Commit fb6d99c6 authored by Jason Plum's avatar Jason Plum

Merge branch 'update-secrets' into 'master'

Update the rails secret generator code to smoothly add new secrets

A proposed fix for: #1326

Replaces: !785

Depends on: gitlab-org/build/CNG!226

Have the secrets generator always do an apply for rails secrets
But have it first populate the variables using any existing secret data
it finds via Go variant of `yq` command.

This allows us to generate secrets for new keys added in new gitlab
versions, while still respecting/retaining any existing key values.

See merge request !786
parents a128ba74 4e4d379b
Pipeline #61461295 (#4928) passed with stages
in 39 minutes and 53 seconds
......@@ -9,15 +9,16 @@ function gen_random(){
head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2
}
# Args: secretname, args
function generate_secret_if_needed(){
secret_args=( "${@:2}")
secret_name=$1
if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then
kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}
else
echo "secret \"$secret_name\" already exists"
fi;
# Args: yaml file, search path
function fetch_rails_value(){
local value=$(yq read $1 "${2}")
# Don't return null values
if [ "${value}" != "null" ]; then echo "${value}"; fi
}
# Args: secretname
function label_secret(){
local secret_name=$1
{{- if not .Values.global.application.create }}
# Remove application labels if they exist
kubectl --namespace=$namespace label \
......@@ -28,6 +29,18 @@ function generate_secret_if_needed(){
secret $secret_name {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\n" " " }}
}
# Args: secretname, args
function generate_secret_if_needed(){
local secret_args=( "${@:2}")
local secret_name=$1
if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then
kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}
else
echo "secret \"$secret_name\" already exists"
fi;
label_secret $secret_name
}
# Initial root password
generate_secret_if_needed {{ template "gitlab.migrations.initialRootPassword.secret" . }} --from-literal={{ template "gitlab.migrations.initialRootPassword.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
......@@ -62,23 +75,45 @@ generate_secret_if_needed {{ template "gitlab.registry.certificate.secret" . }}
# config/secrets.yaml
if [ -n "$env" ]; then
secret_key_base=$(gen_random 'a-f0-9' 128) # equavilent to secureRandom.hex(64)
otp_key_base=$(gen_random 'a-f0-9' 128) # equavilent to secureRandom.hex(64)
db_key_base=$(gen_random 'a-f0-9' 128) # equavilent to secureRandom.hex(64)
openid_connect_signing_key=$(openssl genrsa 2048);
lets_encrypt_private_key=$(openssl genrsa 2048);
cat << EOF > secrets.yml
$env:
secret_key_base: $secret_key_base
otp_key_base: $otp_key_base
db_key_base: $db_key_base
openid_connect_signing_key: |
$(openssl genrsa 2048 | awk '{print " " $0}')
lets_encrypt_private_key: |
$(openssl genrsa 2048 | awk '{print " " $0}')
rails_secret={{ template "gitlab.rails-secrets.secret" . }}
# Fetch the values from the existing secret if it exists
if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then
kubectl --namespace=$namespace get secret $rails_secret -o jsonpath="{.data.secrets\.yml}" | base64 --decode > secrets.yml
secret_key_base=$(fetch_rails_value secrets.yml "${env}.secret_key_base")
otp_key_base=$(fetch_rails_value secrets.yml "${env}.otp_key_base")
db_key_base=$(fetch_rails_value secrets.yml "${env}.db_key_base")
openid_connect_signing_key=$(fetch_rails_value secrets.yml "${env}.openid_connect_signing_key")
lets_encrypt_private_key=$(fetch_rails_value secrets.yml "${env}.lets_encrypt_private_key")
fi;
# Generate defaults for any unset secrets
secret_key_base="${secret_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
otp_key_base="${otp_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
db_key_base="${db_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64)
openid_connect_signing_key="${openid_connect_signing_key:-$(openssl genrsa 2048)}"
lets_encrypt_private_key="${lets_encrypt_private_key:-$(openssl genrsa 2048)}"
# Update the existing secret
cat << EOF > rails-secrets.yml
apiVersion: v1
kind: Secret
metadata:
name: $rails_secret
type: Opaque
stringData:
secrets.yml: |-
$env:
secret_key_base: $secret_key_base
otp_key_base: $otp_key_base
db_key_base: $db_key_base
openid_connect_signing_key: |
$(echo "${openid_connect_signing_key}" | awk '{print " " $0}')
lets_encrypt_private_key: |
$(echo "${lets_encrypt_private_key}" | awk '{print " " $0}')
EOF
generate_secret_if_needed {{ template "gitlab.rails-secrets.secret" . }} --from-file secrets.yml
kubectl --namespace=$namespace apply -f rails-secrets.yml
label_secret $rails_secret
fi
# Shell ssh host keys
......
image:
repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
tag: 1f8690f03f7aeef27e727396927ab3cc96ac89e7
tag: 54033d1192f85dbd4f30e84187818514b5b07ebd
# pullPolicy: Always
pullSecrets: []
selfsign:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment