build: inject Terraform secrets to tekton-pipelines namespace

2024-12-22 20:24:32 +07:00 · 2021-12-25 03:03:46 +07:00 · 2021-12-25 03:03:46 +07:00 · 27468592ce
commit 27468592ce
parent dd2bdff255
3 changed files with 32 additions and 23 deletions
--- a/.tekton/external.yaml
+++ b/.tekton/external.yaml
@ -1,13 +1,3 @@
-# TODO automate this
-# kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.5/git-clone.yaml
-# kubectl create secret generic -n tekton-pipelines kube-config --from-file=$PWD/../metal/kubeconfig.yaml
-# kubectl create secret generic -n tekton-pipelines terraform-env-vars \
-# --from-literal=CLOUDFLARE_EMAIL=xxx@yyy.com \
-# --from-literal=CLOUDFLARE_API_KEY=xxx \
-# --from-literal=B2_APPLICATION_KEY_ID=xxx \
-# --from-literal=B2_APPLICATION_KEY=xxx \
-# --from-literal=TF_VAR_cloudflare_account_id=xxx
-
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
@ -18,18 +8,19 @@ spec:
  stepTemplate:
    image: hashicorp/terraform:1.1.2
    workingDir: /workspace/source/external
-    envFrom:
-      - secretRef:
-          name: terraform-env-vars
    volumeMounts:
-      - name: terraform-credentials
-        mountPath: /root/.terraform.d/
+      - name: terraform-secrets
+        mountPath: /root/.terraform.d/credentials.tfrc.json
+        subPath: credentials.tfrc.json
+      - name: terraform-secrets
+        mountPath: /workspace/source/external/terraform.tfvars
+        subPath: terraform.tfvars
    command:
      - terraform
  volumes:
-    - name: terraform-credentials
+    - name: terraform-secrets
      secret:
-        secretName: terraform-credentials
+        secretName: terraform
  steps:
    - name: lint
      args:
--- a/external/secrets.yml
+++ b/external/secrets.yml
@ -16,18 +16,30 @@
    - name: b2_application_key
      prompt: Enter Backblaze application key (sensitive)
  tasks:
+    - name: Render environment file
+      template:
+        src: ./terraform.tfvars.j2
+        dest: ./terraform.tfvars
    - name: Ensure required namespaces exist
      kubernetes.core.k8s:
-        name: "{{ item }}"
        api_version: v1
        kind: Namespace
+        name: "{{ item }}"
        state: present
      loop:
        - tekton-pipelines
        - cert-manager
        - external-dns
        - cloudflared
-    - name: Render environment file
-      template:
-        src: ./terraform.tfvars.j2
-        dest: ./terraform.tfvars
+    - name: Add Terraform secrets to Tekton namespace
+      kubernetes.core.k8s:
+        definition:
+          apiVersion: v1
+          kind: Secret
+          type: Opaque
+          metadata:
+            name: terraform
+            namespace: tekton-pipelines
+          data:
+            credentials.tfrc.json: "{{ lookup('file', '~/.terraform.d/credentials.tfrc.json') | b64encode }}"
+            terraform.tfvars: "{{ lookup('file', './terraform.tfvars') | b64encode }}"
--- a/platform/tekton-pipelines/kustomization.yaml
+++ b/platform/tekton-pipelines/kustomization.yaml
@ -2,10 +2,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
+# Pipeline
 - https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
+# Triggers
 - https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
 - https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
+# Dashboard
 - https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release-readonly.yaml
+# Additional
 - ingress.yaml
- service-account.yaml
 - cluster-role-binding.yaml
+- service-account.yaml
+# Tasks
+- https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.5/git-clone.yaml