Added simple helper script to encrypt secrets

cms-DQM · Sep 1, 2023 · fe0f464 · fe0f464
1 parent 1e291bb
commit fe0f464
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,5 @@ __pycache__/
 dqm2m_production.db_test
 *.env*
 *.pkl
-*.log.*
+*.log.*
+*.yaml
diff --git a/k8_encrypt_secret.sh b/k8_encrypt_secret.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Script that encodes k8s secrets with base64. 
+# Might have many bugs!!!
+
+# Unencoded file to read secrets from
+IN_FILE=k8_secret.yaml
+
+# File to write output to
+OUT_FILE=k8_secret_encrypted.yaml
+
+# Files can also be passed as arguments to the script
+if [ ! -z $1 ]; 
+then
+    IN_FILE=$1
+fi
+
+if [ ! -z $2 ]; 
+then
+    OUT_FILE=$2
+fi
+
+# Do not split with spaces in for loop
+IFS=$'\n'
+
+# Copy input file to output, so that we can start replacing it in-place.
+cat $IN_FILE > $OUT_FILE
+# Use awk to get the secrets out of k8_secret, found under the "data" section in the yaml.
+for i in $(awk '/^[^ ]/{ f=/^data:/; next } f{ if (match($0, /^\s+[a-zA-Z0-9_]+\s*:.+/)) { print $0 }}' $OUT_FILE); do
+    # For each line containing a secret, encode its value in the OUT_FILE in place.
+    # Set base64's wrap to zero to have it all in one line.
+    # Use commas in the sed regexp, as we may have '/' in the values (e.g. CMSWEB_FRONTEND_PROXY_URL).
+    # Leading spaces are not preserved in the replacement string, so we're adding them manually.
+    sed -r "s,^$i$,  $(echo $i | awk '{print $1}') $(echo $i | awk '{printf $2}' | base64 --wrap 0) # $(echo $i | awk '{printf $2}'),g"  -i $OUT_FILE
+done
diff --git a/k8_secret.yaml b/k8_secret.yaml
@@ -7,9 +7,9 @@ metadata:
   namespace: dqm
 type: Opaque
 data:
-  # Remember that, before applying this file with kubectl, 
+  # Remember that, before applying this file with kubectl,
   # you will need to base64-encode the values and replace them
-  # with the encoded ones. E.g, "ENV: production" must 
+  # with the encoded ones. E.g, "ENV: production" must
   # be replaced with "ENV: cHJvZHVjdGlvbg=="
   # To encode it:
   #
@@ -28,4 +28,4 @@ data:
   SERVER_FFF_MACHINE: bu-c2f11-13-01
   CMSWEB_FRONTEND_PROXY_URL: https://cmsweb.cern.ch/dqm/dqm-square-origin
   FFF_PRODUCTION_MACHINES: bu-c2f11-09-01;fu-c2f11-11-01;fu-c2f11-11-02;fu-c2f11-11-03;fu-c2f11-11-04
-  FFF_PLAYBACK_MACHINES: bu-c2f11-13-01;fu-c2f11-15-01;fu-c2f11-15-02;fu-c2f11-15-03;fu-c2f11-15-04
+  FFF_PLAYBACK_MACHINES: bu-c2f11-13-01;fu-c2f11-15-01;fu-c2f11-15-02;fu-c2f11-15-03;fu-c2f11-15-04