Generate kubernetes secrets for ssh keys.

2025-12-21 18:45:49 -05:00 · 2025-12-21 18:45:49 -05:00 · 32fda29efe
commit 32fda29efe
parent ffbd1b56c8
5 changed files with 59 additions and 3 deletions
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@ -110,8 +110,8 @@
      registry: "ghcr.io/fluxcd"
    sync:
      kind: GitRepository
-      url: "https://gitlab.com/my-org/my-fleet.git"
-      ref: "refs/heads/main"
+      url: "ssh://git@10.215.1.210:22/repos/mrmanager"
+      ref: "refs/heads/nix"
      path: "clusters/my-cluster"
      pullSecret: "flux-system"
 #+end_src
--- a/nix/kubernetes/keys/package/bootstrap-script/package.nix
+++ b/nix/kubernetes/keys/package/bootstrap-script/package.nix
@ -34,6 +34,7 @@ let
      ./files/manifests/flux_namespace.yaml
      ./files/manifests/flux.yaml
      ./files/manifests/flux_instance.yaml
+      "${k8s.k8s-ssh-secrets.kubernetes-deploy-key}/kubernetes-deploy-key.yaml"
    ]
  );
  apply_manifests = "kubectl --kubeconfig=${k8s.client-configs.admin}/admin.kubeconfig apply --server-side --force-conflicts -f ${manifests}";
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@ -12,5 +12,6 @@ symlinkJoin {
  ++ (builtins.attrValues k8s.keys)
  ++ (builtins.attrValues k8s.client-configs)
  ++ (builtins.attrValues k8s.ssh-keys)
-  ++ (builtins.attrValues k8s.pgp-keys);
+  ++ (builtins.attrValues k8s.pgp-keys)
+  ++ (builtins.attrValues k8s.k8s-ssh-secrets);
 }
--- a/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
+++ b/nix/kubernetes/keys/package/k8s-secret-ssh/package.nix
@ -0,0 +1,39 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+  stdenv,
+  k8s,
+  kubectl,
+  secret_name,
+  secret_namespace,
+  ssh_key_name,
+  ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+  name = "k8s-secret-ssh-${secret_name}";
+  nativeBuildInputs = [ kubectl ];
+  buildInputs = [ ];
+
+  unpackPhase = "true";
+
+  buildPhase = ''
+    kubectl create secret generic ${secret_name} \
+      --namespace ${secret_namespace} \
+      --from-file=identity=${k8s.ssh-keys."${ssh_key_name}"}/${ssh_key_name} \
+      --from-file=identity.pub=${k8s.ssh-keys."${ssh_key_name}"}/${ssh_key_name}.pub \
+      --dry-run=client -o yaml > ${secret_name}.yaml
+  '';
+  # --from-file=known_hosts=$(OUT)/known_hosts \
+
+  installPhase = ''
+    mkdir "$out"
+    cp "${secret_name}.yaml" $out/
+  '';
+})
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@ -114,6 +114,21 @@ makeScope newScope (
          };
        }
    );
+    k8s-ssh-secrets = (
+      builtins.mapAttrs
+        (
+          secret_name: secret_config:
+          (callPackage ./package/k8s-secret-ssh/package.nix (
+            additional_vars // { inherit secret_name; } // secret_config
+          ))
+        )
+        {
+          "kubernetes-deploy-key" = {
+            secret_namespace = "flux-system";
+            ssh_key_name = "flux_ssh_key";
+          };
+        }
+    );
    client-configs = (
      builtins.mapAttrs
        (