infra/gcp: manage aaa secrets via terraform #3028
/cc @ameukam
Perhaps unsurprisingly, the bash script to import all of this looks not unlike the bash script that is being removed...

```bash
#!/usr/bin/env bash
# Abort on the first failed import rather than continuing with half the state imported.
set -euo pipefail

project="kubernetes-public"
secret_specs=()

# Secrets grouped by the app that owns them; the app name also determines
# which k8s-infra-rbac-<app> group is granted admin on the secret.
prow_secrets=(
k8s-infra-build-clusters-kubeconfig
k8s-infra-cherrypick-robot-github-token
k8s-infra-ci-robot-github-account-password
k8s-infra-ci-robot-github-token
k8s-infra-prow-cookie
k8s-infra-prow-github-oauth-config
k8s-infra-prow-hmac-token
)
publishing_bot_secrets=(
publishing-bot-github-token
)
slack_infra_secrets=(
recaptcha-secret-key
recaptcha-site-key
slack-event-log-config
slack-moderator-config
slack-moderator-words-config
slack-post-message-config
slack-welcomer-config
slackin-token
)
triageparty_release_secrets=(
triage-party-github-token
)
elekto_secrets=(
elekto-db-database
elekto-db-host
elekto-db-password
elekto-db-port
elekto-db-username
elekto-github-client-id
elekto-github-client-secret
elekto-meta-secret
)

# Flatten into "<secret>/<app>" specs so a single loop can handle every group.
mapfile -t secret_specs < <(
printf "%s/prow\n" "${prow_secrets[@]}"
printf "%s/publishing-bot\n" "${publishing_bot_secrets[@]}"
printf "%s/slack-infra\n" "${slack_infra_secrets[@]}"
printf "%s/triageparty-release\n" "${triageparty_release_secrets[@]}"
printf "%s/elekto\n" "${elekto_secrets[@]}"
)

for spec in "${secret_specs[@]}"; do
secret="$(echo "${spec}" | cut -d/ -f1)"
app="$(echo "${spec}" | cut -d/ -f2)"
owners="k8s-infra-rbac-${app}@kubernetes.io"
role="roles/secretmanager.admin"
# Resource addresses are quoted so the [...] map key is not subject to glob expansion;
# the escaped quotes inside are what terraform expects around a for_each key.
terraform import \
"google_secret_manager_secret.aaa_app_secrets[\"${secret}\"]" \
"projects/${project}/secrets/${secret}"
terraform import \
"google_secret_manager_secret_iam_binding.aaa_app_secret_admins[\"${secret}\"]" \
"projects/${project}/secrets/${secret} ${role} group:${owners}"
done
```

Verifying via
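For readers unfamiliar with the addresses the import script targets, the following is an added sketch of the Terraform resources they would resolve to. It is not the PR's own code: the `local.aaa_app_secrets` map, the `replication` block, and the exact attribute layout are assumptions; the resource names, project, role and group naming scheme come from the script above.

```hcl
# Added example, not from the PR. Assumed: a secret -> owning app map kept in a
# local, project kubernetes-public, and one k8s-infra-rbac-<app>@kubernetes.io
# group per app that administers that app's secrets.

locals {
  project = "kubernetes-public"

  # secret name -> app that owns it (a representative subset, assumed layout)
  aaa_app_secrets = {
    "k8s-infra-prow-hmac-token"   = "prow"
    "publishing-bot-github-token" = "publishing-bot"
    "slackin-token"               = "slack-infra"
    "triage-party-github-token"   = "triageparty-release"
    "elekto-db-password"          = "elekto"
  }
}

# One Secret Manager secret per map entry. Only the secret container is
# managed here; the secret payload (a secret version) is never written to
# this config or to Terraform state.
resource "google_secret_manager_secret" "aaa_app_secrets" {
  for_each  = local.aaa_app_secrets
  project   = local.project
  secret_id = each.key

  replication {
    automatic = true
  }
}

# Authoritative binding: the app's RBAC group gets admin on its own secret,
# and any other member granted this role on the secret is removed on apply.
resource "google_secret_manager_secret_iam_binding" "aaa_app_secret_admins" {
  for_each  = local.aaa_app_secrets
  project   = local.project
  secret_id = google_secret_manager_secret.aaa_app_secrets[each.key].secret_id
  role      = "roles/secretmanager.admin"
  members   = ["group:k8s-infra-rbac-${each.value}@kubernetes.io"]
}
```

With this layout the address `google_secret_manager_secret.aaa_app_secrets["k8s-infra-prow-hmac-token"]` is exactly what the script's `terraform import` calls refer to, and the binding's import ID is the `<secret resource id> <role> <member>` triple the script constructs. Because an `iam_binding` is authoritative for its role, a `terraform plan` after import doubles as a check that no unexpected principal holds `secretmanager.admin` on any of these secrets.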
/hold

This will result in one actual change which I think is fine given that we've got this password in 1password now

cb106fe to 305408e

/hold cancel
/lgtm
/hold

Don't want to cause this to merge immediately because I'm still new to k8s-infra. I've validated that all of the secrets should align the same way and should evaluate equivalently (plus I also saw @spiffxp's testing). The DSL is also fairly nice for managing secrets in the future.
] | ||
}, | ||
} | ||
// Even though we could just use the list, we're going to keep parity with |
honestly also makes for a fairly nice DSL
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: endocrimes, spiffxp. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

/lgtm

/hold cancel
Deployed by updating state using the script above and running `terraform apply`
Related:
This removes the last of the bash-based secret provisioning code. This will require terraform import commands to deploy