comfusion/flux: GitOps for k8s - High Tea: Gitea with Traefik

GitOps for k8s

Michael Bridgen 24e3e6061c Generate keys in a separate tmpfs volume In Kubernetes >= 1.10, secrets (and config-maps) will be mounted read-only. This means we cannot use the tmpfs volume used for the deploy secret as a workspace for generating new keys (and that we have to mount the secret with the right mode, since we won't be able to `chmod` it). Instead, require _another_ tmpfs to be mounted, and use that. The new, mandatory flag `--ssh-keygen-dir` is for providing the path. It's mandatory so that it's harder to accidentally just use a "regular" bit of the filesystem to generate keys and thereby put them on disk. So we can still use stable paths, both possible stable locations of the private key are mentioned in ~/.ssh/config (in the Docker image).		1 year ago
..
keygen.go	Generate keys in a separate tmpfs volume	1 year ago
keyring.go	SSH keyring backed by k8s secret resource	2 years ago

Michael Bridgen 24e3e6061c Generate keys in a separate tmpfs volume

In Kubernetes >= 1.10, secrets (and config-maps) will be mounted
read-only. This means we cannot use the tmpfs volume used for the
deploy secret as a workspace for generating new keys (and that we have
to mount the secret with the right mode, since we won't be able to
`chmod` it).

Instead, require _another_ tmpfs to be mounted, and use that. The new,
mandatory flag `--ssh-keygen-dir` is for providing the path. It's
mandatory so that it's harder to accidentally just use a "regular" bit
of the filesystem to generate keys and thereby put them on disk.

So we can still use stable paths, both possible stable locations of
the private key are mentioned in ~/.ssh/config (in the Docker image).

1 year ago

keygen.go

Generate keys in a separate tmpfs volume

1 year ago

keyring.go

SSH keyring backed by k8s secret resource

2 years ago