X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fsite%2Fsite.sh;h=4d232477a10a1923103b941603ae6b55144c3e65;hb=a4b13b17060ad388fa14ba6393c449146c6cf9ec;hp=d0c970a05a6a2f0d69467906bee0f12e3d6a6388;hpb=9098160f02327e2454375310eda4c53f43fad05b;p=icn.git
diff --git a/deploy/site/site.sh b/deploy/site/site.sh
index d0c970a..4d23247 100755
--- a/deploy/site/site.sh
+++ b/deploy/site/site.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -eu -o pipefail
+set -eux -o pipefail
 SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
 LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
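Review bot: `set -eux -o pipefail` enables command tracing for the whole script, and the rest of this diff shows the script handling credentials: it passes the literal test password to `mkpasswd --method=SHA-512 --rounds 10000 "mypasswd"`, runs `gpg --import ${FLUX_SOPS_PRIVATE_KEY}`, and calls `create_gpg_key`, `export_gpg_private_key`, `sops_encrypt` and `sops_decrypt` from the sourced common.sh, whose argument handling is outside this diff. With `-x` every expanded argument is echoed to stderr, so any secret that reaches argv or a here-string ends up in the console or CI log; the private-key export itself goes through a redirect rather than argv, so its bytes are not traced, but that only holds as long as the sourced helpers keep key material off the command line, which I cannot confirm from here. Consider keeping `set -eu -o pipefail` and making tracing opt-in, for example `[[ -n "${ICN_DEBUG:-}" ]] && set -x` (variable name illustrative), or bracketing the credential-generating calls in build_site_source and build_source with `set +x` / `set -x`.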
@@ -7,19 +7,103 @@ LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
 source $LIBDIR/common.sh
 source $SCRIPTDIR/common.sh
+# !!!NOTE!!! THE KEYS USED BELOW ARE FOR TEST PURPOSES ONLY. DO NOT
+# USE THESE OUTSIDE OF THIS ICN VIRTUAL TEST ENVIRONMENT.
+
+function build_istio_root_certs {
+ # Create root CA certs for use by Istio in each cluster
+ clone_istio_repository
+ local -r certs_dir=${SCRIPTDIR}/secrets/certs
+ rm -rf ${certs_dir}
+ mkdir -p ${certs_dir}
+ certs=${ISTIOPATH}/tools/certs
+ make -C ${certs} -f Makefile.selfsigned.mk ROOT_CN="EMCO Root CA" ROOTCA_ORG=project-emco.io root-ca
+ find ${certs}/root-* -exec cp '{}' ${certs_dir} ';'
+}
+
+function build_site_source {
+ local -r site_dir=$1
+ local -r reuse_credentials=${2:-false}
+
+ # First decrypt the existing site YAML, otherwise we'll be
+ # attempting to encrypt it twice below
+ if [[ -f ${FLUX_SOPS_PRIVATE_KEY} ]]; then
+ gpg --import ${FLUX_SOPS_PRIVATE_KEY}
+ for yaml in ${site_dir}/cluster/*/*.yaml ${site_dir}/deployment/*.yaml; do
+ sops_decrypt ${yaml} ${site_dir}
+ done
+ fi
+
+ if ! ${reuse_credentials}; then
+ # Generate user password and authorized key in site YAML
+ # To login to guest, ssh -i ${site_dir}/id_rsa
+ HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds 10000 "mypasswd")
+ ssh-keygen -t rsa -N "" -f ${site_dir}/id_rsa <<${site_dir}/cluster/${name}/istio-cacerts.yaml
+ fi
+ done
+
+ # Encrypt the site YAML
+ for yaml in ${site_dir}/cluster/*/*.yaml ${site_dir}/deployment/*.yaml; do
+ sops_encrypt ${yaml} ${FLUX_SOPS_KEY_NAME} ${site_dir}
+ done
+}
+
+function build_source {
+ create_gpg_key ${FLUX_SOPS_KEY_NAME}
+ # ONLY FOR TEST ENVIRONMENT: save the private key used
+ export_gpg_private_key ${FLUX_SOPS_KEY_NAME} >${FLUX_SOPS_PRIVATE_KEY}
+
+ build_istio_root_certs
+
+ build_site_source ${SCRIPTDIR}/vm-mc
+ build_site_source ${SCRIPTDIR}/vm
+ build_site_source ${SCRIPTDIR}/pod11 true # re-use existing credentials in site
+}
+
 case $1 in
 "create-gpg-key") create_gpg_key $2 ;;
- "sops-encrypt-site") sops_encrypt_site $2 $3 ;;
- "sops-decrypt-site") sops_decrypt_site $2 ;;
+ "sops-encrypt-site") sops_encrypt $2 $3 ;;
+ "sops-decrypt-site")
+ if [[ $# -eq 2 ]]; then
+ sops_decrypt $2
+ else
+ sops_decrypt $2 $3
+ fi
+ ;;
 "flux-create-site") flux_create_site $2 $3 $4 $5;;
+ "build-source") build_source ;;
 *) cat <