Seed Vault with Secret Values needed by Helm Chart

ploigos / infra-ops

GitOps repository for the infrastructure that contributors use to develop and test the Ploigos ecosystem

Apache License 2.0

0 stars 1 forks source link

Seed Vault with Secret Values needed by Helm Chart #35

Closed dwinchell closed 2 years ago

dwinchell commented 2 years ago

Acceptance Criteria:

Vault has all values used by our fork of the openshift-actions-runner-chart
- https://github.com/ploigos/openshift-actions-runner-chart
There is a reasonable level of toil associated with keeping these values in vault (vault is ephemeral, and the cluster goes away every 2 weeks anyway)

Notes:

We could use a file backup, and every time we change a value in Vault, we export the file to Google Drive
Someday we could integrate w/ S3 or something
https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

aarongreen85 commented 2 years ago

Breaking this point out on its own - Vault has all values currently stored in GitHub Actions secrets

aarongreen85 commented 2 years ago

Created a script that looks like below and stored it within the Google Drive team folder. Every time vault is stood up, this script needs run. It can be ran and reran and not hurt anything.

#!/bin/bash

# Configure Vault Secrets
oc exec -n vault -it vault-0 -- vault kv put secret/github pat=**********
oc exec -n vault -it vault-0 -- vault kv put secret/registry0 host=registry.access.redhat.com user=********** \
                       password=**********
oc exec -n vault -it vault-0 -- vault kv put secret/registry1 host=quay.io user=********** \
                       password=**********

aarongreen85 commented 2 years ago

Note: the load-vault script was moved to our shared vault instead of the google team folder.