Kubernetes 4 of ?? - rotate secrets (#991)

2026-01-08 23:18:15 -05:00 · 2018-11-29 09:35:17 -05:00
parent b9c8e65884
commit 108d05110d
21 changed files with 234 additions and 68 deletions
--- a/73
+++ b/73
@@ -51,7 +51,7 @@ yarn_install(
 # This requires rules_docker to be fully instantiated before it is pulled in.
 git_repository(
    name = "io_bazel_rules_k8s",
-    commit = "2054f7bf4d51f9e439313c56d7a208960a8a179f",  # 2018-07-29
+    commit = "2206972072d64e5d2d966d81cc6c5fb77fd58dcb",
    remote = "https://github.com/bazelbuild/rules_k8s.git",
 )

@@ -863,3 +863,74 @@ go_repository(
    commit = "b7bd5f2d334ce968edc54f5fdb2ac67ce39c56d5",
    importpath = "k8s.io/api",
 )
+
+go_repository(
+    name = "com_github_shyiko_kubesec",
+    commit = "b3b38efff0ecda7fd59ae59b5d09469fda51b5d7",
+    importpath = "github.com/shyiko/kubesec",
+    # Update after https://github.com/shyiko/kubesec/pull/19
+    remote = "https://github.com/prestonvanloon/kubesec",
+    vcs = "git",
+)
+
+go_repository(
+    name = "in_gopkg_yaml_v2",
+    commit = "5420a8b6744d3b0345ab293f6fcba19c978f1183",
+    importpath = "gopkg.in/yaml.v2",
+)
+
+go_repository(
+    name = "com_github_spf13_pflag",
+    commit = "aea12ed6721610dc6ed40141676d7ab0a1dac9e9",
+    importpath = "github.com/spf13/pflag",
+)
+
+go_repository(
+    name = "com_github_spf13_cobra",
+    commit = "d2d81d9a96e23f0255397222bb0b4e3165e492dc",
+    importpath = "github.com/spf13/cobra",
+)
+
+go_repository(
+    name = "com_github_aws_aws_sdk_go",
+    commit = "dbd68419518a1846f7cf787f424af62c2d0bb4f2",
+    importpath = "github.com/aws/aws-sdk-go",
+)
+
+go_repository(
+    name = "com_github_posener_complete",
+    commit = "699ede78373dfb0168f00170591b698042378437",
+    importpath = "github.com/posener/complete",
+    remote = "https://github.com/shyiko/complete",
+    vcs = "git",
+)
+
+go_repository(
+    name = "org_golang_x_oauth2",
+    commit = "8f65e3013ebad444f13bc19536f7865efc793816",
+    importpath = "golang.org/x/oauth2",
+)
+
+go_repository(
+    name = "com_github_hashicorp_go_multierror",
+    commit = "886a7fbe3eb1c874d46f623bfa70af45f425b3d1",
+    importpath = "github.com/hashicorp/go-multierror",
+)
+
+go_repository(
+    name = "com_github_hashicorp_errwrap",
+    commit = "8a6fb523712970c966eefc6b39ed2c5e74880354",
+    importpath = "github.com/hashicorp/errwrap",
+)
+
+go_repository(
+    name = "com_google_cloud_go",
+    commit = "41590e5e6d7a5a30921e686fbc57c45545d8bf29",
+    importpath = "cloud.google.com/go",
+)
+
+go_repository(
+    name = "com_github_inconshreveable_mousetrap",
+    commit = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75",
+    importpath = "github.com/inconshreveable/mousetrap",
+)
--- a/k8s/BUILD.bazel
+++ b/k8s/BUILD.bazel
@@ -9,6 +9,7 @@ k8s_objects(
        "//k8s/beacon-chain:everything",
        "//k8s/nginx:everything",
    ],
+    tags = ["manual"],
 )

 k8s_priority_class(
--- a/k8s/geth/BUILD.bazel
+++ b/k8s/geth/BUILD.bazel
@@ -1,25 +1,33 @@
 package(default_visibility = ["//k8s:__subpackages__"])

 load("@io_bazel_rules_k8s//k8s:objects.bzl", "k8s_objects")
+load("@k8s_configmap//:defaults.bzl", "k8s_configmap")
 load("@k8s_deploy//:defaults.bzl", "k8s_deploy")
 load("@k8s_ingress//:defaults.bzl", "k8s_ingress")
 load("@k8s_namespace//:defaults.bzl", "k8s_namespace")
 load("@k8s_secret//:defaults.bzl", "k8s_secret")
 load("@k8s_service//:defaults.bzl", "k8s_service")
+load("//tools:kubesec.bzl", "k8s_encrypted_secret")

 k8s_objects(
    name = "everything",
    objects = [
        ":namespace",  # Must be first
+        "configs",
        ":deployments",
        ":ingress",
        ":secrets",
        ":services",
    ],
+    tags = ["manual"],
 )

 _NAMESPACE = "pow"

+_configs = [
+    "genesis",
+]
+
 _deployments = [
    "bootnode",
    "ethstats",
@@ -39,7 +47,6 @@ _secrets = [
    "bootnode",
    "ethstats",
    "faucet",
-    "genesis",
 ]

 k8s_ingress(
@@ -53,6 +60,17 @@ k8s_namespace(
    template = "namespace.yaml",
 )

+k8s_objects(
+    name = "configs",
+    objects = [":" + name + ".config" for name in _configs],
+)
+
+[k8s_configmap(
+    name = name + ".config",
+    template = name + ".config.yaml",
+    namespace = _NAMESPACE,
+) for name in _configs]
+
 k8s_objects(
    name = "deployments",
    objects = [":" + name + ".deploy" for name in _deployments],
@@ -67,12 +85,24 @@ k8s_objects(
 k8s_objects(
    name = "secrets",
    objects = [":" + name + ".secret" for name in _secrets],
+    tags = ["manual"],
 )

 [k8s_secret(
    name = name + ".secret",
    template = name + ".secret.yaml",
    namespace = _NAMESPACE,
+    tags = ["manual"],
+) for name in _secrets]
+
+[k8s_encrypted_secret(
+    name = name + ".encrypted_secret",
+    template = name + ".encrypted_secret.yaml",
+    out = name + ".secret.yaml",
+    tags = [
+        "local",
+        "manual",
+    ],
 ) for name in _secrets]

 k8s_objects(
--- a/k8s/geth/bootnode.encrypted_secret.yaml
+++ b/k8s/geth/bootnode.encrypted_secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+  private_key: jQibEmxtsf71E+8OuTUxNAQTKK7G8cwslc/oD84QRuKTa+s3pGSy890XtbQIASbZ/oZ7zt6yVS8uuAILPqnM+KfOtvZihzVLBJ3o4qgPORVMw10i1bwzy/gEVcpSmmee.lzpeo+sQHCQIQYM1.WyjzRoKLkKxZ2lr8kOxheQ==
+  public_key: nTj8LizZ5Lcxpo80SZr3/ArU2fAqPam1nqK6iKW7mhSlN8+s2eTZhdeuX5VBSj6NvFcGzafX91+0Vr49Sn/iDwFWQpKEF6pg9VZLaof5G+Xd09l7LBWWNmszJ7R8sBugYWdH3sT1b5EamLvK+b/oDL/Our6FK5/QrldpdDS8rQHwBBIghp3+9pW2Q8XvU2TeHHuOH07P/m1o4I1F2HuLRQ9CNo88u2UPEer6o27mO5WVa6JeTJ/JfKzWIZYNnu0v.FJVfuDg09LE83EQ1.+1UgfraYgYYHUvEtkX2DLw==
+kind: Secret
+metadata:
+  name: geth-bootnode-secret
+  namespace: pow
+type: Opaque
+# kubesec:v:3
+# kubesec:gcp:projects/prysmaticlabs/locations/global/keyRings/prysmatic-k8s-secrets/cryptoKeys/testkey:CiQAaKPz55gg9s1oelF+GqLY4XCnHjd53I+ZcA9V6Ppg/JtgRjMSSQD23sIskpIEbBnbuvYAF/teEPC/aqmcD8NRLYvW6RSCfzChQftM0XiwwCvll7IN4y2iMzMjA+R09dyE/28hkGOA245jxH1VhAM=
+# kubesec:mac:sIbZWb/nAjt/irSw.PbpahngOYdBmYpkUjysxOw==
--- a/k8s/geth/bootnode.secret.yaml
+++ b/k8s/geth/bootnode.secret.yaml
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name:  geth-bootnode-secret
-  namespace: pow
-data:
-  public_key: MDZmMmI0OGFhODY1OTQ2OTdiZjZjMmI0NjRhMjFhMmYwMWVhNzYyM2MxNGQxOWU5MTE3OGMzZTRkNDNhZDg2M2FjMzdjZmQwODA0OWY3OWIxOTgxN2VmNGZlZjk5NDUxNTYzNjM3N2M1ZjhjN2UyY2MwYWJlY2VmZjkyZTc0MWY=
-  private_key: OGUxMDg1YmQwZThmOGI2MTY0OWRjMWNlYjA2Y2Q1ZTQyNTllY2YwOWRmYTFmZWRlNGNmNDVhMmZiZDE0ODVmNg==
-type: Opaque
--- a/k8s/geth/ethstats.encrypted_secret.yaml
+++ b/k8s/geth/ethstats.encrypted_secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  ws: IeKGjutDYMvXfhoMrVcdx/WRZxDN6Fp6U9q7JaiQ8tR1HCss1YYAjePsvLRvbY5h.TE5myr1CuGVla/vY.NcylicemGDM+6Lz5NWrw/Q==
+kind: Secret
+metadata:
+  name: ethstats-secrets
+  namespace: pow
+type: Opaque
+# kubesec:v:3
+# kubesec:gcp:projects/prysmaticlabs/locations/global/keyRings/prysmatic-k8s-secrets/cryptoKeys/testkey:CiQAaKPz55imKn09+ay5Fipt8Ejsa0fl9RAiDUwIB8QjWJniNfESSQD23sIsO81pJ6gDAzc7733PGECLQ+ftcvluf41iLs5GUBBHrk6ziqmtDmfiTzc9E2YDuXYwAU4EejVjXoIHMESywm9EvetOEt4=
+# kubesec:mac:0YZUa66m5jP5wwuA.M6PWFcmPGuuilDWq2swebA==
--- a/k8s/geth/ethstats.secret.yaml
+++ b/k8s/geth/ethstats.secret.yaml
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: ethstats-secrets
-  namespace: pow
-type: Opaque
-data:
-  # Secret for websocket connections
-  ws: cHJ5c20= # prysm
--- a/k8s/geth/faucet.deploy.yaml
+++ b/k8s/geth/faucet.deploy.yaml
@@ -37,7 +37,7 @@ spec:
            - "/bin/sh"
            - "-c"
            - > 
-              touch /tmp/pwd;
+              touch /tmp/pwd; # empty password file
              faucet
              -account.json=/data/accounts/account.json
              -account.pass=/tmp/pwd
@@ -45,7 +45,7 @@ spec:
              -bootnodes=enode://$(BOOTNODE_PUBKEY)@$(GETH_BOOTNODE_V5_SERVICE_HOST):$(GETH_BOOTNODE_V5_SERVICE_PORT_BOOTNODE_UDP)
              -ethport=30303
              -ethstats=$HOSTNAME:$(ETHSTATS_WS_SECRET)@$(GETH_ETHSTATS_SERVICE_HOST):$(GETH_ETHSTATS_SERVICE_PORT)
-              -faucet.amount=35
+              -faucet.amount=350
              -faucet.minutes=1440
              -faucet.name=validator-faucet
              -faucet.tiers=3
@@ -82,8 +82,8 @@ spec:
              cpu: "100m"
      volumes:
        - name: genesis
-          secret: 
-            secretName: geth-genesis
+          configMap: 
+            name: genesis
            items:
              - key: json
                path: genesis.json
@@ -93,7 +93,5 @@ spec:
            items: 
              - key: json
                path: account.json
-              - key: password
-                path: password
        - name: faucet-data
          emptyDir: {}
--- a/k8s/geth/faucet.encrypted_secret.yaml
+++ b/k8s/geth/faucet.encrypted_secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  json: JDe7rXgTCBhjk8XGsF0R0IsseBmQCOBFk07TF7JY49DkiY1FbbbrDPq0Dmeo8GIrO8RVJ6CMF6RD/GpTZbT8o7xadi9K3XC010Z3hSm7KkjH190sUqAmGm4hdNHeOJfyCHsY6eAE10XoTsb//P18u4drbL+9UXzeqT6DZE6z9lpLq0FvvN2mBes9iIPJ1o71IaE6hN1FPElCOwkLjTUuBfUrGaXiFm5GKaIjTTr9TAmkPzVm7LxAsX1vdfov3bhiVDcBQ4fWMArFZMRe4k5VaH83U18N+fIjPx02TQFHpopWNIZIOJM8657Kh+nQ8CEKOI3KWliqhcioU3Szl0Kfbx+jAxa65Aqc7xTooGViTJW/cH77Fmv9Vmd/pHsImDnxCkcgpEOA5Dmo+FFiSNQNyOX+WwSPM0e8SXHwTeZo+XZYMvLd8+eoJ11lMy0zfh9lVB/+coQSHUt7Fph7jPkdzmrZeXoMDIMo+FsPeUXZfAfnqmGptR65PWmBD0vlYicLMhZcefDOiyhYOQZQnLc2NhlSSiTNJ6QUKOn/0GSrli93PygTzsZ4miwZlRCylCESClYKJlTA9z2Vcn87gb/WXpD3RTjqj9M4zej9XXvqklPXqwf9NIZ9rzrfVBuUU7rTtehnigjH79b4AeUvE4iZ6O7njl7F603Dm6klTndRD31MO6981KQD95INkXa2/RKHNydwiC9yIDyR2RSuWv98V7QnKSZuFjUQSZKt3N7sj2RSRLibPrRC0ZADzp1F0HZSpt5s6Lvu50nY+C/R92lbT06meVSEYCjXFss8S42ryVNbCPzmEp8HEbXS9Lb/C+8r4ZP3msflOcGusv+h9Co87zI4Y03AdOkPIsKU0Y3TdBs8ch7JJR8DSI1B7SqxoLpR.IgbIjZjpv3ltq1US.WEGysEyBgvlgjOr0PnefZg==
+kind: Secret
+metadata:
+  name: geth-faucet-accounts-secret
+  namespace: pow
+type: Opaque
+# kubesec:v:3
+# kubesec:gcp:projects/prysmaticlabs/locations/global/keyRings/prysmatic-k8s-secrets/cryptoKeys/testkey:CiQAaKPz5+6N9EC53IjSMXUoxSv/u1/ZSo1BW7bMfyky/eAXPaQSSQD23sIs8C8Pzo/4qjR6fYd6pKSHvDRYDTTgt5Cxrzu+XCYCwm0jLUI1KL2VMohoXswZrEMP2r0JZzxzWTmDQUHCcsGY06uzpYI=
+# kubesec:mac:bcwLQScHxyWBk0ob.sR6Ss+HAwTBtspOpKlKuZw==
--- a/k8s/geth/faucet.secret.yaml
+++ b/k8s/geth/faucet.secret.yaml
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name:  geth-faucet-accounts-secret
-  namespace: pow
-data: 
-  json: eyJhZGRyZXNzIjoiODg4MjA0MmI4ZTkzYzg1MzEyZjYyM2YwNThlZjI1MmM4MDI1YTdhZSIsImNyeXB0byI6eyJjaXBoZXIiOiJhZXMtMTI4LWN0ciIsImNpcGhlcnRleHQiOiJjZDYxMDM4N2ExZDU1MDgyMDRhNzExZTNkMGExZTkwMzMzMzE0NTI3MzllNzlkZGQzMmNhZTRmNjZhMzVkODI2IiwiY2lwaGVycGFyYW1zIjp7Iml2IjoiNGFkMzUyOTExMjNjNDEzYzg3YzBhODFjZDBkNjZhN2YifSwia2RmIjoic2NyeXB0Iiwia2RmcGFyYW1zIjp7ImRrbGVuIjozMiwibiI6MjYyMTQ0LCJwIjoxLCJyIjo4LCJzYWx0IjoiMGRiNmFiZDZiNDhmZGYxZjcxM2YzMjkyYjVmMjkwMTY0ZDYzYjQ1NGY0OWIzOTEzYjYyNTE3NGRmNDNmYTQ4NyJ9LCJtYWMiOiJkYWUzODFlZTAwM2JlNWFhZTMxZGVmYzg2YmMyNWMyYzlmNDJiZDlmYzgxNzc1OGU2MDhhMGI1YTFiYmIyMWYwIn0sImlkIjoiYjFmYmNiNTctNjJlYy00YTE4LTllN2YtOGQ4MjE2OTQ4N2M5IiwidmVyc2lvbiI6M30= 
-  password: Cgo= 
-type: Opaque
-
--- a/k8s/geth/genesis.config.yaml
+++ b/k8s/geth/genesis.config.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata: 
+  name: genesis
+  namespace: pow
+data:
+  json: |
+    {
+      "config":{
+        "chainId":1337,
+        "homesteadBlock":0,
+        "eip155Block":0,
+        "eip158Block":0
+       },
+       "difficulty":"0x0",
+       "gasLimit":"0x2100000",
+       "alloc":{
+         "00c4ac4d2a14be6a9b55652f9aabdb70fdeb07bc":{
+           "balance":"0x1337000000000000000000"
+         }
+       }
+     }
--- a/k8s/geth/genesis.secret.yaml
+++ b/k8s/geth/genesis.secret.yaml
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: geth-genesis
-  namespace: pow
-data:
-  json: eyJjb25maWciOnsiY2hhaW5JZCI6MTMzNywiaG9tZXN0ZWFkQmxvY2siOjAsImVpcDE1NUJsb2NrIjowLCJlaXAxNThCbG9jayI6MH0sImRpZmZpY3VsdHkiOiIweDAiLCJnYXNMaW1pdCI6IjB4MjEwMDAwMCIsImFsbG9jIjp7IjcxN2MzYTZlNGNiZDQ3NmMyMzEyNjEyMTU1ZWIyMzNiZjQ5OGRkNWIiOnsiYmFsYW5jZSI6IjB4MTMzNzAwMDAwMDAwMDAwMDAwMDAwMCJ9fX0K
-type: Opaque
--- a/k8s/geth/miners.deploy.yaml
+++ b/k8s/geth/miners.deploy.yaml
@@ -55,7 +55,7 @@ spec:
              --verbosity=4
              --mine
              --minerthreads=1
-              --etherbase=0x8882042b8e93c85312f623f058ef252c8025a7ae
+              --etherbase=0x00c4ac4d2a14be6a9b55652f9aabdb70fdeb07bc
              --extradata=$HOSTNAME
              --ethash.dagsinmem=1
              --ethash.dagsondisk=2
@@ -101,8 +101,8 @@ spec:
        - name: chaindata
          emptyDir: {}
        - name: genesis
-          secret: 
-            secretName: geth-genesis
+          configMap: 
+            name: genesis
            items:
              - key: json
                path: genesis.json
--- a/k8s/geth/nodes.deploy.yaml
+++ b/k8s/geth/nodes.deploy.yaml
@@ -93,8 +93,8 @@ spec:
        - name: chaindata
          emptyDir: {}
        - name: genesis
-          secret: 
-            secretName: geth-genesis
+          configMap: 
+            name: genesis
            items:
              - key: json
                path: genesis.json
--- a/k8s/monitoring/grafana.encrypted_secret.yaml
+++ b/k8s/monitoring/grafana.encrypted_secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+  admin-password: RxC7QFwhjSaacx2KdmWncuBw6/UlIsS9Ee6b6hEbhG+Ama4dI/+MsOjNra7BxfnU.+ImkgvsSymbqZBjl.ifSkqkDA40lRZLTxN39vFw==
+  admin-username: CsZ0DoxGjfmVvOFWpMaEMtCe8hiB5dKZGvLt3w2jCDp8rELcGoQW3FBhiQJ3FSm5.hygL38xmTfAZd4RP.Ptd5byovuqjl5nbvCxbuHw==
+kind: Secret
+metadata:
+  name: grafana
+  namespace: monitoring
+type: Opaque
+# kubesec:v:3
+# kubesec:gcp:projects/prysmaticlabs/locations/global/keyRings/prysmatic-k8s-secrets/cryptoKeys/testkey:CiQAaKPz57/7hO9EMYRC8NtU0ZMo+MYntECXExf1vQYyiEthcdESSQD23sIsin7lmGpMJ69eA7L2/WdSMT1CYOxVvwBrrR6Apu3tLuSQUT+h1faBSExVKaVpkWNf/kJzZfGVMzGX8QYbW9XFFN5D/zs=
+# kubesec:mac:rALXGgLZcGquXIU5.UKyzxpm22ir5EfK8eHTt/Q==
--- a/k8s/monitoring/manifests-all.yaml
+++ b/k8s/monitoring/manifests-all.yaml
@@ -2401,16 +2401,6 @@ spec:
 #          servicePort: 3000
 ---
 apiVersion: v1
-kind: Secret
-data:
-  admin-password: YWRtaW4=
-  admin-username: YWRtaW4=
-metadata:
-  name: grafana
-  namespace: monitoring
-type: Opaque
---
-apiVersion: v1
 kind: Service
 metadata:
  name: grafana
--- a/k8s/nginx/BUILD.bazel
+++ b/k8s/nginx/BUILD.bazel
@@ -8,6 +8,7 @@ load("@k8s_namespace//:defaults.bzl", "k8s_namespace")
 load("@k8s_secret//:defaults.bzl", "k8s_secret")
 load("@k8s_service//:defaults.bzl", "k8s_service")
 load("@k8s_service_account//:defaults.bzl", "k8s_service_account")
+load("//tools:kubesec.bzl", "k8s_encrypted_secret")

 k8s_objects(
    name = "everything",
@@ -20,6 +21,7 @@ k8s_objects(
        ":service",
        ":service_account",
    ],
+    tags = ["manual"],
 )

 _NAMESPACE = "nginx-ingress"
@@ -28,6 +30,17 @@ k8s_secret(
    name = "default_server_secret",
    template = ":default-server-secret.yaml",
    namespace = _NAMESPACE,
+    tags = ["manual"],
+)
+
+k8s_encrypted_secret(
+    name = "default_server_secret_encrypted",
+    template = "default-server-secret-encrypted.yaml",
+    out = "default-server-secret.yaml",
+    tags = [
+        "local",
+        "manual",
+    ],
 )

 k8s_deploy(
--- a/k8s/nginx/default-server-secret-encrypted.yaml
+++ b/k8s/nginx/default-server-secret-encrypted.yaml
--- a/k8s/nginx/default-server-secret.yaml
+++ b/k8s/nginx/default-server-secret.yaml
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: default-server-secret
-  namespace: nginx-ingress
-type: Opaque
-data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN2akNDQWFZQ0NRREFPRjl0THNhWFhEQU5CZ2txaGtpRzl3MEJBUXNGQURBaE1SOHdIUVlEVlFRRERCWk8KUjBsT1dFbHVaM0psYzNORGIyNTBjbTlzYkdWeU1CNFhEVEU0TURreE1qRTRNRE16TlZvWERUSXpNRGt4TVRFNApNRE16TlZvd0lURWZNQjBHQTFVRUF3d1dUa2RKVGxoSmJtZHlaWE56UTI5dWRISnZiR3hsY2pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwvN2hIUEtFWGRMdjNyaUM3QlBrMTNpWkt5eTlyQ08KR2xZUXYyK2EzUDF0azIrS3YwVGF5aGRCbDRrcnNUcTZzZm8vWUk1Y2Vhbkw4WGM3U1pyQkVRYm9EN2REbWs1Qgo4eDZLS2xHWU5IWlg0Rm5UZ0VPaStlM2ptTFFxRlBSY1kzVnNPazFFeUZBL0JnWlJVbkNHZUtGeERSN0tQdGhyCmtqSXVuektURXUyaDU4Tlp0S21ScUJHdDEwcTNRYzhZT3ExM2FnbmovUWRjc0ZYYTJnMjB1K1lYZDdoZ3krZksKWk4vVUkxQUQ0YzZyM1lma1ZWUmVHd1lxQVp1WXN2V0RKbW1GNWRwdEMzN011cDBPRUxVTExSakZJOTZXNXIwSAo1TmdPc25NWFJNV1hYVlpiNWRxT3R0SmRtS3FhZ25TZ1JQQVpQN2MwQjFQU2FqYzZjNGZRVXpNQ0F3RUFBVEFOCkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWpLb2tRdGRPcEsrTzhibWVPc3lySmdJSXJycVFVY2ZOUitjb0hZVUoKdGhrYnhITFMzR3VBTWI5dm15VExPY2xxeC9aYzJPblEwMEJCLzlTb0swcitFZ1U2UlVrRWtWcitTTFA3NTdUWgozZWI4dmdPdEduMS9ienM3bzNBaS9kclkrcUI5Q2k1S3lPc3FHTG1US2xFaUtOYkcyR1ZyTWxjS0ZYQU80YTY3Cklnc1hzYktNbTQwV1U3cG9mcGltU1ZmaXFSdkV5YmN3N0NYODF6cFErUyt1eHRYK2VBZ3V0NHh3VlI5d2IyVXYKelhuZk9HbWhWNThDd1dIQnNKa0kxNXhaa2VUWXdSN0diaEFMSkZUUkk3dkhvQXprTWIzbjAxQjQyWjNrN3RXNQpJUDFmTlpIOFUvOWxiUHNoT21FRFZkdjF5ZytVRVJxbStGSis2R0oxeFJGcGZnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdi91RWM4b1JkMHUvZXVJTHNFK1RYZUprckxMMnNJNGFWaEMvYjVyYy9XMlRiNHEvClJOcktGMEdYaVN1eE9ycXgrajlnamx4NXFjdnhkenRKbXNFUkJ1Z1B0ME9hVGtIekhvb3FVWmcwZGxmZ1dkT0EKUTZMNTdlT1l0Q29VOUZ4amRXdzZUVVRJVUQ4R0JsRlNjSVo0b1hFTkhzbysyR3VTTWk2Zk1wTVM3YUhudzFtMApxWkdvRWEzWFNyZEJ6eGc2clhkcUNlUDlCMXl3VmRyYURiUzc1aGQzdUdETDU4cGszOVFqVUFQaHpxdmRoK1JWClZGNGJCaW9CbTVpeTlZTW1hWVhsMm0wTGZzeTZuUTRRdFFzdEdNVWozcGJtdlFmazJBNnljeGRFeFpkZFZsdmwKMm82MjBsMllxcHFDZEtCRThCay90elFIVTlKcU56cHpoOUJUTXdJREFRQUJBb0lCQVFDZklHbXowOHhRVmorNwpLZnZJUXQwQ0YzR2MxNld6eDhVNml4MHg4Mm15d1kxUUNlL3BzWE9LZlRxT1h1SENyUlp5TnUvZ2IvUUQ4bUFOCmxOMjRZTWl0TWRJODg5TEZoTkp3QU5OODJDeTczckM5bzVvUDlkazAvYzRIbjAzSkVYNzZ5QjgzQm9rR1FvYksKMjhMNk0rdHUzUmFqNjd6Vmc2d2szaEhrU0pXSzBwV1YrSjdrUkRWYmhDYUZhNk5nMUZNRWxhTlozVDhhUUtyQgpDUDNDeEFTdjYxWTk5TEI4KzNXWVFIK3NYaTVGM01pYVNBZ1BkQUk3WEh1dXFET1lvMU5PL0JoSGt1aVg2QnRtCnorNTZud2pZMy8yUytSRmNBc3JMTnIwMDJZZi9oY0IraVlDNzVWYmcydVd6WTY3TWdOTGQ5VW9RU3BDRkYrVm4KM0cyUnhybnhBb0dCQU40U3M0ZVlPU2huMVpQQjdhTUZsY0k2RHR2S2ErTGZTTXFyY2pOZjJlSEpZNnhubmxKdgpGenpGL2RiVWVTbWxSekR0WkdlcXZXaHFISy9iTjIyeWJhOU1WMDlRQ0JFTk5jNmtWajJTVHpUWkJVbEx4QzYrCk93Z0wyZHhKendWelU0VC84ajdHalRUN05BZVpFS2FvRHFyRG5BYWkyaW5oZU1JVWZHRXFGKzJyQW9HQkFOMVAKK0tZL0lsS3RWRzRKSklQNzBjUis3RmpyeXJpY05iWCtQVzUvOXFHaWxnY2grZ3l4b25BWlBpd2NpeDN3QVpGdwpaZC96ZFB2aTBkWEppc1BSZjRMazg5b2pCUmpiRmRmc2l5UmJYbyt3TFU4NUhRU2NGMnN5aUFPaTVBRHdVU0FkCm45YWFweUNweEFkREtERHdObit3ZFhtaTZ0OHRpSFRkK3RoVDhkaVpBb0dCQUt6Wis1bG9OOTBtYlF4VVh5YUwKMjFSUm9tMGJjcndsTmVCaWNFSmlzaEhYa2xpSVVxZ3hSZklNM2hhUVRUcklKZENFaHFsV01aV0xPb2I2NTNyZgo3aFlMSXM1ZUtka3o0aFRVdnpldm9TMHVXcm9CV2xOVHlGanIrSWhKZnZUc0hpOGdsU3FkbXgySkJhZUFVWUNXCndNdlQ4NmNLclNyNkQrZG8wS05FZzFsL0FvR0FlMkFVdHVFbFNqLzBmRzgrV3hHc1RFV1JqclRNUzRSUjhRWXQKeXdjdFA4aDZxTGxKUTRCWGxQU05rMXZLTmtOUkxIb2pZT2pCQTViYjhibXNVU1BlV09NNENoaFJ4QnlHbmR2eAphYkJDRkFwY0IvbEg4d1R0alVZYlN5T294ZGt5OEp0ek90ajJhS0FiZHd6NlArWDZDODhjZmxYVFo5MWpYL3RMCjF3TmRKS2tDZ1lCbyt0UzB5TzJ2SWFmK2UwSkN5TGhzVDQ5cTN3Zis2QWVqWGx2WDJ1VnRYejN5QTZnbXo5aCsKcDNlK2JMRUxwb3B0WFhNdUFRR0xhUkcrYlNNcjR5dERYbE5ZSndUeThXczNKY3dlSTdqZVp2b0ZpbmNvVlVIMwphdmxoTUVCRGYxSjltSDB5cDBwWUNaS2ROdHNvZEZtQktzVEtQMjJhTmtsVVhCS3gyZzR6cFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
--- a/tools/BUILD.bazel
+++ b/tools/BUILD.bazel
--- a/tools/kubesec.bzl
+++ b/tools/kubesec.bzl
@@ -0,0 +1,29 @@
+"""TODO: Add doc here"""
+
+load("@k8s_secret//:defaults.bzl", "k8s_secret")
+
+def _k8s_encrypted_secret_impl(ctx):
+  ctx.actions.run_shell(
+    inputs = [ctx.file.template],
+    outputs = [ctx.outputs.out],
+    progress_message = "Decrypting %s" % ctx.file.template,
+    tools = [ctx.executable._kubesec],
+    command = "%s decrypt %s > %s" % (ctx.executable._kubesec.path, ctx.file.template.path, ctx.outputs.out.path)
+  )
+
+k8s_encrypted_secret = rule(
+    implementation = _k8s_encrypted_secret_impl,
+    attrs = {
+      "_kubesec": attr.label(
+        executable = True,
+        cfg = "host",
+        default = "@com_github_shyiko_kubesec//:kubesec",
+      ),
+      "template": attr.label(
+          allow_files = True, 
+          single_file = True, 
+          mandatory = True
+      ),
+      "out": attr.output(mandatory = True),
+    },
+)