Add generation for in-repo secrets.
@@ -23,6 +23,7 @@
|
||||
deploy_script = pkgs.k8s.deploy_script;
|
||||
default = pkgs.k8s.all_keys;
|
||||
bootstrap_script = pkgs.k8s.bootstrap_script;
|
||||
mrmanager_repo_secrets = pkgs.k8s.mrmanager_repo_secrets;
|
||||
}
|
||||
);
|
||||
overlays.default = (
|
||||
|
||||
@@ -14,7 +14,6 @@ spec:
|
||||
ignore: |
|
||||
bootstrap
|
||||
.sops.yaml
|
||||
secrets/
|
||||
---
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
|
||||
@@ -10,12 +10,17 @@ let
|
||||
cp ${k8s.deploy_script} $out/deploy_script
|
||||
cp ${k8s.bootstrap_script} $out/bootstrap_script
|
||||
'';
|
||||
mrmanager_repo_secrets = runCommand "mrmanager_repo_secrets" { } ''
|
||||
mkdir $out
|
||||
cp -r ${k8s.mrmanager_repo_secrets} $out/mrmanager_repo_secrets
|
||||
'';
|
||||
in
|
||||
symlinkJoin {
|
||||
name = "k8s-keys";
|
||||
paths = [
|
||||
scripts
|
||||
k8s.encryption_config
|
||||
mrmanager_repo_secrets
|
||||
]
|
||||
++ (builtins.attrValues k8s.ca)
|
||||
++ (builtins.attrValues k8s.keys)
|
||||
|
||||
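Review bot: The new `mrmanager_repo_secrets` wrapper carries no comment explaining what it adds to the `k8s-keys` join, which (judging by the `k8s.ca` and `k8s.keys` entries) now places sops-encrypted material meant for the repository next to CA and key files that must never leave the host. I would add, above the `runCommand`, `# sops-encrypted in-repo secrets, nested under their own directory so symlinkJoin does not merge them with the key files below`. The `runCommand`/`cp -r` wrapper is only there to create the `$out/mrmanager_repo_secrets` subdirectory, since `symlinkJoin` merges top-level entries; that is fine, but the reason deserves stating so nobody "simplifies" it later.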
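--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix
@@ -0,0 +1,65 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+pkgs,
+stdenv,
+kubectl,
+gnupg,
+source_file,
+output_filename,
+pgp_public_key,
+...
+}:
+let
+pgp_key_id_command = pkgs.runCommand "pgp_key_id_command" { } ''
+mkdir keyring
+export GNUPGHOME=$(readlink -f keyring)
+${gnupg}/bin/gpg --with-fingerprint --with-colons --keyid-format LONG "${pgp_public_key}" | grep '^pub' | cut -d ':' -f 5 > $out
+'';
+pgp_key_id = builtins.readFile pgp_key_id_command;
+sops_config = {
+creation_rules = [
+{
+"path_regex" = ".*.yaml";
+"encrypted_regex" = "^(data|stringData)$";
+"pgp" = pgp_key_id;
+}
+];
+};
+settingsFormat = pkgs.formats.yaml { };
+yaml_body = settingsFormat.generate ".sops.yaml" sops_config;
+yaml_file = pkgs.writeTextFile {
+name = ".sops.yaml";
+text = (builtins.readFile yaml_body);
+};
+in
+stdenv.mkDerivation (finalAttrs: {
+name = "k8s-secret-encrypted-${output_filename}";
+nativeBuildInputs = [
+kubectl
+gnupg
+];
+buildInputs = [ ];
+
+unpackPhase = "true";
+
+buildPhase = ''
+mkdir keyring
+export GNUPGHOME=$(readlink -f keyring)
+cat "${pgp_public_key}" | gpg --import
+'';
+
+installPhase = ''
+set -x
+export GNUPGHOME=$(readlink -f keyring)
+mkdir "$out"
+cat "${source_file}" | ${pkgs.sops}/bin/sops --config "${yaml_file}" encrypt --filename-override "${output_filename}" | tee "$out/${output_filename}"
+'';
+})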
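Review bot: The recipient that `pgp_key_id_command` writes is the 64-bit long key ID (`grep '^pub' | cut -d ':' -f 5`) although `--with-fingerprint` is already passed and the full fingerprint is available on the `fpr` record; key IDs are not collision-resistant and sops documents fingerprints as the `pgp` value, so I would select the fingerprint instead: `${gnupg}/bin/gpg --with-colons --with-fingerprint "${pgp_public_key}" | grep '^fpr' | head -n 1 | cut -d ':' -f 10 | tr -d '\n' > $out`. `builtins.readFile` otherwise keeps the trailing newline from `cut` inside the `pgp` value; sops appears to trim whitespace around recipients, but the `tr -d '\n'` removes the dependence on that. The `set -x` at the top of `installPhase` reads like a debugging leftover: it echoes every store path into the build log, and together with `tee` it makes the log noisy without adding a check, so I would drop both once the output is confirmed. The plaintext itself is not exposed by `set -x`, since it travels through the pipe rather than the command line.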
@@ -0,0 +1,70 @@
|
||||
{
|
||||
lib,
|
||||
k8s,
|
||||
callPackage,
|
||||
runCommand,
|
||||
symlinkJoin,
|
||||
...
|
||||
}:
|
||||
let
|
||||
pre_encryption_secrets =
|
||||
builtins.mapAttrs
|
||||
(
|
||||
secret_namespace: secrets:
|
||||
(builtins.mapAttrs (
|
||||
secret_name: secret_values:
|
||||
(callPackage ../../package/k8s-secret-generic/package.nix {
|
||||
inherit secret_name secret_namespace secret_values;
|
||||
})
|
||||
) secrets)
|
||||
)
|
||||
{
|
||||
"external-dns" = {
|
||||
"rfc2136" = {
|
||||
"EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
|
||||
builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
|
||||
);
|
||||
};
|
||||
};
|
||||
"cert-manager" = {
|
||||
"rfc2136" = {
|
||||
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
|
||||
};
|
||||
};
|
||||
};
|
||||
encrypted_secrets = (
|
||||
builtins.mapAttrs (
|
||||
secret_namespace: secrets:
|
||||
(builtins.mapAttrs (
|
||||
secret_name: secret_package:
|
||||
(callPackage ../../package/k8s-secret-encrypted/package.nix {
|
||||
source_file = "${
|
||||
pre_encryption_secrets."${secret_namespace}"."${secret_name}"
|
||||
}/${secret_name}.yaml";
|
||||
output_filename = "${secret_name}.yaml";
|
||||
pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
|
||||
})
|
||||
) secrets)
|
||||
) pre_encryption_secrets
|
||||
);
|
||||
combined_script = (
|
||||
lib.concatMapStringsSep "\n" (
|
||||
secret_namespace:
|
||||
''
|
||||
mkdir -p $out/${secret_namespace}
|
||||
''
|
||||
+ (lib.concatMapStringsSep "\n" (secret_name: ''
|
||||
cat ${
|
||||
encrypted_secrets."${secret_namespace}"."${secret_name}"
|
||||
}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
|
||||
'') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
|
||||
) (builtins.attrNames encrypted_secrets)
|
||||
);
|
||||
gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
|
||||
in
|
||||
symlinkJoin {
|
||||
name = "in-repo-secrets";
|
||||
paths = [
|
||||
gen_in_repo_secrets
|
||||
];
|
||||
}
|
||||
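Review bot: `pre_encryption_secrets` puts the plaintext secrets into the Nix store before anything is encrypted: `builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"` interpolates a path inside a string, which copies the file into the store as a source path, and the value is then passed to `k8s-secret-generic` whose output is what `source_file = "${pre_encryption_secrets.…}/${secret_name}.yaml"` feeds into the encryption step, so the plaintext YAML is itself a store path (and, since it arrives via `callPackage` arguments, presumably also recorded in the `.drv`). `/nix/store` is world-readable on the builder and on any host the closure is copied to, so the sops encryption protects only the file that lands in the repository, not the plaintext the build has already materialised. At minimum `builtins.readFile ./secrets/cert-manager/rfc2136/TSIG_SECRET` (a path, not an interpolated string) avoids the extra store copy for both entries. The derivation output and `.drv` exposure cannot be avoided without moving encryption out of the Nix build, so the `let` should at least carry `# NOTE: plaintext secrets pass through the Nix store here; evaluate and build only on a trusted machine.` I cannot see `k8s-secret-generic/package.nix` in this commit, so how the values are embedded is inferred from the `callPackage` call rather than confirmed.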
@@ -373,5 +373,6 @@ makeScope newScope (
|
||||
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
|
||||
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
|
||||
bootstrap_script = (callPackage ./package/bootstrap-script/package.nix additional_vars);
|
||||
mrmanager_repo_secrets = (callPackage ./package/mrmanager-repo-secrets/package.nix additional_vars);
|
||||
}
|
||||
)
|
||||
|
||||