airship
/
treasuremap
Code Issues Proposed changes
treasuremap/manifests/type/airship-core/shared/update-secrets/template.yaml

141 lines
6.3 KiB
YAML
Raw Blame History

apiVersion: airshipit.org/v1alpha1
kind: Templater
metadata:
name: secret-template
annotations:
config.kubernetes.io/function: |
container:
image: quay.io/airshipit/templater:latest
envs:
- FORCE_REGENERATE
- ONLY_CLUSTERS
- DEBUG_TEMPLATER
values:
# these settings are overridable
sshKeyGen:
encBit: 4096
ephemeralCluster:
ca:
subj: "/CN=Kubernetes API"
validity: 3650
kubeconfigCert:
subj: "/CN=admin/O=system:masters"
validity: 365
targetCluster:
ca:
subj: "/CN=Kubernetes API"
validity: 3650
kubeconfigCert:
subj: "/CN=admin/O=system:masters"
validity: 365
template: |
{{/***********************************************************************/}}
{{/* define regenerate templates for different sections */}}
{{/***********************************************************************/}}
{{- define "regenEphemeralK8sSecrets" -}}
{{- $ClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }}
{{- $KubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ClusterCa -}}
values:
- data: {{ $ClusterCa.Cert | b64enc | quote }}
name: caCrt
- data: {{ $ClusterCa.Key | b64enc | quote }}
name: caKey
- data: {{ $KubeconfigCert.Cert | b64enc | quote }}
name: crt
- data: {{ $KubeconfigCert.Key | b64enc | quote }}
name: key
{{- end -}}
{{- define "regenTargetK8sSecrets" -}}
{{- $ClusterCa := genCAEx .targetCluster.ca.subj (int .targetCluster.ca.validity) }}
{{- $KubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil (int .targetCluster.kubeconfigCert.validity) $ClusterCa }}
values:
- data: {{ $ClusterCa.Cert | b64enc | quote }}
name: caCrt
- data: {{ $ClusterCa.Key | b64enc | quote }}
name: caKey
- data: {{ $KubeconfigCert.Cert | b64enc | quote }}
name: crt
- data: {{ $KubeconfigCert.Key | b64enc | quote }}
name: key
{{- end -}}
{{- define "regenIsoImageSecrets" -}}
values:
- data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }}
name: rootPasswd
- data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }}
name: deployerPasswd
{{- end -}}
{{- define "regenTargetSshSecrets" -}}
{{- $sshKey := genSSHKeyPair (int .sshKeyGen.encBit) }}
values:
- data: {{ $sshKey.Private | quote }}
name: privateKey
- data: {{ $sshKey.Public | quote }}
name: publicKey
{{- end -}}
{{/***********************************************************************/}}
{{- $onlyClusters := list -}}
{{- if not (eq (env "ONLY_CLUSTERS") "") -}}
{{- $onlyClusters = splitList "," (env "ONLY_CLUSTERS") -}}
{{- end -}}
{{/***********************************************************************/}}
{{/* get combined-secrets yaml and exclude it from the bundle */}}
{{- $combinedSecrets := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false"))) 0 -}}
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "true"))) -}}
{{/* get combined-secrets-import yaml and exclude it from the bundle */}}
{{- $combinedSecretsImport := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$"))) 0 -}}
{{/* skip secrets generation if it wasn't decrypted */}}
{{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "ephemeral" $onlyClusters)) -}}
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$" "true"))) -}}
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: "false"
name: combined-ephemeral-secrets-import
secretGroups: []
---
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
annotations:
config.kubernetes.io/path: "ephemeral/catalogues/encrypted/secrets.yaml"
labels:
airshipit.org/deploy-k8s: "false"
name: combined-ephemeral-secrets
secretGroups:
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "isoImageSecrets" "once" "regenIsoImageSecrets" ) | indent 4 | trim }}
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "ephemeralK8sSecrets" "once" "regenEphemeralK8sSecrets" ) | indent 4 | trim }}
---
{{- end -}}
{{/***********************************************************************/}}
{{/* get combined-secrets yaml and exclude it from the bundle */}}
{{- $combinedSecrets = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "false"))) 0 -}}
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "true"))) -}}
{{/* get combined-secrets-import yaml and exclude it from the bundle */}}
{{- $combinedSecretsImport = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$"))) 0 -}}
{{/* skip secrets generation if it wasn't decrypted */}}
{{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "target" $onlyClusters)) -}}
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$" "true"))) -}}
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
labels:
airshipit.org/deploy-k8s: "false"
name: combined-target-secrets-import
secretGroups: []
---
apiVersion: airshipit.org/v1alpha1
kind: VariableCatalogue
metadata:
annotations:
config.kubernetes.io/path: "target/catalogues/encrypted/secrets.yaml"
labels:
airshipit.org/deploy-k8s: "false"
name: combined-target-secrets
secretGroups:
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "targetK8sSecrets" "yearly" "regenTargetK8sSecrets" ) | indent 4 | trim }}
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "targetSshSecrets" "yearly" "regenTargetSshSecrets" ) | indent 4 | trim }}
---
{{- end -}}
View Git Blame Copy Permalink