Kubernetes secret with Flux and Terraform

Views: 141

Problem description

I am new to terraform and devops in general. First I need to get ssh key from url to known host to later use for Flux.

data "helm_repository" "fluxcd" {
  name = "fluxcd"
  url  = "https://charts.fluxcd.io"
}

resource "helm_release" "flux" {
  name      = "flux"
  namespace = "flux"

  repository = data.helm_repository.fluxcd.metadata[0].name
  chart      = "flux"

  set {
    name  = "git.url"
    value = "git.project"
  }

  set {
    name  = "git.secretName"
    value = "flux-git-deploy"
  }

  set {
    name  = "syncGarbageCollection.enabled"
    value = true
  }

  set_string {
    name  = "ssh.known_hosts"
    value = "" # Need this value from url (placeholder left open in the question)
  }

}

Then I need to generate key and use it to create kubernetes secret to communicate with gitlab repository.

# Key pair referenced by the two resources below. This block is not in the
# original post; the algorithm and key size are assumptions.
resource "tls_private_key" "flux" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "kubernetes_secret" "flux-git-deploy" {
  metadata {
    name      = "flux-git-deploy"
    namespace = "flux"
  }

  type = "Opaque"

  data = {
    # Private half of the key pair; note that it also ends up in the terraform state.
    identity = tls_private_key.flux.private_key_pem
  }
}

resource "gitlab_deploy_key" "flux_deploy_key" {
  title    = "Title"
  project  = "ProjectID"
  key      = tls_private_key.flux.public_key_openssh
  can_push = true
}

I am not sure if I am on the right track. Any advice will help.

Recommended answer

There are a few approaches you could use. These can be divided into "two categories":

• generate manually the ssh_known_hosts and use the output through variables or files
  • create the file on the machine where you're running terraform with the command ssh-keyscan <git_domain> and set the path as value for ssh.known_hosts.
  • You can also use the file function directly in the variable or use the file output directly as an env variable. Personally I would not recommend it because the value is saved directly in the terraform state, but in this case it is not a critical issue. Critical would be if you're using ssh_keys or credentials.

In general, I would not use terraform for such things. It is fine to provide infrastructure like aws resources or services which are directly bound to the infrastructure, but in order to create and run services you need a provisioning tool like ansible where you can run commands like "ssh-keyscan" directly as a module. At the end you need a stable pipeline where you run ansible (or your favorite provisioning tool) after a terraform change.

But if you want to use only terraform, you're going the right way.
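One check worth adding to the ssh-keyscan step above: ssh-keyscan records whatever key the network returns, so the entry should be compared against the fingerprint the Git host publishes before it becomes the ssh.known_hosts value. The following is an added example, not code from the question or the answer; the host name gitlab.example, the key bytes and the scan output are constructed.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # length-prefixed string, SSH wire format

# Constructed sample of ssh-keyscan output for a hypothetical host. The 32 key
# bytes are made up and are NOT any real host's key.
_FAKE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(_FAKE_BLOB).decode()
SAMPLE_KEYSCAN_OUTPUT = (
    "# gitlab.example:22 SSH-2.0-OpenSSH_8.9\n"
    f"gitlab.example ssh-ed25519 {SAMPLE_KEY_B64}\n"
)

def sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(output: str) -> list:
    """Return (host, key_type, key_b64) for each non-comment line of ssh-keyscan output."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 3:
            raise ValueError(f"malformed known_hosts line: {line!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries

def pinned_known_hosts(output: str, expected: dict) -> str:
    """Keep only entries whose fingerprint matches the published one for that key type.
    Any mismatch, or an expected key type the host did not offer, rejects the scan."""
    kept, seen = [], set()
    for host, key_type, key_b64 in parse_keyscan(output):
        if key_type not in expected:
            continue  # no published fingerprint for this type: do not trust it
        fp = sha256_fingerprint(key_b64)
        if fp != expected[key_type]:
            raise ValueError(f"host key mismatch for {host} ({key_type}): {fp}")
        kept.append(f"{host} {key_type} {key_b64}")
        seen.add(key_type)
    missing = set(expected) - seen
    if missing:
        raise ValueError(f"host did not offer expected key type(s): {sorted(missing)}")
    return "\n".join(kept) + "\n"
```

The returned text is what you would write to the file whose path is given as ssh.known_hosts, with `expected` filled from the fingerprints your Git host publishes.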
