> [!WARNING]
> This is a WIP repository; it is not yet stable.
This repository contains all the manifests for Cat+ to deploy on Kubernetes.
Cat+ is composed of automated pipelines, a front-end and a database. All of these need to be deployed on Kubernetes. This repository allows for maintenance and easy deployment.
> [!NOTE]
> We assume that you already have access to a Kubernetes cluster and that nix is installed (install here).
We provide a nix-based development shell which includes all dependencies required to manage and deploy manifests.
To build and enter the development shell, use `just nix-develop`.
We use kustomize to configure and deploy resources. To deploy all resources, use `just deploy`.
Secrets are encrypted using sops and age. A just module is provided to simplify operations.
Type `just secrets` to see the list of operations available.
To add a new recipient (i.e. someone whose key can be used to decrypt secrets), take the following steps.
- New recipient runs `just secrets generate-key` and sends the public key (only!) to an existing recipient (see `.sops.agekey`).
- Existing recipient adds the public key to `.sops.yaml` (keys are comma-separated).
- Existing recipient runs `just update-keys` to re-encrypt secrets with the new key.
- Existing recipient commits changes.
Running `just secrets deploy` will decrypt the secrets into a temporary file, deploy them with kubectl and delete the temporary file.
To edit secrets:
- Run `just secrets decrypt` and open the newly created `secrets/secrets.dec.yaml` in your editor.
- Once the changes are made, re-encrypt them using `just secrets encrypt`.
- Commit changes.
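
The edit workflow above creates a plaintext `secrets/secrets.dec.yaml` next to the encrypted files, so a commit-time guard is worth having. The script below is an added example, not part of this repository: it assumes decrypted copies end in `.dec.yaml` and that every other YAML file under `secrets/` is sops-encrypted, and `is_sops_encrypted` and `check_paths` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example, not part of the Cat+ repository.
# Assumptions: decrypted copies end in .dec.yaml (the page names
# secrets/secrets.dec.yaml) and every other YAML file under secrets/
# is expected to be sops-encrypted.

# Succeeds if FILE carries the top-level sops metadata block and at least
# one value in sops' encrypted form.
is_sops_encrypted() {
    grep -q '^sops:' "$1" && grep -q 'ENC\[AES256_GCM,' "$1"
}

# Reads paths (one per line) on stdin, prints each violation, and returns
# non-zero if any path must not be committed. It inspects the working-tree
# copy of each path, not the staged blob.
check_paths() {
    local path status=0
    while IFS= read -r path; do
        # age private keys always start with this prefix; only the public
        # key is meant to be shared.
        if [ -f "$path" ] && grep -q 'AGE-SECRET-KEY-' "$path"; then
            echo "contains age private key: $path"; status=1
        fi
        case "$path" in
            *.dec.yaml|*.dec.yml)
                echo "refusing decrypted file: $path"; status=1 ;;
            secrets/*.yaml|secrets/*.yml)
                if [ -f "$path" ] && ! is_sops_encrypted "$path"; then
                    echo "not sops-encrypted: $path"; status=1
                fi ;;
        esac
    done
    return "$status"
}

# As a pre-commit hook this would be fed the staged paths:
#   git diff --cached --name-only --diff-filter=ACM | check_paths
```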
To be defined.