secrets
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful

2025-01-22 15:08:18 +01:00
parent fcdf97a9fa
commit 87bb67365a
6 changed files with 19 additions and 84 deletions


@ -1,43 +0,0 @@
#!/bin/bash
if [ "$ENCRYPTION_KEY" = "" ]; then
echo "ENCRYPTION_KEY not set"
exit 1
fi
if [ "$MD5_CHECKSUM" = "" ]; then
echo "No checksum given"
exit 1
fi
SECRETS_CIPHERTEXT_FILE=secrets.enc
SECRETS_PLAINTEXT_FILE=/tmp/secrets
TMP_FILE=`mktemp`
POD_NAME_SUFFIX=`date +%s`
cat $SECRETS_CIPHERTEXT_FILE | \
kubectl run openssl-$POD_NAME_SUFFIX \
--rm \
--image bitnami/debian-base-buildpack:latest \
--env KEY=$ENCRYPTION_KEY \
-i \
-q \
-- \
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
$TMP_FILE
if [ `uname` = "Darwin" ]; then
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
elif [ `uname` = "Linux" ]; then
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
fi
if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
echo "Invalid checksum"
exit 1
fi
# cat $TMP_FILE
mv $TMP_FILE $SECRETS_PLAINTEXT_FILE


@ -4,16 +4,20 @@ if [ "$IMAGE_TAG" == "" ]; then
echo "Make sure IMAGE_TAG is set"
exit 1
fi
if [ "$GPG_PASSPHRASE" == "" ]; then
echo "Make sure GPG_PASSPHRASE is set"
exit 1
fi
IMAGE_NAME=gitea.hottis.de/wn/jupyter-scipy-database-extension
NAMESPACE=jupyter
DEPLOYMENT_DIR=$PWD/deployment
pushd $DEPLOYMENT_DIR > /dev/null
./decrypt-secrets.sh || exit 1
. /tmp/secrets
rm /tmp/secrets
SECRETS_FILE=`mktemp`
gpg --decrypt --passphrase $GPG_PASSPHRASE --output $SECRETS_FILE secrets.asc
. $SECRETS_FILE
rm $SECRETS_FILE
kubectl create namespace $NAMESPACE \
--dry-run=client \
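Review bot: The added `gpg --decrypt --passphrase $GPG_PASSPHRASE ...` line puts the passphrase on gpg's command line, where it can be read from the process list and from any `set -x` trace, and its exit status is never checked before `. $SECRETS_FILE` sources the output (the removed `./decrypt-secrets.sh || exit 1` did stop on failure). I would pass the passphrase on stdin and fail closed: `gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --decrypt --output "$SECRETS_FILE" secrets.asc <<<"$GPG_PASSPHRASE" || exit 1`. `--yes` is included because `mktemp` has already created the output file, which gpg would presumably otherwise ask to overwrite, and `--pinentry-mode loopback` is likely needed on GnuPG 2.1+ for a non-interactive passphrase. A `trap 'rm -f "$SECRETS_FILE"' EXIT` directly after the `mktemp` would also remove the plaintext if the script aborts before reaching the `rm`. The `kubectl create namespace` command continues past the end of this hunk.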


@ -1,29 +0,0 @@
#!/bin/bash
ENCRYPTION_KEY=`openssl rand -hex 32`
echo "Secret: $ENCRYPTION_KEY"
SECRETS_PLAINTEXT_FILE=secrets.txt
SECRETS_CIPHERTEXT_FILE=secrets.enc
echo -n "Checksum: "
if [ `uname` = "Darwin" ]; then
cat $SECRETS_PLAINTEXT_FILE | md5
elif [ `uname` = "Linux" ]; then
cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
fi
POD_NAME_SUFFIX=`date +%s`
cat $SECRETS_PLAINTEXT_FILE | \
kubectl run openssl-$POD_NAME_SUFFIX \
--rm \
--image bitnami/debian-base-buildpack:latest \
--env KEY=$ENCRYPTION_KEY \
-i \
-q \
-- \
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
$SECRETS_CIPHERTEXT_FILE

8
deployment/secrets.asc Normal file

@ -0,0 +1,8 @@
-----BEGIN PGP MESSAGE-----
jA0ECQMIRRDA3tLPq/P80qEBBkf5y9YXGgVALu7PoL1Q9a4z+O3IvGZMpXMRW+tA
Y8Eg7m1il59YrCoHTLXMRHHaVB4hXh6b80Idb/39D5KhqI6I3vQkFiLikAqTa/pE
t+oPv7SPycPz86kn1+HC5O7VY12e5aMrtS7HQYJBwpCYew0efKTA0UsbThU5HtiL
kX0oy17vPl4332K5CHFYxZnZkuXis4OxJAOyt3f0+NOp5Q==
=ez3L
-----END PGP MESSAGE-----


@ -1,3 +0,0 @@
U2FsdGVkX1/DwEZGvknc8YAi/Q1qFosoM3KijruFtWGOpr7IDpW2cSGosg3Afc+t
d7D/pJFDAT+TZhZZyTLnf4Y4kTOkaTe5GrFBMDKM0w/qQW5eZGNvmOo6s5/a1RKH
OMRZOWrnDa4U1pgjVE6p225PSQf+IpKFherLnZ2QJIQ=