#!/usr/bin/env bash
set -eu -o pipefail
+FLUX_SOPS_KEY_NAME=${FLUX_SOPS_KEY_NAME:-"icn-site-vm"}
+FLUX_SOPS_PRIVATE_KEY="$(readlink -f $(dirname ${BASH_SOURCE[0]}))/secrets/sops.asc"
+SITE_NAMESPACE="${SITE_NAMESPACE:-metal3}"
+
function _gpg_key_fp {
gpg --with-colons --list-secret-keys $1 | awk -F: '/fpr/ {print $10;exit}'
}
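Review bot: The `FLUX_SOPS_PRIVATE_KEY` line assembles its path from unquoted expansions, so a checkout whose directory contains whitespace is split into several words before `readlink` sees it; quote every layer: `FLUX_SOPS_PRIVATE_KEY="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")/secrets/sops.asc"`. `readlink -f` is a GNU extension that older BSD and macOS userlands lack, which the bash shebang alone does not rule out. The variable points at a private key kept inside the checkout under `secrets/`, and nothing in this hunk reads it, so it is presumably consumed further down or by a sourcing script; a comment on the line naming that consumer, and stating that the file must stay out of version control (whether `.gitignore` covers it is not visible here), would make the contract explicit.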
gpg --export-secret-keys --armor "$(_gpg_key_fp $1)"
}
-function sops_encrypt_site {
- local -r site_yaml=$1
- local -r key_name=$2
+function sops_encrypt {
+ local -r yaml=$1
+ local -r yaml_dir=$(dirname ${yaml})
- local -r site_dir=$(dirname ${site_yaml})
+ local -r key_name=$2
local -r key_fp=$(_gpg_key_fp ${key_name})
+ local site_dir=${yaml_dir}
+ if [[ $# -eq 3 ]]; then
+ site_dir=$3
+ fi
+
# Commit the public key to the repository so that team members who
# clone the repo can encrypt new files
- echo "Creating ${site_dir}/sops.pub.asc with public key used to encrypt secrets"
+ echo "Creating ${yaml_dir}/sops.pub.asc with public key used to encrypt secrets"
gpg --export --armor "${key_fp}" >${site_dir}/sops.pub.asc
# Add .sops.yaml so users won't have to worry about specifying the
# proper key for the target cluster or namespace
echo "Creating ${site_dir}/.sops.yaml SOPS configuration file"
+ encrypted_regex="(bmcPassword|ca-key.pem|decryptionSecret|hashedPassword|emcoPassword|rootPassword)"
cat <<EOF > ${site_dir}/.sops.yaml
creation_rules:
- path_regex: .*.yaml
- encrypted_regex: ^(bmcPassword|hashedPassword)$
+ encrypted_regex: ^${encrypted_regex}$
pgp: ${key_fp}
EOF
- sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+ if [[ $(grep -c $(echo ${encrypted_regex} | sed -e 's/(/\\(/g' -e 's/|/\\|/g' -e 's/)/\\)/') ${yaml}) -ne 0 ]]; then
+ sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${yaml}
+ fi
}
-function sops_decrypt_site {
- local -r site_yaml=$1
+function sops_decrypt {
+ local -r yaml=$1
+ local -r yaml_dir=$(dirname ${yaml})
+ local site_dir=${yaml_dir}
+ if [[ $# -eq 2 ]]; then
+ site_dir=$2
+ fi
- local -r site_dir=$(dirname ${site_yaml})
- sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+ if [[ $(grep -c "^sops:" ${yaml}) -ne 0 ]]; then
+ sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${yaml}
+ fi
+}
+
+function flux_site_source_name {
+ local -r url=$1
+ local -r branch=$2
+ echo $(basename ${url})-${branch}
+}
+
+function flux_site_kustomization_name {
+ local -r url=$1
+ local -r branch=$2
+ local -r path=$3
+ echo $(flux_site_source_name ${url} ${branch})-site-$(basename ${path})
}
function flux_create_site {
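Review bot: In `sops_encrypt` the message on the `echo "Creating ${yaml_dir}/sops.pub.asc ..."` line now names `${yaml_dir}`, but the `gpg --export` redirect two lines below still writes to `${site_dir}/sops.pub.asc`; the two differ whenever the optional third argument is passed, so the log claims a file that was never written there — since the public key accompanies the `.sops.yaml` that is also placed in `${site_dir}`, `echo "Creating ${site_dir}/sops.pub.asc with public key used to encrypt secrets"` looks like the intended fix. `encrypted_regex` is assigned without `local`, so it leaks into the caller's scope; `local -r encrypted_regex=...`. The guard that decides whether to run `sops --encrypt` rewrites the ERE into a BRE through `sed` and passes the result unquoted; `if grep -qE -- "${encrypted_regex}" "${yaml}"; then` performs the same test without the conversion, and the `grep -c "^sops:"` gate in `sops_decrypt` can likewise become `if grep -q "^sops:" -- "${yaml}"; then`. When the guard is false the file is left in plaintext with no output at all, so a `printf '%s contains none of the protected fields; not encrypted\n' "${yaml}" >&2` in an `else` branch would make that silent outcome visible in the run log.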
local -r path=$3
local -r key_name=$4
- local -r source_name="$(basename ${url})-${branch}"
- local -r kustomization_name="${source_name}-site-$(basename ${path})"
+ local -r source_name=$(flux_site_source_name ${url} ${branch})
+ local -r kustomization_name=$(flux_site_kustomization_name ${url} ${branch} ${path})
local -r key_fp=$(gpg --with-colons --list-secret-keys ${key_name} | awk -F: '/fpr/ {print $10;exit}')
local -r secret_name="${key_name}-sops-gpg"
gpg --export-secret-keys --armor "$(_gpg_key_fp ${key_name})" |
kubectl -n flux-system create secret generic ${secret_name} --from-file=sops.asc=/dev/stdin --dry-run=client -o yaml |
kubectl apply -f -
- flux create kustomization ${kustomization_name} --path=${path} --source=GitRepository/${source_name} --prune=true \
+ kubectl create namespace ${SITE_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
+ flux create kustomization ${kustomization_name} --target-namespace=${SITE_NAMESPACE} --path=${path} --source=GitRepository/${source_name} --prune=true \
--decryption-provider=sops --decryption-secret=${secret_name}
}
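Review bot: `flux_create_site` still computes `key_fp` with an inline `gpg --list-secret-keys | awk` pipeline even though the export below already goes through `_gpg_key_fp`, and within the part of the body visible here (the `url`/`branch` declarations sit above the hunk) `key_fp` is never read, so that line is a dead duplicate gpg invocation; drop `local -r key_fp=...`, or if something needs it, `local -r key_fp=$(_gpg_key_fp ${key_name})` for consistency with the helper. The new `kubectl create namespace ${SITE_NAMESPACE} ... | kubectl apply -f -` line and the `flux create kustomization` line expand `${SITE_NAMESPACE}`, `${path}`, `${source_name}` and `${kustomization_name}` unquoted; these come from the environment and positional arguments, so quoting them (`"${SITE_NAMESPACE}"`, `"${path}"`) keeps an unexpected space or glob character from becoming extra arguments. The private key reaches the secret manifest through stdin (`--from-file=sops.asc=/dev/stdin`) rather than the command line, which keeps it out of `ps` output and shell traces; a short comment on the `gpg --export-secret-keys` line stating that intent would stop a later edit from switching to `--from-literal`.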