Move the purse account passphrase to kube secrets

This is kind of just a gesture at this stage, but trying to set the stage for improvements down the line, both in terms of security and in terms of the ability to add config for different networks This particular passphrase - and all the config hard-coded in this script - is for our internal private testnet, so we are not too concerned about this
thesis · Jan 24, 2020 · 259d188 · 259d188
1 parent 4e56394
commit 259d188
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/env-var.list b/env-var.list
@@ -8,3 +8,4 @@ RELEASE_NOTIFICATION_ROOM=$RELEASE_NOTIFICATION_ROOM
 SUGGESTION_ALERT_ROOM=$SUGGESTION_ALERT_ROOM
 HUBOT_SCHEDULE_DEBUG=$HUBOT_SCHEDULE_DEBUG
 ZOOM_EXPECTED_MEETING_DURATION=$ZOOM_EXPECTED_MEETING_DURATION
+ETH_PURSE_ACCOUNT_PASSWORD_KEEP_TEST=$ETH_PURSE_ACCOUNT_PASSWORD_KEEP_TEST
diff --git a/infrastructure/kube/thesis-ops/heimdall-hubot-deployment.yaml b/infrastructure/kube/thesis-ops/heimdall-hubot-deployment.yaml
@@ -79,6 +79,11 @@ spec:
                   key: zoom_api_secret
             - name: ZOOM_EXPECTED_MEETING_DURATION
               value: "60"
+            - name: ETH_PURSE_ACCOUNT_PASSWORD_KEEP_TEST
+              valueFrom:
+                secretKeyRef:
+                  name: heimdall-hubot
+                  key: eth_purse_account_password_keep_test
           ports:
             - containerPort: 8080
           resources:

diff --git a/scripts/eth-account.js b/scripts/eth-account.js
@@ -4,6 +4,9 @@
 //
 //  Most things are hardcoded with purpose.
 //
+// Configuration:
+//   ETH_PURSE_ACCOUNT_PASSWORD_KEEP_TEST - Passphrase for the keep-test network purse account. Note: since this is an internal private testnet, we're storing the password in plaintext.
+//
 // Commands:
 //   hubot eth-account fund <ETH account address> - Transfers 10 ether to the specified address.
 //   hubot eth-account create - Creates a new account on the Keep ethereum testnet and returns a keyfile JSON (including private key! This is not for use in production!). This command funds the new account as well.
@@ -27,8 +30,10 @@ const ethNetworkId = "1101"
 const purse = "0x0f0977c4161a371b5e5ee6a8f43eb798cd1ae1db"
 
 // These are throw away accounts on an internal private testnet, hence the plaintext.
-const purseAccountPassword =
-  "doughnut_armenian_parallel_firework_backbite_employer_singlet"
+const purseAccountPassword = {
+  keepTest: process.env.ETH_PURSE_ACCOUNT_PASSWORD_KEEP_TEST,
+}
+
 const etherToTransfer = "10"
 
 // We override transactionConfirmationBlocks and transactionBlockTimeout because they're
@@ -95,7 +100,7 @@ module.exports = function(robot) {
 
     msg.send(`Unlocking purse account: ${purse}`)
     web3.eth.personal
-      .unlockAccount(purse, purseAccountPassword, 150000)
+      .unlockAccount(purse, purseAccountPassword.keepTest, 150000)
       .then(receipt => {
         msg.send(
           `Purse account unlocked! Funding account ${account} with ${etherToTransfer} ETH.  Don't panic, this may take several seconds.`,
@@ -133,7 +138,10 @@ module.exports = function(robot) {
       msg.send(`Creating account on the keep test network.`)
       let newAccount = web3.eth.accounts.create()
       let keyfileJSON = JSON.stringify(
-        web3.eth.accounts.encrypt(newAccount.privateKey, purseAccountPassword),
+        web3.eth.accounts.encrypt(
+          newAccount.privateKey,
+          purseAccountPassword.keepTest,
+        ),
       )
 
       let content = Buffer.from(keyfileJSON, "binary").toString("base64")