about summary refs log tree commit diff
path: root/infra/kubernetes/nixery/secrets.yaml
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-09-03T15·10+0100
committerVincent Ambo <tazjin@google.com>2019-09-03T15·12+0100
commit283951388c96e871c9c4a835eee6594fc27e08c0 (patch)
treefe6be2f9756627ac09c3207f876430921789baec /infra/kubernetes/nixery/secrets.yaml
parent0bc548e75e7e06ee4ad172449f818d7e4b861b1d (diff)
feat(k8s): Insert Nixery's secrets via kontemplate
Instead of having a manually prepared secret, use Cloud KMS (as per
the previous commits) to decrypt the in-repo secrets and template them
into the Secret resource in Kubernetes.

Not all of the values are actually secret, it has thus become a bit
easier to edit the known hosts, SSH config and such now.
Diffstat (limited to 'infra/kubernetes/nixery/secrets.yaml')
-rw-r--r--infra/kubernetes/nixery/secrets.yaml19
1 files changed, 19 insertions, 0 deletions
diff --git a/infra/kubernetes/nixery/secrets.yaml b/infra/kubernetes/nixery/secrets.yaml
new file mode 100644
index 000000000000..ec97a29d362a
--- /dev/null
+++ b/infra/kubernetes/nixery/secrets.yaml
@@ -0,0 +1,19 @@
+# The secrets below are encrypted using keys stored in Cloud KMS and
+# templated in by kontemplate when deploying.
+#
+# Not all of the values are actually secret (see the matching)
+---
+apiVersion: v1
+data:
+  gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
+  gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
+  id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
+  id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
+  known_hosts: {{ insertFile "known_hosts" | b64enc }}
+  ssh_config: {{ insertFile "ssh_config" | b64enc }}
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: nixery-secrets
+  selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
+type: Opaque