diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org
index 9437c61a..bce9ceed 100644
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -11,12 +11,13 @@
 ];
 #+end_src
 * IP Ranges
-| | IPv4 | IPv6 |
-|---------------+-----------------------------+-----------------------------------------|
-| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
-| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
-| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
-| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
+| | IPv4 | IPv6 |
+|------------------------------+-----------------------------+-----------------------------------------|
+| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
+| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
+| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
+| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
+| PowerDNS from inside cluster | 10.215.1.211 | |
 * Healthcheck
 ** Check cilium status
 #+begin_src bash
diff --git a/nix/kubernetes/keys/flake.nix b/nix/kubernetes/keys/flake.nix
index 5bc06a6b..851cd71b 100644
--- a/nix/kubernetes/keys/flake.nix
+++ b/nix/kubernetes/keys/flake.nix
@@ -23,6 +23,7 @@
 deploy_script = pkgs.k8s.deploy_script;
 default = pkgs.k8s.all_keys;
 bootstrap_script = pkgs.k8s.bootstrap_script;
+mrmanager_repo_secrets = pkgs.k8s.mrmanager_repo_secrets;
 }
 );
 overlays.default = (
diff --git a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_apply_git.yaml b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_apply_git.yaml
index d60e9bbb..91e6f46c 100644
--- a/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_apply_git.yaml
+++ b/nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_apply_git.yaml
@@ -14,7 +14,6 @@ spec:
 ignore: |
 bootstrap
 .sops.yaml
-secrets/
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
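Review bot: Dropping `secrets/` from the `ignore:` block means Flux now reconciles every manifest committed under that directory, so the only thing keeping a plaintext Secret out of the cluster (and out of git history) is the generator that writes there; nothing in this hunk checks that. A comment on the `ignore:` list, e.g. `# secrets/ is reconciled: every file there must be sops-encrypted (data/stringData) before commit`, plus a pre-commit or CI step that refuses any file under `secrets/` lacking a `sops:` metadata block, would make that expectation explicit. Decryption presumably relies on a `decryption.provider: sops` block on the Kustomization, which is outside this hunk — worth confirming it is configured. The enclosing GitRepository resource starts before the hunk.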
diff --git a/nix/kubernetes/keys/package/k8s-keys/package.nix b/nix/kubernetes/keys/package/k8s-keys/package.nix
index 71596b87..b6b2b870 100644
--- a/nix/kubernetes/keys/package/k8s-keys/package.nix
+++ b/nix/kubernetes/keys/package/k8s-keys/package.nix
@@ -10,12 +10,17 @@ let
 cp ${k8s.deploy_script} $out/deploy_script
 cp ${k8s.bootstrap_script} $out/bootstrap_script
 '';
+mrmanager_repo_secrets = runCommand "mrmanager_repo_secrets" { } ''
+mkdir $out
+cp -r ${k8s.mrmanager_repo_secrets} $out/mrmanager_repo_secrets
+'';
 in
 symlinkJoin {
 name = "k8s-keys";
 paths = [
 scripts
 k8s.encryption_config
+mrmanager_repo_secrets
 ]
 ++ (builtins.attrValues k8s.ca)
 ++ (builtins.attrValues k8s.keys)
diff --git a/nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix b/nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix
new file mode 100644
index 00000000..6d2fbbc3
--- /dev/null
+++ b/nix/kubernetes/keys/package/k8s-secret-encrypted/package.nix
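Review bot: The new `mrmanager_repo_secrets` runCommand lands sops-encrypted manifests meant for the git repository in the same `k8s-keys` output as the CA material and node keys, and nothing in the file tells a reader that the two classes of file have different handling rules. A comment on the new binding, e.g. `# sops-encrypted Secret manifests destined for the Flux repo; the other paths here are deployment inputs`, would prevent someone copying the whole output to one place or the other. Note also that `cp -r` of a `symlinkJoin` output copies its store symlinks as symlinks (I believe that is GNU cp's default under -r), which is fine on the build host but means the directory is not self-contained if it is ever moved elsewhere; `cp -rL` would flatten it.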
@@ -0,0 +1,65 @@
+# unpackPhase
+# patchPhase
+# configurePhase
+# buildPhase
+# checkPhase
+# installPhase
+# fixupPhase
+# installCheckPhase
+# distPhase
+{
+pkgs,
+stdenv,
+kubectl,
+gnupg,
+source_file,
+output_filename,
+pgp_public_key,
+...
+}:
+let
+pgp_key_id_command = pkgs.runCommand "pgp_key_id_command" { } ''
+mkdir keyring
+export GNUPGHOME=$(readlink -f keyring)
+${gnupg}/bin/gpg --with-fingerprint --with-colons --keyid-format LONG "${pgp_public_key}" | grep '^pub' | cut -d ':' -f 5 > $out
+'';
+pgp_key_id = builtins.readFile pgp_key_id_command;
+sops_config = {
+creation_rules = [
+{
+"path_regex" = ".*.yaml";
+"encrypted_regex" = "^(data|stringData)$";
+"pgp" = pgp_key_id;
+}
+];
+};
+settingsFormat = pkgs.formats.yaml { };
+yaml_body = settingsFormat.generate ".sops.yaml" sops_config;
+yaml_file = pkgs.writeTextFile {
+name = ".sops.yaml";
+text = (builtins.readFile yaml_body);
+};
+in
+stdenv.mkDerivation (finalAttrs: {
+name = "k8s-secret-encrypted-${output_filename}";
+nativeBuildInputs = [
+kubectl
+gnupg
+];
+buildInputs = [ ];
+
+unpackPhase = "true";
+
+buildPhase = ''
+mkdir keyring
+export GNUPGHOME=$(readlink -f keyring)
+cat "${pgp_public_key}" | gpg --import
+'';
+
+installPhase = ''
+set -x
+export GNUPGHOME=$(readlink -f keyring)
+mkdir "$out"
+cat "${source_file}" | ${pkgs.sops}/bin/sops --config "${yaml_file}" encrypt --filename-override "${output_filename}" | tee "$out/${output_filename}"
+'';
+})
diff --git a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
new file mode 100644
index 00000000..c08fa860
--- /dev/null
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
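Review bot: `pgp_key_id = builtins.readFile pgp_key_id_command;` keeps the trailing newline that `cut` writes, so the `pgp` value in the generated `.sops.yaml` is the key ID plus `\n`; `pkgs.lib.fileContents pgp_key_id_command` strips it. That value is also field 5 of the `pub` record, i.e. the 16-hex long key ID, whereas sops documents the `pgp` creation-rule entry as a fingerprint — if the encrypt step works today it is presumably because gpg resolves the short form, which is worth confirming rather than relying on. Both `builtins.readFile` calls on derivation outputs (`pgp_key_id_command`, `yaml_body`) are import-from-derivation, so merely evaluating this package triggers builds; `yaml_file` in particular is redundant since `settingsFormat.generate` already yields a store file that can be passed to `--config` directly. The phase list at the top reads as scratch notes; a header such as `# Encrypts a generated Secret manifest with sops (PGP recipient, data/stringData only) so it can be committed to the repo.` would serve readers better, `unpackPhase = "true"` is conventionally `dontUnpack = true;`, and `finalAttrs` is unused.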
@@ -0,0 +1,70 @@
+{
+lib,
+k8s,
+callPackage,
+runCommand,
+symlinkJoin,
+...
+}:
+let
+pre_encryption_secrets =
+builtins.mapAttrs
+(
+secret_namespace: secrets:
+(builtins.mapAttrs (
+secret_name: secret_values:
+(callPackage ../../package/k8s-secret-generic/package.nix {
+inherit secret_name secret_namespace secret_values;
+})
+) secrets)
+)
+{
+"external-dns" = {
+"rfc2136" = {
+"EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
+builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
+);
+};
+};
+"cert-manager" = {
+"rfc2136" = {
+"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
+};
+};
+};
+encrypted_secrets = (
+builtins.mapAttrs (
+secret_namespace: secrets:
+(builtins.mapAttrs (
+secret_name: secret_package:
+(callPackage ../../package/k8s-secret-encrypted/package.nix {
+source_file = "${
+pre_encryption_secrets."${secret_namespace}"."${secret_name}"
+}/${secret_name}.yaml";
+output_filename = "${secret_name}.yaml";
+pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
+})
+) secrets)
+) pre_encryption_secrets
+);
+combined_script = (
+lib.concatMapStringsSep "\n" (
+secret_namespace:
+''
+mkdir -p $out/${secret_namespace}
+''
++ (lib.concatMapStringsSep "\n" (secret_name: ''
+cat ${
+encrypted_secrets."${secret_namespace}"."${secret_name}"
+}/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
+'') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
+) (builtins.attrNames encrypted_secrets)
+);
+gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
+in
+symlinkJoin {
+name = "in-repo-secrets";
+paths = [
+gen_in_repo_secrets
+];
+}
diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index f1f87b36..cd0ca351 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
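Review bot: The plaintext TSIG values read with `builtins.readFile "${./secrets/...}"` are handed as `secret_values` to the `k8s-secret-generic` derivation, so the unencrypted Secret manifest in `pre_encryption_secrets` exists as a world-readable `/nix/store` output (and inside its `.drv`) on every host that evaluates or builds this package, and would be uploaded along with everything else if build results are pushed to a binary cache; only the `encrypted_secrets` stage is safe to publish. A comment above `pre_encryption_secrets` saying exactly that, and that `./secrets/` must never be committed (I cannot see from the diff whether it is git-ignored), would make the trust boundary explicit to the next person who adds a namespace here. The inner `mapAttrs` in `encrypted_secrets` names its value `secret_package` but never uses it, re-looking the same derivation up through `pre_encryption_secrets`; `source_file = "${secret_package}/${secret_name}.yaml";` says the same thing without the indirection. In `combined_script`, `cat … > …` is a file copy; `cp` reads more directly.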
@@ -373,5 +373,6 @@ makeScope newScope (
 all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
 deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
 bootstrap_script = (callPackage ./package/bootstrap-script/package.nix additional_vars);
+mrmanager_repo_secrets = (callPackage ./package/mrmanager-repo-secrets/package.nix additional_vars);
 }
 )