Commit 4e4d379b authored by DJ Mountney's avatar DJ Mountney

Change the way we do the rails-secret handling

Have the secrets generator always do an apply for rails secrets
But have it first populate the variables using any existing secret data
it finds

This allows us to generate secrets for new keys added in new gitlab
versions, while still respecting/retaining any existing key values.
parent 2b76a88f
Pipeline #60786974 passed with stages
in 89 minutes and 23 seconds
......@@ -9,15 +9,16 @@ function gen_random(){
head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2
}
# Args: secretname, args
function generate_secret_if_needed(){
secret_args=( "${@:2}")
secret_name=$1
if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then
kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}
else
echo "secret \"$secret_name\" already exists"
fi;
# Args: yaml file, search path
function fetch_rails_value(){
local value=$(yq read $1 "${2}")
# Don't return null values
if [ "${value}" != "null" ]; then echo "${value}"; fi
}
# Args: secretname
function label_secret(){
local secret_name=$1
{{- if not .Values.global.application.create }}
# Remove application labels if they exist
kubectl --namespace=$namespace label \
......@@ -28,6 +29,18 @@ function generate_secret_if_needed(){
secret $secret_name {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\n" " " }}
}
# Args: secretname, args
function generate_secret_if_needed(){
local secret_args=( "${@:2}")
local secret_name=$1
if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then
kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}
else
echo "secret \"$secret_name\" already exists"
fi;
label_secret $secret_name
}
# Initial root password
generate_secret_if_needed {{ template "gitlab.migrations.initialRootPassword.secret" . }} --from-literal={{ template "gitlab.migrations.initialRootPassword.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
......@@ -62,23 +75,45 @@ generate_secret_if_needed {{ template "gitlab.registry.certificate.secret" . }}
# config/secrets.yaml
if [ -n "$env" ]; then
secret_key_base=$(gen_random 'a-f0-9' 128) # equavilent to secureRandom.hex(64)
otp_key_base=$(gen_random 'a-f0-9' 128) # equavilent to secureRandom.hex(64)
db_key_base=$(gen_random 'a-f0-9' 128) # equavilent to secureRandom.hex(64)
openid_connect_signing_key=$(openssl genrsa 2048);
lets_encrypt_private_key=$(openssl genrsa 2048);
cat << EOF > secrets.yml
$env:
secret_key_base: $secret_key_base
otp_key_base: $otp_key_base
db_key_base: $db_key_base
openid_connect_signing_key: |
$(openssl genrsa 2048 | awk '{print " " $0}')
lets_encrypt_private_key: |
$(openssl genrsa 2048 | awk '{print " " $0}')
rails_secret={{ template "gitlab.rails-secrets.secret" . }}
# Fetch the values from the existing secret if it exists
if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then
kubectl --namespace=$namespace get secret $rails_secret -o jsonpath="{.data.secrets\.yml}" | base64 --decode > secrets.yml
secret_key_base=$(fetch_rails_value secrets.yml "${env}.secret_key_base")
otp_key_base=$(fetch_rails_value secrets.yml "${env}.otp_key_base")
db_key_base=$(fetch_rails_value secrets.yml "${env}.db_key_base")
openid_connect_signing_key=$(fetch_rails_value secrets.yml "${env}.openid_connect_signing_key")
lets_encrypt_private_key=$(fetch_rails_value secrets.yml "${env}.lets_encrypt_private_key")
fi;
# Generate defaults for any unset secrets
secret_key_base="${secret_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
otp_key_base="${otp_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
db_key_base="${db_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
openid_connect_signing_key="${openid_connect_signing_key:-$(openssl genrsa 2048)}"
lets_encrypt_private_key="${lets_encrypt_private_key:-$(openssl genrsa 2048)}"
# Update the existing secret
cat << EOF > rails-secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: $rails_secret
type: Opaque
stringData:
secrets.yml: |-
$env:
secret_key_base: $secret_key_base
otp_key_base: $otp_key_base
db_key_base: $db_key_base
openid_connect_signing_key: |
$(echo "${openid_connect_signing_key}" | awk '{print " " $0}')
lets_encrypt_private_key: |
$(echo "${lets_encrypt_private_key}" | awk '{print " " $0}')
EOF
generate_secret_if_needed {{ template "gitlab.rails-secrets.secret" . }} --from-file secrets.yml
kubectl --namespace=$namespace apply -f rails-secrets.yml
label_secret $rails_secret
fi
# Shell ssh host keys
......
image:
repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
tag: 1f8690f03f7aeef27e727396927ab3cc96ac89e7
tag: 54033d1192f85dbd4f30e84187818514b5b07ebd
# pullPolicy: Always
pullSecrets: []
selfsign:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment