From eb43ba75d2399d8ae0461cb85b9ce9a6a367cc2c Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 3 Sep 2019 13:44:30 +0100
Subject: chore(gcp): Remove monorepo repository
The repository is now public on Github.
---
 infra/gcp/default.tf | 5 -----
 1 file changed, 5 deletions(-)
(limited to 'infra')
diff --git a/infra/gcp/default.tf b/infra/gcp/default.tf
index 677e737a242e..18096bf2b476 100644
--- a/infra/gcp/default.tf
+++ b/infra/gcp/default.tf
@@ -81,8 +81,3 @@ resource "google_service_account" "nixery" {
 account_id = "nixery"
 display_name = "Nixery service account"
 }
-
-# Configure a git repository in which to store my monorepo
-resource "google_sourcerepo_repository" "monorepo" {
- name = "monorepo"
-}
-- cgit 1.4.1
From abd5d7538c727e1aca7712455a799cf034d0fbaf Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Tue, 3 Sep 2019 15:13:34 +0100
Subject: feat(gcp): Create Cloud KMS resources for encrypting secrets
The idea here is to use Cloud KMS and a shell script that mimics 'pass' to trick kontemplate into using Cloud KMS to decrypt secrets.
---
 infra/gcp/default.tf | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)
(limited to 'infra')
diff --git a/infra/gcp/default.tf b/infra/gcp/default.tf
index 18096bf2b476..d13345393bd4 100644
--- a/infra/gcp/default.tf
+++ b/infra/gcp/default.tf
@@ -27,24 +27,25 @@ resource "google_project_services" "primary" {
 "bigquerystorage.googleapis.com",
 "cloudapis.googleapis.com",
 "clouddebugger.googleapis.com",
+ "cloudkms.googleapis.com",
 "cloudtrace.googleapis.com",
+ "compute.googleapis.com",
+ "container.googleapis.com",
+ "containerregistry.googleapis.com",
 "datastore.googleapis.com",
 "dns.googleapis.com",
+ "iam.googleapis.com",
+ "iamcredentials.googleapis.com",
 "logging.googleapis.com",
 "monitoring.googleapis.com",
+ "oslogin.googleapis.com",
+ "pubsub.googleapis.com",
 "servicemanagement.googleapis.com",
 "serviceusage.googleapis.com",
+ "sourcerepo.googleapis.com",
 "sql-component.googleapis.com",
 "storage-api.googleapis.com",
 "storage-component.googleapis.com",
- "container.googleapis.com",
- "iam.googleapis.com",
- "compute.googleapis.com",
- "iamcredentials.googleapis.com",
- "oslogin.googleapis.com",
- "pubsub.googleapis.com",
- "containerregistry.googleapis.com",
- "sourcerepo.googleapis.com",
 ]
 }
 
@@ -81,3 +82,22 @@ resource "google_service_account" "nixery" {
 account_id = "nixery"
 display_name = "Nixery service account"
 }
+
+# Configure Cloud KMS for secret encryption
+resource "google_kms_key_ring" "tazjins_keys" {
+ name = "tazjins-keys"
+ location = "europe-north1"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "google_kms_crypto_key" "kontemplate_key" {
+ name = "kontemplate-key"
+ key_ring = google_kms_key_ring.tazjins_keys.id
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
-- cgit 1.4.1
From 283951388c96e871c9c4a835eee6594fc27e08c0 Mon Sep 17 00:00:00 2001
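Review bot: `google_kms_crypto_key.kontemplate_key` in the second hunk is created without a `rotation_period`, so the key that protects the kontemplate secrets never rotates automatically; since `prevent_destroy` already guards it, adding for example `rotation_period = "7776000s"` (90 days, a sample value) keeps earlier versions available for decryption while new material is encrypted under fresh versions. The hunk also binds no IAM on the key, so the decrypt permission presumably comes from a later change or from outside Terraform — a comment pointing to where `roles/cloudkms.cryptoKeyDecrypter` is granted would make the set of principals able to read the secrets reviewable from this file. The `# Configure Cloud KMS for secret encryption` comment could also name the consumer, e.g. `# Cloud KMS key used by the 'pass'-compatible wrapper that kontemplate calls to decrypt in-repo secrets`.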
From: Vincent Ambo
Date: Tue, 3 Sep 2019 16:10:42 +0100
Subject: feat(k8s): Insert Nixery's secrets via kontemplate
Instead of having a manually prepared secret, use Cloud KMS (as per the previous commits) to decrypt the in-repo secrets and template them into the Secret resource in Kubernetes. Not all of the values are actually secret, it has thus become a bit easier to edit the known hosts, SSH config and such now.
---
 infra/kubernetes/nixery/config.yaml | 4 ----
 infra/kubernetes/nixery/id_nixery.pub | 1 +
 infra/kubernetes/nixery/known_hosts | 1 +
 infra/kubernetes/nixery/secrets.yaml | 19 +++++++++++++++++++
 infra/kubernetes/nixery/ssh_config | 4 ++++
 5 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 infra/kubernetes/nixery/id_nixery.pub
 create mode 100644 infra/kubernetes/nixery/known_hosts
 create mode 100644 infra/kubernetes/nixery/secrets.yaml
 create mode 100644 infra/kubernetes/nixery/ssh_config
(limited to 'infra')
diff --git a/infra/kubernetes/nixery/config.yaml b/infra/kubernetes/nixery/config.yaml
index 1bd95536ac17..796e21a7273c 100644
--- a/infra/kubernetes/nixery/config.yaml
+++ b/infra/kubernetes/nixery/config.yaml
@@ -3,10 +3,6 @@
 # The service via which Nixery is exposed has a private DNS entry
 # pointing to it, which makes it possible to resolve `nixery.local`
 # in-cluster without things getting nasty.
-#
-# The 'nixery-keys' secret was configured manually using a created
-# service account key. This does not use metadata-based authentication
-# due to the requirement for having an actual PEM-key to sign with.
 ---
 apiVersion: apps/v1
 kind: Deployment
diff --git a/infra/kubernetes/nixery/id_nixery.pub b/infra/kubernetes/nixery/id_nixery.pub
new file mode 100644
index 000000000000..dc3fd617d0a1
--- /dev/null
+++ b/infra/kubernetes/nixery/id_nixery.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
diff --git a/infra/kubernetes/nixery/known_hosts b/infra/kubernetes/nixery/known_hosts
new file mode 100644
index 000000000000..1bae52b8991a
--- /dev/null
+++ b/infra/kubernetes/nixery/known_hosts
@@ -0,0 +1 @@
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
diff --git a/infra/kubernetes/nixery/secrets.yaml b/infra/kubernetes/nixery/secrets.yaml
new file mode 100644
index 000000000000..ec97a29d362a
--- /dev/null
+++ b/infra/kubernetes/nixery/secrets.yaml
@@ -0,0 +1,19 @@
+# The secrets below are encrypted using keys stored in Cloud KMS and
+# templated in by kontemplate when deploying.
+#
+# Not all of the values are actually secret (see the matching)
+---
+apiVersion: v1
+data:
+ gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
+ gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
+ id_nixery: {{ passLookup "nixery-ssh-private" | b64enc }}
+ id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
+ known_hosts: {{ insertFile "known_hosts" | b64enc }}
+ ssh_config: {{ insertFile "ssh_config" | b64enc }}
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: nixery-secrets
+ selfLink: /api/v1/namespaces/kube-public/secrets/nixery-secrets
+type: Opaque
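Review bot: known_hosts pins a single RSA host key for github.com, so a connection negotiated with another host-key algorithm (github.com also offers ecdsa and ed25519) or made after GitHub rotates its RSA key fails with a host-key error instead of falling back — the right failure mode, but the file gives no hint of where the entry came from or how it was checked. A leading comment line such as `# github.com RSA host key, verified against GitHub's published fingerprints on <date>` records the provenance, and adding the ecdsa and ed25519 entries obtained and verified the same way makes the pin robust to algorithm negotiation. Whether the single entry is sufficient depends on the clone URL and SSH algorithm preference, which are outside this commit.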
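Review bot: The header comment in secrets.yaml stops mid-sentence — `# Not all of the values are actually secret (see the matching)` — and should say what it refers to, e.g. `# Not all of the values are actually secret: id_nixery.pub, known_hosts and ssh_config are plain files pulled in via insertFile.` The `creationTimestamp: null` and `selfLink:` entries under `metadata` look like leftovers from a `kubectl get -o yaml` export; both are server-populated and ignored on apply, and `selfLink` does not choose the namespace, so if `kube-public` is really the intended home it should be stated with `namespace: kube-public` (or left to the kontemplate context) and the two fields dropped. Placing a Secret in kube-public also deserves a comment, since that namespace is documented as intended for resources readable by all users.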
diff --git a/infra/kubernetes/nixery/ssh_config b/infra/kubernetes/nixery/ssh_config
new file mode 100644
index 000000000000..78afbb0b039d
--- /dev/null
+++ b/infra/kubernetes/nixery/ssh_config
@@ -0,0 +1,4 @@
+Match host *
+ User tazjin@google.com
+ IdentityFile /var/nixery/id_nixery
+ UserKnownHostsFile /var/nixery/known_hosts
-- cgit 1.4.1
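Review bot: The `Match host *` block sets `UserKnownHostsFile` but not `StrictHostKeyChecking`, so host-key handling relies on the client default (`ask`), which in Nixery's non-interactive context appears to fail closed only because there is no TTY to answer the prompt; `StrictHostKeyChecking yes` makes the intent explicit regardless of how ssh is invoked. `IdentitiesOnly yes` next to `IdentityFile /var/nixery/id_nixery` would likewise stop an agent or default key from being offered first. `User tazjin@google.com` applies to every host including github.com, for which GitHub documents `git` as the only SSH user; this is harmless when the clone URL carries its own user (the URL takes precedence), but a comment saying which host the setting is for would help, given known_hosts currently lists only github.com.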