forked from public/stack
docs: add steps to rebuild kustomization secrets
parent
e76452e192
commit
710af7dbc7
|
@ -7,7 +7,13 @@ Current order:
|
||||||
* Cilium
|
* Cilium
|
||||||
* Cert Manager
|
* Cert Manager
|
||||||
* DigitalOcean
|
* DigitalOcean
|
||||||
|
* Cert Manager (again, to deploy the ClusterIssuer)
|
||||||
* Ingress NGINX
|
* Ingress NGINX
|
||||||
* External DNS
|
* External DNS
|
||||||
* Keycloak
|
* Keycloak
|
||||||
* Forgejo
|
* Forgejo
|
||||||
|
|
||||||
|
Any secrets necessary for any of the previous Kustomizations can be generated
|
||||||
|
via scripts in the relevant Kustomization. There should be information in the
|
||||||
|
Kustomization's README (which may be in a `docs` subdirectory) about how to
|
||||||
|
generate the secrets.
|
||||||
|
|
|
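Review bot: The new "Cert Manager (again, to deploy the ClusterIssuer)" entry gives the order but not the reason, so a reader cannot tell whether a failure on the first Cert Manager pass is expected; state that the first pass is expected to fail on the ClusterIssuer because the ClusterIssuer CRD and cert-manager's validating webhook are not registered yet, and that the second pass is the one that must succeed. The new paragraph "Any secrets necessary for any of the previous Kustomizations can be generated via scripts in the relevant Kustomization" should also name the encryption step that has to follow generation (the scripts emit plaintext manifests that are only meant to be piped into an encryptor before being written into the repo); as written it reads as if producing the plaintext output were the end of the procedure.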
@ -6,20 +6,20 @@ resources:
|
||||||
- cluster-issuer
|
- cluster-issuer
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
replacements:
|
replacements:
|
||||||
- source:
|
- source:
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
name: cert-manager-webhook
|
name: cert-manager-webhook
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
targets:
|
targets:
|
||||||
- select:
|
- select:
|
||||||
kind: MutatingWebhookConfiguration
|
kind: MutatingWebhookConfiguration
|
||||||
fieldPaths:
|
fieldPaths:
|
||||||
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
|
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
|
||||||
options:
|
options:
|
||||||
delimiter: /
|
delimiter: /
|
||||||
- select:
|
- select:
|
||||||
kind: ValidatingWebhookConfiguration
|
kind: ValidatingWebhookConfiguration
|
||||||
fieldPaths:
|
fieldPaths:
|
||||||
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
|
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
|
||||||
options:
|
options:
|
||||||
delimiter: /
|
delimiter: /
|
||||||
|
|
|
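Review bot: This hunk has the same line count on both sides (-6,20 +6,20) and no visibly changed text, so it is most likely a whitespace-only change to the `replacements:` block; if so, say so in the commit message or leave it out of a docs-only commit so reviewers do not hunt for a semantic change. Separately, `- cluster-issuer` is listed as a resource of the same Kustomization that installs cert-manager itself, which is why Cert Manager has to be applied a second time once its CRDs and webhook are up; moving the ClusterIssuer into its own Kustomization that depends on the cert-manager one would remove the double apply and the ordering caveat that the README now has to document.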
@ -0,0 +1,7 @@
|
||||||
|
# Secrets
|
||||||
|
|
||||||
|
DigitalOcean's CNI and CCM, as well as a few other separate Kustomizations,
|
||||||
|
require a DigitalOcean token and a VPC id. This can be generated by running:
|
||||||
|
|
||||||
|
```
|
||||||
|
sh kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/digitalocean-config.enc.yaml
|
|
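Review bot: The code fence opened on the sixth line of the new file is never closed: the file is 7 lines long and ends on the `sh kustomizations/digitalocean/scripts/...` command, so anything rendered after it in this README would be swallowed into the code block; add the closing ``` and tag the fence `sh` as the Forgejo and Keycloak docs do. The output path `kustomizations/digitalocean-config.enc.yaml` also drops the `digitalocean/` directory that the script path uses, so the encrypted Secret would land beside the Kustomization directories instead of inside the DigitalOcean one; confirm the intended path. Minor: "This can be generated by running" has no clear antecedent, say "a Secret holding both can be generated by running".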
@ -0,0 +1,31 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
if test -t 1; then
|
||||||
|
# This is not foolproof. Can easily be beat by doing |cat. This is just to
|
||||||
|
# make it less likely that secrets are output to terminal.
|
||||||
|
echo "Error: Not outputting secret to stdout; redirect output to a file or" \
|
||||||
|
"pipe output to \`sops\`." >/dev/stderr
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
printf_stderr() {
|
||||||
|
printf "$@" > /dev/stderr
|
||||||
|
}
|
||||||
|
|
||||||
|
printf_stderr "DigitalOcean VPC ID: "
|
||||||
|
read DO_VPC_ID
|
||||||
|
printf_stderr "DigitalOcean Token: "
|
||||||
|
stty -echo
|
||||||
|
read DO_TOKEN
|
||||||
|
stty echo
|
||||||
|
echo > /dev/stderr
|
||||||
|
|
||||||
|
cat <<EOF
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: digitalocean
|
||||||
|
stringData:
|
||||||
|
vpc-id: ${DO_VPC_ID}
|
||||||
|
access-token: ${DO_TOKEN}
|
||||||
|
EOF
|
|
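Review bot: `stty -echo` is not paired with a trap, so an interrupt (Ctrl-C) or a failed `read` during the token prompt leaves the caller's terminal with echo disabled; add `trap 'stty echo' EXIT INT TERM` before the `stty -echo` line. The heredoc also interpolates `${DO_VPC_ID}` and `${DO_TOKEN}` into YAML unquoted: a value with leading or trailing whitespace, a `#`, or a `: ` sequence would be mangled or rejected by the YAML parser, and because the output is piped straight into `sops` the breakage only shows up at apply time. Quote the values, e.g. `access-token: "${DO_TOKEN}"`, and reject empty input before emitting the manifest, since an empty token currently produces a syntactically valid Secret that silently fails later. Smaller points: use `read -r` so backslashes are kept literally, and `echo >&2` is the portable spelling of `echo > /dev/stderr`.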
@ -0,0 +1,24 @@
|
||||||
|
# Secrets
|
||||||
|
|
||||||
|
Forgejo requires three secret keys, each protecting a specific component. They
|
||||||
|
are generated using the Forgejo container, to ensure they are in the correct
|
||||||
|
format. These keys can be generated by running:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
sh kustomizations/forgejo/scripts/generate-forgejo-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-config.enc.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
Forgejo supports SSH but requires host keys to be pregenerated:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
To get the database credentials, run:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
Check the Keycloak Kustomization documentation for information on generating
|
||||||
|
a Client ID and Secret.
|
|
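Review bot: The "database credentials" command in the Forgejo docs selects `.database_users.value.keycloak` and writes to `kustomizations/keycloak/postgres-auth.enc.yaml`, both of which belong to the Keycloak Kustomization; following it as written would rewrite Keycloak's encrypted credentials and leave Forgejo without any, so the jq selector and the output path should reference Forgejo's database user and `kustomizations/forgejo/`. The closing sentence that sends the reader to the Keycloak docs for "a Client ID and Secret" should also say what Forgejo needs them for, otherwise it is not obvious why a Forgejo secrets README points at another Kustomization.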
@ -9,6 +9,11 @@ To generate the admin password for Keycloak, run:
|
||||||
> keycloak-config.enc.yaml
|
> keycloak-config.enc.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To get the database credentials, run:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
|
||||||
|
```
|
||||||
|
|
||||||
# Adding Clients
|
# Adding Clients
|
||||||
|
|
||||||
|
|
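Review bot: `sops --encrypt --encrypted-regex '^(data|stringData)$'` encrypts only values under keys named `data` or `stringData`; the input here is whatever `jq '.database_users.value.keycloak'` emits, and unless that Terraform output is already shaped as a Kubernetes Secret manifest with a `stringData` key, the password lands in `postgres-auth.enc.yaml` in plaintext with sops metadata appended, and the `.enc.yaml` name would make it look encrypted. Either document the shape of the `database_users` output, or wrap it so the regex matches, e.g. `jq '{apiVersion:"v1",kind:"Secret",metadata:{name:"postgres-auth"},stringData:.database_users.value.keycloak}'`. The same command is duplicated verbatim in the Forgejo docs in this commit, so any fix here needs to be mirrored there.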