| author | Vincent Ambo <tazjin@google.com> | 2019-09-03T15·10+0100 |
|---|---|---|
| committer | Vincent Ambo <tazjin@google.com> | 2019-09-03T15·12+0100 |
| commit | 283951388c96e871c9c4a835eee6594fc27e08c0 (patch) | |
| tree | fe6be2f9756627ac09c3207f876430921789baec /infra/kubernetes/nixery/secrets.yaml | |
| parent | 0bc548e75e7e06ee4ad172449f818d7e4b861b1d (diff) | |
feat(k8s): Insert Nixery's secrets via kontemplate
Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret; it has thus become a bit easier to edit the known hosts, SSH config and such now.
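The rendering step the commit message describes, shown as an added example (not kontemplate's or Nixery's own code): the `passLookup`/`insertFile` placeholders from the Secret template are resolved against in-memory stand-ins for the decrypted `pass` store and the files beside the resource set, base64-encoded the way `b64enc` does, and assembled into the Secret object. The values in `PASS_STORE` and `FILES` are constructed, not real credentials, and the `check_secret` function is an added pre-apply check that a practitioner would run on the rendered object: every `data` value must decode, be non-empty, contain no unrendered `{{ ... }}` text, and the metadata must carry none of the server-managed fields that a `kubectl get -o yaml` export leaves behind.

```python
import base64
import re

# Constructed stand-ins (not real credentials) for what kontemplate's
# passLookup and insertFile would hand back: passLookup after `pass` has
# decrypted the KMS-protected entry, insertFile from a plain file next to
# the resource set.
PASS_STORE = {
    "nixery-gcs-json": '{"type": "service_account", "project_id": "example"}\n',
    "nixery-gcs-pem": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n",
    "nixery-ssh-private": "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----\n",
}
FILES = {
    "id_nixery.pub": "ssh-ed25519 AAAAC3... nixery\n",
    "known_hosts": "github.com ssh-ed25519 AAAAC3...\n",
    "ssh_config": "Host github.com\n  IdentityFile /var/nixery/id_nixery\n",
}

# The data section of the Secret exactly as it appears in the patch.
TEMPLATE = {
    "gcs-key.json": '{{ passLookup "nixery-gcs-json" | b64enc }}',
    "gcs-key.pem": '{{ passLookup "nixery-gcs-pem" | b64enc }}',
    "id_nixery": '{{ passLookup "nixery-ssh-private" | b64enc }}',
    "id_nixery.pub": '{{ insertFile "id_nixery.pub" | b64enc }}',
    "known_hosts": '{{ insertFile "known_hosts" | b64enc }}',
    "ssh_config": '{{ insertFile "ssh_config" | b64enc }}',
}

# Only the two-function, b64enc-piped shape used in the patch is accepted.
PLACEHOLDER = re.compile(
    r'\{\{\s*(passLookup|insertFile)\s+"([^"]+)"\s*\|\s*b64enc\s*\}\}'
)


def render_value(expr: str) -> str:
    """Resolve one placeholder and base64-encode the result, as b64enc does."""
    m = PLACEHOLDER.fullmatch(expr.strip())
    if m is None:
        raise ValueError(f"unsupported template expression: {expr!r}")
    fn, key = m.groups()
    source = PASS_STORE if fn == "passLookup" else FILES
    if key not in source:
        # Fail the render rather than emit an empty or literal value.
        raise KeyError(f"{fn} {key!r}: no such entry")
    return base64.b64encode(source[key].encode()).decode()


def render_secret(template: dict, name: str) -> dict:
    """Build the Secret object the patch's YAML produces after rendering."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name},
        "data": {key: render_value(expr) for key, expr in template.items()},
    }


# Fields the API server owns; they come back in `kubectl get -o yaml`
# exports and do not belong in a manifest that is applied.
SERVER_MANAGED = ("selfLink", "creationTimestamp", "uid", "resourceVersion")


def check_secret(secret: dict) -> list:
    """Pre-apply checks on a rendered Secret; returns a list of problems."""
    problems = []
    for key, value in secret["data"].items():
        try:
            raw = base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            problems.append(f"data.{key}: not valid base64")
            continue
        if not raw:
            problems.append(f"data.{key}: empty value")
        elif b"{{" in raw:
            problems.append(f"data.{key}: template was not rendered")
    for field in SERVER_MANAGED:
        if field in secret["metadata"]:
            problems.append(f"metadata.{field}: server-managed field, drop it")
    return problems


if __name__ == "__main__":
    rendered = render_secret(TEMPLATE, "nixery-secrets")
    for problem in check_secret(rendered):
        print(problem)
    print("ok" if not check_secret(rendered) else "problems found")
```

A missing `pass` entry or file aborts the render with an exception instead of producing a Secret with a blank value, which is the failure mode that otherwise only shows up when the pod cannot authenticate to GCS or SSH.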
Diffstat (limited to 'infra/kubernetes/nixery/secrets.yaml')
-rw-r--r-- | infra/kubernetes/nixery/secrets.yaml | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/infra/kubernetes/nixery/secrets.yaml b/infra/kubernetes/nixery/secrets.yaml new file mode 100644 index 000000000000..ec97a29d362a --- /dev/null +++ b/infra/kubernetes/nixery/secrets.yaml @@ -0,0 +1,19 @@ +# The secrets below are encrypted using keys stored in Cloud KMS and +# templated in by kontemplate when deploying. +# +# Not all of the values are actually secret (see the matching) +--- +apiVersion: v1 +data: + gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }} + gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }} + id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }} + id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }} + known_hosts: {{ insertFile "known_hosts" | b64enc }} + ssh_config: {{ insertFile "ssh_config" | b64enc }} +kind: Secret +metadata: + creationTimestamp: null + name: nixery-secrets + selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets +type: Opaque |
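Review bot: the header comment in this hunk stops mid-sentence ("Not all of the values are actually secret (see the matching)"); finish it so a reader knows which keys are public and why they still live in the Secret. Two further points in the same file: `creationTimestamp: null` and `selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets` are server-managed fields left over from a `kubectl get -o yaml` export and should be dropped, and that selfLink path names the kube-public namespace, which is conventionally reserved for data readable by every user of the cluster, so confirm the namespace kontemplate actually deploys this Secret into before merging. Since `id_nixery.pub`, `known_hosts` and `ssh_config` are not secret, consider moving them to a ConfigMap so the Secret only carries the three `passLookup` values.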