build: inject Terraform secrets to tekton-pipelines namespace

.tekton/external.yaml

@@ -1,13 +1,3 @@
-# TODO automate this
-# kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.5/git-clone.yaml
-# kubectl create secret generic -n tekton-pipelines kube-config --from-file=$PWD/../metal/kubeconfig.yaml
-# kubectl create secret generic -n tekton-pipelines terraform-env-vars \
-# --from-literal=CLOUDFLARE_EMAIL=xxx@yyy.com \
-# --from-literal=CLOUDFLARE_API_KEY=xxx \
-# --from-literal=B2_APPLICATION_KEY_ID=xxx \
-# --from-literal=B2_APPLICATION_KEY=xxx \
-# --from-literal=TF_VAR_cloudflare_account_id=xxx
-
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
@@ -18,18 +8,19 @@ spec:
   stepTemplate:
     image: hashicorp/terraform:1.1.2
     workingDir: /workspace/source/external
-    envFrom:
-      - secretRef:
-          name: terraform-env-vars
     volumeMounts:
-      - name: terraform-credentials
+      - name: terraform-secrets
-        mountPath: /root/.terraform.d/
+        mountPath: /root/.terraform.d/credentials.tfrc.json
+        subPath: credentials.tfrc.json
+      - name: terraform-secrets
+        mountPath: /workspace/source/external/terraform.tfvars
+        subPath: terraform.tfvars
     command:
       - terraform
   volumes:
-    - name: terraform-credentials
+    - name: terraform-secrets
       secret:
-        secretName: terraform-credentials
+        secretName: terraform
   steps:
     - name: lint
       args:

external/secrets.yml

@@ -16,18 +16,30 @@
     - name: b2_application_key
       prompt: Enter Backblaze application key (sensitive)
   tasks:
+    - name: Render environment file
+      template:
+        src: ./terraform.tfvars.j2
+        dest: ./terraform.tfvars
     - name: Ensure required namespaces exist
       kubernetes.core.k8s:
-        name: "{{ item }}"
         api_version: v1
         kind: Namespace
+        name: "{{ item }}"
         state: present
       loop:
         - tekton-pipelines
         - cert-manager
         - external-dns
         - cloudflared
-    - name: Render environment file
+    - name: Add Terraform secrets to Tekton namespace
-      template:
+      kubernetes.core.k8s:
-        src: ./terraform.tfvars.j2
+        definition:
-        dest: ./terraform.tfvars
+          apiVersion: v1
+          kind: Secret
+          type: Opaque
+          metadata:
+            name: terraform
+            namespace: tekton-pipelines
+          data:
+            credentials.tfrc.json: "{{ lookup('file', '~/.terraform.d/credentials.tfrc.json') | b64encode }}"
+            terraform.tfvars: "{{ lookup('file', './terraform.tfvars') | b64encode }}"

platform/tekton-pipelines/kustomization.yaml

@@ -2,10 +2,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+# Pipeline
 - https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
+# Triggers
 - https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
 - https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml
+# Dashboard
 - https://storage.googleapis.com/tekton-releases/dashboard/latest/tekton-dashboard-release-readonly.yaml
+# Additional
 - ingress.yaml
-- service-account.yaml
 - cluster-role-binding.yaml
+- service-account.yaml
+# Tasks
+- https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.5/git-clone.yaml