From 7eb7ec479836da52e145ff679261a861f76efe51 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Tue, 19 Dec 2023 11:43:29 +0100
Subject: [PATCH] secrets handling
---
.gitignore | 2 ++
deployment/decrypt-secrets.sh | 43 +++++++++++++++++++++++++++++++++++
deployment/encrypt-secrets.sh | 29 +++++++++++++++++++++++
deployment/secrets.enc | 4 ++++
4 files changed, 78 insertions(+)
create mode 100755 deployment/decrypt-secrets.sh
create mode 100755 deployment/encrypt-secrets.sh
create mode 100644 deployment/secrets.enc
diff --git a/.gitignore b/.gitignore
index c87032e..6c5c728 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@ src/udi/migrate_schema
 tmp/
 ENVDB
 ENVDB.cluster
+deployment/secrets.txt
+deployment/secrets
diff --git a/deployment/decrypt-secrets.sh b/deployment/decrypt-secrets.sh
new file mode 100755
index 0000000..aa7febb
--- /dev/null
+++ b/deployment/decrypt-secrets.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+ echo "ENCRYPTION_KEY not set"
+ exit 1
+fi
+
+MD5_CHECKSUM=$1
+if [ "$MD5_CHECKSUM" = "" ]; then
+ echo "No checksum given"
+ exit 1
+fi
+
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+SECRETS_PLAINTEXT_FILE=secrets
+TMP_FILE=`mktemp`
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_CIPHERTEXT_FILE | \
+ kubectl run openssl-$POD_NAME_SUFFIX \
+ --rm \
+ --image bitnami/debian-base-buildpack:latest \
+ --env KEY=$ENCRYPTION_KEY \
+ -i \
+ -q \
+ -- \
+ /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
+ $TMP_FILE
+
+if [ `uname` = "Darwin" ]; then
+ CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
+elif [ `uname` = "Linux" ]; then
+ CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
+fi
+
+if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
+ echo "Invalid checksum"
+ exit 1
+fi
+
+mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
+
+
diff --git a/deployment/encrypt-secrets.sh b/deployment/encrypt-secrets.sh
new file mode 100755
index 0000000..7a191bd
--- /dev/null
+++ b/deployment/encrypt-secrets.sh
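Review bot: `--env KEY=$ENCRYPTION_KEY` in the kubectl run invocation of decrypt-secrets.sh writes the decryption key into the pod spec and into the local command line, so anyone who can read pods in that namespace (or list processes on the operator's host) can recover it, and the spec is retained by the API server and its audit log; the same line appears in encrypt-secrets.sh. If openssl must run in-cluster, quote the expansion (`--env "KEY=$ENCRYPTION_KEY"`) and pin the image that receives the key and plaintext by digest rather than `:latest`, e.g. `--image bitnami/debian-base-buildpack@sha256:<digest-of-reviewed-image>`; running `openssl enc` locally would avoid exporting the key at all. Both scripts also call `openssl enc -aes-256-cbc` without `-pbkdf2`, which selects the legacy single-round MD5 key derivation and leaves secrets.enc weak against passphrase guessing — add `-pbkdf2` to both commands, since they must match. On a checksum mismatch the script exits with the decrypted candidate still in `$TMP_FILE`; a `trap 'rm -f -- "$TMP_FILE"' EXIT` placed right after the mktemp line removes it on every exit path and is a no-op after the final `mv`.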
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+ echo "ENCRYPTION_KEY not set"
+ exit 1
+fi
+
+SECRETS_PLAINTEXT_FILE=secrets.txt
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+
+if [ `uname` = "Darwin" ]; then
+ cat $SECRETS_PLAINTEXT_FILE | md5
+elif [ `uname` = "Linux" ]; then
+ cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
+fi
+
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_PLAINTEXT_FILE | \
+ kubectl run openssl-$POD_NAME_SUFFIX \
+ --rm \
+ --image bitnami/debian-base-buildpack:latest \
+ --env KEY=$ENCRYPTION_KEY \
+ -i \
+ -q \
+ -- \
+ /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
+ $SECRETS_CIPHERTEXT_FILE
+
diff --git a/deployment/secrets.enc b/deployment/secrets.enc
new file mode 100644
index 0000000..677797d
--- /dev/null
+++ b/deployment/secrets.enc
@@ -0,0 +1,4 @@
+U2FsdGVkX1+235sIaS3YkXthSjtLu/5ky8o0KGw4E0Bh2avnKV6Qg9XiKe5JnJOk
+IQcWgB9rwqg1oNFD1diaotk5AEGvejJawiUcsvHywx7U0XqGt7vhNdf3tp/Mjc0z
+BzbHykKfwnFzX3PACw78HJb+zk10DyDgEQ09o7wE6CZVCx5MXdbcZzrJ1a7a3edQ
++FKkrwK5L/byPJk7lOmdOxC+Kq+uVGWRToUniABbYYaBDvtpXytan8BVZcKSjQQ/
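Review bot: Nothing in encrypt-secrets.sh checks that `secrets.txt` exists or that the pipeline succeeded, so with a missing or unreadable plaintext `cat` fails, the pod most likely encrypts an empty stdin, and the existing `secrets.enc` is overwritten with that output while the script still exits 0. Add `set -euo pipefail` after the shebang and `[ -r "$SECRETS_PLAINTEXT_FILE" ] || { echo "secrets.txt not found" >&2; exit 1; }` before the checksum block, and quote the variable expansions throughout. The printed checksum is the only value that later ties the decrypted output back to this plaintext, yet on a platform other than Darwin or Linux the `if`/`elif` prints nothing and the script silently continues; an `else` arm that exits non-zero would make that failure explicit.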