feat(artifactapi): mount terraform registry signing key
Wires the GPG signing key the terraform provider registry needs into the api
deployment. The secret is mounted optional so the pod runs before it exists;
artifactapi leaves the registry disabled until a readable key is present.
- mount secret artifactapi-tf-signing at /etc/artifactapi/tf-signing (optional)
- set TF_SIGNING_KEY_PATH to the mounted key file, and TF_SIGNING_KEY_PASSPHRASE
from the secret's optional passphrase key
Create the secret out of band with an armored private key:
kubectl -n artifactapi create secret generic artifactapi-tf-signing \
--from-file=private-key.asc=./private-key.asc
@@ -48,10 +48,25 @@ spec:
- secretRef:
name: environment
optional: false
env:
# Terraform provider registry signing. The secret is mounted
# optional, so the pod runs before it exists; artifactapi keeps the
# registry disabled until a readable key is present.
- name: TF_SIGNING_KEY_PATH
value: /etc/artifactapi/tf-signing/private-key.asc
- name: TF_SIGNING_KEY_PASSPHRASE
valueFrom:
secretKeyRef:
name: artifactapi-tf-signing
key: passphrase
optional: true
volumeMounts:
- name: combined-certs
mountPath: /etc/ssl/combined
readOnly: true
- name: tf-signing-key
mountPath: /etc/artifactapi/tf-signing
readOnly: true
livenessProbe:
failureThreshold: 3
httpGet:
@@ -88,4 +103,8 @@ spec:
path: ca.crt
- name: combined-certs
emptyDir: {}
- name: tf-signing-key
secret:
secretName: artifactapi-tf-signing
optional: true
restartPolicy: Always
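Review bot: The `tf-signing-key` secret volume in the second hunk is projected with Kubernetes' default file mode (0644), so the armored private key at `/etc/artifactapi/tf-signing/private-key.asc` is readable by any uid inside the container, not only the one artifactapi runs as; add `defaultMode: 0400` (decimal 256) under `secret:` and make sure the container's runAsUser or fsGroup matches, since the pod securityContext is outside this view. Separately, `TF_SIGNING_KEY_PASSPHRASE` is resolved from the secretKeyRef once at container start, while the secret volume is re-synced by the kubelet as far as I know, so if the secret is created after the pod is already running (which the commit message explicitly allows) the key file can appear while the passphrase stays unset until the pod restarts — worth recording in the comment above the env entries, e.g. `# NOTE: the passphrase env is read at container start; a secret created later needs a pod restart.` Injecting the passphrase as an environment variable also exposes it via `kubectl describe pod`, /proc/<pid>/environ and every child process; if artifactapi can read it from a file, pointing it at a `passphrase` key inside the same read-only mount would be preferable. The file header and the rest of the container spec are outside this hunk.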