From f05a9e14a5781f9091075a82929c4a1588fd38c5 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Mon, 13 Mar 2023 07:47:34 +1000
Subject: [PATCH] allow hercules to access terraform secrets
---
.sops.yaml | 2 +
roles/hercules-ci/default.nix | 2 +
roles/hercules-ci/secrets.yaml | 5 ++-
terraform/secrets.yaml | 69 +++++++++++++++++++---------------
4 files changed, 46 insertions(+), 32 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 3d003aa..bfde39c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
- &build03 age1qg7tfjwzp6dxwkw9vej6knkhdvqre3fu7ryzsdk5ggvtdx854ycqevlwnq
- &build04 age1r464z5e2shvnh9ekzapgghevr9wy7spd4d7pt5a89ucdk6kr6yhqzv5gkj
- &github_actions age1hdmmmv423xajuv4pjumnj35j34e4rhta3wgatjafy3dxf38yycysqzl4mn
+ - &hercules_tf age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
- &mic92 age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
- &ryantm age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
- &zimbatm age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
@@ -21,6 +22,7 @@ creation_rules:
key_groups:
- age:
- *github_actions
+ - *hercules_tf
- *mic92
- *ryantm
- *zimbatm
diff --git a/roles/hercules-ci/default.nix b/roles/hercules-ci/default.nix
index bf6de6b..f9ad6de 100644
--- a/roles/hercules-ci/default.nix
+++ b/roles/hercules-ci/default.nix
@@ -9,12 +9,14 @@ in
{
sops.secrets."binary-caches.json" = herculesSecret;
sops.secrets."cluster-join-token.key" = herculesSecret;
+ sops.secrets."hercules-secrets" = herculesSecret;
services.hercules-ci-agent = {
enable = true;
settings = {
binaryCachesPath = secrets."binary-caches.json".path;
clusterJoinTokenPath = secrets."cluster-join-token.key".path;
+ secretsJsonPath = secrets."hercules-secrets".path;
};
};
}
diff --git a/roles/hercules-ci/secrets.yaml b/roles/hercules-ci/secrets.yaml
index 7c9bb6f..3a40f1f 100644
--- a/roles/hercules-ci/secrets.yaml
+++ b/roles/hercules-ci/secrets.yaml
@@ -1,5 +1,6 @@
cluster-join-token.key: ENC[AES256_GCM,data:Ba8S5Cx3NJR/FoKkSVc5pX1bwKkYHAhTid3dlWcGRXPCmVtrMgBKLjDZ5b3AajZio+IvS7XNajsVqPUB/rsBUPL+mz/DPbnI4bibLkB0KZl5v6FnMf6RbGr7RWbEsGXWlJh77l/AmGRWJTj7Dh3LaQ53dguhNIDuXGvNhTLs690/93Xnc+x+d5tzl2hNz/A4/IQxpsRoJJKygqGndbc0bTUPo0QZMLtf8kHQtCiozfm1SeW49ITnM+4VCOJB8NkSkwUfy5Rs574fFijYSOGT8LSSH0ly2oxHEY+UaJudRhjr5uzrcZPI/WrrtkI=,iv:87JRtvlkkExu37uYRaHojsk1vjhO1ocw2L9yE+7shpI=,tag:0de71eZjy8F/w0LQzOVAyg==,type:str]
binary-caches.json: ENC[AES256_GCM,data:pshvo/BxcIDXrWpW6jb1Hti8pqIEER+andBFpbOArKdaSb1LoVC45G+QwqLxjnDckiBeJm+refQE/x8i6QI0kYHcHEmX4iByvtcDM7RB6ZQSghTO0oqhi1blZRp+NjVdpgeti9VOkLPOYR+ruCDXeZmjt9fWnpGxC6ok5h5z5XLtq5xICy0DBl4VJXw3NwMnpIfj4vvczTP1TlUmP3GElHImRj6F59Vyw4jbTZRIqrib97x8nrO24t3P6RqooY0WHPR1sQXJebxCCO3TiJjxLHNtjLhJgez/O6Ou8CJx999wGvGmm3k8DzUDh94bnG12tal0PrPSJLdsQItpYqDPbK6f6R0wVmzcAywW22SCqk6kaCLGSDCYQRh3xGNsdmVfDQSJPjnAOJDNjJR5adoe8KPHIrc5eZiXjS9mJO7eYPX2IfkNHlM18NjT/Q716Ez9tnBatVb5+YKLlZMm+SSgWNxwZhBiQUvR3wdX3jOXIAjdfCGy4ocCffP05WC4YzjHo5E1EsOBN/cr5LfAS36XFwChHJ6iE4zjwsQe3X7jN9mlZdksBe8gEKFns2rr5IMmXG/enLdVjigRgDShNglP,iv:IOqba6lLXCEVZ+HNaH3uM4E3lbKzm8XCXlbAp6UPBIE=,tag:RX2d2UEWpZu48pW1UUaQcQ==,type:str]
+hercules-secrets: ENC[AES256_GCM,data:sDNJiLGr084QtdTC2rUWjop1v+j/SvcJYhGfzrbBUJddJsMuL5XnDcFyzZrm+xoct5pGRMJtPPQya2sfXBdY3mmyNQ5hOCOECm3koYyxbnEkOgY0StmJS6z49+orqVJUafMyRih4Z+3gtMeDwsXQqZCc9OxYjF/SYghi0q1X1k3y8U9teAsS3rSkGlfJkYn5AYye1fEhXKgbAdkKWgUj72W9sTibdqkWG60cJLETb8/Y3o3a9cna3/is4yH0JdoWJHmwqmquvEybkM9WDQqlb4heXVpLEUTT+C7/U83eBSFabfpaCXD1XdnUztHT8foXqz+APJ0Ap99y2GddUarpju7dQ0uKHYc8ftowSxCOMzbAf7V3FV9deBOCKfrDMZE1nhOwAZQ/8E23wBfqYL4f60+hsZdSbErCsyVROHuofswlNLNOVU4beg92hwqNEpqyAyOuubRfn2xvuOnSoZ1N3nvCSWuItzqN4NaDGesiccuvS5Ncy9F0dgkQmx19MUDI4t2icXDcAr/v3rlTytWtlgpToEnkdmUASOZTy10Jz7zoPnjV1u+aDTaDpCq4QTZf2cDzNpdCETR0CtEuXX6FkTLwbW4NpeTsNVaIQgHoKA2lFmKYsqQzC9/spfnjLzdGAs+aNbf//X5epkIVnP/wxF2gEVd4JOK2kujNYPDOcNhUQd9dlenNkWMEGIgvZDbpR+aIXj8u/3AbWN+tUdeWEFGd0j0DKRtNoMdsBn/nkNtrlrseAzo8CqzSLHU7kKoamg==,iv:NIGlQcBdU0AQQ2LDHCdCyqSzsWQALTZQDKGTqwYFvjc=,tag:ImbGAtmDxkyhJ10q6vF0ig==,type:str]
sops:
kms: []
gcp_kms: []
@@ -69,8 +70,8 @@ sops:
QTh4K0xzYVgzWVcwNzJ6bHFncHNTNHMK/iAbmGaTunJefyKK/GQYYMzd1PY+hvOt
i2SfjO8ZPXRkQcDxRa5EqOkKzpzBijjSsGGH04MprCBI6ysaJA+lEg==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-02-05T03:29:16Z"
- mac: ENC[AES256_GCM,data:/ds2F2gy1lH11QCXZzRdXKpf/iPCyPyfHr0HnqA+mzenMBEMonpckMXKr/i9RrzJxTEx6RCCMiV+by/c0WR0BWkI5P+2aaMqcjXigzL0Ec9LPjH5XcDlN5eeqRCrd8jYsrZpo4te2CKNsA6ramcBN+qaaIPJB9zBJMhXjYAnMM0=,iv:68T2ZiJc/9nZUXZPTaU9ygl8SNuCsWBjVmRGkEJOex4=,tag:Imt27qoaJU6pnU2DzHC7AA==,type:str]
+ lastmodified: "2023-03-12T21:46:12Z"
+ mac: ENC[AES256_GCM,data:5o9P5p96LsGRwv05j7ncU006DnUeXn/nKKAtAw0gofkFr95Wntd9NXsbzGEy4Mjlzlwr6noJtzqPHZxP09nWUYLrVAn5/D+6tU39dpS/zfbYx4vQQwH1KOrlwbOaV1WQVz9du4XBITH/Pf1rL4p48nAjCboTs4W3/jMGXM70WNs=,iv:NxIiEWLd4R2eONOh7WLyLcaxxvCNk+fRqo3EQNM03dk=,tag:DUmrpTsggi5UdM8nbSzdKw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
diff --git a/terraform/secrets.yaml b/terraform/secrets.yaml
index 291c894..c6778df 100644
--- a/terraform/secrets.yaml
+++ b/terraform/secrets.yaml
@@ -9,50 +9,59 @@ sops:
azure_kv: []
hc_vault: []
age:
+ - recipient: age1hdmmmv423xajuv4pjumnj35j34e4rhta3wgatjafy3dxf38yycysqzl4mn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMaXNzeGRhNk93VTMwWVly
+ c0FKQXJiM2xjNElqb09YL0VKY1orRkpUZndBCi9oNnIvck9NeGRDWm9hbGF4RWd3
+ bUhwVGsrV1dNMGErTjhhbk96YTc3MUUKLS0tIDAyOGtJOHZndVM2Mm9ja2Juck9o
+ Mm0xdzRNOERBTjBSejd4Y01kYjBpRTQK3olfsRDAezCEx0GIDUcGmmkJyZNeiXN6
+ NFatlmRBSr4JH6X0JHfWzsC9oc3ursytLf7Hf3t/4mHg1EefgaML9A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1lk9prt0l75xyj4r9lvel5cdac4ll8jnywrm0fp8nackeqzmwkfqq974lst
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL0NMSmdYV3RraUh6M0c3
+ d3I2dksrQ3dXdGpXVTFsRnVBNy9vRjFkK20wCmJkSzBvNzFyVi9EMFl4eWFNYno1
+ VGxOdkF2VHU5Mmp6K2gwSnc4OG1oUXMKLS0tIHh4bWxEVjdubk5TeWhONU0xamxt
+ dERwMTNibXpNSjlKTkJhK0FEZi9IekkKER40oOuP7YgRXN2R0G8rTDOk4qoayKHG
+ 4SYSVqULCn/79ayYkx2XDLim2Wuws9yyxxG5TiZd70Ym3V7TPF3eTA==
+ -----END AGE ENCRYPTED FILE-----
- recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIM3pBNmc4OCtCVWN3dm5E
- Q2tLdDF3Z3Z0NS9JeWtBZGxXNzZBeHFXVFZ3CkZZaW16WVNlNEc0YVpOejRJbkJ4
- RFdkeDZHMkxySVIxMHlEbGhaMkE0NUUKLS0tIHYvYkplcURmSkNiT2cwdHJhQjli
- ZHNQcDVuY09IMWFJSmp0allJUzVISVkKRH1UGq0sObtWTEf3fAnSDbZ+3AkgoNat
- ZF7d/WuLsZYIS5C4/lx6W4qcM3ZkYFeE7KVP+scD6KnO7eeBPNFNSw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTTFITkFIYzJIRnA4am0x
+ Y1UrS1VkYllKczUwYmtOcGswMEJ6d05TVWw0CnpZWmhCQWNjd2Jyd3hCeXVJeHlX
+ ZHJhK0xPY2RVVXBNNzdEQ3FFeENpbUUKLS0tIHRJckYwL0p3ZlZjZVVIaDg2a1ho
+ d2M0U05YaExrZmh5czFPSVRXUFlsNGsKT9YmqWb9t1N1A8+Qm8ZqXIVh+xOh0B66
+ luiM+s2yrxus4d8E0YPQqpqUTWnHKYaQ33/pWwH9JJqFBFMU9ISpig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMk1VZXN2eTJraVJpM3hB
- NnNrN1B0Q1F4ejNacVgvdkhPNytuSmc5bjJBCndRZ3E5Z2Y0eHB6ODErcEQ0dkp4
- MVQ0dm9xTkdRT3p5RXRyRDZPR1FOV1kKLS0tIFJySENhSGI1UFhWZG90ODN1WlNv
- V1hvOXdmZEwwbHRiUkxEM2JrM3BDTzgK1GR3QVwflr7EgtHoy1gbpVK7COsPxI9y
- CSq1Aak5rCU0F0wTJcZxLTE5tHErYaqD6exxTM1zk4SVcevdyHiu1Q==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdWRzdFNWeHNkYUM5MkFq
- bmVoSjE4a0QwYnN3SEZCcW1maFlmS0NQNmtvClhJcXF2UVpnQ014SGdwNlFjaEN4
- bDI5Q2FVSUJuOWpIVGUzREVUVXltVTAKLS0tIDRFSzJldXR5NUUrekVvd1FyMHR2
- TDN5WlkxanVxeWFjVmFNU0s0L25tVzQK8hYYaWng3ferINNh6x12z/d87A1E2gid
- 0EugOY4LIIk98bUB0jEh6J/lIJ1NbOKEzimjktUengdM2T6Yf4Nsew==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYVhzMkF6M3cwc0l3Zzlr
+ dE1ha2hkK3lPZkgvZkR5Sk5HV1FlcjkveEVZCnErNGRHbFRJZWZCQUg2Ukx4V094
+ dkZ6QTJqaG9Pa0FBMk5VWHJaNUE4N1UKLS0tIFVyNDdHczhZaDlkeVZEMFErTEVW
+ ME9vKzJIV2U3U1lYM3huUTRkOS8zbzgKAPHThcG53rpyNnqaJWc5PeUi1VtyAqEj
+ Egv6gsELcg993JyvXx6920/8tSMt1cGUW4vfvHkhBUF9TM/Bn1hS0A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkTTd5QnRvb0ZZd0VDZTZq
- TmM4M3Flc2c0SXVqVUs0cXhrZ29BVU9qakRJCnJidE5UdDlUUlQ0MmdxZE1BTHFs
- NGFvTXJUM2RLeGhTc1ZBN3kxM0tVZGsKLS0tIGtET05DOVZOQ0JpejlKMnROd0c1
- bEUvNERlVXZ1dVhhUElQL2Rta0h4bWMK8epdovp7pJNjSKzFGQa1jC43x5TLzXaQ
- xVbKblq6Eg0IBBBMURHnOPFHxp+hzuoYmiVpFXPnNpCzAg0Xs+86hA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySUgxNnl4cGxOTDVVMFFo
+ bVVBV3JOdjgremxWMW8veXpXV0FhQ3lQeTNzCnZHVm9RZWFXYzVnS3RzOGlScy9L
+ aWxLN1RPcEltUGtGRklSRmZvM05INlUKLS0tIEFlWGxZMDFXaXZiMTFyNEQ2ejcw
+ WGdnV0F6ZHZQTkQ3K291VnVBR2JrdncKzqwRD0XNz9GOKtlBC5quRY8uGaYXY5rf
+ sHWz57NYh3w+QeF/dGe1Ny777ur5rwQbeFgnFjN7lavkWwrKKVzZFA==
-----END AGE ENCRYPTED FILE-----
- - recipient: age1hdmmmv423xajuv4pjumnj35j34e4rhta3wgatjafy3dxf38yycysqzl4mn
+ - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWFJFQXI2TmtIbUNTQ1lR
- YVptZEJMUFhMODZWMjNNTzlxdTgrbVdqR1JvCkI0b0prckozWjhuRXpwSzVjejJp
- eWdPMXAyL3ZVUmFqa3NubFJGNzRJaEUKLS0tIHo3bjY4NHhQUVg3cWlNMXF5aEhR
- MnhHSHdqd2xxbk5OWEx1Q3hGTGcySWsKnGKLLHKPewnG83Ejc+NJkfKsl8Z6vmSA
- Ao8Dc09GJzou5X0fP2h1/CpsB6XASD1Qox2oxEYPZvWNtiFGAaq9tg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZTJUNEFXN2pNUnYvZUpV
+ RzU5SUJkR0g3RmJLbWhFdFc1alBJNjMrNnlNCjdYY0VwRzkrcmhWOGg3SGQ5eVQy
+ ZUo3ejZsRVdCTENBMG1kcXhHSzdkZkEKLS0tIEJvZEx4T3NFS1hDT3NGc1ZTejQ4
+ akl4L2M1ZE1lZGpWVnRTRmw2OXJFdG8KBOVFOXsyEYPAiaUoC51Op/yBsgxo1SYM
+ fcHbyvKqhV5gea/IKYbIE8XKM0ERgTi72tQBducylvclDh7sXYL6LA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-15T03:05:31Z"
mac: ENC[AES256_GCM,data:n3I8BMP5sTYiSZwmW0QXZ61WUANo7smy1W1Ctfb1Xuv/5kOTKaqaMu5osk7DTBihtXTuQIgTKqvnWaZ/V0PAQJpu6kt5SoUmfzL3QeVUbvrWhKd2EpWhncD1ZmL7WvpLYXTD6a2ubGm7n+4NuwgYXZbG4xy/Q+ASDeum4MthgtE=,iv:h6+ah6wQDMkcaj4+Hy+7jWF58XeepJKW+tnW6bLF1gg=,tag:j4telEtpvSWqkwk7U3OWZA==,type:str]