README.org

File metadata and controls

104 lines (80 loc) · 2.79 KB

Manage Azure resources using Terraform

README

Terraform scripts and documents that I use to provision resources in the Azure cloud.

Install Istio in AKS

  1. install
     istioctl install --set profile=default
  2. create and label a namespace in Kubernetes
     kubectl create namespace demo
     kubectl label namespace demo istio-injection=enabled --overwrite
  3. apply aks.yaml
     kubectl apply --namespace demo -f ./modules/aks/k8s-example/aks.yaml
  4. get the ingress gateway external IP
     kubectl describe -n istio-system service/istio-ingressgateway

Create encrypted Github secret

:header-args+: :var repo="tf-az"

Each GitHub repository has an encryption key pair. Only the public key can be obtained by the user, so only GitHub can decrypt the values. We can encrypt our secrets and commit them in the code. We can also use Terraform to create/update repository secrets.

Git repository public key

Set up the GitHub CLI (`gh`). `owner` and `repo` are shell variables naming the repository (`repo` is set by the org header above).

# fetch the repository's public key; the response contains "key_id" and "key" (base64)
f=$(gh api "repos/${owner}/${repo}/actions/secrets/public-key")
# key_id is sent back with every secret we create; key is the base64 public key used to encrypt
key_id=$(printf '%s' "${f}" | jq -r '.key_id')
public_key=$(printf '%s' "${f}" | jq -r '.key')

Encrypt values using the public key

This simple Python script (PyNaCl) encrypts the `secret_value` using the public key we obtained from GitHub. `SealedBox` randomizes each encryption, so the result differs every time even with the same public key and value.

from base64 import b64encode
from nacl import encoding, public


def encrypt_secret(public_key: str, secret_value: str) -> str:
    """Seal secret_value with the repository's base64-encoded public key.

    public_key is the "key" field returned by the public-key endpoint above;
    the base64 string returned here goes into "encrypted_value" of the PUT body.
    """
    pk = public.PublicKey(public_key.encode('utf-8'), encoding.Base64Encoder())
    sealed_box = public.SealedBox(pk)
    encrypted = sealed_box.encrypt(secret_value.encode('utf-8'))
    return b64encode(encrypted).decode('utf-8')


secret_value = 'ok'

Create new secret

# ${secret_value} here is the base64 ciphertext returned by the Python script, not the plaintext
cat <<EOF | gh api -X PUT "repos/${owner}/${repo}/actions/secrets/${secret_name}" --input -
{
  "key_id": "${key_id}",
  "encrypted_value": "${secret_value}"
}
EOF

List secrets

gh api repos/${owner}/${repo}/actions/secrets