1
0
Fork 0

docs: add steps to rebuild kustomization secrets

This commit is contained in:
ryan-distrust.co 2023-05-16 22:06:13 -04:00
parent e76452e192
commit 710af7dbc7
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
6 changed files with 90 additions and 17 deletions

View File

@ -7,7 +7,13 @@ Current order:
* Cilium * Cilium
* Cert Manager * Cert Manager
* DigitalOcean * DigitalOcean
* Cert Manager (again, to deploy the ClusterIssuer)
* Ingress NGINX * Ingress NGINX
* External DNS * External DNS
* Keycloak * Keycloak
* Forgejo * Forgejo
Any secrets necessary for any of the previous Kustomizations can be generated
via scripts in the relevant Kustomization. There should be information in the
Kustomization's README (which may be in a `docs` subdirectory) about how to
generate the secrets.

View File

@ -6,20 +6,20 @@ resources:
- cluster-issuer - cluster-issuer
- namespace.yaml - namespace.yaml
replacements: replacements:
- source: - source:
kind: Deployment kind: Deployment
name: cert-manager-webhook name: cert-manager-webhook
fieldPath: metadata.namespace fieldPath: metadata.namespace
targets: targets:
- select: - select:
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
fieldPaths: fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret] - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options: options:
delimiter: / delimiter: /
- select: - select:
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
fieldPaths: fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret] - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options: options:
delimiter: / delimiter: /

View File

@ -0,0 +1,7 @@
# Secrets
DigitalOcean's CNI and CCM, as well as a few other separate Kustomizations,
require a DigitalOcean token and a VPC id. This can be generated by running:
```
sh kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/digitalocean-config.enc.yaml

View File

@ -0,0 +1,31 @@
#!/bin/sh
if test -t 1; then
# This is not foolproof. Can easily be beat by doing |cat. This is just to
# make it less likely that secrets are output to terminal.
echo "Error: Not outputting secret to stdout; redirect output to a file or" \
"pipe output to \`sops\`." >/dev/stderr
exit 1
fi
printf_stderr() {
printf "$@" > /dev/stderr
}
printf_stderr "DigitalOcean VPC ID: "
read DO_VPC_ID
printf_stderr "DigitalOcean Token: "
stty -echo
read DO_TOKEN
stty echo
echo > /dev/stderr
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
name: digitalocean
stringData:
vpc-id: ${DO_VPC_ID}
access-token: ${DO_TOKEN}
EOF

View File

@ -0,0 +1,24 @@
# Secrets
Forgejo requires three secret keys, each protecting a specific component. They
are generated using the Forgejo container, to ensure they are in the correct
format. These keys can be generated by running:
```sh
sh kustomizations/forgejo/scripts/generate-forgejo-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-config.enc.yaml
```
Forgejo supports SSH but requires host keys to be pregenerated:
```sh
sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
```
To get the database credentials, run:
```sh
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
```
Check the Keycloak Kustomization documentation for information on generating
a Client ID and Secret.

View File

@ -9,6 +9,11 @@ To generate the admin password for Keycloak, run:
> keycloak-config.enc.yaml > keycloak-config.enc.yaml
``` ```
To get the database credentials, run:
```sh
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
```
# Adding Clients # Adding Clients