containerized
This commit is contained in:
43
deployment/decrypt-secrets.sh
Executable file
43
deployment/decrypt-secrets.sh
Executable file
@ -0,0 +1,43 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "$ENCRYPTION_KEY" = "" ]; then
|
||||
echo "ENCRYPTION_KEY not set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$MD5_CHECKSUM" = "" ]; then
|
||||
echo "No checksum given"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SECRETS_CIPHERTEXT_FILE=secrets.enc
|
||||
SECRETS_PLAINTEXT_FILE=/tmp/secrets
|
||||
TMP_FILE=`mktemp`
|
||||
POD_NAME_SUFFIX=`date +%s`
|
||||
|
||||
cat $SECRETS_CIPHERTEXT_FILE | \
|
||||
kubectl run openssl-$POD_NAME_SUFFIX \
|
||||
--rm \
|
||||
--image bitnami/debian-base-buildpack:latest \
|
||||
--env KEY=$ENCRYPTION_KEY \
|
||||
-i \
|
||||
-q \
|
||||
-- \
|
||||
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
|
||||
$TMP_FILE
|
||||
|
||||
if [ `uname` = "Darwin" ]; then
|
||||
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
|
||||
elif [ `uname` = "Linux" ]; then
|
||||
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
|
||||
fi
|
||||
|
||||
if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
|
||||
echo "Invalid checksum"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# cat $TMP_FILE
|
||||
mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
|
||||
|
||||
|
||||
62
deployment/deploy-yml.tmpl
Normal file
62
deployment/deploy-yml.tmpl
Normal file
@ -0,0 +1,62 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: oidc-python-example
|
||||
labels:
|
||||
app: oidc-python-example
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: oidc-python-example
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: oidc-python-example
|
||||
spec:
|
||||
containers:
|
||||
- name: oidc-python-example
|
||||
image: %IMAGE%
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: secrets
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
protocol: TCP
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: oidc-python-example
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: oidc-python-example
|
||||
ports:
|
||||
- name: http
|
||||
targetPort: 8080
|
||||
port: 80
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: oidc-python-example
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production-http
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- oidc-python-example.hottis.de
|
||||
secretName: oidc-python-example-cert
|
||||
rules:
|
||||
- host: oidc-python-example.hottis.de
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: oidc-python-example
|
||||
port:
|
||||
number: 80
|
||||
|
||||
43
deployment/deploy.sh
Executable file
43
deployment/deploy.sh
Executable file
@ -0,0 +1,43 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ "$IMAGE_TAG" == "" ]; then
|
||||
echo "Make sure IMAGE_TAG is set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
IMAGE_NAME=gitea.hottis.de/wn/oidc-python-example
|
||||
NAMESPACE=oidc-python-example
|
||||
DEPLOYMENT_DIR=$PWD/deployment
|
||||
|
||||
pushd $DEPLOYMENT_DIR > /dev/null
|
||||
./decrypt-secrets.sh || exit 1
|
||||
. /tmp/secrets
|
||||
rm /tmp/secrets
|
||||
|
||||
CLIENT_SECRETS=`cat oidc-config.json | sed -e's!%CLIENT_SECRET%!'$CLIENT_SECRET'!'`
|
||||
|
||||
kubectl create namespace $NAMESPACE \
|
||||
--dry-run=client \
|
||||
-o yaml | \
|
||||
kubectl -f - apply
|
||||
|
||||
kubectl create secret generic secrets \
|
||||
--dry-run=client \
|
||||
-o yaml \
|
||||
--save-config \
|
||||
--from-literal=SECRET="$SECRET" \
|
||||
--from-literal=CLIENT_SECRETS="$CLIENT_SECRETS" \
|
||||
--from-literal=PGUSER="$PGUSER" \
|
||||
--from-literal=PGPASSWORD="$PGPASSWORD" \
|
||||
--from-literal=PGDATABASE="$PGDATABASE" \
|
||||
--from-literal=PGHOST="timescaledb.database.svc.cluster.local" \
|
||||
--from-literal=PGSSLMODE="require" | \
|
||||
kubectl apply -f - -n $NAMESPACE
|
||||
|
||||
cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
|
||||
sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
|
||||
kubectl apply -f - -n $NAMESPACE
|
||||
|
||||
popd > /dev/null
|
||||
|
||||
27
deployment/encrypt-secrets.sh
Executable file
27
deployment/encrypt-secrets.sh
Executable file
@ -0,0 +1,27 @@
|
||||
#!/bin/bash
|
||||
|
||||
ENCRYPTION_KEY=`openssl rand -hex 32`
|
||||
echo $ENCRYPTION_KEY
|
||||
|
||||
SECRETS_PLAINTEXT_FILE=secrets.txt
|
||||
SECRETS_CIPHERTEXT_FILE=secrets.enc
|
||||
|
||||
if [ `uname` = "Darwin" ]; then
|
||||
cat $SECRETS_PLAINTEXT_FILE | md5
|
||||
elif [ `uname` = "Linux" ]; then
|
||||
cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
|
||||
fi
|
||||
|
||||
POD_NAME_SUFFIX=`date +%s`
|
||||
|
||||
cat $SECRETS_PLAINTEXT_FILE | \
|
||||
kubectl run openssl-$POD_NAME_SUFFIX \
|
||||
--rm \
|
||||
--image bitnami/debian-base-buildpack:latest \
|
||||
--env KEY=$ENCRYPTION_KEY \
|
||||
-i \
|
||||
-q \
|
||||
-- \
|
||||
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
|
||||
$SECRETS_CIPHERTEXT_FILE
|
||||
|
||||
13
deployment/oidc-config.json
Normal file
13
deployment/oidc-config.json
Normal file
@ -0,0 +1,13 @@
|
||||
{
|
||||
"web": {
|
||||
"issuer": "https://auth2.hottis.de/realms/hottis",
|
||||
"auth_uri": "https://auth2.hottis.de/ealms/hottis/protocol/openid-connect/auth",
|
||||
"client_id": "oidc-python-example",
|
||||
"client_secret": "%CLIENT_SECRET%",
|
||||
"redirect_uris": [
|
||||
"https://oidc-python-example.hottis.de/*"
|
||||
],
|
||||
"userinfo_uri": "https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo",
|
||||
"token_uri": "https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token"
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user