diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f3768d6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+deployment/secrets.txt
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 5707c7a..64d5ee9 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -19,6 +19,10 @@ steps:
 secrets:
 - source: kube_config
 target: KUBE_CONFIG_CONTENT
+ - source: encryption_key
+ target: ENCRYPTION_KEY
+ - source: secrets_checksum
+ target: MD5_CHECKSUM
 commands:
 - export IMAGE_TAG=$CI_COMMIT_TAG
 - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
diff --git a/deployment/decrypt-secrets.sh b/deployment/decrypt-secrets.sh
new file mode 100755
index 0000000..d971ca7
--- /dev/null
+++ b/deployment/decrypt-secrets.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+ echo "ENCRYPTION_KEY not set"
+ exit 1
+fi
+
+if [ "$MD5_CHECKSUM" = "" ]; then
+ echo "No checksum given"
+ exit 1
+fi
+
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+SECRETS_PLAINTEXT_FILE=/tmp/secrets
+TMP_FILE=`mktemp`
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_CIPHERTEXT_FILE | \
+ kubectl run openssl-$POD_NAME_SUFFIX \
+ --rm \
+ --image bitnami/debian-base-buildpack:latest \
+ --env KEY=$ENCRYPTION_KEY \
+ -i \
+ -q \
+ -- \
+ /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
+ $TMP_FILE
+
+if [ `uname` = "Darwin" ]; then
+ CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
+elif [ `uname` = "Linux" ]; then
+ CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
+fi
+
+if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
+ echo "Invalid checksum"
+ exit 1
+fi
+
+# cat $TMP_FILE
+mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
+
+
diff --git a/deployment/deploy.sh b/deployment/deploy.sh
index d0d1bdd..6a5fb23 100755
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
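Review bot: The decrypted plaintext written to `$TMP_FILE` is left behind in /tmp on every early exit of decrypt-secrets.sh (the "Invalid checksum" branch, and the case where `uname` is neither Darwin nor Linux so CALCULATED_CHECKSUM stays unset and the comparison fails), because nothing removes it before `exit 1`; add `trap 'rm -f -- "$TMP_FILE"' EXIT` directly after the `mktemp` line, which is harmless once the final `mv` has moved the file away. Passing the key as `--env KEY=$ENCRYPTION_KEY` to `kubectl run` also writes it into the Pod spec, where it is readable by anyone with pod read access in that namespace and, if enabled, in the API audit log; running `openssl` inside the CI container itself, or mounting the key from a Kubernetes Secret, keeps it out of the object store, and the same applies to the matching `--env` line in encrypt-secrets.sh. The checksum is MD5 of the plaintext compared against a trusted CI secret, which gives a modest integrity check on the otherwise unauthenticated CBC output; `sha256sum` on Linux and `shasum -a 256` on macOS is a drop-in upgrade on both sides. Without `set -o pipefail`, a failed `kubectl run` only surfaces as a checksum mismatch rather than as its own error.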
@@ -11,12 +11,23 @@ NAMESPACE=jupyter
 DEPLOYMENT_DIR=$PWD/deployment
 pushd $DEPLOYMENT_DIR > /dev/null
+./decrypt-secrets.sh || exit 1
+. /tmp/secrets
+rm /tmp/secrets
 kubectl create namespace $NAMESPACE \
 --dry-run=client \
 -o yaml | \
 kubectl -f - apply
+kubectl create secret generic locsrv-db-cred \
+ --dry-run=client \
+ -o yaml \
+ --save-config \
+ --from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
+ --from-literal=SECRET="$SECRET" | \
+ kubectl apply -f - -n $NAMESPACE
+
 cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
 sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
diff --git a/deployment/encrypt-secrets.sh b/deployment/encrypt-secrets.sh
new file mode 100755
index 0000000..440c3b7
--- /dev/null
+++ b/deployment/encrypt-secrets.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+
+ENCRYPTION_KEY=`openssl rand -hex 32`
+echo $ENCRYPTION_KEY
+
+SECRETS_PLAINTEXT_FILE=secrets.txt
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+
+if [ `uname` = "Darwin" ]; then
+ cat $SECRETS_PLAINTEXT_FILE | md5
+elif [ `uname` = "Linux" ]; then
+ cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
+fi
+
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_PLAINTEXT_FILE | \
+ kubectl run openssl-$POD_NAME_SUFFIX \
+ --rm \
+ --image bitnami/debian-base-buildpack:latest \
+ --env KEY=$ENCRYPTION_KEY \
+ -i \
+ -q \
+ -- \
+ /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
+ $SECRETS_CIPHERTEXT_FILE
+
diff --git a/deployment/secret.yml b/deployment/secret.yml
deleted file mode 100644
index eb841a8..0000000
--- a/deployment/secret.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: traefik-forward-auth
-type: Opaque
-data:
- PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
- SECRET: PLACEHOLDER
-
diff --git a/deployment/secrets.enc b/deployment/secrets.enc
new file mode 100644
index 0000000..6ecf04f
--- /dev/null
+++ b/deployment/secrets.enc
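Review bot: After `. /tmp/secrets`, the new `kubectl create secret generic locsrv-db-cred` block creates the Secret with empty values if the sourced file does not define `PROVIDERS_OIDC_CLIENT_SECRET` or `SECRET`, because deploy.sh runs without `set -u` and the quoted `--from-literal` arguments expand to empty strings without complaint; add `: "${PROVIDERS_OIDC_CLIENT_SECRET:?missing from decrypted secrets}"` and `: "${SECRET:?missing from decrypted secrets}"` right after the `rm /tmp/secrets` line so a bad or stale secrets file aborts the deploy before anything is applied. Note also that the deleted deployment/secret.yml named the Secret `traefik-forward-auth` while the new one is `locsrv-db-cred`; if deploy-yml.tmpl (not visible here) still references the old name, the workload will fail to resolve its secret at runtime. The `cat | sed` pipeline at the end of the hunk continues outside it.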
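Review bot: Nothing in encrypt-secrets.sh checks that `secrets.txt` exists before the two `cat $SECRETS_PLAINTEXT_FILE` pipelines, so a missing or unreadable file only produces cat's error on stderr while the script carries on, prints the MD5 of empty input and overwrites `secrets.enc` with the ciphertext of an empty stream, which decrypt-secrets.sh would then accept if that checksum were pasted into CI; add `[ -r "$SECRETS_PLAINTEXT_FILE" ] || { echo "$SECRETS_PLAINTEXT_FILE not found" >&2; exit 1; }` after the two filename assignments, and `set -o pipefail` at the top so a failed `kubectl run` does not leave a truncated `secrets.enc` behind with exit status 0. The key and the checksum are printed unlabelled on consecutive lines of stdout, which invites pasting them into the wrong Woodpecker secret; a `printf 'ENCRYPTION_KEY=%s\n' "$ENCRYPTION_KEY"` / `printf 'MD5_CHECKSUM=%s\n' ...` style makes the mapping explicit.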
@@ -0,0 +1,3 @@ +U2FsdGVkX1+ieFWR0PfwpZvaYyk9EzC6noAzAyjeRxrX4UDdQ5cIE1Rdtymt/eo5 +acU7SqzyrCRaJyCvAgqrqbNCn3qgL+PENLZbcyT8115MlIVSmMfkBXhN6Mc1KMOo +todGAfQ9twY/tsuoxwTeb621IBiq4XwhRPMI1+xsoNk=