Merge branch 'ADP-216-uat-sops-step2_003' into 'master'

ADP-216 uat sops step2 003

See merge request smardigo-hetzner/communication-keys!21
ADP-216-wrapup
Lee Watson 10 months ago
commit 9877df6455

@ -89,7 +89,7 @@ Note: For a worked-through example, see next section.
- CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --list_groups` - CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --list_groups`
- Reminder: Group Name usually corresponds to Repository Name - Reminder: Group Name usually corresponds to Repository Name
1. Update sops config AND all secrets files: 1. Update sops config AND all secrets files:
- CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g <group_name> $(find . -name secrets.yaml)` - CLI: `${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --group <group_name> --find_secrets
1. **Commit the changes, Create Change Request (PR/MR)** 1. **Commit the changes, Create Change Request (PR/MR)**
1. git: commit the changes to `.sops.yaml` and secrets files (`secrets.yaml`) files 1. git: commit the changes to `.sops.yaml` and secrets files (`secrets.yaml`) files
- CLI: `git add .sops.yaml $(find . -name secrets.yaml)` - CLI: `git add .sops.yaml $(find . -name secrets.yaml)`
@ -132,7 +132,7 @@ devnso-adp-argocd
# For a given group, update sops config AND all secrets files - New Users cannot add themselves! # For a given group, update sops config AND all secrets files - New Users cannot add themselves!
# Output: # Output:
% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml) % ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --group devnso-adp-argocd --find_secrets
# RUN: generate SOPS config # RUN: generate SOPS config
# RUN: gpg --import *.gpg.pub # RUN: gpg --import *.gpg.pub
# RUN: sops updatekeys ./loki/loki/secrets.yaml # RUN: sops updatekeys ./loki/loki/secrets.yaml
@ -218,7 +218,7 @@ find groups/ -name ${keyname}
# For each group, update sops config in that repo # For each group, update sops config in that repo
# Example: # Example:
% cd devnso-adp-argocd % cd devnso-adp-argocd
% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml) % ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --group devnso-adp-argocd --find_secrets
# now git commit, push, etc # now git commit, push, etc
``` ```

@ -124,18 +124,17 @@ function main(){
fi fi
# "anchor" for actions relevant to this script # "anchor" for actions relevant to this script
repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)" repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"
# OPTIONS: ARGPARSING and VALIDATION # OPTIONS: ARGPARSING and VALIDATION
# assume location of script as running directly from repo with keys (instead of as a standalone packaged tool) # assume location of script as running directly from repo with keys (instead of as a standalone packaged tool)
keyfiles_dir="${repo_root}" keyfiles_dir="${repo_root}"
# assume location of secrets config file in pwd # dir containing .sops.yaml
sops_config_dir="" sops_config_dir=""
# path to group definitions # path to group definitions
groups_def_dir="${repo_root}/groups" groups_def_dir="${repo_root}/groups"
# optional:
opt_list_groups=0 opt_list_groups=0
# optional: specify "groups"
groups_list=() groups_list=()
# optional: secrets files to be updated opt_find_secrets=0
secrets_file_list=() secrets_file_list=()
while (( $# >= 1 ));do while (( $# >= 1 ));do
@ -151,6 +150,8 @@ function main(){
-lg|--list_groups) opt_list_groups=1 ;; -lg|--list_groups) opt_list_groups=1 ;;
# ARGS: [optional] [list] specify "groups" which correspond to e.g. job groups, projects, etc # ARGS: [optional] [list] specify "groups" which correspond to e.g. job groups, projects, etc
-g|--group) groups_list+=( "${2}" ); shift ;; -g|--group) groups_list+=( "${2}" ); shift ;;
# ARGS: [optional] update all "secrets.yaml" files found below .sops.yaml location
-f|--find_secrets) opt_find_secrets=1;;
# ARGS: [optional] [list] specify files containing sops-encrypted secrets # ARGS: [optional] [list] specify files containing sops-encrypted secrets
-s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;; -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
# ARGS: [optional] [list] specify files containing sops-encrypted secrets # ARGS: [optional] [list] specify files containing sops-encrypted secrets
@ -184,12 +185,22 @@ function main(){
# locate appropriate sops config if default assumption not found # locate appropriate sops config if default assumption not found
# dev note: '2> /dev/null' to disable debug output # dev note: '2> /dev/null' to disable debug output
sops_config="$(fn_sops_locate_config_in_git_repo 2> /dev/null)" sops_config="$(fn_sops_locate_config_in_git_repo 2> /dev/null)"
sops_config_dir="$(dirname "${sops_config}")"
fi fi
# Paths to Secrets Files
if [[ "${#secrets_file_list[@]}" != "0" ]]; then if [[ "${#secrets_file_list[@]}" != "0" ]]; then
for secrets_file in "${secrets_file_list[@]}"; do for secrets_file in "${secrets_file_list[@]}"; do
test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1) test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1)
done done
fi fi
if [[ "${opt_find_secrets}" -eq 1 ]]; then
# DEV NOTE: this is far too complicated
# loop through find, src: https://stackoverflow.com/questions/9612090/how-to-loop-through-file-names-returned-by-find
while IFS= read -r -d $'\0'; do
secrets_file_list+=("${REPLY}")
done < <( find "${sops_config_dir}" -name secrets.yaml -print0 )
fi
# /VALIDATE INPUTS # /VALIDATE INPUTS
# /OPTIONS: ARGPARSING and VALIDATION # /OPTIONS: ARGPARSING and VALIDATION
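Review bot: The new `-f|--find_secrets` arm sits before the existing `-s|--secrets_file|-f|--file` arm in the same `case`, so `-f` now matches the flag-only arm first and the previously supported `-f <file>` form silently stops consuming its argument; the file name is then parsed as the next option on the following loop iteration. Drop the short alias from the new arm, `--find_secrets) opt_find_secrets=1 ;;`, or give it a distinct letter such as `-F`, so the two arms cannot shadow each other. Separately, `find "${sops_config_dir}" -name secrets.yaml -print0` only receives a non-empty directory when the locate branch at the top of this hunk runs; in the branch where the default config is found, `sops_config_dir` appears to still hold the empty string assigned at initialisation and `find ""` fails, unless it is set in code outside the hunk, which is worth confirming. An unrestricted `find` also picks up any `secrets.yaml` in the tree, including untracked or vendored copies, so excluding paths or building the list from `git ls-files -z -- '*secrets.yaml'` would keep `sops updatekeys` to files the repository actually owns. The enclosing main() starts and ends outside the hunk.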

@ -77,6 +77,41 @@ else
>&2 echo "# INFO: skipping ...." >&2 echo "# INFO: skipping ...."
fi fi
# ---
if [[ 1 -eq 1 ]]; then
>&2 echo -e "# ---\n# TEST: auto-find secrets files"
# SETUP
_tmp_mock_secrets_dir='mock_hierarchy'
_tmp_mock_secrets_filepath_1="${_tmp_mock_secrets_dir}/one/secrets.yaml"
mkdir -p "$(dirname "${_tmp_mock_secrets_filepath_1}")"
touch "${_tmp_mock_secrets_filepath_1}"
_tmp_mock_secrets_filepath_2='mock_hierarchy/Tw o/secrets.yaml'
mkdir -p "$(dirname "${_tmp_mock_secrets_filepath_2}")"
touch "${_tmp_mock_secrets_filepath_2}"
# RUN
# set -x
# suspend strict: check output for errors
set +e
# move 'set -x' within the sub-shell, otherwise all output dumped to tty
# ... bug: stderr still gets printed, not sure why. E.g. '# RUN: sops updatekeys mock_secrets.yaml'
_out="$(set -x; ../bin/update_sops.sh --find_secrets -s "${secrets_file}" 2>&1 )"
echo "$_out}"
# re-enable strict
set -e
set +x
grep "${_tmp_mock_secrets_filepath_1}" <<< "${_out}"
grep "${_tmp_mock_secrets_filepath_2}" <<< "${_out}"
grep "${secrets_file}" <<< "${_out}"
set -e
# TEARDOWN
set -x
rm -rf "${_tmp_mock_secrets_dir}"
# enmesh: restore, since this particular one is checked in
git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
else
>&2 echo "# INFO: skipping ...."
fi
# --- # ---
if [[ 1 -eq 1 ]]; then if [[ 1 -eq 1 ]]; then
>&2 echo -e "# ---\n# TEST: induce error: invalid file" >&2 echo -e "# ---\n# TEST: induce error: invalid file"
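Review bot: The teardown (`rm -rf "${_tmp_mock_secrets_dir}"` and the `git checkout` of `.sops.yaml`) is never reached on failure, because `set -e` is re-enabled before the three `grep` assertions, so a miss aborts the script and leaves `mock_hierarchy/` with empty `secrets.yaml` files plus a modified, checked-in `.sops.yaml` in the working tree — exactly the files the README's `git add .sops.yaml $(find . -name secrets.yaml)` step would then stage. Register the cleanup once instead, e.g. `trap 'rm -rf -- "${_tmp_mock_secrets_dir}"; git checkout -- .sops.yaml >/dev/null 2>&1' EXIT`, and drop the `set -x` before the teardown so the tests that follow are not traced. The `set +e` comment says "check output for errors", but only the three paths are grepped and the exit status of `update_sops.sh` is discarded by the command substitution, so a failing `sops updatekeys` on the empty mock files would still pass; capturing `rc=$?` right after the substitution and asserting `[[ "${rc}" -eq 0 ]]`, or adding `! grep -q '^E:' <<< "${_out}"`, would close that gap. `echo "$_out}"` prints a stray `}` and should be `echo "${_out}"`. `secrets_file`, used both as the `-s` argument and in the last `grep`, is not set anywhere in this hunk, presumably earlier in the file.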
