Merge branch 'ADP-216-uat-sops-step2' into 'master'

ADP-216: sops automation UAT

See merge request smardigo-hetzner/communication-keys!18
ADP-216-uat-sops-step1
Lee Watson 10 months ago
commit 8a035c2fd3

@ -81,23 +81,26 @@ The following commands explain how to update the `.sops.yaml` for a repository:
```shell ```shell
# List available groups # List available groups
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups % ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --list_groups
# INFO: listing groups # INFO: listing groups
admin admin
automation automation
devnso-adp-argocd devnso-adp-argocd
# For a given group, update sops config # For a given group, update sops config
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd % ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
# RUN: generate SOPS config # RUN: generate SOPS config
# WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files # WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files
# [OPTIONAL] For a given group, update sops config AND specified secrets file # [OPTIONAL] For a given group, update sops config AND specified secrets file
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml % ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
# commit the changes to any .sops.yaml or secrets files, e.g. with # commit the changes to any .sops.yaml or secrets files, e.g. with
## OPINIONATED GIT - use preferred method ## OPINIONATED GIT - use preferred method
% git add -p % git add -p
# 1. review changes to the .sops.yaml
# 2. press 'y' to accept the changes
y
% git commit -m "adds <firstname>.<lastname> to sops config" % git commit -m "adds <firstname>.<lastname> to sops config"
% git push % git push
``` ```
@ -154,7 +157,7 @@ find groups/ -name ${keyname}
# For each group, update sops config in that repo # For each group, update sops config in that repo
# Example: # Example:
% cd devnso-adp-argocd % cd devnso-adp-argocd
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd % ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
# now git commit, push, etc # now git commit, push, etc
``` ```

@ -10,7 +10,7 @@ function fn_gpg_extract_fpr(){
# uid ... <...@mehrwerk.net> # uid ... <...@mehrwerk.net>
# uid ... <...@netgo.de> # uid ... <...@netgo.de>
# fancy gpg src: https://unix.stackexchange.com/a/731872 # fancy gpg src: https://unix.stackexchange.com/a/731872
fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "${gpgkeyfile}" | grep '@netgo.de' | awk "{print \$1}")" fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "$(readlink -f "${gpgkeyfile}")" | grep '@netgo.de' | awk "{print \$1}")"
echo "${fpr}" echo "${fpr}"
} }
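Review bot: `readlink -f` on the new fpr line is GNU-specific, and when it fails (file missing, or a readlink without -f as on older macOS) the substitution expands to an empty string, so gpg is called with an empty path instead of the function aborting; the uid line in the fn_gpg_extract_uid hunk below has the same issue. Resolve the path once and check it, e.g. `keypath="$(readlink -f "${gpgkeyfile}")" || return 1` and `[[ -r "${keypath}" ]] || return 1`, then pass `"${keypath}"` to gpg. The `grep '@netgo.de'` filter that selects which fingerprint gets added to the sops config is an unanchored regex whose `.` matches any character, so a uid such as `x@netgo-de.example` also passes; `grep -E '@netgo\.de$'` here and `grep -E '@netgo\.de>'` on the with-colons uid would restrict it to the intended domain, assuming the mbox is the last field of the fpr-mbox line. Both functions begin outside the hunk.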
@ -22,7 +22,7 @@ function fn_gpg_extract_uid(){
# uid ... <...@mehrwerk.net> # uid ... <...@mehrwerk.net>
# uid ... <...@netgo.de> # uid ... <...@netgo.de>
# fancy gpg src: https://unix.stackexchange.com/a/731872 # fancy gpg src: https://unix.stackexchange.com/a/731872
uid="$(gpg --show-keys --with-colons "${gpgkeyfile}" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')" uid="$(gpg --show-keys --with-colons "$(readlink -f "${gpgkeyfile}")" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
echo "${uid}" echo "${uid}"
} }
@ -113,10 +113,8 @@ fn_sops_updatekeys_and_verify(){
# "update the keys of SOPS files using the config file" # "update the keys of SOPS files using the config file"
>&2 echo "# RUN: sops updatekeys ${sops_enc_file}" >&2 echo "# RUN: sops updatekeys ${sops_enc_file}"
sops updatekeys "${sops_enc_file}" # HAAAACK: loop through all passed-in files, ignore any errors, always say "yes" -> rely on git diff to verify!
sops updatekeys -y "${sops_enc_file}" || echo "SKIPPING"
# verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
GPG_TTY=$(tty) sops -d "${sops_enc_file}"
} }
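Review bot: The new verify step `GPG_TTY=$(tty) sops -d "${sops_enc_file}"` writes the decrypted secrets to stdout, so every run of this script (and of the UAT script in the `set -x` hunk below, which adds the same line) prints plaintext to the terminal and into any captured log; redirect the output and keep only the exit status, `GPG_TTY=$(tty) sops -d "${sops_enc_file}" >/dev/null || { >&2 echo "# ERROR: cannot decrypt ${sops_enc_file}"; return 1; }`. The preceding `sops updatekeys -y ... || echo "SKIPPING"` discards the failure status and reports on stdout; at least write it to stderr with the file name, `|| >&2 echo "# WARN: updatekeys failed for ${sops_enc_file}, SKIPPING"`, matching the `>&2 echo "# RUN: …"` line above. `$(tty)` prints "not a tty" and exits non-zero when stdin is not a terminal (e.g. in CI), which would leave GPG_TTY set to that literal string; whether that path is reachable depends on the caller, which is not visible here. fn_sops_updatekeys_and_verify begins outside the hunk.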
function main(){ function main(){

@ -14,6 +14,9 @@ set -x
# within current dir: update .sops.yaml, update keys in encrypted file # within current dir: update .sops.yaml, update keys in encrypted file
../bin/update_sops.sh -c "${PWD}" "${secrets_file}" ../bin/update_sops.sh -c "${PWD}" "${secrets_file}"
# verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
GPG_TTY=$(tty) sops -d "${secrets_file}"
# Special Case: Add caveat header # Special Case: Add caveat header
cat <<EOM > .sops.yaml.tmp cat <<EOM > .sops.yaml.tmp
# PURPOSE: BLUEPRINT for .sops.yaml config # PURPOSE: BLUEPRINT for .sops.yaml config
