airship/airshipctl
Code Issues Proposed changes
Files
4e7b4efa8f23a72e86a6b51a54826429f7503b0f
airshipctl/manifests/site/test-site/target/generator
History
Vladislav Kuzmin 8dba799c18 Add secrets generator phase 
This phase builded on top of generic executor container.
It uses kustomize generator to generate secrets
and SOPS function to encrypt secrets.

Usage:
    1. `curl -fsSL -o key.asc https://raw.githubusercontent.com/mozilla/sops/master/pgp/sops_functional_tests_key.asc`
       Copy existing key from sops project
    2. `export SOPS_IMPORT_PGP="$(cat key.asc)" && export SOPS_PGP_FP="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"`
    3. `airshipctl phase run secret-generate`
        It will generate and encrypt secret in
        manifests/site/test-site/target/generator/results/generated/
    4. `KUSTOMIZE_PLUGIN_HOME=$(pwd)/manifests SOPS_IMPORT_PGP=$(cat key.asc) kustomize build --enable_alpha_plugins
        manifests/site/test-site/target/catalogues/ > output.txt`
	It will decrypt encrypted secret

Co-authored-by: Alexey Odinokov <aodinokov@mirantis.com>
Change-Id: I1682d71b7805eb36c407e712dcb747de799bc8bb
Relates-To: #379
2021-01-14 18:57:15 +00:00
..
results
Add secrets generator phase
2021-01-14 18:57:15 +00:00
kustomization.yaml
Add secrets generator phase
2021-01-14 18:57:15 +00:00
README.md
Add secrets generator phase
2021-01-14 18:57:15 +00:00
secret-template.yaml
Add secrets generator phase
2021-01-14 18:57:15 +00:00

README.md

Secrets generator/encrypter/decrypter

This directory contains an utility that helps generate, encrypt and decrypt secrects. These secrects can be used anywhere in manifests.

For example we can use PGP key from SOPS example. To get the key we need to run: curl -fsSL -o key.asc https://raw.githubusercontent.com/mozilla/sops/master/pgp/sops_functional_tests_key.asc

and import this key as environment variable: export SOPS_IMPORT_PGP="$(cat key.asc)" && export SOPS_PGP_FP="FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"

Generator

To generate secrets we use template that will be passed to kustomize as generators during airshipctl phase run secret-generate execution.

Encrypter

To encrypt the secrets that have been generated we use generic container executor. To start the secrets generate phase we need to execute following phase: airshipctl phase run secret-generate The executor run SOPS container and pass the pre-generated secrets to this container. This container encrypt the secrets and write it to directory specified in kustomizeSinkOutputDir(results/generated).

Decrypter

To decrypt previously encrypted secrets we use decrypt-secrets.yaml. It will run the decrypt sops function when we run KUSTOMIZE_PLUGIN_HOME=$(pwd)/manifests SOPS_IMPORT_PGP=$(cat key.asc) kustomize build --enable_alpha_plugins manifests/site/test-site/target/catalogues/