Migrate all Opaque kubernetes Secrets on k8s-infra clusters to ExternalSecrets

[spiffxp]

• Clusters that need kubernetes-external-secrets installed:

  • k8s-infra-prow-build/prow-build: terraform/k8s-infra-prow-build: add kubernetes-external-secrets #2827, Revert "Update infra/gcp/terraform/k8s-infra-prow-build/prow-build/resources/kubernetes-external-secrets/kubernetes-external-secrets.yaml" #2830

• Secrets that need to be migrated over for k8s-infra-prow-build/prow-build:
  $ k --context=prow-build get secrets -A | grep Opaque | awk '{print "- [ ] "$1"/"$2}';

  • test-pods/service-account: terraform: provision prow-related secrets via terraform #2845, tf/k8s-infra-prow-build: add ExternalSecrets #2858
  • test-pods/ssh-key-secret: terraform: provision prow-related secrets via terraform #2845, tf/k8s-infra-prow-build: add ExternalSecrets #2858

• Secrets that need to be migrated over for k8s-infra-prow-build-trusted/prow-build-trusted:
  $ k --context=prow-build-trusted get secrets -A | grep Opaque | awk '{print "- [ ] "$1"/"$2}'

  • test-pods/cncf-ci-github-token (prow: switch cncf-ci-github-token to ExternalSecret #2219)
  • test-pods/k8s-cip-test-prod-service-account: tf/k8s-infra-prow-build-trusted: add secrets #2859
  • test-pods/k8s-gcr-audit-test-prod-service-account: tf/k8s-infra-prow-build-trusted: add secrets #2859
  • test-pods/k8s-infra-ci-robot-github-token: tf/k8s-infra-prow-build-trusted: add secrets #2859
  • test-pods/k8s-triage-robot-github-token: tf/k8s-infra-prow-build-trusted: add secrets #2859
  • test-pods/service-account: tf/k8s-infra-prow-build-trusted: add secrets #2859
  • test-pods/slack-tempelis-auth: tf/k8s-infra-prow-build-trusted: add secrets #2859
  • test-pods/snyk-token* (prow: add snyk_token ExternalSecret #2222)

• Secrets that need to be migrated over for kubernetes-public/aaa
  $ k --context=aaa get secrets -A | grep Opaque | awk '{print "- [ ] "$1"/"$2}'

  • cert-manager/letencrypt-prod-account-key (generated by cert-manager)
  • cert-manager/letencrypt-staging-account-key (generated by cert-manager. still used)
  • elekto/elekto-secret
  • prow/k8s-infra-build-clusters-kubeconfig
  • prow/k8s-infra-ci-robot-github-token
  • prow/k8s-infra-prow-cookie
  • prow/k8s-infra-prow-github-oauth-config
  • prow/k8s-infra-prow-hmac-token
  • prow/k8s-infra-prow-sa-key
  • publishing-bot/github-token (kubernetes-public: Add GCP secret for publishing-bot #2825, publishing-bot: Add ExternalSecret #2829)
  • slack-infra/recaptcha: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • slack-infra/slack-event-log-config: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • slack-infra/slack-moderator-config: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • slack-infra/slack-moderator-words-config: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • slack-infra/slack-post-message-config: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • slack-infra/slack-welcomer-config: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • slack-infra/slackin-token: apps/slack-infra: use ExternalSecrets to manage secrets #2828
  • triageparty-release/triage-party-github-token: triage-party/relase: update ExternalSecret #2754
  • prow/k8s-infra-ci-robot-github-token* (prow: add k8s-infra-gci-robot-github-token ExternalSecret #2224)

* new secret, not a migration, but tracking here anyway

[spiffxp]

/wg k8s-infra
/sig testing
/area prow
/priority important-soon
/milestone v1.22
/assign

[spiffxp]

#2219 is a first attempt at migrating a secret for k8s-infra-prow-build-trusted

[ameukam]

cc @chaodaiG

[spiffxp]

/milestone v1.23

[spiffxp]

/close
All secrets in our kubernetes clusters now come from Google Secret Manager (or could come from other secret systems). This is great for DR, since if a cluster disappears, we can re-provision it with the existing secrets. Also nice for safe rotation, since new secret values can be added without implicitly deleting old values.

We could use some docs updates here, and kubernetes-public is still managed via bash instead of terraform. Will continue to track that work under #1731

[k8s-ci-robot]

@spiffxp: Closing this issue.

In response to this:

/close
All secrets in our kubernetes clusters now come from Google Secret Manager (or could come from other secret systems). This is great for DR, since if a cluster disappears, we can re-provision it with the existing secrets. Also nice for safe rotation, since new secret values can be added without implicitly deleting old values.

We could use some docs updates here, and kubernetes-public is still managed via bash instead of terraform. Will continue to track that work under #1731

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.