Merge pull request #691 from 2i2c-org/enable_kops_hubs

Enable openscapes (and re-enable farallon) deployment by the CI

.github/workflows/deploy-hubs.yaml

@@ -30,9 +30,10 @@ jobs:
             provider: gcp
           - cluster_name: carbonplan
             provider: aws
-          # Uncomment openscapes once a deployer user is created in openscapes AWS land
-          # - cluster_name: openscapes
-          #   provider: aws
+          - cluster_name: farallon
+            provider: aws
+          - cluster_name: openscapes
+            provider: aws
           - cluster_name: meom-ige
             provider: gcp
           - cluster_name: pangeo-181919

config/hubs/openscapes.cluster.yaml

@@ -1,7 +1,11 @@
 name: openscapes
-provider: kubeconfig
-kubeconfig:
-  file: secrets/openscapes.yaml
+provider: aws
+aws:
+  key: secrets/openscapes.json
+  clusterType: kops
+  clusterName: openscapeshub.k8s.local
+  region: us-west-2
+  stateStore: s3://2i2c-openscapes-kops-state
 hubs:
   - name: staging
     domain: staging.openscapes.2i2c.cloud

deployer/hub.py

@@ -42,8 +42,6 @@ def auth(self):
             yield from self.auth_gcp()
         elif self.spec['provider'] == 'aws':
             yield from self.auth_aws()
-        elif self.spec['provider'] == 'kubeconfig':
-            yield from self.auth_kubeconfig()
         else:
             raise ValueError(f'Provider {self.spec["provider"]} not supported')
 
@@ -125,23 +123,6 @@ def deploy_support(self):
             ])
         print("Done!")
 
-    def auth_kubeconfig(self):
-        """
-        Context manager for authenticating with just a kubeconfig file
-
-        For the duration of the contextmanager, we:
-        1. Decrypt the file specified in kubeconfig.file with sops
-        2. Set `KUBECONFIG` env var to our decrypted file path, so applications
-           we call (primarily helm) will use that as config
-        """
-        config = self.spec['kubeconfig']
-        config_path = config['file']
-
-        with decrypt_file(config_path) as decrypted_key_path:
-            # FIXME: Unset this after our yield
-            os.environ['KUBECONFIG'] = decrypted_key_path
-            yield
-
     def auth_aws(self):
         """
         Reads `aws` nested config and temporarily sets environment variables

secrets/openscapes.json

@@ -0,0 +1,27 @@
+{
+	"AccessKey": {
+		"UserName": "ENC[AES256_GCM,data:UxJ1CPfwNMCuYb0XLabsI0o=,iv:iLiUn6fqhHQdQrLUGhzEMDPJ/f7d56oV+/sCtzpLjXs=,tag:WzQxYmGugCa1WllBXgwofw==,type:str]",
+		"AccessKeyId": "ENC[AES256_GCM,data:YkWRHgFkaArTj/FIgMgKwF+4uSw=,iv:vDn7l4fcrlwomNCzttokSo4MHiOJbm6A4CDG5tqRdT8=,tag:o9P6iuEA9lrzWggquyMlIA==,type:str]",
+		"Status": "ENC[AES256_GCM,data:5CuUpuJx,iv:DmZu1bjjZ9ZtbYmeDXaIBAlSvyeo8ddA+AxgXB2RNVQ=,tag:ghkGFU4MjibSaCzWrhChDg==,type:str]",
+		"SecretAccessKey": "ENC[AES256_GCM,data:2j7j9T/tjV+4aPo62TWNTlTg50IOlQFph9r/89MxxrwsRm2mdPFsiw==,iv:dRHikN/N0H60u/4mKPW/RFo2qPK1+7IA2/mGUZmpfZk=,tag:hZOVyG5e1R2aiJ29nfpPdg==,type:str]",
+		"CreateDate": "ENC[AES256_GCM,data:JSqmfw2dLbMgC8SrkK7MgfpZZd8=,iv:FO/rXG6+84wBU3zC5TbMdAzqXnWFbEk9BXycZ4z/yJ8=,tag:NrDLuklm4bRiTLaU9hkwYQ==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": [
+			{
+				"resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs",
+				"created_at": "2021-09-17T20:01:39Z",
+				"enc": "CiQA4OM7ePhTEOmboZc4QZL+uEPWSrMZpK/R/OW0SUxfBupHBF8SSQC9ZQbLgd/duMDaOGc25SzIe6PFBBvTV/Rrt8XpOXDMZZEVay390ifA/8RNJNW14a1tXrMjVZk4C5Jgd6VCrOA144N60lKtQrQ="
+			}
+		],
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2021-09-17T20:01:41Z",
+		"mac": "ENC[AES256_GCM,data:ofFKs6tuzNqNRdYLE6wo2iV/4FKHu4qd3Po/Bi+q3NYnBgsKpJI88n+A09ZxKXE8HuRxXhREaHFg8/H4lD3L3/vKrLi+roEywuYsKIAwmn3sTITxNIUdN+BJX8u8tw3cJygCHimoeaeUIJpZ7quLOlOfdRsnWDaORdzFj+vdH9s=,iv:/I/+L8o7ywRFGaEv9YOAMZWwjcvaFd4i3oD9Oa8+yWI=,tag:QbBbOmqSqfiKyk2Y7VZ7EA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}