feat: deploy secret encryption key via terraform

public-transport · Sep 18, 2023 · 9320539 · 9320539
1 parent ed4dc8f
commit 9320539
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/cloud-resources/flux.tf b/cloud-resources/flux.tf
@@ -1,3 +1,5 @@
+variable "flux_encryption_private_key" {}
+
 provider "flux" {
   kubernetes = {
     host                   = module.kube-hetzner.kubeconfig_data.host
@@ -14,8 +16,26 @@ provider "flux" {
   }
 }
 
+provider "kubernetes" {
+  host                   = module.kube-hetzner.kubeconfig_data.host
+  client_certificate     = module.kube-hetzner.kubeconfig_data.client_certificate
+  client_key             = module.kube-hetzner.kubeconfig_data.client_key
+  cluster_ca_certificate = module.kube-hetzner.kubeconfig_data.cluster_ca_certificate
+}
+
 resource "flux_bootstrap_git" "flux_tilia" {
   depends_on       = [github_repository_deploy_key.github_deploy_key_flux]
   path             = "kubernetes/clusters/tilia"
   components_extra = ["image-reflector-controller", "image-automation-controller"]
 }
+
+resource "kubernetes_secret" "flux_encryption_key" {
+  depends_on = [flux_bootstrap_git.flux_tilia]
+  metadata {
+    name      = "sops-gpg"
+    namespace = "flux-system"
+  }
+  data = {
+    "sops.asc" = var.flux_encryption_private_key
+  }
+}
diff --git a/cloud-resources/main.tf b/cloud-resources/main.tf
@@ -35,6 +35,10 @@ terraform {
       source  = "fluxcd/flux"
       version = "~> 1.1.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.23.0"
+    }
     github = {
       source  = "integrations/github"
       version = "~> 5.37.0"