# The Concourse commands here assume that you target your Concourse
# instance with the `fr` name. Modify anything matching `-t fr` as
# necessary.
# Search through cf-cli commands using an alias | |
# @usage: wtcf bind | |
searchCf() { | |
cf help -a | grep $@ | |
} | |
alias wtcf=searchCf | |
# Create a new enviromnet to allow multiple logins into CF from the same machine. | |
# @usage cfagain | |
newCf() { | |
echo "Logging you out of Cloud Foundry in this shell" | |
export CF_HOME=$(mktemp -d) | |
cf target | |
} | |
alias cfagain=newCf | |
# Alias your temporary secrets directory so you keep sensitive info in a | |
# single place on your machine and not in Git repositories. | |
export shh=~/Developer/cloud.gov/secrets | |
# Interact with the UAA cli using the admin `client_secret` found in the | |
# environment's Bosh manifest. | |
# @usage uaa-get [0, 1, 4] | |
# @arguments 0 = staging | |
# @arguments 1 = production | |
# @arguments 4 = tooling | |
authUaaEnvironment() { | |
local target_index=$1 | |
if [ $target_index -eq 0 ] | |
then | |
secret=$( | |
aws --profile fr s3 cp s3://cloud-gov-varz-stage/cf-staging.main.yml - | \ | |
openssl enc -aes-256-cbc -d -a -pass "pass:$(fly -t fr gp -p deploy-cf-new | spruce json | jq -r '.resources | map(select(.name == "common-staging")) | .[].source.secrets_passphrase')" | \ | |
sed '/\( merge \)/d' | \ | |
spruce json | \ | |
jq -r .properties.uaa.admin.client_secret | |
) | |
elif [ $target_index -eq 1 ] | |
then | |
secret=$( | |
aws --profile fr s3 cp s3://cloud-gov-varz/cf.main.yml - | \ | |
openssl enc -aes-256-cbc -d -a -pass "pass:$(fly -t fr gp -p deploy-cf-new | spruce json | jq -r '.resources | map(select(.name == "common-production")) | .[].source.secrets_passphrase')" | \ | |
sed '/\( merge \)/d' | \ | |
spruce json | \ | |
jq -r .properties.uaa.admin.client_secret | |
) | |
elif [ $target_index -eq 4 ] | |
then | |
secret=$( | |
aws --profile fr s3 cp s3://cloud-gov-varz/tooling-bosh-main.yml - | \ | |
openssl enc -aes-256-cbc -d -a -pass "pass:$(fly -t fr gp -p deploy-bosh | spruce json | jq -r '.resources | map(select(.name == "common-tooling")) | .[].source.secrets_passphrase')" | \ | |
sed '/\( merge \)/d' | \ | |
spruce json | \ | |
jq -r '.instance_groups[] | select( .name == "bosh" ) | .jobs[] | select( .name == "uaa" ) | .properties.uaa.admin.client_secret' ) | |
fi | |
if [[ $target_index == 0 || $target_index == 1 || $target_index == 4 ]] | |
then | |
uaac target "${target_index}" | |
uaac token client get admin -s ${secret} | |
else | |
echo "You can't target a UAA I don't know about. Please run \`uaac targets\` and modify this shell function to leverage the indexes found from the output." | |
fi | |
} | |
alias uaac-get=authUaaEnvironment | |
# Use Concourse to download secrets from S3 without ever seeing the passphrase | |
# @usage cg-get ${s3/path/to/filename.yml} ${concourse-pipeline-name} ${environment} | |
# @usage cg-put ${s3/path/to/filename.yml} ${concourse-pipeline-name} ${environment} | |
downloadSecrets() { | |
if [[ $AWS_DEFAULT_PROFILE == '' ]] | |
then | |
echo 'You have to set your $AWS_DEFAULT_PROFILE.' | |
return | |
fi | |
s3_path=$1 | |
file_name=$(echo $s3_path | cut -d '/' -f 2) | |
pipeline=$2 | |
common_env=$3 | |
echo "Getting passphrase from ${pipeline} for common-${common_env}" | |
passphrase=$( | |
fly -t fr get-pipeline --pipeline ${pipeline} --json | \ | |
jq -er '.resources[] | select(.name == "common-'${common_env}'") | .source.secrets_passphrase' | |
) | |
if [[ -n ${passphrase} ]] | |
then | |
echo "Downloading ${s3_path} and saving to ${file_name}" | |
aws s3 cp "s3://${s3_path}" - | \ | |
openssl enc -aes-256-cbc -d -a -pass "pass:${passphrase}" > ${file_name} | |
else | |
echo "There was an error getting the passphrase from the pipeline ${pipeline} for resource common-${common_env}." | |
return | |
fi | |
} | |
uploadSecrets() { | |
if [[ $AWS_DEFAULT_PROFILE == '' ]] | |
then | |
echo 'You have to set your $AWS_DEFAULT_PROFILE.' | |
return | |
fi | |
s3_path=$1 | |
file_name=$(echo $s3_path | cut -d '/' -f 2) | |
pipeline=$2 | |
common_env=$3 | |
echo "Getting passphrase from ${pipeline} for common-${common_env}" | |
passphrase=$( | |
fly -t fr get-pipeline --pipeline ${pipeline} --json | \ | |
jq -er '.resources[] | select(.name == "common-'${common_env}'") | .source.secrets_passphrase' | |
) | |
if [ $? -gt 0 ] | |
then | |
echo "There was an error getting the passphrase from the pipeline ${pipeline} for resource common-${common_env}." | |
return | |
fi | |
if [[ -s ./${file_name} ]] | |
then | |
echo "Uploading ${file_name} and saving to ${s3_path}" | |
cat ${file_name} | \ | |
openssl enc -aes-256-cbc -e -a -pass "pass:${passphrase}" | \ | |
aws s3 cp - "s3://${s3_path}" --sse AES256 | |
else | |
echo "${file_name} doesn't exist here or is empty." | |
return | |
fi | |
} | |
alias cg-get=downloadSecrets | |
alias cg-put=uploadSecrets |
#!/bin/bash | |
set -e | |
if [[ -z $AWS_DEFAULT_PROFILE ]] | |
then | |
echo "Environmental variable \$AWS_DEFAULT_PROFILE isn't set, so bailing" | |
exit 99 | |
else | |
echo "Using ${AWS_DEFAULT_PROFILE} as the AWS region." | |
fi | |
aws s3 \ | |
cp \ | |
"s3://concourse-credentials/${PWD##*/}.yml" \ | |
"${1}" |
#!/bin/bash | |
set -e | |
CI_URL="${CI_URL:-"https://ci.fr.cloud.gov"}" | |
FLY_TARGET=$(fly targets | grep "${CI_URL}" | head -n 1 | awk '{print $1}') | |
if ! fly --target "${FLY_TARGET}" workers > /dev/null; then | |
echo "Not logged in to concourse" | |
exit 1 | |
fi | |
pipelines=$( | |
fly -t "${FLY_TARGET}" pipelines | \ | |
grep -vE 'yes.+no' | \ | |
grep -Eo '^[a-z0-9\-]+' | |
) | |
for p in $pipelines | |
do | |
f=$(mktemp) | |
fly -t "${FLY_TARGET}" gp -p "${p}" > "${f}"; | |
vim "$f" -c 'setlocal ft=concourse' | |
fly -t "${FLY_TARGET}" sp -p "${p}" -c "${f}"; | |
done |
#!/bin/bash | |
if [[ -z $ci_env ]] | |
then | |
echo "Environmental variable \$ci_env isn't set, so defaulting to \`fr\`" | |
ci_env=fr | |
fi | |
pipelines=$(fly -t $ci_env pipelines | grep -Eo '^[a-z0-9\-]+') | |
pattern=$1 | |
name=$2 | |
for pipeline in $pipelines | |
do | |
match=$(fly -t $ci_env gp -p "$pipeline" | grep -E "${pattern}") | |
if [ "$?" -eq 0 ] | |
then | |
echo | |
echo "match in ${pipeline} for ${name}" | |
echo "${match}" | |
echo "match in ${pipeline} for ${name}" | |
else | |
echo "no match for ${name} in ${pipeline}" | |
fi | |
done |
#!/bin/bash | |
set -e | |
aws --profile fr \ | |
s3 \ | |
cp \ | |
"${1}" \ | |
"s3://concourse-credentials/${PWD##*/}.yml" \ | |
--sse AES256 |