secrets

.woodpecker.yml

@@ -15,14 +15,12 @@ steps:
       - event: [push, tag]
 
   deploy:
-    image: portainer/kubectl-shell:latest
+    image: quay.io/wollud1969/k8s-admin-helper:0.1.1
     secrets:
       - source: kube_config
         target: KUBE_CONFIG_CONTENT
-      - source: encryption_key
+      - source: gpg_passphrase
-        target: ENCRYPTION_KEY
+        target: GPG_PASSPHRASE
-      - source: secrets_checksum
-        target: MD5_CHECKSUM
     commands:
       - export IMAGE_TAG=$CI_COMMIT_TAG
       - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig

deployment/decrypt-secrets.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-
-if [ "$ENCRYPTION_KEY" = "" ]; then
-  echo "ENCRYPTION_KEY not set"
-  exit 1
-fi
-
-if [ "$MD5_CHECKSUM" = "" ]; then
-  echo "No checksum given"
-  exit 1
-fi
-
-SECRETS_CIPHERTEXT_FILE=secrets.enc
-SECRETS_PLAINTEXT_FILE=/tmp/secrets
-TMP_FILE=`mktemp`
-POD_NAME_SUFFIX=`date +%s`
-
-cat $SECRETS_CIPHERTEXT_FILE | \
-  kubectl run openssl-$POD_NAME_SUFFIX \
-    --rm \
-    --image bitnami/debian-base-buildpack:latest \
-    --env KEY=$ENCRYPTION_KEY \
-    -i \
-    -q \
-    -- \
-    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
-    $TMP_FILE
-
-if [ `uname` = "Darwin" ]; then
-  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
-elif [ `uname` = "Linux" ]; then
-  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
-fi
-
-if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
-  echo "Invalid checksum"
-  exit 1
-fi
-
-# cat $TMP_FILE
-mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
-
-

deployment/deploy.sh

@@ -4,16 +4,20 @@ if [ "$IMAGE_TAG" == "" ]; then
   echo "Make sure IMAGE_TAG is set"
   exit 1
 fi
-
+if [ "$GPG_PASSPHRASE" == "" ]; then
+  echo "Make sure GPG_PASSPHRASE is set"
+  exit 1
+fi
 
 IMAGE_NAME=gitea.hottis.de/wn/jupyter-scipy-database-extension
 NAMESPACE=jupyter
 DEPLOYMENT_DIR=$PWD/deployment
 
 pushd $DEPLOYMENT_DIR > /dev/null
-./decrypt-secrets.sh || exit 1 
+SECRETS_FILE=`mktemp`
-. /tmp/secrets
+gpg --decrypt --passphrase $GPG_PASSPHRASE --output $SECRETS_FILE secrets.asc
-rm /tmp/secrets
+. $SECRETS_FILE
+rm $SECRETS_FILE
 
 kubectl create namespace $NAMESPACE \
   --dry-run=client \

deployment/encrypt-secrets.sh

@@ -1,29 +0,0 @@
-#!/bin/bash
-
-
-ENCRYPTION_KEY=`openssl rand -hex 32`
-echo "Secret: $ENCRYPTION_KEY"
-
-SECRETS_PLAINTEXT_FILE=secrets.txt
-SECRETS_CIPHERTEXT_FILE=secrets.enc
-
-echo -n "Checksum: "
-if [ `uname` = "Darwin" ]; then
-  cat $SECRETS_PLAINTEXT_FILE | md5
-elif [ `uname` = "Linux" ]; then
-  cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
-fi
-
-POD_NAME_SUFFIX=`date +%s`
-
-cat $SECRETS_PLAINTEXT_FILE | \
-  kubectl run openssl-$POD_NAME_SUFFIX \
-    --rm \
-    --image bitnami/debian-base-buildpack:latest \
-    --env KEY=$ENCRYPTION_KEY \
-    -i \
-    -q \
-    -- \
-    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
-    $SECRETS_CIPHERTEXT_FILE
-

deployment/secrets.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIRRDA3tLPq/P80qEBBkf5y9YXGgVALu7PoL1Q9a4z+O3IvGZMpXMRW+tA
+Y8Eg7m1il59YrCoHTLXMRHHaVB4hXh6b80Idb/39D5KhqI6I3vQkFiLikAqTa/pE
+t+oPv7SPycPz86kn1+HC5O7VY12e5aMrtS7HQYJBwpCYew0efKTA0UsbThU5HtiL
+kX0oy17vPl4332K5CHFYxZnZkuXis4OxJAOyt3f0+NOp5Q==
+=ez3L
+-----END PGP MESSAGE-----

deployment/secrets.enc

@@ -1,3 +0,0 @@
-U2FsdGVkX1/DwEZGvknc8YAi/Q1qFosoM3KijruFtWGOpr7IDpW2cSGosg3Afc+t
-d7D/pJFDAT+TZhZZyTLnf4Y4kTOkaTe5GrFBMDKM0w/qQW5eZGNvmOo6s5/a1RKH
-OMRZOWrnDa4U1pgjVE6p225PSQf+IpKFherLnZ2QJIQ=