fix ci, 3

fix ci, 2
fix ci
2023-12-19 11:56:45 +01:00 · 2023-12-19 11:53:08 +01:00 · 2023-12-19 11:50:22 +01:00 · 2023-12-19 11:47:37 +01:00 · 2023-12-19 11:43:29 +01:00 · 2023-12-18 22:05:31 +01:00
6 changed files with 91 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,5 @@ src/udi/migrate_schema
 tmp/
 ENVDB
 ENVDB.cluster
 deployment/secrets.txt
 deployment/secrets
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -2,8 +2,7 @@ steps:
  build:
    image: plugins/kaniko
    settings:
-      repo:
+      repo: gitea.hottis.de/wn/udi
        from_secret: image_name
      registry: 
        from_secret: container_registry
      tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
@ -20,6 +19,10 @@ steps:
    secrets:
      - source: kube_config
        target: KUBE_CONFIG_CONTENT
      - source: encryption_key
        target: ENCRYPTION_KEY
      - source: secrets_checksum
        target: MD5_CHECKSUM
    commands:
      - export IMAGE_TAG=$CI_COMMIT_TAG
      - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
--- a/deployment/decrypt-secrets.sh
+++ b/deployment/decrypt-secrets.sh
@ -0,0 +1,42 @@
 #!/bin/bash
 if [ "$ENCRYPTION_KEY" = "" ]; then
  echo "ENCRYPTION_KEY not set"
  exit 1
 fi
 if [ "$MD5_CHECKSUM" = "" ]; then
  echo "No checksum given"
  exit 1
 fi
 SECRETS_CIPHERTEXT_FILE=secrets.enc
 SECRETS_PLAINTEXT_FILE=secrets
 TMP_FILE=`mktemp`
 POD_NAME_SUFFIX=`date +%s`
 cat $SECRETS_CIPHERTEXT_FILE | \
  kubectl run openssl-$POD_NAME_SUFFIX \
    --rm \
    --image bitnami/debian-base-buildpack:latest \
    --env KEY=$ENCRYPTION_KEY \
    -i \
    -q \
    -- \
    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
    $TMP_FILE
 if [ `uname` = "Darwin" ]; then
  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
 elif [ `uname` = "Linux" ]; then
  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
 fi
 if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
  echo "Invalid checksum"
  exit 1
 fi
 mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@ -5,6 +5,7 @@ if [ "$IMAGE_TAG" == "" ]; then
  exit 1
 fi
 IMAGE_NAME=gitea.hottis.de/wn/udi
 CONFIG_FILE=config.json
@ -13,6 +14,11 @@ CONFIG_FILE=config.json
 DEPLOYMENT_DIR=$PWD/deployment
 INSTANCES_DIR=$DEPLOYMENT_DIR/instances
 pushd $DEPLOYMENT_DIR > /dev/null
 ./decrypt-secrets.sh || exit 1 
 . secrets
 rm secrets
 popd > /dev/null
 for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -mindepth 1 -maxdepth 1`; do
  NAMESPACE=`basename $NAMESPACE_DIR`
@ -44,13 +50,13 @@ for NAMESPACE_DIR in `find $INSTANCES_DIR -type d -mindepth 1 -maxdepth 1`; do
    # set database configuration as secret
    ## prepare configuration to access database to set udi database password
-    PGUSER=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-username}" | base64 --decode`
+    PGUSER=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-username}" | base64 -d`
    PGHOST=`kubectl get services traefik -n system -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
-    PGPASSWORD=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-password}" | base64 --decode`
+    PGPASSWORD=`kubectl get secret -n database timescaledb -o jsonpath="{.data.superuser-password}" | base64 -d`
    PGSSLMODE=require
    NEW_UDI_DB_LOGIN="udi""-""$NAMESPACE""-""$INSTANCE"
-    NEW_UDI_DB_PASSWORD=`openssl rand -base64 32`
+    NEW_UDI_DB_PASSWORD=`tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32`
    NEW_UDI_DB_DATABASE="udi""-""$NAMESPACE""-""$INSTANCE"
    NEW_UDI_DB_HOST=timescaledb.database.svc.cluster.local
--- a/deployment/encrypt-secrets.sh
+++ b/deployment/encrypt-secrets.sh
@ -0,0 +1,29 @@
 #!/bin/bash
 if [ "$ENCRYPTION_KEY" = "" ]; then
  echo "ENCRYPTION_KEY not set"
  exit 1
 fi
 SECRETS_PLAINTEXT_FILE=secrets.txt
 SECRETS_CIPHERTEXT_FILE=secrets.enc
 if [ `uname` = "Darwin" ]; then
  cat $SECRETS_PLAINTEXT_FILE | md5
 elif [ `uname` = "Linux" ]; then
  cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
 fi
 POD_NAME_SUFFIX=`date +%s`
 cat $SECRETS_PLAINTEXT_FILE | \
  kubectl run openssl-$POD_NAME_SUFFIX \
    --rm \
    --image bitnami/debian-base-buildpack:latest \
    --env KEY=$ENCRYPTION_KEY \
    -i \
    -q \
    -- \
    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
    $SECRETS_CIPHERTEXT_FILE
--- a/deployment/secrets.enc
+++ b/deployment/secrets.enc
@ -0,0 +1,4 @@
 U2FsdGVkX1+235sIaS3YkXthSjtLu/5ky8o0KGw4E0Bh2avnKV6Qg9XiKe5JnJOk
 IQcWgB9rwqg1oNFD1diaotk5AEGvejJawiUcsvHywx7U0XqGt7vhNdf3tp/Mjc0z
 BzbHykKfwnFzX3PACw78HJb+zk10DyDgEQ09o7wE6CZVCx5MXdbcZzrJ1a7a3edQ
 +FKkrwK5L/byPJk7lOmdOxC+Kq+uVGWRToUniABbYYaBDvtpXytan8BVZcKSjQQ/
Author	SHA1	Message	Date
Wolfgang Hottgenroth	f6728eb898	fix ci, 3 Some checks failed ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/tag/woodpecker Pipeline failed Details	2023-12-19 11:56:45 +01:00
Wolfgang Hottgenroth	e18aeed273	fix ci, 2 Some checks failed ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/tag/woodpecker Pipeline failed Details	2023-12-19 11:53:08 +01:00
Wolfgang Hottgenroth	4eab542960	fix ci Some checks failed ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/tag/woodpecker Pipeline failed Details	2023-12-19 11:50:22 +01:00
Wolfgang Hottgenroth	c77394bf4d	secrets handling, part 2	2023-12-19 11:47:37 +01:00
Wolfgang Hottgenroth	7eb7ec4798	secrets handling	2023-12-19 11:43:29 +01:00
Wolfgang Hottgenroth	bcc74dda29	ci fixed All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details ci/woodpecker/tag/woodpecker Pipeline was successful Details	2023-12-18 22:05:31 +01:00