mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-08 07:11:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
move_ci
pinniped/infra/concourse-install/bootstrap-secrets.sh
Ryan Richard e1464c379c improve how scripts check for gcloud auth
2024-11-15 09:40:22 -08:00

72 lines
3.2 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
# Require env vars.
if [[ -z "${GITHUB_CLIENT_ID:-}" ]]; then
echo "GITHUB_CLIENT_ID env var must be set"
exit 1
fi
if [[ -z "${GITHUB_CLIENT_SECRET:-}" ]]; then
echo "GITHUB_CLIENT_SECRET env var must be set"
exit 1
fi
if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
echo "PINNIPED_GCP_PROJECT env var must be set"
exit 1
fi
# Check pre-reqs.
if ! command -v gcloud &>/dev/null; then
echo "Please install the gcloud CLI"
exit
fi
if ! command -v yq &>/dev/null; then
echo "Please install the yq CLI"
exit
fi
if ! gcloud auth print-access-token &>/dev/null; then
echo "Please run \`gcloud auth login\` and try again."
exit 1
fi
# Create a temporary directory for secrets, cleaned up at the end of this script.
trap 'rm -rf "$TEMP_DIR"' EXIT
TEMP_DIR=$(mktemp -d) || exit 1
# Create the three keys required to install the Concourse web component.
# See https://github.com/concourse/concourse-chart/tree/master#secrets
docker run -v "$TEMP_DIR":/keys --rm -it concourse/concourse generate-key -t rsa -f /keys/session-signing-key
docker run -v "$TEMP_DIR":/keys --rm -it concourse/concourse generate-key -t ssh -f /keys/worker-key
docker run -v "$TEMP_DIR":/keys --rm -it concourse/concourse generate-key -t ssh -f /keys/host-key
# Create an extra keypair for our external workers so they can use a different private key
# to avoid sharing the private key of the internal workers to other Kubernetes clusters.
docker run -v "$TEMP_DIR":/keys --rm -it concourse/concourse generate-key -t ssh -f /keys/external-worker-key
# Create an encryption key for DB encryption at rest.
printf "%s" "$(openssl rand -base64 24)" >"$TEMP_DIR/encryption-key"
# Write a tmp yaml file which bundles together all of the secrets from above.
# The structure of the keys in this file matches the concourse helm chart's values.yaml inputs,
# except for .secrets.externalWorkerKey which is our own custom key.
SECRETS_FILE="$TEMP_DIR/secrets.yaml"
echo "# This secret is auto-generated by infra/concourse-install/bootstrap-secrets.sh" >"$SECRETS_FILE"
yq -i e ".secrets.hostKey = \"$(cat "$TEMP_DIR/host-key")\"" "$SECRETS_FILE" # TSA host key
yq -i e ".secrets.hostKeyPub = \"$(cat "$TEMP_DIR/host-key.pub")\"" "$SECRETS_FILE" # TSA host key pub
yq -i e ".secrets.sessionSigningKey = \"$(cat "$TEMP_DIR/session-signing-key")\"" "$SECRETS_FILE"
yq -i e ".secrets.workerKey = \"$(cat "$TEMP_DIR/worker-key")\"" "$SECRETS_FILE"
yq -i e ".secrets.externalWorkerKey = \"$(cat "$TEMP_DIR/external-worker-key")\"" "$SECRETS_FILE"
# Put both public keys into the workerKeyPub secret, one on each line.
yq -i e ".secrets.workerKeyPub = \"$(cat "$TEMP_DIR/worker-key.pub" "$TEMP_DIR/external-worker-key.pub")\"" "$SECRETS_FILE"
yq -i e ".secrets.encryptionKey = \"$(cat "$TEMP_DIR/encryption-key")\"" "$SECRETS_FILE"
yq -i e ".secrets.githubClientId = \"$GITHUB_CLIENT_ID\"" "$SECRETS_FILE"
yq -i e ".secrets.githubClientSecret = \"$GITHUB_CLIENT_SECRET\"" "$SECRETS_FILE"
# Save the tmp yaml file into the GCP Secrets Manager for later use.
gcloud secrets create concourse-install-bootstrap \
--data-file "$SECRETS_FILE" \
--project "$PINNIPED_GCP_PROJECT"
Reference in New Issue View Git Blame Copy Permalink