X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fsite%2Fcommon.sh;h=ade492401e52f40dcf8120ce4179f6aba54cc614;hb=41776ab3743c491e4ff4c31e7a2ea48abe6451a2;hp=deafdae2723ca9f73a3711f6cc38f9dde865dc98;hpb=d85af5c74b2be9115a7874a1baaae3945a312ccb;p=icn.git

diff --git a/deploy/site/common.sh b/deploy/site/common.sh
index deafdae..ade4924 100644
--- a/deploy/site/common.sh
+++ b/deploy/site/common.sh
@@ -1,6 +1,10 @@
 #!/usr/bin/env bash
 set -eu -o pipefail
 
+FLUX_SOPS_KEY_NAME=${FLUX_SOPS_KEY_NAME:-"icn-site-vm"}
+FLUX_SOPS_PRIVATE_KEY="$(readlink -f $(dirname ${BASH_SOURCE[0]}))/secrets/sops.asc"
+SITE_NAMESPACE="${SITE_NAMESPACE:-metal3}"
+
 function _gpg_key_fp {
     gpg --with-colons --list-secret-keys $1 | awk -F: '/fpr/ {print $10;exit}'
 }
@@ -24,36 +28,50 @@ function export_gpg_private_key {
     gpg --export-secret-keys --armor "$(_gpg_key_fp $1)"
 }
 
-function sops_encrypt_site {
-    local -r site_yaml=$1
-    local -r key_name=$2
+function sops_encrypt {
+    local -r yaml=$1
+    local -r yaml_dir=$(dirname ${yaml})
 
-    local -r site_dir=$(dirname ${site_yaml})
+    local -r key_name=$2
     local -r key_fp=$(_gpg_key_fp ${key_name})
 
+    local site_dir=${yaml_dir}
+    if [[ $# -eq 3 ]]; then
+	site_dir=$3
+    fi
+
     # Commit the public key to the repository so that team members who
     # clone the repo can encrypt new files
-    echo "Creating ${site_dir}/sops.pub.asc with public key used to encrypt secrets"
+    echo "Creating ${yaml_dir}/sops.pub.asc with public key used to encrypt secrets"
     gpg --export --armor "${key_fp}" >${site_dir}/sops.pub.asc
 
     # Add .sops.yaml so users won't have to worry about specifying the
     # proper key for the target cluster or namespace
     echo "Creating ${site_dir}/.sops.yaml SOPS configuration file"
+    encrypted_regex="(bmcPassword|ca-key.pem|decryptionSecret|hashedPassword|emcoPassword|rootPassword)"
     cat <<EOF > ${site_dir}/.sops.yaml
 creation_rules:
   - path_regex: .*.yaml
-    encrypted_regex: ^(bmcPassword|hashedPassword)$
+    encrypted_regex: ^${encrypted_regex}$
     pgp: ${key_fp}
 EOF
 
-    sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+    if [[ $(grep -c $(echo ${encrypted_regex} | sed -e 's/(/\\(/g' -e 's/|/\\|/g' -e 's/)/\\)/') ${yaml}) -ne 0 ]]; then
+	sops --encrypt --in-place --config=${site_dir}/.sops.yaml ${yaml}
+    fi
 }
 
-function sops_decrypt_site {
-    local -r site_yaml=$1
-
-    local -r site_dir=$(dirname ${site_yaml})
-    sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${site_yaml}
+function sops_decrypt {
+    local -r yaml=$1
+    local -r yaml_dir=$(dirname ${yaml})
+    local site_dir=${yaml_dir}
+    if [[ $# -eq 2 ]]; then
+	site_dir=$2
+    fi
+
+    if [[ $(grep -c "^sops:" ${yaml}) -ne 0 ]]; then
+	sops --decrypt --in-place --config=${site_dir}/.sops.yaml ${yaml}
+    fi
 }
 
 function flux_site_source_name {
@@ -84,6 +102,7 @@ function flux_create_site {
     gpg --export-secret-keys --armor "$(_gpg_key_fp ${key_name})" |
 	kubectl -n flux-system create secret generic ${secret_name} --from-file=sops.asc=/dev/stdin --dry-run=client -o yaml |
 	kubectl apply -f -
-    flux create kustomization ${kustomization_name} --path=${path} --source=GitRepository/${source_name} --prune=true \
+    kubectl create namespace ${SITE_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
+    flux create kustomization ${kustomization_name} --target-namespace=${SITE_NAMESPACE} --path=${path} --source=GitRepository/${source_name} --prune=true \
 	 --decryption-provider=sops --decryption-secret=${secret_name}
 }