Add generation for in-repo secrets.

2026-03-19 18:16:20 -04:00
parent 4abd80ac98
commit eaf0c16c17
7 changed files with 149 additions and 7 deletions
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -0,0 +1,70 @@
+{
+  lib,
+  k8s,
+  callPackage,
+  runCommand,
+  symlinkJoin,
+  ...
+}:
+let
+  pre_encryption_secrets =
+    builtins.mapAttrs
+      (
+        secret_namespace: secrets:
+        (builtins.mapAttrs (
+          secret_name: secret_values:
+          (callPackage ../../package/k8s-secret-generic/package.nix {
+            inherit secret_name secret_namespace secret_values;
+          })
+        ) secrets)
+      )
+      {
+        "external-dns" = {
+          "rfc2136" = {
+            "EXTERNAL_DNS_RFC2136_TSIG_SECRET" = (
+              builtins.readFile "${./secrets/external-dns/rfc2136/EXTERNAL_DNS_RFC2136_TSIG_SECRET}"
+            );
+          };
+        };
+        "cert-manager" = {
+          "rfc2136" = {
+            "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
+          };
+        };
+      };
+  encrypted_secrets = (
+    builtins.mapAttrs (
+      secret_namespace: secrets:
+      (builtins.mapAttrs (
+        secret_name: secret_package:
+        (callPackage ../../package/k8s-secret-encrypted/package.nix {
+          source_file = "${
+            pre_encryption_secrets."${secret_namespace}"."${secret_name}"
+          }/${secret_name}.yaml";
+          output_filename = "${secret_name}.yaml";
+          pgp_public_key = "${k8s.pgp-keys.flux_gpg}/flux_gpg_public_key.asc";
+        })
+      ) secrets)
+    ) pre_encryption_secrets
+  );
+  combined_script = (
+    lib.concatMapStringsSep "\n" (
+      secret_namespace:
+      ''
+        mkdir -p $out/${secret_namespace}
+      ''
+      + (lib.concatMapStringsSep "\n" (secret_name: ''
+        cat ${
+          encrypted_secrets."${secret_namespace}"."${secret_name}"
+        }/${secret_name}.yaml > $out/${secret_namespace}/${secret_name}.yaml
+      '') (builtins.attrNames encrypted_secrets."${secret_namespace}"))
+    ) (builtins.attrNames encrypted_secrets)
+  );
+  gen_in_repo_secrets = runCommand "gen_in_repo_secrets" { } combined_script;
+in
+symlinkJoin {
+  name = "in-repo-secrets";
+  paths = [
+    gen_in_repo_secrets
+  ];
+}