secrets

2024-01-29 17:32:14 +01:00 · 2024-01-29 17:32:14 +01:00 · cb4c5ab769
commit cb4c5ab769
parent 84dc821eca
7 changed files with 90 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+deployment/secrets.txt
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -19,6 +19,10 @@ steps:
    secrets:
      - source: kube_config
        target: KUBE_CONFIG_CONTENT
+      - source: encryption_key
+        target: ENCRYPTION_KEY
+      - source: secrets_checksum
+        target: MD5_CHECKSUM
    commands:
      - export IMAGE_TAG=$CI_COMMIT_TAG
      - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
--- a/deployment/decrypt-secrets.sh
+++ b/deployment/decrypt-secrets.sh
@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+  echo "ENCRYPTION_KEY not set"
+  exit 1
+fi
+
+if [ "$MD5_CHECKSUM" = "" ]; then
+  echo "No checksum given"
+  exit 1
+fi
+
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+SECRETS_PLAINTEXT_FILE=/tmp/secrets
+TMP_FILE=`mktemp`
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_CIPHERTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
+    $TMP_FILE
+
+if [ `uname` = "Darwin" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
+elif [ `uname` = "Linux" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
+fi
+
+if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
+  echo "Invalid checksum"
+  exit 1
+fi
+
+# cat $TMP_FILE
+mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
+
+
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@ -11,12 +11,23 @@ NAMESPACE=jupyter
 DEPLOYMENT_DIR=$PWD/deployment

 pushd $DEPLOYMENT_DIR > /dev/null
+./decrypt-secrets.sh || exit 1 
+. /tmp/secrets
+rm /tmp/secrets

 kubectl create namespace $NAMESPACE \
  --dry-run=client \
  -o yaml | \
  kubectl -f - apply

+kubectl create secret generic locsrv-db-cred \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
+  --from-literal=SECRET="$SECRET" | \
+  kubectl apply -f - -n $NAMESPACE
+

 cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
  sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
--- a/deployment/encrypt-secrets.sh
+++ b/deployment/encrypt-secrets.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+
+
+ENCRYPTION_KEY=`openssl rand -hex 32`
+echo $ENCRYPTION_KEY
+
+SECRETS_PLAINTEXT_FILE=secrets.txt
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+
+if [ `uname` = "Darwin" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5
+elif [ `uname` = "Linux" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
+fi
+
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_PLAINTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
+    $SECRETS_CIPHERTEXT_FILE
+
--- a/deployment/secret.yml
+++ b/deployment/secret.yml
@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: traefik-forward-auth
-type: Opaque
-data:
-  PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
-  SECRET: PLACEHOLDER
-
--- a/deployment/secrets.enc
+++ b/deployment/secrets.enc
@ -0,0 +1,3 @@
+U2FsdGVkX1+ieFWR0PfwpZvaYyk9EzC6noAzAyjeRxrX4UDdQ5cIE1Rdtymt/eo5
+acU7SqzyrCRaJyCvAgqrqbNCn3qgL+PENLZbcyT8115MlIVSmMfkBXhN6Mc1KMOo
+todGAfQ9twY/tsuoxwTeb621IBiq4XwhRPMI1+xsoNk=