airship/airshipctl
Code Issues Proposed changes
airshipctl/manifests/site/test-site/target/generator
History
Alexey Odinokov b51e7559b6 Adding encryption of k8s secrets and iso users passwords 
This patchset introduces a generated with template [1] and encrypted
VariableCatalogue generated-secrets that contains steps to
generate: ephemeral and target CA+admin key/cert and passwords for
users in ephemeral bootstrap iso.

It also introduces the way how these secrets are used in manifests:
They're decrypted by kustomize and incorporated into the folders
`catalogues` in the site, so they can be used by replacement plugin.

This patchset contains modifications in replacement plugin
configurations to put the decrypted values from VariableCatalogue
in place.

Since k8s secrets were substituted with generated values
this patchset removes pre-generated k8s secrets.

[1]
manifests/type/gating/target/generator/secret-template.yaml

Change-Id: I0898c74012833f0e171d36bb8145acf358510b69
2021-02-12 04:07:36 +00:00
..
override
Adding encryption of k8s secrets and iso users passwords
2021-02-12 04:07:36 +00:00
results
Adding encryption of k8s secrets and iso users passwords
2021-02-12 04:07:36 +00:00
kustomization.yaml
Adding encryption of k8s secrets and iso users passwords
2021-02-12 04:07:36 +00:00
README.md
Add secrets generator phase
2021-01-14 18:57:15 +00:00

README.md

Secrets generator/encrypter/decrypter

This directory contains an utility that helps generate, encrypt and decrypt secrects. These secrects can be used anywhere in manifests.

For example we can use PGP key from SOPS example. To get the key we need to run: curl -fsSL -o key.asc https://raw.githubusercontent.com/mozilla/sops/master/pgp/sops_functional_tests_key.asc

and import this key as environment variable: export SOPS_IMPORT_PGP="$(cat key.asc)" && export SOPS_PGP_FP="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"

Generator

To generate secrets we use template that will be passed to kustomize as generators during airshipctl phase run secret-generate execution.

Encrypter

To encrypt the secrets that have been generated we use generic container executor. To start the secrets generate phase we need to execute following phase: airshipctl phase run secret-generate The executor run SOPS container and pass the pre-generated secrets to this container. This container encrypt the secrets and write it to directory specified in kustomizeSinkOutputDir(results/generated).

Decrypter

To decrypt previously encrypted secrets we use decrypt-secrets.yaml. It will run the decrypt sops function when we run KUSTOMIZE_PLUGIN_HOME=$(pwd)/manifests SOPS_IMPORT_PGP=$(cat key.asc) kustomize build --enable_alpha_plugins manifests/site/test-site/target/catalogues/