feat(k8s): Insert Nixery's secrets via kontemplate
Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret; it has thus become a bit easier to edit the known hosts, SSH config and such now.
parent 0bc548e75e
commit 283951388c
5 changed files with 25 additions and 4 deletions
@ -3,10 +3,6 @@
# The service via which Nixery is exposed has a private DNS entry
# pointing to it, which makes it possible to resolve `nixery.local`
# in-cluster without things getting nasty.
#
# The 'nixery-keys' secret was configured manually using a created
# service account key. This does not use metadata-based authentication
# due to the requirement for having an actual PEM-key to sign with.
---
apiVersion: apps/v1
kind: Deployment
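Review bot: This hunk only trims the comment block; the Deployment's reference to the secret itself is not in view. The removed comment described a manually created `nixery-keys` secret, while the new `secrets.yaml` in this change creates a Secret named `nixery-secrets`, so confirm that the `secretName` in the Deployment's volume (and any other reference to `nixery-keys`) was updated to `nixery-secrets` in the same change; otherwise the pod will fail to mount the volume once the manual secret is deleted.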
|
||||
|
|
1
infra/kubernetes/nixery/id_nixery.pub
Normal file
@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
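Review bot: Committing the public half is fine, but nothing ties it to the private half that `secrets.yaml` pulls in via `passLookup "nixery-ssh-private"`, and a mismatch only surfaces as an authentication failure inside the running pod. Add a deploy-time or pre-commit check that derives the public key from the decrypted private key (`ssh-keygen -y -f <private>`) and compares it with this file, and note the source of the key pair next to the `passLookup` entry. If the pair is ever rotated, prefer an ed25519 key over this 2048-bit RSA key.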
1
infra/kubernetes/nixery/known_hosts
Normal file
@ -0,0 +1 @@
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
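Review bot: The entry is a single bare `ssh-rsa` host key for github.com with no record of where it came from. Note the source (GitHub's published host key fingerprints) and compare `ssh-keygen -lf known_hosts` against them before merging: a wrong pin fails closed in the non-interactive pod, and a stale one will break fetches when GitHub rotates its RSA host key. Consider also pinning GitHub's ed25519 and ecdsa host keys so the client is not tied to RSA alone.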
19
infra/kubernetes/nixery/secrets.yaml
Normal file
@ -0,0 +1,19 @@
# The secrets below are encrypted using keys stored in Cloud KMS and
# templated in by kontemplate when deploying.
#
# Not all of the values are actually secret (see the matching)
---
apiVersion: v1
data:
gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
known_hosts: {{ insertFile "known_hosts" | b64enc }}
ssh_config: {{ insertFile "ssh_config" | b64enc }}
kind: Secret
metadata:
creationTimestamp: null
name: nixery-secrets
selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
type: Opaque
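Review bot: `selfLink` and `creationTimestamp: null` are residue from a `kubectl get -o yaml` export and should be dropped; `selfLink` is server-managed and ignored on apply, yet it is the only place naming a namespace (`kube-public`) while `metadata.namespace` is not set. Confirm the Secret is really meant for `kube-public`, a namespace conventionally reserved for cluster-wide readable data, and state the namespace explicitly (or leave it to kontemplate) instead of implying it through a read-only field. The comment `# Not all of the values are actually secret (see the matching)` is cut off mid-sentence; finish it, for example by pointing at the `insertFile` entries, which come from plain files committed in this directory, as opposed to the `passLookup` ones.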
4
infra/kubernetes/nixery/ssh_config
Normal file
@ -0,0 +1,4 @@
Match host *
User tazjin@google.com
IdentityFile /var/nixery/id_nixery
UserKnownHostsFile /var/nixery/known_hosts
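Review bot: The `Match host *` block sets `User tazjin@google.com` for every host, including github.com, which expects the `git` user; this only works if every remote URL spells the user out (`git@github.com:...`), so either scope `User` to the hosts it is meant for or document that assumption. Since a dedicated `UserKnownHostsFile` is supplied, also add `StrictHostKeyChecking yes` and `IdentitiesOnly yes`, so the non-interactive client fails closed on an unpinned host key and only ever offers `/var/nixery/id_nixery` rather than whatever an agent might hold.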