airship/airshipctl
Code Issues Proposed changes
8dddae9daa
airshipctl/tools/deployment/update-krm-images
Alexey Odinokov e2c56108ee Nextgen secrets implementation with separation per cluster 
1. Extending templater with kyaml functions and creating combined catalogue
to be able to request/update the existing resources.
This is based on 'everything is transformer' concept introduced in kustomize 4.x
That includes gathering all secrets into 1 variable catalogue and
special mechanism to regenerate/merge with manual secrets.

2. Implementing 'catalogue per cluster' approach for secrets.

3. Rearranging secrets so it's possible to use:
pgp (each person may have his own key), age, Hachicorp Vault and etc
and the list of people who can decrypt documents is set in a special file.
Since in some cases there should be a separate list of people who can decrypt
data - this list is set for each cluster (ephemeral and target) separatelly.

Closes: #586
Change-Id: I038f84dd138d5ad4a35f4862c61ff2124c2fd530
2021-09-03 20:46:15 +00:00

44 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
set -xe
export MANIFEST_DIR=${MANIFEST_DIR:-"$(pwd)"}
export OLD_REPLACEMENT_TRANSFORMER=${OLD_REPLACEMENT_TRANSFORMER:-"localhost/replacement-transformer"}
export OLD_TEMPLATER=${OLD_TEMPLATER:-"localhost/templater"}
export OLD_CLOUD_INIT=${OLD_CLOUD_INIT:-"localhost/cloud-init"}
export OLD_TOOLBOX=${OLD_TOOLBOX:-"localhost/toolbox"}
export OLD_KUBEVAL_VALIDATOR=${OLD_KUBEVAL_VALIDATOR:-"localhost/kubeval-validator"}
export OLD_SOPS=${OLD_SOPS:-"gcr.io/kpt-fn-contrib/sops:v0.3.0"}
export NEW_REPLACEMENT_TRANSFORMER=${NEW_REPLACEMENT_TRANSFORMER:-$OLD_REPLACEMENT_TRANSFORMER}
export NEW_TEMPLATER=${NEW_TEMPLATER:-$OLD_TEMPLATER}
export NEW_CLOUD_INIT=${NEW_CLOUD_INIT:-$OLD_CLOUD_INIT}
export NEW_TOOLBOX=${NEW_TOOLBOX:-$OLD_TOOLBOX}
export NEW_KUBEVAL_VALIDATOR=${NEW_KUBEVAL_VALIDATOR:-$OLD_KUBEVAL_VALIDATOR}
export NEW_SOPS=${NEW_SOPS:-$OLD_SOPS}
find "$MANIFEST_DIR" -type f -exec sed -i -e "s#$OLD_REPLACEMENT_TRANSFORMER#$NEW_REPLACEMENT_TRANSFORMER#g" {} \;
find "$MANIFEST_DIR" -type f -exec sed -i -e "s#$OLD_TEMPLATER#$NEW_TEMPLATER#g" {} \;
find "$MANIFEST_DIR" -type f -exec sed -i -e "s#$OLD_CLOUD_INIT#$NEW_CLOUD_INIT#g" {} \;
find "$MANIFEST_DIR" -type f -exec sed -i -e "s#$OLD_TOOLBOX#$NEW_TOOLBOX#g" {} \;
find "$MANIFEST_DIR" -type f -exec sed -i -e "s#$OLD_KUBEVAL_VALIDATOR#$NEW_KUBEVAL_VALIDATOR#g" {} \;
find "$MANIFEST_DIR" -type f -exec sed -i -e "s#$OLD_SOPS#$NEW_SOPS#g" {} \;
View Git Blame Copy Permalink