wn/universal-data-ingest
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

secrets handling

Browse Source
This commit is contained in:
Wolfgang Hottgenroth
2023-12-19 11:43:29 +01:00
parent bcc74dda29
commit 7eb7ec4798
4 changed files with 78 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -3,3 +3,5 @@ src/udi/migrate_schema
tmp/
ENVDB
ENVDB.cluster
deployment/secrets.txt
deployment/secrets

43
deployment/decrypt-secrets.sh Executable file
View File

@ -0,0 +1,43 @@
#!/bin/bash
if [ "$ENCRYPTION_KEY" = "" ]; then
echo "ENCRYPTION_KEY not set"
exit 1
fi
MD5_CHECKSUM=$1
if [ "$MD5_CHECKSUM" = "" ]; then
echo "No checksum given"
exit 1
fi
SECRETS_CIPHERTEXT_FILE=secrets.enc
SECRETS_PLAINTEXT_FILE=secrets
TMP_FILE=`mktemp`
POD_NAME_SUFFIX=`date +%s`
cat $SECRETS_CIPHERTEXT_FILE | \
kubectl run openssl-$POD_NAME_SUFFIX \
--rm \
--image bitnami/debian-base-buildpack:latest \
--env KEY=$ENCRYPTION_KEY \
-i \
-q \
-- \
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
$TMP_FILE
if [ `uname` = "Darwin" ]; then
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
elif [ `uname` = "Linux" ]; then
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
fi
if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
echo "Invalid checksum"
exit 1
fi
mv $TMP_FILE $SECRETS_PLAINTEXT_FILE

29
deployment/encrypt-secrets.sh Executable file
View File

@ -0,0 +1,29 @@
#!/bin/bash
if [ "$ENCRYPTION_KEY" = "" ]; then
echo "ENCRYPTION_KEY not set"
exit 1
fi
SECRETS_PLAINTEXT_FILE=secrets.txt
SECRETS_CIPHERTEXT_FILE=secrets.enc
if [ `uname` = "Darwin" ]; then
cat $SECRETS_PLAINTEXT_FILE | md5
elif [ `uname` = "Linux" ]; then
cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
fi
POD_NAME_SUFFIX=`date +%s`
cat $SECRETS_PLAINTEXT_FILE | \
kubectl run openssl-$POD_NAME_SUFFIX \
--rm \
--image bitnami/debian-base-buildpack:latest \
--env KEY=$ENCRYPTION_KEY \
-i \
-q \
-- \
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
$SECRETS_CIPHERTEXT_FILE

4
deployment/secrets.enc Normal file
View File

@ -0,0 +1,4 @@
U2FsdGVkX1+235sIaS3YkXthSjtLu/5ky8o0KGw4E0Bh2avnKV6Qg9XiKe5JnJOk
IQcWgB9rwqg1oNFD1diaotk5AEGvejJawiUcsvHywx7U0XqGt7vhNdf3tp/Mjc0z
BzbHykKfwnFzX3PACw78HJb+zk10DyDgEQ09o7wE6CZVCx5MXdbcZzrJ1a7a3edQ
+FKkrwK5L/byPJk7lOmdOxC+Kq+uVGWRToUniABbYYaBDvtpXytan8BVZcKSjQQ/