From 87bb67365a8fb1828d7e4b4dd3aee1e4513ffa08 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Wed, 22 Jan 2025 15:08:18 +0100
Subject: [PATCH] secrets
---
 .woodpecker.yml | 8 +++----
 deployment/decrypt-secrets.sh | 43 -----------------------------------
 deployment/deploy.sh | 12 ++++++----
 deployment/encrypt-secrets.sh | 29 -----------------------------
 deployment/secrets.asc | 8 +++++++
 deployment/secrets.enc | 3 ---
 6 files changed, 19 insertions(+), 84 deletions(-)
 delete mode 100755 deployment/decrypt-secrets.sh
 delete mode 100755 deployment/encrypt-secrets.sh
 create mode 100644 deployment/secrets.asc
 delete mode 100644 deployment/secrets.enc
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 64d5ee9..1a26545 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -15,14 +15,12 @@ steps:
 - event: [push, tag]
 deploy:
- image: portainer/kubectl-shell:latest
+ image: quay.io/wollud1969/k8s-admin-helper:0.1.1
 secrets:
 - source: kube_config
 target: KUBE_CONFIG_CONTENT
- - source: encryption_key
- target: ENCRYPTION_KEY
- - source: secrets_checksum
- target: MD5_CHECKSUM
+ - source: gpg_passphrase
+ target: GPG_PASSPHRASE
 commands:
 - export IMAGE_TAG=$CI_COMMIT_TAG
 - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
diff --git a/deployment/decrypt-secrets.sh b/deployment/decrypt-secrets.sh
deleted file mode 100755
index d971ca7..0000000
--- a/deployment/decrypt-secrets.sh
+++ /dev/null
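Review bot: The new `image: quay.io/wollud1969/k8s-admin-helper:0.1.1` in the deploy step is pinned only by a mutable tag, and this is the step that receives both the kubeconfig and the GPG passphrase as secrets, so a re-pushed tag would run arbitrary code with cluster credentials. Pinning by digest, `image: quay.io/wollud1969/k8s-admin-helper:0.1.1@sha256:<image-digest>`, and noting in a comment where that image is built would close this; the replaced `portainer/kubectl-shell:latest` had the same weakness, so the tag is already an improvement. The step's `commands` list continues outside the hunk.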
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-if [ "$ENCRYPTION_KEY" = "" ]; then
- echo "ENCRYPTION_KEY not set"
- exit 1
-fi
-
-if [ "$MD5_CHECKSUM" = "" ]; then
- echo "No checksum given"
- exit 1
-fi
-
-SECRETS_CIPHERTEXT_FILE=secrets.enc
-SECRETS_PLAINTEXT_FILE=/tmp/secrets
-TMP_FILE=`mktemp`
-POD_NAME_SUFFIX=`date +%s`
-
-cat $SECRETS_CIPHERTEXT_FILE | \
- kubectl run openssl-$POD_NAME_SUFFIX \
- --rm \
- --image bitnami/debian-base-buildpack:latest \
- --env KEY=$ENCRYPTION_KEY \
- -i \
- -q \
- -- \
- /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
- $TMP_FILE
-
-if [ `uname` = "Darwin" ]; then
- CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
-elif [ `uname` = "Linux" ]; then
- CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
-fi
-
-if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
- echo "Invalid checksum"
- exit 1
-fi
-
-# cat $TMP_FILE
-mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
-
-
diff --git a/deployment/deploy.sh b/deployment/deploy.sh
index 5f2448b..3f7c1f3 100755
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@@ -4,16 +4,20 @@ if [ "$IMAGE_TAG" == "" ]; then
 echo "Make sure IMAGE_TAG is set"
 exit 1
 fi
-
+if [ "$GPG_PASSPHRASE" == "" ]; then
+ echo "Make sure GPG_PASSPHRASE is set"
+ exit 1
+fi
 IMAGE_NAME=gitea.hottis.de/wn/jupyter-scipy-database-extension
 NAMESPACE=jupyter
 DEPLOYMENT_DIR=$PWD/deployment
 pushd $DEPLOYMENT_DIR > /dev/null
-./decrypt-secrets.sh || exit 1
-. /tmp/secrets
-rm /tmp/secrets
+SECRETS_FILE=`mktemp`
+gpg --decrypt --passphrase $GPG_PASSPHRASE --output $SECRETS_FILE secrets.asc
+. $SECRETS_FILE
+rm $SECRETS_FILE
 kubectl create namespace $NAMESPACE \
 --dry-run=client \
diff --git a/deployment/encrypt-secrets.sh b/deployment/encrypt-secrets.sh
deleted file mode 100755
index 1af3f5f..0000000
--- a/deployment/encrypt-secrets.sh
+++ /dev/null
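Review bot: The new `gpg --decrypt --passphrase $GPG_PASSPHRASE --output $SECRETS_FILE secrets.asc` line in deploy.sh puts the passphrase on the command line, where it is readable by any process on the runner through `ps` and appears in any shell trace, and unlike the removed `./decrypt-secrets.sh || exit 1` its exit status is not checked, so a wrong passphrase or missing `secrets.asc` leaves the script sourcing an empty temp file and carrying on with the deploy while the secret variables are unset. Two smaller points: gpg 2.1 and later need `--batch --pinentry-mode loopback` to accept a passphrase non-interactively, and `--output` aimed at the file `mktemp` has already created will likely make gpg prompt (or, in batch mode, refuse) to overwrite it, which redirecting stdout avoids. Feeding the passphrase on stdin with `--passphrase-fd 0` and checking the result looks like the four lines below; `$GPG_PASSPHRASE` and `$SECRETS_FILE` should also be quoted. The script continues past the hunk, so the `kubectl` steps that consume the sourced variables are not visible here.
```shell
SECRETS_FILE=$(mktemp) || exit 1
printf '%s' "$GPG_PASSPHRASE" \
  | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
      --decrypt secrets.asc > "$SECRETS_FILE" || { rm -f -- "$SECRETS_FILE"; exit 1; }
. "$SECRETS_FILE"
rm -f -- "$SECRETS_FILE"
```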
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-
-ENCRYPTION_KEY=`openssl rand -hex 32`
-echo "Secret: $ENCRYPTION_KEY"
-
-SECRETS_PLAINTEXT_FILE=secrets.txt
-SECRETS_CIPHERTEXT_FILE=secrets.enc
-
-echo -n "Checksum: "
-if [ `uname` = "Darwin" ]; then
- cat $SECRETS_PLAINTEXT_FILE | md5
-elif [ `uname` = "Linux" ]; then
- cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
-fi
-
-POD_NAME_SUFFIX=`date +%s`
-
-cat $SECRETS_PLAINTEXT_FILE | \
- kubectl run openssl-$POD_NAME_SUFFIX \
- --rm \
- --image bitnami/debian-base-buildpack:latest \
- --env KEY=$ENCRYPTION_KEY \
- -i \
- -q \
- -- \
- /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
- $SECRETS_CIPHERTEXT_FILE
-
diff --git a/deployment/secrets.asc b/deployment/secrets.asc
new file mode 100644
index 0000000..88a6f0b
--- /dev/null
+++ b/deployment/secrets.asc
@@ -0,0 +1,8 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIRRDA3tLPq/P80qEBBkf5y9YXGgVALu7PoL1Q9a4z+O3IvGZMpXMRW+tA
+Y8Eg7m1il59YrCoHTLXMRHHaVB4hXh6b80Idb/39D5KhqI6I3vQkFiLikAqTa/pE
+t+oPv7SPycPz86kn1+HC5O7VY12e5aMrtS7HQYJBwpCYew0efKTA0UsbThU5HtiL
+kX0oy17vPl4332K5CHFYxZnZkuXis4OxJAOyt3f0+NOp5Q==
+=ez3L
+-----END PGP MESSAGE-----
diff --git a/deployment/secrets.enc b/deployment/secrets.enc
deleted file mode 100644
index ad2669c..0000000
--- a/deployment/secrets.enc
+++ /dev/null
@@ -1,3 +0,0 @@
-U2FsdGVkX1/DwEZGvknc8YAi/Q1qFosoM3KijruFtWGOpr7IDpW2cSGosg3Afc+t
-d7D/pJFDAT+TZhZZyTLnf4Y4kTOkaTe5GrFBMDKM0w/qQW5eZGNvmOo6s5/a1RKH
-OMRZOWrnDa4U1pgjVE6p225PSQf+IpKFherLnZ2QJIQ=