141 lines
6.3 KiB
YAML
141 lines
6.3 KiB
YAML
apiVersion: airshipit.org/v1alpha1
|
|
kind: Templater
|
|
metadata:
|
|
name: secret-template
|
|
annotations:
|
|
config.kubernetes.io/function: |
|
|
container:
|
|
image: quay.io/airshipit/templater:latest
|
|
envs:
|
|
- FORCE_REGENERATE
|
|
- ONLY_CLUSTERS
|
|
- DEBUG_TEMPLATER
|
|
values:
|
|
# these settings are overridable
|
|
sshKeyGen:
|
|
encBit: 4096
|
|
ephemeralCluster:
|
|
ca:
|
|
subj: "/CN=Kubernetes API"
|
|
validity: 3650
|
|
kubeconfigCert:
|
|
subj: "/CN=admin/O=system:masters"
|
|
validity: 365
|
|
targetCluster:
|
|
ca:
|
|
subj: "/CN=Kubernetes API"
|
|
validity: 3650
|
|
kubeconfigCert:
|
|
subj: "/CN=admin/O=system:masters"
|
|
validity: 365
|
|
template: |
|
|
{{/***********************************************************************/}}
|
|
{{/* define regenerate templates for different sections */}}
|
|
{{/***********************************************************************/}}
|
|
{{- define "regenEphemeralK8sSecrets" -}}
|
|
{{- $ClusterCa := genCAEx .ephemeralCluster.ca.subj (int .ephemeralCluster.ca.validity) }}
|
|
{{- $KubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil (int .ephemeralCluster.kubeconfigCert.validity) $ClusterCa -}}
|
|
values:
|
|
- data: {{ $ClusterCa.Cert | b64enc | quote }}
|
|
name: caCrt
|
|
- data: {{ $ClusterCa.Key | b64enc | quote }}
|
|
name: caKey
|
|
- data: {{ $KubeconfigCert.Cert | b64enc | quote }}
|
|
name: crt
|
|
- data: {{ $KubeconfigCert.Key | b64enc | quote }}
|
|
name: key
|
|
{{- end -}}
|
|
{{- define "regenTargetK8sSecrets" -}}
|
|
{{- $ClusterCa := genCAEx .targetCluster.ca.subj (int .targetCluster.ca.validity) }}
|
|
{{- $KubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil (int .targetCluster.kubeconfigCert.validity) $ClusterCa }}
|
|
values:
|
|
- data: {{ $ClusterCa.Cert | b64enc | quote }}
|
|
name: caCrt
|
|
- data: {{ $ClusterCa.Key | b64enc | quote }}
|
|
name: caKey
|
|
- data: {{ $KubeconfigCert.Cert | b64enc | quote }}
|
|
name: crt
|
|
- data: {{ $KubeconfigCert.Key | b64enc | quote }}
|
|
name: key
|
|
{{- end -}}
|
|
{{- define "regenIsoImageSecrets" -}}
|
|
values:
|
|
- data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }}
|
|
name: rootPasswd
|
|
- data: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org" | quote }}
|
|
name: deployerPasswd
|
|
{{- end -}}
|
|
{{- define "regenTargetSshSecrets" -}}
|
|
{{- $sshKey := genSSHKeyPair (int .sshKeyGen.encBit) }}
|
|
values:
|
|
- data: {{ $sshKey.Private | quote }}
|
|
name: privateKey
|
|
- data: {{ $sshKey.Public | quote }}
|
|
name: publicKey
|
|
{{- end -}}
|
|
{{/***********************************************************************/}}
|
|
{{- $onlyClusters := list -}}
|
|
{{- if not (eq (env "ONLY_CLUSTERS") "") -}}
|
|
{{- $onlyClusters = splitList "," (env "ONLY_CLUSTERS") -}}
|
|
{{- end -}}
|
|
{{/***********************************************************************/}}
|
|
{{/* get combined-secrets yaml and exclude it from the bundle */}}
|
|
{{- $combinedSecrets := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "false"))) 0 -}}
|
|
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets$" "true"))) -}}
|
|
{{/* get combined-secrets-import yaml and exclude it from the bundle */}}
|
|
{{- $combinedSecretsImport := index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$"))) 0 -}}
|
|
{{/* skip secrets generation if it wasn't decrypted */}}
|
|
{{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "ephemeral" $onlyClusters)) -}}
|
|
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-ephemeral-secrets-import$" "true"))) -}}
|
|
apiVersion: airshipit.org/v1alpha1
|
|
kind: VariableCatalogue
|
|
metadata:
|
|
labels:
|
|
airshipit.org/deploy-k8s: "false"
|
|
name: combined-ephemeral-secrets-import
|
|
secretGroups: []
|
|
---
|
|
apiVersion: airshipit.org/v1alpha1
|
|
kind: VariableCatalogue
|
|
metadata:
|
|
annotations:
|
|
config.kubernetes.io/path: "ephemeral/catalogues/encrypted/secrets.yaml"
|
|
labels:
|
|
airshipit.org/deploy-k8s: "false"
|
|
name: combined-ephemeral-secrets
|
|
secretGroups:
|
|
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "isoImageSecrets" "once" "regenIsoImageSecrets" ) | indent 4 | trim }}
|
|
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "ephemeralK8sSecrets" "once" "regenEphemeralK8sSecrets" ) | indent 4 | trim }}
|
|
---
|
|
{{- end -}}
|
|
{{/***********************************************************************/}}
|
|
{{/* get combined-secrets yaml and exclude it from the bundle */}}
|
|
{{- $combinedSecrets = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "false"))) 0 -}}
|
|
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets$" "true"))) -}}
|
|
{{/* get combined-secrets-import yaml and exclude it from the bundle */}}
|
|
{{- $combinedSecretsImport = index (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$"))) 0 -}}
|
|
{{/* skip secrets generation if it wasn't decrypted */}}
|
|
{{- if and (eq (include "isEncrypted" $combinedSecrets) "false") (or (eq (len $onlyClusters) 0) (has "target" $onlyClusters)) -}}
|
|
{{- $_ := setItems (KOneFilter getItems (include "grepTpl" (list "[\"metadata\", \"name\"]" "^combined-target-secrets-import$" "true"))) -}}
|
|
apiVersion: airshipit.org/v1alpha1
|
|
kind: VariableCatalogue
|
|
metadata:
|
|
labels:
|
|
airshipit.org/deploy-k8s: "false"
|
|
name: combined-target-secrets-import
|
|
secretGroups: []
|
|
---
|
|
apiVersion: airshipit.org/v1alpha1
|
|
kind: VariableCatalogue
|
|
metadata:
|
|
annotations:
|
|
config.kubernetes.io/path: "target/catalogues/encrypted/secrets.yaml"
|
|
labels:
|
|
airshipit.org/deploy-k8s: "false"
|
|
name: combined-target-secrets
|
|
secretGroups:
|
|
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "targetK8sSecrets" "yearly" "regenTargetK8sSecrets" ) | indent 4 | trim }}
|
|
- {{ include "group" (list . $combinedSecrets $combinedSecretsImport "targetSshSecrets" "yearly" "regenTargetSshSecrets" ) | indent 4 | trim }}
|
|
---
|
|
{{- end -}}
|