2mind · September 16, 2021 11:06
diff --git a/secrets.seal.sh b/secrets.seal.sh
 #! /usr/bin/env bash

 set -Eeuo pipefail

 scripts_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
 source "${scripts_dir}/functions.sh"

 test_jq
 test_yq
 test_kubeseal
 test_jsonnet

 component="${1}"
 debug "component: ${component}"

 environment_name=$(read_config environmentName)
 sealed_secret_scope=$(read_config kubernetes.sealedSecretScope)
 sealed_secrets_controller_name=$(read_config kubernetes.sealedSecretsControllerName)
 sealed_secrets_controller_namespace=$(read_config kubernetes.sealedSecretsControllerNamespace)
 kubernetes_namespace=$(read_config "${component}.namespace")
 kube_api_server=$(read_config kubernetes.apiServer)

 secret_jsonnet_file="${deploy_dir}/lib/kubernetes/secret.jsonnet"

 secrets_manager_secret_tmp_file="${my_temp_dir}/secretsmanager_secret.json"
 "${scripts_dir}/secretsmanager.get.sh" "${component}" > "${secrets_manager_secret_tmp_file}"
 secret_tmp_file="${my_temp_dir}/secret.json"

 $JSONNET --output-file "${secret_tmp_file}" \
    \
    --tla-str SEALED_SECRET_SCOPE="${sealed_secret_scope}" \
    --tla-str NAME_PREFIX="${component}" \
    --tla-code STRING_DATA="$(cat "${secrets_manager_secret_tmp_file}")" \
    \
    "${secret_jsonnet_file}" \

 deploy_env_dir="${deploy_dir}/environments/${environment_name}"
 sealed_secret_file="${deploy_env_dir}/environments/${environment_name}/${component}-sealed-secret.jsonnet"

 create_sealed_secret() {
    log "🔒 Sealing secret..."
    log "🔒 Kube ApiServer: ${kube_api_server}"
    log "🔒 Scope: ${sealed_secret_scope}"
    log "🔒 Namespace: ${kubernetes_namespace}"
    sealed_secret_contents=$(
        $KUBESEAL \
            --scope "${sealed_secret_scope}" \
            --namespace "${kubernetes_namespace}" \
            --controller-name "${sealed_secrets_controller_name}" \
            --controller-namespace "${sealed_secrets_controller_namespace}" \
            --server "${kube_api_server}" \
            -o json \
            < "${secret_tmp_file}"
    )
    echo "${sealed_secret_contents}" | cat "${repo_dir}/do-not-edit-header.txt" - > "${sealed_secret_file}"
    log "✍️  Created ${sealed_secret_file}"
    log "😀 This file is SAFE to check into git!"
    log "${green}✔${reset}  Seal Secret Created Successfully!"
    exit 0
 }

 # https://github.com/bitnami-labs/sealed-secrets/issues/376
 # sealed secrets are encrypted with a random salt each time
 # so when reencrypting, the encryptedData will change even if the original value does not
 # since that was a bit surprising during my normal workflow, I've implemented
 # a check to compare the secret sha before regenerating the sealed secret
 #
 # there is a security concern here, that an attacker would know the value of the secret sha
 # regardless of the encrypted string. This could make it easier to guess or attack
 #
 # this risk is mitigated though because these encrypted secrets are only ever stored in
 # private github repos

 # secret name includes md5 of the data
 # so if the secret is updated, the name will be updated
 debug "getting current secret name..."
 debug "$(cat "${secret_tmp_file}")"
 current_secret_name=$($JQ -r '.metadata.name' "${secret_tmp_file}")

 debug "getting existing secret name..."
 if [ -r "${sealed_secret_file}" ]; then
    existing_secret_name=$(jsonnet "${sealed_secret_file}" | jq -r '.spec.template.metadata.name')
    debug "found existing secret name: ${existing_secret_name}"
    if [ "${FORCE_CREATE:-0}" = "0" ] && [ "${existing_secret_name}" = "${current_secret_name}" ]; then
        log "📐 Secret matches, stopping early..."
        log "${green}✔${reset}  Sealed Secret Verified!"
        exit 0
    else
        create_sealed_secret
    fi
 else
    create_sealed_secret
 fi

 # two spaces here is not a mistake. Not all emojis have
 # the correct spacing to make it show up correct
 log "${green}✔${reset}  Done Editing Secrets!"
	#! /usr/bin/env bash

	set -Eeuo pipefail

	scripts_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
	source "${scripts_dir}/functions.sh"

	test_jq
	test_yq
	test_kubeseal
	test_jsonnet

	component="${1}"
	debug "component: ${component}"

	environment_name=$(read_config environmentName)
	sealed_secret_scope=$(read_config kubernetes.sealedSecretScope)
	sealed_secrets_controller_name=$(read_config kubernetes.sealedSecretsControllerName)
	sealed_secrets_controller_namespace=$(read_config kubernetes.sealedSecretsControllerNamespace)
	kubernetes_namespace=$(read_config "${component}.namespace")
	kube_api_server=$(read_config kubernetes.apiServer)

	secret_jsonnet_file="${deploy_dir}/lib/kubernetes/secret.jsonnet"

	secrets_manager_secret_tmp_file="${my_temp_dir}/secretsmanager_secret.json"
	"${scripts_dir}/secretsmanager.get.sh" "${component}" > "${secrets_manager_secret_tmp_file}"
	secret_tmp_file="${my_temp_dir}/secret.json"

	$JSONNET --output-file "${secret_tmp_file}" \
	\
	--tla-str SEALED_SECRET_SCOPE="${sealed_secret_scope}" \
	--tla-str NAME_PREFIX="${component}" \
	--tla-code STRING_DATA="$(cat "${secrets_manager_secret_tmp_file}")" \
	\
	"${secret_jsonnet_file}" \

	deploy_env_dir="${deploy_dir}/environments/${environment_name}"
	sealed_secret_file="${deploy_env_dir}/environments/${environment_name}/${component}-sealed-secret.jsonnet"

	create_sealed_secret() {
	log "🔒 Sealing secret..."
	log "🔒 Kube ApiServer: ${kube_api_server}"
	log "🔒 Scope: ${sealed_secret_scope}"
	log "🔒 Namespace: ${kubernetes_namespace}"
	sealed_secret_contents=$(
	$KUBESEAL \
	--scope "${sealed_secret_scope}" \
	--namespace "${kubernetes_namespace}" \
	--controller-name "${sealed_secrets_controller_name}" \
	--controller-namespace "${sealed_secrets_controller_namespace}" \
	--server "${kube_api_server}" \
	-o json \
	< "${secret_tmp_file}"
	)
	echo "${sealed_secret_contents}" \| cat "${repo_dir}/do-not-edit-header.txt" - > "${sealed_secret_file}"
	log "✍️ Created ${sealed_secret_file}"
	log "😀 This file is SAFE to check into git!"
	log "${green}✔${reset} Seal Secret Created Successfully!"
	exit 0
	}

	# https://github.com/bitnami-labs/sealed-secrets/issues/376
	# sealed secrets are encrypted with a random salt each time
	# so when reencrypting, the encryptedData will change even if the original value does not
	# since that was a bit surprising during my normal workflow, I've implemented
	# a check to compare the secret sha before regenerating the sealed secret
	#
	# there is a security concern here, that an attacker would know the value of the secret sha
	# regardless of the encrypted string. This could make it easier to guess or attack
	#
	# this risk is mitigated though because these encrypted secrets are only ever stored in
	# private github repos

	# secret name includes md5 of the data
	# so if the secret is updated, the name will be updated
	debug "getting current secret name..."
	debug "$(cat "${secret_tmp_file}")"
	current_secret_name=$($JQ -r '.metadata.name' "${secret_tmp_file}")

	debug "getting existing secret name..."
	if [ -r "${sealed_secret_file}" ]; then
	existing_secret_name=$(jsonnet "${sealed_secret_file}" \| jq -r '.spec.template.metadata.name')
	debug "found existing secret name: ${existing_secret_name}"
	if [ "${FORCE_CREATE:-0}" = "0" ] && [ "${existing_secret_name}" = "${current_secret_name}" ]; then
	log "📐 Secret matches, stopping early..."
	log "${green}✔${reset} Sealed Secret Verified!"
	exit 0
	else
	create_sealed_secret
	fi
	else
	create_sealed_secret
	fi

	# two spaces here is not a mistake. Not all emojis have
	# the correct spacing to make it show up correct
	log "${green}✔${reset} Done Editing Secrets!"
No results found