Currently wmcs.toolforge.component.deploy just runs the deploy.sh script from the git URL it is passed; that gives us no way to inject secrets into the deployed k8s objects.
Some examples of secrets we currently need:
- User/pass of the account to push images to harbor (for the toolforge build service)
- (add more if you find more)
This task is to brainstorm ways to get those secrets there; we will create a decision task once we have a few ideas (if no clear consensus arises here first).
Feel free to add comments or change the task to add ideas, etc.
Puppet + helmfile
One way is to keep the secrets as hiera values in the current puppet private repo, then have a puppet module create a values.yaml file that helmfile includes when generating the k8s objects (exact process to be investigated/defined).
K8s manually entered secrets
We could use k8s secrets for it, creating and maintaining them manually (outside of helmfile).
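As an added illustration of this option (example manifests written for this task, not code from the toolforge deploy repos; the secret name, namespace, image and key names are assumptions), the Secret is applied once by hand and the chart that helmfile deploys only references it by name, so nothing secret lives in git or in the rendered templates:

```yaml
# Applied once by hand on a control node, not by deploy.sh / helmfile:
#   kubectl -n builds-api apply -f harbor-push-credentials.yaml
# (name, namespace and values are placeholders for this example)
apiVersion: v1
kind: Secret
metadata:
  name: harbor-push-credentials
  namespace: builds-api
  labels:
    app.kubernetes.io/managed-by: manual   # reminder that helmfile does not own this object
type: Opaque
stringData:                                # stringData: no hand-encoded base64 to get wrong
  username: builds-bot
  password: "<placeholder - the real value is never committed anywhere>"
---
# Part of the chart that helmfile deploys: the pod consumes the secret through env vars.
# If the Secret is missing the pod simply fails to start, which is the intended failure mode.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: builds-api
  namespace: builds-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: builds-api
  template:
    metadata:
      labels:
        app: builds-api
    spec:
      containers:
        - name: builds-api
          image: "<registry>/builds-api:<tag>"   # placeholder image
          env:
            - name: HARBOR_USERNAME
              valueFrom:
                secretKeyRef:
                  name: harbor-push-credentials
                  key: username
            - name: HARBOR_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: harbor-push-credentials
                  key: password
```

The trade-off is that the Secret is not reproducible from any repo: rotation, recreation after a cluster rebuild and cleanup all have to be done by hand, and the only record of who can read it is the RBAC on the namespace.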
Helm-secrets
Commit encrypted secret files to the Git repositories and provision decryption keys to the control nodes via Puppet. Helmfile supports integration with the helm-secrets plugin.
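An added sketch of how the Puppet + helmfile option and the helm-secrets option would each plug into the same helmfile release (example configuration written for this task, not the actual layout of the deploy repos; file paths, release name, hiera-derived keys and the age recipient are placeholders). The release lists the Puppet-written plaintext file under values: and the sops-encrypted, git-committed file under secrets:; a real setup would use one or the other, not both:

```yaml
# Option "Puppet + helmfile": written on the control node by a Puppet file resource
# from hiera values (mode 0400, root-owned), never committed to git.
# file: /etc/toolforge/deploy/build-service-secrets.yaml   (placeholder path)
harbor:
  username: builds-bot
  password: "<placeholder, comes from the puppet private repo>"
---
# Option "helm-secrets": the same structure, but committed to the component repo
# after `sops --encrypt`; only the values are encrypted, keys stay readable.
# file: secrets.yaml   (in git)
harbor:
  username: ENC[AES256_GCM,data:<ciphertext>,iv:<iv>,tag:<tag>,type:str]
  password: ENC[AES256_GCM,data:<ciphertext>,iv:<iv>,tag:<tag>,type:str]
sops:
  age:
    - recipient: age1<placeholder-public-key>
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        <placeholder wrapped data key>
        -----END AGE ENCRYPTED FILE-----
---
# file: .sops.yaml   (in git) - tells sops which key to encrypt new/edited files for,
# so nobody has to pass recipients on the command line.
creation_rules:
  - path_regex: secrets\.yaml$
    age: age1<placeholder-public-key>
---
# file: helmfile.yaml   (in git)
releases:
  - name: builds-api
    namespace: builds-api
    chart: ./chart
    values:
      - values.yaml                                        # non-secret values, in git
      - /etc/toolforge/deploy/build-service-secrets.yaml   # option 1: plaintext, Puppet-managed
    secrets:
      - secrets.yaml                                       # option 3: decrypted by helm-secrets at render time
---
# file: chart/templates/harbor-secret.yaml   (in git)
# Either source ends up in .Values.harbor, so the chart is identical for both options.
apiVersion: v1
kind: Secret
metadata:
  name: harbor-push-credentials
type: Opaque
stringData:
  username: {{ .Values.harbor.username | quote }}
  password: {{ .Values.harbor.password | quote }}
```

For the helm-secrets variant Puppet only has to drop the age private key on the control node; sops picks it up from the path in the SOPS_AGE_KEY_FILE environment variable, and helm-secrets decrypts secrets.yaml into a temporary file for the duration of the render. Two caveats apply to both variants: the rendered Secret is also stored in the Helm release record in the namespace, so anyone who can read Secrets there can read the Harbor password regardless of how it reached helmfile, and deploy.sh should not run helmfile with debug output, which can echo the merged (decrypted) values into logs.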