authorVincent Ambo <tazjin@google.com>2019-09-03T15·10+0100
committerVincent Ambo <tazjin@google.com>2019-09-03T15·12+0100
commit283951388c96e871c9c4a835eee6594fc27e08c0 (patch)
treefe6be2f9756627ac09c3207f876430921789baec
parent0bc548e75e7e06ee4ad172449f818d7e4b861b1d (diff)
feat(k8s): Insert Nixery's secrets via kontemplate
Instead of having a manually prepared secret, use Cloud KMS (as per
the previous commits) to decrypt the in-repo secrets and template them
into the Secret resource in Kubernetes.

Not all of the values are actually secret; it has thus become a bit
easier to edit the known hosts, SSH config and such now.
-rw-r--r--infra/kubernetes/nixery/config.yaml4
-rw-r--r--infra/kubernetes/nixery/id_nixery.pub1
-rw-r--r--infra/kubernetes/nixery/known_hosts1
-rw-r--r--infra/kubernetes/nixery/secrets.yaml19
-rw-r--r--infra/kubernetes/nixery/ssh_config4
5 files changed, 25 insertions, 4 deletions
diff --git a/infra/kubernetes/nixery/config.yaml b/infra/kubernetes/nixery/config.yaml
index 1bd95536ac..796e21a727 100644
--- a/infra/kubernetes/nixery/config.yaml
+++ b/infra/kubernetes/nixery/config.yaml
@@ -3,10 +3,6 @@
 # The service via which Nixery is exposed has a private DNS entry
 # pointing to it, which makes it possible to resolve `nixery.local`
 # in-cluster without things getting nasty.
-#
-# The 'nixery-keys' secret was configured manually using a created
-# service account key. This does not use metadata-based authentication
-# due to the requirement for having an actual PEM-key to sign with.
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/infra/kubernetes/nixery/id_nixery.pub b/infra/kubernetes/nixery/id_nixery.pub
new file mode 100644
index 0000000000..dc3fd617d0
--- /dev/null
+++ b/infra/kubernetes/nixery/id_nixery.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
diff --git a/infra/kubernetes/nixery/known_hosts b/infra/kubernetes/nixery/known_hosts
new file mode 100644
index 0000000000..1bae52b899
--- /dev/null
+++ b/infra/kubernetes/nixery/known_hosts
@@ -0,0 +1 @@
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
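Review bot: The pinned github.com RSA host key carries no record of how it was verified, so the next person to touch this file cannot tell a legitimate rotation from a tampered entry. known_hosts accepts `#` comments; add one above the entry naming what was checked, e.g. `# github.com RSA host key; fingerprint compared against GitHub's published SSH key fingerprints on 2019-09-03`. Because `ssh_config` points `UserKnownHostsFile` at this file and only this one key is listed, a rotation on GitHub's side will fail closed until the entry is updated — the right behaviour, but worth stating in the same comment so the failure is not mistaken for a bug.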
diff --git a/infra/kubernetes/nixery/secrets.yaml b/infra/kubernetes/nixery/secrets.yaml
new file mode 100644
index 0000000000..ec97a29d36
--- /dev/null
+++ b/infra/kubernetes/nixery/secrets.yaml
@@ -0,0 +1,19 @@
+# The secrets below are encrypted using keys stored in Cloud KMS and
+# templated in by kontemplate when deploying.
+#
+# Not all of the values are actually secret (see the matching)
+---
+apiVersion: v1
+data:
+  gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
+  gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
+  id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
+  id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
+  known_hosts: {{ insertFile "known_hosts" | b64enc }}
+  ssh_config: {{ insertFile "ssh_config" | b64enc }}
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: nixery-secrets
+  selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
+type: Opaque
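Review bot: `selfLink` and `creationTimestamp: null` on the new Secret are server-populated fields left over from a `kubectl get -o yaml` export, and the selfLink names `kube-public` — a namespace whose contents are by convention readable cluster-wide and no place for a GCS service-account key and an SSH private key. Drop both lines and state the target namespace explicitly under `metadata:`, or confirm that the kontemplate resource set already places this Secret elsewhere; selfLink is ignored on apply, so the real namespace is whatever kontemplate supplies and is not visible here. The templated scalars should be quoted, e.g. `gcs-key.json: "{{ passLookup "nixery-gcs-json" | b64enc }}"`, so an empty lookup renders as an empty string rather than a YAML null that the API server rejects. The header comment is cut off mid-sentence at `(see the matching)`; finish it — presumably `(see the matching files in this directory)` — so the non-secret entries are identifiable.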
diff --git a/infra/kubernetes/nixery/ssh_config b/infra/kubernetes/nixery/ssh_config
new file mode 100644
index 0000000000..78afbb0b03
--- /dev/null
+++ b/infra/kubernetes/nixery/ssh_config
@@ -0,0 +1,4 @@
+Match host *
+      User tazjin@google.com
+      IdentityFile /var/nixery/id_nixery
+      UserKnownHostsFile /var/nixery/known_hosts
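Review bot: `IdentityFile /var/nixery/id_nixery` will be ignored with an "UNPROTECTED PRIVATE KEY FILE" warning if the mounted file is group- or world-readable, and Kubernetes Secret volumes default to mode 0644 — so unless the Deployment's volume sets `defaultMode: 0400` (that lives in config.yaml, not visible in this diff) the key is never used. Add `StrictHostKeyChecking yes` to the block as well: the default `ask` already cannot add hosts non-interactively, but making it explicit documents that the pinned `known_hosts` is the only trust anchor and stops an interactive `kubectl exec` debugging session from accepting a new key. `Match host *` with no further criteria is conventionally written `Host *`.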