sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

allow hercules to access terraform secrets

Browse source
This commit is contained in:
zowoq 2023-03-13 07:47:34 +10:00
parent 4a54d2714d
commit f05a9e14a5
4 changed files with 46 additions and 32 deletions

2
.sops.yaml
View file

@ -4,6 +4,7 @@ keys:
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
- &github_actions age1hdmmmv423xajuv4pjumnj35j34e4rhta3wgatjafy3dxf38yycysqzl4mn
- &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
- &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
@ -21,6 +22,7 @@ creation_rules:
key_groups:
- age:
- *github_actions
- *hercules_tf
- *mic92
- *ryantm
- *zimbatm

2
roles/hercules-ci/default.nix
View file

@ -9,12 +9,14 @@ in
{
sops.secrets."binary-caches.json" = herculesSecret;
sops.secrets."cluster-join-token.key" = herculesSecret;
sops.secrets."hercules-secrets" = herculesSecret;
services.hercules-ci-agent = {
enable = true;
settings = {
binaryCachesPath = secrets."binary-caches.json".path;
clusterJoinTokenPath = secrets."cluster-join-token.key".path;
secretsJsonPath = secrets."hercules-secrets".path;
};
};
}

5
roles/hercules-ci/secrets.yaml
View file

@ -1,5 +1,6 @@
cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
binary-caches.json: ENC[AES256_GCM,data:pshvo/BxcIDXrWpW6jb1Hti8pqIEER+andBFpbOArKdaSb1LoVC45G+QwqLxjnDckiBeJm+refQE/x8i6QI0kYHcHEmX4iByvtcDM7RB6ZQSghTO0oqhi1blZRp+NjVdpgeti9VOkLPOYR+ruCDXeZmjt9fWnpGxC6ok5h5z5XLtq5xICy0DBl4VJXw3NwMnpIfj4vvczTP1TlUmP3GElHImRj6F59Vyw4jbTZRIqrib97x8nrO24t3P6RqooY0WHPR1sQXJebxCCO3TiJjxLHNtjLhJgez/O6Ou8CJx999wGvGmm3k8DzUDh94bnG12tal0PrPSJLdsQItpYqDPbK6f6R0wVmzcAywW22SCqk6kaCLGSDCYQRh3xGNsdmVfDQSJPjnAOJDNjJR5adoe8KPHIrc5eZiXjS9mJO7eYPX2IfkNHlM18NjT/Q716Ez9tnBatVb5+YKLlZMm+SSgWNxwZhBiQUvR3wdX3jOXIAjdfCGy4ocCffP05WC4YzjHo5E1EsOBN/cr5LfAS36XFwChHJ6iE4zjwsQe3X7jN9mlZdksBe8gEKFns2rr5IMmXG/enLdVjigRgDShNglP,iv:IOqba6lLXCEVZ+HNaH3uM4E3lbKzm8XCXlbAp6UPBIE=,tag:RX2d2UEWpZu48pW1UUaQcQ==,type:str]
hercules-secrets: ENC[AES256_GCM,data:sDNJiLGr084QtdTC2rUWjop1v+j/SvcJYhGfzrbBUJddJsMuL5XnDcFyzZrm+xoct5pGRMJtPPQya2sfXBdY3mmyNQ5hOCOECm3koYyxbnEkOgY0StmJS6z49+orqVJUafMyRih4Z+3gtMeDwsXQqZCc9OxYjF/SYghi0q1X1k3y8U9teAsS3rSkGlfJkYn5AYye1fEhXKgbAdkKWgUj72W9sTibdqkWG60cJLETb8/Y3o3a9cna3/is4yH0JdoWJHmwqmquvEybkM9WDQqlb4heXVpLEUTT+C7/U83eBSFabfpaCXD1XdnUztHT8foXqz+APJ0Ap99y2GddUarpju7dQ0uKHYc8ftowSxCOMzbAf7V3FV9deBOCKfrDMZE1nhOwAZQ/8E23wBfqYL4f60+hsZdSbErCsyVROHuofswlNLNOVU4beg92hwqNEpqyAyOuubRfn2xvuOnSoZ1N3nvCSWuItzqN4NaDGesiccuvS5Ncy9F0dgkQmx19MUDI4t2icXDcAr/v3rlTytWtlgpToEnkdmUASOZTy10Jz7zoPnjV1u+aDTaDpCq4QTZf2cDzNpdCETR0CtEuXX6FkTLwbW4NpeTsNVaIQgHoKA2lFmKYsqQzC9/spfnjLzdGAs+aNbf//X5epkIVnP/wxF2gEVd4JOK2kujNYPDOcNhUQd9dlenNkWMEGIgvZDbpR+aIXj8u/3AbWN+tUdeWEFGd0j0DKRtNoMdsBn/nkNtrlrseAzo8CqzSLHU7kKoamg==,iv:NIGlQcBdU0AQQ2LDHCdCyqSzsWQALTZQDKGTqwYFvjc=,tag:ImbGAtmDxkyhJ10q6vF0ig==,type:str]
sops:
kms: []
gcp_kms: []
@ -69,8 +70,8 @@ sops:
QTh4K0xzYVgzWVcwNzJ6bHFncHNTNHMK/iAbmGaTunJefyKK/GQYYMzd1PY+hvOt
i2SfjO8ZPXRkQcDxRa5EqOkKzpzBijjSsGGH04MprCBI6ysaJA+lEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-05T03:29:16Z"
mac: ENC[AES256_GCM,data:/ds2F2gy1lH11QCXZzRdXKpf/iPCyPyfHr0HnqA+mzenMBEMonpckMXKr/i9RrzJxTEx6RCCMiV+by/c0WR0BWkI5P+2aaMqcjXigzL0Ec9LPjH5XcDlN5eeqRCrd8jYsrZpo4te2CKNsA6ramcBN+qaaIPJB9zBJMhXjYAnMM0=,iv:68T2ZiJc/9nZUXZPTaU9ygl8SNuCsWBjVmRGkEJOex4=,tag:Imt27qoaJU6pnU2DzHC7AA==,type:str]
lastmodified: "2023-03-12T21:46:12Z"
mac: ENC[AES256_GCM,data:5o9P5p96LsGRwv05j7ncU006DnUeXn/nKKAtAw0gofkFr95Wntd9NXsbzGEy4Mjlzlwr6noJtzqPHZxP09nWUYLrVAn5/D+6tU39dpS/zfbYx4vQQwH1KOrlwbOaV1WQVz9du4XBITH/Pf1rL4p48nAjCboTs4W3/jMGXM70WNs=,iv:NxIiEWLd4R2eONOh7WLyLcaxxvCNk+fRqo3EQNM03dk=,tag:DUmrpTsggi5UdM8nbSzdKw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

69
terraform/secrets.yaml
View file

@ -9,50 +9,59 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1hdmmmv423xajuv4pjumnj35j34e4rhta3wgatjafy3dxf38yycysqzl4mn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMaXNzeGRhNk93VTMwWVly
c0FKQXJiM2xjNElqb09YL0VKY1orRkpUZndBCi9oNnIvck9NeGRDWm9hbGF4RWd3
bUhwVGsrV1dNMGErTjhhbk96YTc3MUUKLS0tIDAyOGtJOHZndVM2Mm9ja2Juck9o
Mm0xdzRNOERBTjBSejd4Y01kYjBpRTQK3olfsRDAezCEx0GIDUcGmmkJyZNeiXN6
NFatlmRBSr4JH6X0JHfWzsC9oc3ursytLf7Hf3t/4mHg1EefgaML9A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL0NMSmdYV3RraUh6M0c3
d3I2dksrQ3dXdGpXVTFsRnVBNy9vRjFkK20wCmJkSzBvNzFyVi9EMFl4eWFNYno1
VGxOdkF2VHU5Mmp6K2gwSnc4OG1oUXMKLS0tIHh4bWxEVjdubk5TeWhONU0xamxt
dERwMTNibXpNSjlKTkJhK0FEZi9IekkKER40oOuP7YgRXN2R0G8rTDOk4qoayKHG
4SYSVqULCn/79ayYkx2XDLim2Wuws9yyxxG5TiZd70Ym3V7TPF3eTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIM3pBNmc4OCtCVWN3dm5E
Q2tLdDF3Z3Z0NS9JeWtBZGxXNzZBeHFXVFZ3CkZZaW16WVNlNEc0YVpOejRJbkJ4
RFdkeDZHMkxySVIxMHlEbGhaMkE0NUUKLS0tIHYvYkplcURmSkNiT2cwdHJhQjli
ZHNQcDVuY09IMWFJSmp0allJUzVISVkKRH1UGq0sObtWTEf3fAnSDbZ+3AkgoNat
ZF7d/WuLsZYIS5C4/lx6W4qcM3ZkYFeE7KVP+scD6KnO7eeBPNFNSw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTTFITkFIYzJIRnA4am0x
Y1UrS1VkYllKczUwYmtOcGswMEJ6d05TVWw0CnpZWmhCQWNjd2Jyd3hCeXVJeHlX
ZHJhK0xPY2RVVXBNNzdEQ3FFeENpbUUKLS0tIHRJckYwL0p3ZlZjZVVIaDg2a1ho
d2M0U05YaExrZmh5czFPSVRXUFlsNGsKT9YmqWb9t1N1A8+Qm8ZqXIVh+xOh0B66
luiM+s2yrxus4d8E0YPQqpqUTWnHKYaQ33/pWwH9JJqFBFMU9ISpig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMk1VZXN2eTJraVJpM3hB
NnNrN1B0Q1F4ejNacVgvdkhPNytuSmc5bjJBCndRZ3E5Z2Y0eHB6ODErcEQ0dkp4
MVQ0dm9xTkdRT3p5RXRyRDZPR1FOV1kKLS0tIFJySENhSGI1UFhWZG90ODN1WlNv
V1hvOXdmZEwwbHRiUkxEM2JrM3BDTzgK1GR3QVwflr7EgtHoy1gbpVK7COsPxI9y
CSq1Aak5rCU0F0wTJcZxLTE5tHErYaqD6exxTM1zk4SVcevdyHiu1Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdWRzdFNWeHNkYUM5MkFq
bmVoSjE4a0QwYnN3SEZCcW1maFlmS0NQNmtvClhJcXF2UVpnQ014SGdwNlFjaEN4
bDI5Q2FVSUJuOWpIVGUzREVUVXltVTAKLS0tIDRFSzJldXR5NUUrekVvd1FyMHR2
TDN5WlkxanVxeWFjVmFNU0s0L25tVzQK8hYYaWng3ferINNh6x12z/d87A1E2gid
0EugOY4LIIk98bUB0jEh6J/lIJ1NbOKEzimjktUengdM2T6Yf4Nsew==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYVhzMkF6M3cwc0l3Zzlr
dE1ha2hkK3lPZkgvZkR5Sk5HV1FlcjkveEVZCnErNGRHbFRJZWZCQUg2Ukx4V094
dkZ6QTJqaG9Pa0FBMk5VWHJaNUE4N1UKLS0tIFVyNDdHczhZaDlkeVZEMFErTEVW
ME9vKzJIV2U3U1lYM3huUTRkOS8zbzgKAPHThcG53rpyNnqaJWc5PeUi1VtyAqEj
Egv6gsELcg993JyvXx6920/8tSMt1cGUW4vfvHkhBUF9TM/Bn1hS0A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTTd5QnRvb0ZZd0VDZTZq
TmM4M3Flc2c0SXVqVUs0cXhrZ29BVU9qakRJCnJidE5UdDlUUlQ0MmdxZE1BTHFs
NGFvTXJUM2RLeGhTc1ZBN3kxM0tVZGsKLS0tIGtET05DOVZOQ0JpejlKMnROd0c1
bEUvNERlVXZ1dVhhUElQL2Rta0h4bWMK8epdovp7pJNjSKzFGQa1jC43x5TLzXaQ
xVbKblq6Eg0IBBBMURHnOPFHxp+hzuoYmiVpFXPnNpCzAg0Xs+86hA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySUgxNnl4cGxOTDVVMFFo
bVVBV3JOdjgremxWMW8veXpXV0FhQ3lQeTNzCnZHVm9RZWFXYzVnS3RzOGlScy9L
aWxLN1RPcEltUGtGRklSRmZvM05INlUKLS0tIEFlWGxZMDFXaXZiMTFyNEQ2ejcw
WGdnV0F6ZHZQTkQ3K291VnVBR2JrdncKzqwRD0XNz9GOKtlBC5quRY8uGaYXY5rf
sHWz57NYh3w+QeF/dGe1Ny777ur5rwQbeFgnFjN7lavkWwrKKVzZFA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hdmmmv423xajuv4pjumnj35j34e4rhta3wgatjafy3dxf38yycysqzl4mn
- recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWFJFQXI2TmtIbUNTQ1lR
YVptZEJMUFhMODZWMjNNTzlxdTgrbVdqR1JvCkI0b0prckozWjhuRXpwSzVjejJp
eWdPMXAyL3ZVUmFqa3NubFJGNzRJaEUKLS0tIHo3bjY4NHhQUVg3cWlNMXF5aEhR
MnhHSHdqd2xxbk5OWEx1Q3hGTGcySWsKnGKLLHKPewnG83Ejc+NJkfKsl8Z6vmSA
Ao8Dc09GJzou5X0fP2h1/CpsB6XASD1Qox2oxEYPZvWNtiFGAaq9tg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZTJUNEFXN2pNUnYvZUpV
RzU5SUJkR0g3RmJLbWhFdFc1alBJNjMrNnlNCjdYY0VwRzkrcmhWOGg3SGQ5eVQy
ZUo3ejZsRVdCTENBMG1kcXhHSzdkZkEKLS0tIEJvZEx4T3NFS1hDT3NGc1ZTejQ4
akl4L2M1ZE1lZGpWVnRTRmw2OXJFdG8KBOVFOXsyEYPAiaUoC51Op/yBsgxo1SYM
fcHbyvKqhV5gea/IKYbIE8XKM0ERgTi72tQBducylvclDh7sXYL6LA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-15T03:05:31Z"
mac: ENC[AES256_GCM,data:n3I8BMP5sTYiSZwmW0QXZ61WUANo7smy1W1Ctfb1Xuv/5kOTKaqaMu5osk7DTBihtXTuQIgTKqvnWaZ/V0PAQJpu6kt5SoUmfzL3QeVUbvrWhKd2EpWhncD1ZmL7WvpLYXTD6a2ubGm7n+4NuwgYXZbG4xy/Q+ASDeum4MthgtE=,iv:h6+ah6wQDMkcaj4+Hy+7jWF58XeepJKW+tnW6bLF1gg=,tag:j4telEtpvSWqkwk7U3OWZA==,type:str]