forked from public/stack
docs: add steps to rebuild kustomization secrets
parent e76452e192
commit 710af7dbc7
@ -7,7 +7,13 @@ Current order:
* Cilium
* Cert Manager
* DigitalOcean
* Cert Manager (again, to deploy the ClusterIssuer)
* Ingress NGINX
* External DNS
* Keycloak
* Forgejo

Any secrets necessary for any of the previous Kustomizations can be generated
via scripts in the relevant Kustomization. There should be information in the
Kustomization's README (which may be in a `docs` subdirectory) about how to
generate the secrets.
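Review bot: the new paragraph hedges where the top-level README should be definitive ("There should be information ... which may be in a `docs` subdirectory"); this same commit adds the secret-generation docs, so name the location outright, e.g. "Each Kustomization documents how to generate its secrets in its `docs` directory", and state once here that every generation script's output is piped through `sops --encrypt` and only the resulting `*.enc.yaml` is committed, since each per-Kustomization doc below relies on that convention without explaining it.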
@ -6,20 +6,20 @@ resources:
- cluster-issuer
- namespace.yaml
replacements:
- source:
kind: Deployment
name: cert-manager-webhook
fieldPath: metadata.namespace
targets:
- select:
kind: MutatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options:
delimiter: /
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options:
delimiter: /
- source:
kind: Deployment
name: cert-manager-webhook
fieldPath: metadata.namespace
targets:
- select:
kind: MutatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options:
delimiter: /
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options:
delimiter: /
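Review bot: the removed and added `replacements` blocks are textually identical in this view, so this hunk is a whitespace or indentation change only; that does not belong in a commit titled `docs: ...`, and it should at least be confirmed with `kustomize build` before and after to show the rendered output is unchanged. While here: both `select` blocks match on `kind` alone, so every MutatingWebhookConfiguration and ValidatingWebhookConfiguration in the build gets its `cert-manager.io/inject-ca-from-secret` annotation rewritten, and kustomize fails the build if a selected object lacks that annotation (no `create: true` is set); pin the selection with the webhook configuration's `name:` so a later resource added to this Kustomization cannot be touched by accident.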
@ -0,0 +1,7 @@
# Secrets

DigitalOcean's CNI and CCM, as well as a few other separate Kustomizations,
require a DigitalOcean token and a VPC id. This can be generated by running:

```
sh kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/digitalocean-config.enc.yaml
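Review bot: the new file has no closing code fence; the hunk is `+1,7` and its seventh and last line is the `sh kustomizations/digitalocean/...` command, so the opening ``` is never closed and anything appended to this file later will render inside the block. Add the closing fence and tag the opening one `sh` as the Forgejo and Keycloak docs in this commit do. Separately, the output path `kustomizations/digitalocean-config.enc.yaml` lands beside the Kustomization directories rather than inside `kustomizations/digitalocean/`, unlike the Forgejo docs, which write into `kustomizations/forgejo/`; if the Kustomization references the file from its own directory, this path is wrong, and if not, the inconsistency should be explained.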
@ -0,0 +1,31 @@
#!/bin/sh

if test -t 1; then
# This is not foolproof. Can easily be beat by doing |cat. This is just to
# make it less likely that secrets are output to terminal.
echo "Error: Not outputting secret to stdout; redirect output to a file or" \
"pipe output to \`sops\`." >/dev/stderr
exit 1
fi

printf_stderr() {
printf "$@" > /dev/stderr
}

printf_stderr "DigitalOcean VPC ID: "
read DO_VPC_ID
printf_stderr "DigitalOcean Token: "
stty -echo
read DO_TOKEN
stty echo
echo > /dev/stderr

cat <<EOF
apiVersion: v1
kind: Secret
metadata:
name: digitalocean
stringData:
vpc-id: ${DO_VPC_ID}
access-token: ${DO_TOKEN}
EOF
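Review bot: `stty -echo` before `read DO_TOKEN` is never undone if the user interrupts at the prompt, leaving the terminal with echo off; set `trap 'stty echo' EXIT INT TERM` before `stty -echo` so the terminal is always restored. Also use `read -r` for both prompts so a backslash in a pasted value survives, and quote the heredoc scalars (`vpc-id: "${DO_VPC_ID}"`, `access-token: "${DO_TOKEN}"`) so a value containing `#`, `:` or surrounding whitespace cannot change the YAML structure. Finally, `read` returns non-zero on EOF but the script carries on and emits a Secret with empty fields; `set -eu` at the top makes it stop instead. The `test -t 1` guard is a reasonable best effort as the comment already says; note it only checks stdout.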
@ -0,0 +1,24 @@
# Secrets

Forgejo requires three secret keys, each protecting a specific component. They
are generated using the Forgejo container, to ensure they are in the correct
format. These keys can be generated by running:

```sh
sh kustomizations/forgejo/scripts/generate-forgejo-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-config.enc.yaml
```

Forgejo supports SSH but requires host keys to be pregenerated:

```sh
sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
```

To get the database credentials, run:

```sh
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
```

Check the Keycloak Kustomization documentation for information on generating
a Client ID and Secret.
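Review bot: the database-credentials command is copied unchanged from the Keycloak docs: it selects `.database_users.value.keycloak` and writes to `kustomizations/keycloak/postgres-auth.enc.yaml`, so a reader following the Forgejo docs re-encrypts Keycloak's database user into Keycloak's own secret and never produces one for Forgejo. Change both the jq path and the output path to the Forgejo entries (presumably `.database_users.value.forgejo` and `kustomizations/forgejo/postgres-auth.enc.yaml`); this assumes the Terraform module provisions a separate database user for Forgejo, which it should, so that neither service's credentials can read the other's data. The opening sentence would also be more useful if it named the three keys the script generates, so a reader can verify the resulting Secret against Forgejo's configuration.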
@ -9,6 +9,11 @@ To generate the admin password for Keycloak, run:
> keycloak-config.enc.yaml
```

To get the database credentials, run:

```sh
sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
```

# Adding Clients

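Review bot: `jq '.database_users.value.keycloak'` emits the raw Terraform output object, not a Kubernetes Secret, so unless that output is already shaped as a manifest with a `stringData` key, `--encrypted-regex '^(data|stringData)$'` matches nothing and sops writes the username and password to `postgres-auth.enc.yaml` in plaintext, with sops metadata and a MAC attached that make the file look encrypted. Wrap the output into a Secret first, e.g. `jq '{apiVersion:"v1",kind:"Secret",metadata:{name:"postgres-auth"},stringData:.database_users.value.keycloak}'` (the Secret name is a placeholder, use whatever the Kustomization expects), and tell the reader to confirm the values show as `ENC[...]` before committing. Also, the admin-password command just above writes `> keycloak-config.enc.yaml` relative to the current directory while this one writes `kustomizations/keycloak/postgres-auth.enc.yaml` relative to the repository root; pick one working-directory convention for the file.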