From 710af7dbc75af3727c1624d1babd61124c1e9dac Mon Sep 17 00:00:00 2001
From: "ryan-distrust.co"
Date: Tue, 16 May 2023 22:06:13 -0400
Subject: [PATCH] docs: add steps to rebuild kustomization secrets

---
 docs/kustomization-ordering.md | 6 ++++
 .../cert-manager/kustomization.yaml | 34 +++++++++----------
 kustomizations/digitalocean/README.md | 7 ++++
 .../generate-digitalocean-token-secret.sh | 31 +++++++++++++++++
 kustomizations/forgejo/docs/README.md | 24 +++++++++++++
 kustomizations/keycloak/docs/README.md | 5 +++
 6 files changed, 90 insertions(+), 17 deletions(-)
 create mode 100644 kustomizations/digitalocean/README.md
 create mode 100755 kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
 create mode 100644 kustomizations/forgejo/docs/README.md

diff --git a/docs/kustomization-ordering.md b/docs/kustomization-ordering.md
index f52b4ae..d225889 100644
--- a/docs/kustomization-ordering.md
+++ b/docs/kustomization-ordering.md
@@ -7,7 +7,13 @@ Current order:
 * Cilium
 * Cert Manager
 * DigitalOcean
+* Cert Manager (again, to deploy the ClusterIssuer)
 * Ingress NGINX
 * External DNS
 * Keycloak
 * Forgejo
+
+Any secrets necessary for any of the previous Kustomizations can be generated
+via scripts in the relevant Kustomization. There should be information in the
+Kustomization's README (which may be in a `docs` subdirectory) about how to
+generate the secrets.
diff --git a/kustomizations/cert-manager/kustomization.yaml b/kustomizations/cert-manager/kustomization.yaml
index 605c130..394350d 100644
--- a/kustomizations/cert-manager/kustomization.yaml
+++ b/kustomizations/cert-manager/kustomization.yaml
@@ -6,20 +6,20 @@ resources:
 - cluster-issuer
 - namespace.yaml
 replacements:
- - source:
- kind: Deployment
- name: cert-manager-webhook
- fieldPath: metadata.namespace
- targets:
- - select:
- kind: MutatingWebhookConfiguration
- fieldPaths:
- - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
- options:
- delimiter: /
- - select:
- kind: ValidatingWebhookConfiguration
- fieldPaths:
- - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
- options:
- delimiter: /
+- source:
+ kind: Deployment
+ name: cert-manager-webhook
+ fieldPath: metadata.namespace
+ targets:
+ - select:
+ kind: MutatingWebhookConfiguration
+ fieldPaths:
+ - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
+ options:
+ delimiter: /
+ - select:
+ kind: ValidatingWebhookConfiguration
+ fieldPaths:
+ - metadata.annotations.[cert-manager.io/inject-ca-from-secret]
+ options:
+ delimiter: /
diff --git a/kustomizations/digitalocean/README.md b/kustomizations/digitalocean/README.md
new file mode 100644
index 0000000..8ec37de
--- /dev/null
+++ b/kustomizations/digitalocean/README.md
@@ -0,0 +1,7 @@
+# Secrets
+
+DigitalOcean's CNI and CCM, as well as a few other separate Kustomizations,
+require a DigitalOcean token and a VPC id. This can be generated by running:
+
+```
+sh kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/digitalocean-config.enc.yaml
diff --git a/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh b/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
new file mode 100755
index 0000000..7fb03dd
--- /dev/null
+++ b/kustomizations/digitalocean/scripts/generate-digitalocean-token-secret.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+if test -t 1; then
+ # This is not foolproof. Can easily be beat by doing |cat. This is just to
+ # make it less likely that secrets are output to terminal.
+ echo "Error: Not outputting secret to stdout; redirect output to a file or" \ "pipe output to \`sops\`." >/dev/stderr
+ exit 1
+fi
+
+printf_stderr() {
+ printf "$@" > /dev/stderr
+}
+
+printf_stderr "DigitalOcean VPC ID: "
+read DO_VPC_ID
+printf_stderr "DigitalOcean Token: "
+stty -echo
+read DO_TOKEN
+stty echo
+echo > /dev/stderr
+
+cat < kustomizations/forgejo/forgejo-config.enc.yaml
+```
+
+Forgejo supports SSH but requires host keys to be pregenerated:
+
+```sh
+sh kustomizations/forgejo/scripts/generate-forgejo-ssh-secret.sh | sops --encrypt --encrypted-regex='^(data|stringData)$' --input-type=yaml --output-type=yaml /dev/stdin > kustomizations/forgejo/forgejo-ssh-keys.enc.yaml
+```
+
+To get the database credentials, run:
+
+```sh
+sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
+```
+
+Check the Keycloak Kustomization documentation for information on generating
+a Client ID and Secret.
diff --git a/kustomizations/keycloak/docs/README.md b/kustomizations/keycloak/docs/README.md
index 3849ec8..fa836c7 100644
--- a/kustomizations/keycloak/docs/README.md
+++ b/kustomizations/keycloak/docs/README.md
@@ -9,6 +9,11 @@ To generate the admin password for Keycloak, run:
 > keycloak-config.enc.yaml
 ```
+To get the database credentials, run:
+
+```sh
+sops exec-env secrets/production.enc.env 'terraform -chdir=infra/main output -json' | jq '.database_users.value.keycloak' | sops --encrypt --encrypted-regex '^(data|stringData)$' --input-type=json --output-type=yaml /dev/stdin > kustomizations/keycloak/postgres-auth.enc.yaml
+```
 # Adding Clients