authorVincent Ambo <mail@tazj.in>2019-09-03T15·26+0100
committerGitHub <noreply@github.com>2019-09-03T15·26+0100
commit628cec34331ea7ef94a71f562a0dc1f8d49e9ecf (patch)
treefe6be2f9756627ac09c3207f876430921789baec /infra/kubernetes/nixery/secrets.yaml
parentbe28462a8a29403128b39696cc632f70363efa6e (diff)
parent283951388c96e871c9c4a835eee6594fc27e08c0 (diff)
Merge pull request #5 from tazjin/feat/cloud-kms-secrets r/80
Introduce secrets management via Google Cloud KMS
Diffstat (limited to 'infra/kubernetes/nixery/secrets.yaml')
-rw-r--r--infra/kubernetes/nixery/secrets.yaml19
1 files changed, 19 insertions, 0 deletions
diff --git a/infra/kubernetes/nixery/secrets.yaml b/infra/kubernetes/nixery/secrets.yaml
new file mode 100644
index 000000000000..ec97a29d362a
--- /dev/null
+++ b/infra/kubernetes/nixery/secrets.yaml
@@ -0,0 +1,19 @@
+# The secrets below are encrypted using keys stored in Cloud KMS and
+# templated in by kontemplate when deploying.
+#
+# Not all of the values are actually secret (see the matching)
+---
+apiVersion: v1
+data:
+  gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
+  gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
+  id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
+  id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
+  known_hosts: {{ insertFile "known_hosts" | b64enc }}
+  ssh_config: {{ insertFile "ssh_config" | b64enc }}
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: nixery-secrets
+  selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
+type: Opaque
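Review bot: The `selfLink` under `metadata` points at the `kube-public` namespace and the manifest sets no `namespace:` of its own, so where this Secret lands depends on the deploy context; `kube-public` is conventionally reserved for data meant to be readable cluster-wide, which is a poor home for `id_nixery` and the GCS key material. I would pin the namespace explicitly (`namespace: <dedicated-namespace>`) and drop the server-populated leftovers `selfLink` and `creationTimestamp: null`, which look like residue from an exported object. The header comment says the values are encrypted with Cloud KMS, but the template calls `passLookup`, so unless that function is backed by KMS in this setup the comment or the lookup is stale, and the sentence ending `(see the matching)` is cut off. Quoting the templated values, e.g. `id_nixery: '{{ passLookup "nixery-ssh-private" | b64enc }}'`, would also keep an empty lookup from rendering as `null` instead of failing visibly as an empty string.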