add udi-berresheim

.gitignore

@@ -3,3 +3,5 @@ src/udi/migrate_schema
 tmp/
 ENVDB
 ENVDB.cluster
+deployment/secrets.txt
+deployment/secrets

.woodpecker.yml

@@ -2,8 +2,7 @@ steps:
   build:
     image: plugins/kaniko
     settings:
-      repo:
-        from_secret: image_name
+      repo: gitea.hottis.de/wn/udi
       registry: 
         from_secret: container_registry
       tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
@@ -20,6 +19,10 @@ steps:
     secrets:
       - source: kube_config
         target: KUBE_CONFIG_CONTENT
+      - source: encryption_key
+        target: ENCRYPTION_KEY
+      - source: secrets_checksum
+        target: MD5_CHECKSUM
     commands:
       - export IMAGE_TAG=$CI_COMMIT_TAG
       - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig

deployment/decrypt-secrets.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+  echo "ENCRYPTION_KEY not set"
+  exit 1
+fi
+
+if [ "$MD5_CHECKSUM" = "" ]; then
+  echo "No checksum given"
+  exit 1
+fi
+
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+SECRETS_PLAINTEXT_FILE=/tmp/secrets
+TMP_FILE=`mktemp`
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_CIPHERTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
+    $TMP_FILE
+
+if [ `uname` = "Darwin" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
+elif [ `uname` = "Linux" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
+fi
+
+if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
+  echo "Invalid checksum"
+  exit 1
+fi
+
+# cat $TMP_FILE
+mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
+
+

deployment/deploy.sh

@@ -5,6 +5,7 @@ if [ "$IMAGE_TAG" == "" ]; then
   exit 1
 fi
 
+
 IMAGE_NAME=gitea.hottis.de/wn/udi
 
 CONFIG_FILE=config.json
@@ -13,8 +14,13 @@ CONFIG_FILE=config.json
 DEPLOYMENT_DIR=$PWD/deployment
 INSTANCES_DIR=$DEPLOYMENT_DIR/instances
 
+pushd $DEPLOYMENT_DIR > /dev/null
+./decrypt-secrets.sh || exit 1 
+. /tmp/secrets
+rm /tmp/secrets
+popd > /dev/null
 
-for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -depth 1`; do
+for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -mindepth 1 -maxdepth 1`; do
   NAMESPACE=`basename $NAMESPACE_DIR`
   echo "Namespace: $NAMESPACE"
 
@@ -24,7 +30,7 @@ for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -depth 1`; do
     kubectl -f - apply
 
   pushd $NAMESPACE_DIR > /dev/null
-  for INSTANCE_DIR in `find . -type d -depth 1`; do
+  for INSTANCE_DIR in `find . -type d -mindepth 1 -maxdepth 1`; do
     pushd $INSTANCE_DIR > /dev/null
     INSTANCE=`basename $INSTANCE_DIR`
     echo "Instance: $INSTANCE"
@@ -33,8 +39,8 @@ for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -depth 1`; do
     MQTT_PASSWORD_VARIABLE="$NAMESPACE""_""$INSTANCE""_MQTT_PASSWORD"
     MQTT_PASSWORD_VARIABLE=`echo $MQTT_PASSWORD_VARIABLE | tr - _`
     MQTT_PASSWORD="${!MQTT_PASSWORD_VARIABLE}"
-    echo "MQTT_PASSWORD_VARIABLE: $MQTT_PASSWORD_VARIABLE"
-    echo "MQTT_PASSWORD: $MQTT_PASSWORD"
+    # echo "MQTT_PASSWORD_VARIABLE: $MQTT_PASSWORD_VARIABLE"
+    # echo "MQTT_PASSWORD: $MQTT_PASSWORD"
     kubectl create secret generic $INSTANCE-mqtt-password \
       --from-literal=MQTT_PASSWORD="$MQTT_PASSWORD" \
       --dry-run=client \
@@ -44,13 +50,13 @@ for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -depth 1`; do
 
     # set database configuration as secret
     ## prepare configuration to access database to set udi database password
-    PGUSER=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-username}" | base64 --decode`
+    PGUSER=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-username}" | base64 -d`
     PGHOST=`kubectl get services traefik -n system -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
-    PGPASSWORD=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-password}" | base64 --decode`
+    PGPASSWORD=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-password}" | base64 -d`
     PGSSLMODE=require
 
     NEW_UDI_DB_LOGIN="udi""-""$NAMESPACE""-""$INSTANCE"
-    NEW_UDI_DB_PASSWORD=`openssl rand -base64 32`
+    NEW_UDI_DB_PASSWORD=`tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32`
     NEW_UDI_DB_DATABASE="udi""-""$NAMESPACE""-""$INSTANCE"
     NEW_UDI_DB_HOST=timescaledb.database.svc.cluster.local
 

deployment/encrypt-secrets.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+  echo "ENCRYPTION_KEY not set"
+  exit 1
+fi
+
+SECRETS_PLAINTEXT_FILE=secrets.txt
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+
+if [ `uname` = "Darwin" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5
+elif [ `uname` = "Linux" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
+fi
+
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_PLAINTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
+    $SECRETS_CIPHERTEXT_FILE
+

deployment/load-config.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-
-FILE=$1
-if [ "$FILE" = "" ]; then
-  echo "give config file to load as first argument"
-  exit 1
-fi
-MQTT_PASSWORD=$2
-if [ "$MQTT_PASSWORD" = "" ]; then
-  echo "give mqtt password as second argument"
-  exit 1
-fi
-NAMESPACE=$3
-if [ "$NAMESPACE" = "" ]; then
-  echo "give namespace as third argument"
-  exit 1
-fi
-
-kubectl create secret generic udi-conf \
-  --from-literal=UDI_CONF="`cat $FILE`" \
-  -n $NAMESPACE \
-  --dry-run=client \
-  -o yaml \
-  --save-config | \
-kubectl apply -f -
-
-kubectl create secret generic mqtt-password \
-  --from-literal=MQTT_PASSWORD="$MQTT_PASSWORD" \
-  -n $NAMESPACE \
-  --dry-run=client \
-  -o yaml \
-  --save-config | \
-kubectl apply -f -
-
-. ~/Workspace/MyKubernetesEnv/ENVDB
-DATABASE="udi-$NAMESPACE"
-LOGIN="udi-$NAMESPACE"
-PASSWORD=`openssl rand -base64 24` 
-psql <<EOF
-ALTER USER "$LOGIN" WITH PASSWORD '$PASSWORD';
-GRANT ALL PRIVILEGES ON DATABASE "$DATABASE" TO "$LOGIN";
-COMMIT;
-EOF
-
-kubectl create secret generic udi-db-cred \
-  --dry-run=client \
-  -o yaml \
-  --save-config \
-  --from-literal=PGUSER="$LOGIN" \
-  --from-literal=PGHOST="timescaledb.database.svc.cluster.local" \
-  --from-literal=PGPASSWORD="$PASSWORD" \
-  --from-literal=PGSSLMODE="require" \
-  --from-literal=PGDATABASE="$DATABASE" | \
-kubectl apply -f - -n $NAMESPACE
-

deployment/secrets.enc

@@ -0,0 +1,7 @@
+U2FsdGVkX18MnwKVJuGzBEYaQZ74xtcnsCE5MkWYg91pKG16suIW8scUjW14Bdxt
+Q4UfE5cMeGMOYP2Yj/HY7gXZeDMJlAh/2d09DhL17h44Gdi8q3TMLJTSEGxx83cT
+RyrbLIRwne8QDQipxzNRp2PdDrOwflxOCB1cdrhBg63OM7o37NIdYUIPtbsSl0td
+rdcDsPC6c214JKKl3FvZGKVgVWo3EUBj9QUwK0IqucI6UHy3D2PaJ8/H++M6gA3U
+u3qbPMCjqvjBFRnMxKrMVhfkHPxM3tLyF9+932Gj6DFlJZbZInDNAEf9mty7z5Zm
+u4WbzejtKqnnZznwAesrlV9DndEkr1QGJkXBmkfZ5gMrfZSaLlXadUklGoOjDZ+K
+Z2Z9wAgA8UjyMEYFO5ZrJ8t7FG6uMlZpILv8HshrGUY=