSH config and such now. 2019-09-03 17:10:42 +02:00			`data:`
			`gcs-key.json: {{ passLookup "nixery-gcs-json" \| b64enc }}`
			`gcs-key.pem: {{ passLookup "nixery-gcs-pem" \| b64enc }}`
fix(k8s): Reinsert passLookup newline after kontemplate trims it SSH can not read the key without the trailing newline. Ideally kontemplate would expose a toggle for this. 2019-09-04 17:46:06 +02:00			`id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") \| b64enc }}`
feat(k8s): Insert Nixery's secrets via kontemplate Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret, it has thus become a bit easier to edit the known hosts, SSH config and such now. 2019-09-03 17:10:42 +02:00			`id_nixery.pub: {{ insertFile "id_nixery.pub" \| b64enc }}`
			`known_hosts: {{ insertFile "known_hosts" \| b64enc }}`
			`ssh_config: {{ insertFile "ssh_config" \| b64enc }}`