secrets.seal.sh
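#! /usr/bin/env bash
# secrets.seal.sh — fetch a component's secret from Secrets Manager, render it
# into a Kubernetes Secret manifest with jsonnet, then seal it with kubeseal.
#
# Usage:       secrets.seal.sh <component>
# Environment: FORCE_CREATE=1 re-seals even when the secret name is unchanged.
# Relies on functions.sh for: test_*, read_config, log, debug and the
# $JSONNET / $KUBESEAL / $JQ, $deploy_dir, $my_temp_dir, $repo_dir variables.
set -Eeuo pipefail
scripts_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
# shellcheck source=functions.sh
source "${scripts_dir}/functions.sh"
test_jq
test_yq
test_kubeseal
test_jsonnet
# Fail with a usage message instead of set -u's "unbound variable" when $1 is missing.
component="${1:?usage: secrets.seal.sh <component>}"
debug "component: ${component}"
environment_name=$(read_config environmentName)
sealed_secret_scope=$(read_config kubernetes.sealedSecretScope)
sealed_secrets_controller_name=$(read_config kubernetes.sealedSecretsControllerName)
sealed_secrets_controller_namespace=$(read_config kubernetes.sealedSecretsControllerNamespace)
kubernetes_namespace=$(read_config "${component}.namespace")
kube_api_server=$(read_config kubernetes.apiServer)
secret_jsonnet_file="${deploy_dir}/lib/kubernetes/secret.jsonnet"
# Both temp files below hold the PLAINTEXT secret. Create them under a 077
# umask (scoped to a subshell) so they are never group/world readable, whatever
# permissions my_temp_dir itself was created with.
secrets_manager_secret_tmp_file="${my_temp_dir}/secretsmanager_secret.json"
(
  umask 077
  "${scripts_dir}/secretsmanager.get.sh" "${component}" > "${secrets_manager_secret_tmp_file}"
)
secret_tmp_file="${my_temp_dir}/secret.json"
# --tla-code-file reads the secret from the file instead of putting it on the
# jsonnet command line, where it would be visible to every local user through
# ps / /proc/*/cmdline (and to anything that logs argv).
(
  umask 077
  $JSONNET --output-file "${secret_tmp_file}" \
    --tla-str SEALED_SECRET_SCOPE="${sealed_secret_scope}" \
    --tla-str NAME_PREFIX="${component}" \
    --tla-code-file STRING_DATA="${secrets_manager_secret_tmp_file}" \
    "${secret_jsonnet_file}"
)
# The jsonnet command ends above. A stray trailing backslash after the jsonnet
# filename previously spliced this assignment into jsonnet's argument list and
# left deploy_env_dir unset under set -u.
deploy_env_dir="${deploy_dir}/environments/${environment_name}"
# NOTE(review): deploy_env_dir already ends in environments/<env>, so this path
# repeats that segment — confirm this is the intended repo layout.
sealed_secret_file="${deploy_env_dir}/environments/${environment_name}/${component}-sealed-secret.jsonnet"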
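#######################################
# Seal the rendered Secret manifest with kubeseal and write the result,
# prefixed with the repo's do-not-edit header, to ${sealed_secret_file}.
# Globals (read): KUBESEAL, sealed_secret_scope, kubernetes_namespace,
#   sealed_secrets_controller_name, sealed_secrets_controller_namespace,
#   kube_api_server, secret_tmp_file, repo_dir, sealed_secret_file, green, reset
# Outputs: writes the sealed secret file; progress messages via log.
# Exits: 0 on success (this terminates the whole script); non-zero via set -e
#   if kubeseal or the file write fails.
#######################################
create_sealed_secret() {
  local sealed_secret_contents
  log "π Sealing secret..."
  log "π Kube ApiServer: ${kube_api_server}"
  log "π Scope: ${sealed_secret_scope}"
  log "π Namespace: ${kubernetes_namespace}"
  # The plaintext Secret is fed on stdin, never on argv. kubeseal obtains the
  # controller's public key through --server, so the sealing is only as
  # trustworthy as the kubeconfig / TLS context used to reach that API server.
  sealed_secret_contents=$(
    $KUBESEAL \
      --scope "${sealed_secret_scope}" \
      --namespace "${kubernetes_namespace}" \
      --controller-name "${sealed_secrets_controller_name}" \
      --controller-namespace "${sealed_secrets_controller_namespace}" \
      --server "${kube_api_server}" \
      -o json \
      < "${secret_tmp_file}"
  )
  # printf rather than echo: the sealed JSON is arbitrary data and must not be
  # subject to echo's option / escape handling.
  printf '%s\n' "${sealed_secret_contents}" \
    | cat "${repo_dir}/do-not-edit-header.txt" - > "${sealed_secret_file}"
  log "βοΈ Created ${sealed_secret_file}"
  # "SAFE" refers to encryptedData only. Per the md5-naming note further down
  # in this script, the Secret *name* embeds a hash of the plaintext and is
  # committed in the clear.
  log "π This file is SAFE to check into git!"
  log "${green}β${reset} Seal Secret Created Successfully!"
  exit 0
}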
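# https://github.com/bitnami-labs/sealed-secrets/issues/376
# kubeseal uses fresh randomness on every run, so re-sealing an unchanged value
# still yields different encryptedData and a noisy git diff. To avoid that, the
# Secret's name embeds a hash of the data (md5, according to the author's note;
# secret.jsonnet is not part of this file) and we only re-seal when the name
# changes.
#
# SECURITY CAVEAT: that hash is committed in the clear next to the ciphertext.
# An unkeyed, unsalted md5 of the plaintext lets anyone who can read the repo
# brute-force low-entropy secrets (passwords, short tokens) offline against the
# name, independent of the sealing key. Keeping the repo private limits who
# gets that oracle; it does not remove it. If that matters, derive the name
# from an HMAC with a key that is not stored in the repo, or from something
# other than the secret value itself.
debug "getting current secret name..."
# Deliberately NOT dumping ${secret_tmp_file} here: it is the plaintext Secret
# and must not land in debug output or CI logs.
current_secret_name=$($JQ -r '.metadata.name' "${secret_tmp_file}")
debug "current secret name: ${current_secret_name}"
if [[ -r "${sealed_secret_file}" ]]; then
  debug "getting existing secret name..."
  # Use the $JSONNET / $JQ that test_jsonnet / test_jq presumably validated,
  # rather than whatever `jsonnet` / `jq` is first on PATH.
  existing_secret_name=$($JSONNET "${sealed_secret_file}" | $JQ -r '.spec.template.metadata.name')
  debug "found existing secret name: ${existing_secret_name}"
  # Stop early only when the name (and thus the data hash) is unchanged and the
  # caller has not requested FORCE_CREATE=1.
  if [[ "${FORCE_CREATE:-0}" == "0" && "${existing_secret_name}" == "${current_secret_name}" ]]; then
    log "π Secret matches, stopping early..."
    log "${green}β${reset} Sealed Secret Verified!"
    exit 0
  fi
fi
create_sealed_secret
# Not reached in practice: create_sealed_secret and the early-stop branch both
# exit 0. Kept for parity with the original flow.
# two spaces here is not a mistake. Not all emojis have
# the correct spacing to make it show up correct
log "${green}β${reset} Done Editing Secrets!"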