docs: add steps to rebuild kustomization secrets

2023-05-16 22:06:13 -04:00 · 2023-05-16 22:06:13 -04:00 · 710af7dbc7
parent e76452e192
commit 710af7dbc7
6 changed files with 90 additions and 17 deletions
--- a/docs/kustomization-ordering.md
+++ b/docs/kustomization-ordering.md
@ -7,7 +7,13 @@ Current order:
 * Cilium
 * Cert Manager
 * DigitalOcean
 * Cert Manager (again, to deploy the ClusterIssuer)
 * Ingress NGINX
 * External DNS
 * Keycloak
 * Forgejo
 Any secrets necessary for any of the previous Kustomizations can be generated
 via scripts in the relevant Kustomization. There should be information in the
 Kustomization's README (which may be in a `docs` subdirectory) about how to
 generate the secrets.
--- a/kustomizations/cert-manager/kustomization.yaml
+++ b/kustomizations/cert-manager/kustomization.yaml
@ -6,20 +6,20 @@ resources:
 - cluster-issuer
 - namespace.yaml
 replacements:
-  - source:
+- source:
-      kind: Deployment
+    kind: Deployment
-      name: cert-manager-webhook
+    name: cert-manager-webhook
-      fieldPath: metadata.namespace
+    fieldPath: metadata.namespace
-    targets:
+  targets:
-      - select:
+  - select:
-          kind: MutatingWebhookConfiguration
+      kind: MutatingWebhookConfiguration
-        fieldPaths:
+    fieldPaths:
-          - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
+    - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
-        options:
+    options:
-          delimiter: /
+      delimiter: /
-      - select:
+  - select:
-          kind: ValidatingWebhookConfiguration
+      kind: ValidatingWebhookConfiguration
-        fieldPaths:
+    fieldPaths:
-          - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
+    - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
-        options:
+    options:
-          delimiter: /
+      delimiter: /
--- a/kustomizations/digitalocean/README.md
+++ b/kustomizations/digitalocean/README.md
@ -0,0 +1,7 @@
 # Secrets
 DigitalOcean's CNI and CCM, as well as a few other separate Kustomizations,
 require a DigitalOcean token and a VPC id. This can be generated by running:
 ```
 sh kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/digitalocean-config.enc.yaml
--- a/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
+++ b/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
@ -0,0 +1,31 @@
 #!/bin/sh
 if test -t 1; then
  # This is not foolproof. Can easily be beat by doing |cat. This is just to
  # make it less likely that secrets are output to terminal.
  echo "Error: Not outputting secret to stdout; redirect output to a file or" \
    "pipe output to \`sops\`." >/dev/stderr
  exit 1
 fi
 printf_stderr() {
  printf "$@" > /dev/stderr
 }
 printf_stderr "DigitalOcean VPC ID: "
 read DO_VPC_ID
 printf_stderr "DigitalOcean Token: "
 stty -echo
 read DO_TOKEN
 stty echo
 echo > /dev/stderr
 cat <<EOF
 apiVersion: v1
 kind: Secret
 metadata:
  name: digitalocean
 stringData:
  vpc-id: ${DO_VPC_ID}
  access-token: ${DO_TOKEN}
 EOF
--- a/kustomizations/forgejo/docs/README.md
+++ b/kustomizations/forgejo/docs/README.md
@ -0,0 +1,24 @@
 # Secrets
 Forgejo requires three secret keys, each protecting a specific component. They
 are generated using the Forgejo container, to ensure they are in the correct
 format. These keys can be generated by running:
 ```sh
 sh kustomizations/forgejo/scripts/generate-forgejo-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-config.enc.yaml
 ```
 Forgejo supports SSH but requires host keys to be pregenerated:
 ```sh
 sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
 ```
 To get the database credentials, run:
 ```sh
 sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
 ```
 Check the Keycloak Kustomization documentation for information on generating
 a Client ID and Secret.
--- a/kustomizations/keycloak/docs/README.md
+++ b/kustomizations/keycloak/docs/README.md
@ -9,6 +9,11 @@ To generate the admin password for Keycloak, run:
  > keycloak-config.enc.yaml
 ```
 To get the database credentials, run:
 ```sh
 sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
 ```
 # Adding Clients