Wire namespace caches and agenix secrets
This commit is contained in:
Conrad Kramer
parent
5bd95b7a7c
commit
028627bfcb
8 changed files with 66 additions and 102 deletions
|
|
@ -84,13 +84,13 @@ burrow_resolve_secret_file() {
|
|||
return 0
|
||||
fi
|
||||
|
||||
if [[ -n "${intake_path}" && -s "${intake_path}" ]]; then
|
||||
printf '%s\n' "${intake_path}"
|
||||
if [[ -n "${age_path}" && -f "${age_path}" ]]; then
|
||||
burrow_decrypt_age_secret_to_temp "${repo_root}" "${age_path}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [[ -n "${age_path}" && -f "${age_path}" ]]; then
|
||||
burrow_decrypt_age_secret_to_temp "${repo_root}" "${age_path}"
|
||||
if [[ -n "${intake_path}" && -s "${intake_path}" ]]; then
|
||||
printf '%s\n' "${intake_path}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -28,7 +28,6 @@ Options:
|
|||
--contact-user <name> Forgejo username used for PAT creation (default: contact)
|
||||
--scope-owner <name> Forgejo org/user owner for the default NSC scope (default: hackclub)
|
||||
--scope-name <name> Forgejo repository name for the default NSC scope (default: burrow)
|
||||
--write-intake Also write plaintext runtime inputs to intake/ for local debugging.
|
||||
-h, --help Show this help text.
|
||||
EOF
|
||||
}
|
||||
|
|
@ -43,7 +42,6 @@ CONTACT_USER="${FORGEJO_CONTACT_USER:-contact}"
|
|||
SCOPE_OWNER="${FORGEJO_SCOPE_OWNER:-hackclub}"
|
||||
SCOPE_NAME="${FORGEJO_SCOPE_NAME:-burrow}"
|
||||
BURROW_FLAKE_TMPDIRS=()
|
||||
WRITE_INTAKE=0
|
||||
TMP_DIR=""
|
||||
|
||||
cleanup() {
|
||||
|
|
@ -87,10 +85,6 @@ while [[ $# -gt 0 ]]; do
|
|||
SCOPE_NAME="${2:?missing value for --scope-name}"
|
||||
shift 2
|
||||
;;
|
||||
--write-intake)
|
||||
WRITE_INTAKE=1
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
exit 0
|
||||
|
|
@ -174,8 +168,6 @@ PY
|
|||
chmod 600 "${token_file}"
|
||||
elif [[ -f "${token_secret}" ]]; then
|
||||
burrow_decrypt_age_secret_to_temp "${REPO_ROOT}" "${token_secret}" > "${token_file}"
|
||||
elif [[ -s "${REPO_ROOT}/intake/forgejo_nsc_token.txt" ]]; then
|
||||
cp "${REPO_ROOT}/intake/forgejo_nsc_token.txt" "${token_file}"
|
||||
fi
|
||||
|
||||
if [[ -s "${token_file}" ]]; then
|
||||
|
|
@ -298,20 +290,5 @@ burrow_encrypt_secret_from_file "${REPO_ROOT}" "${token_secret}" "${token_file}"
|
|||
burrow_encrypt_secret_from_file "${REPO_ROOT}" "${dispatcher_secret}" "${dispatcher_out}"
|
||||
burrow_encrypt_secret_from_file "${REPO_ROOT}" "${autoscaler_secret}" "${autoscaler_out}"
|
||||
|
||||
if [[ "${WRITE_INTAKE}" -eq 1 ]]; then
|
||||
mkdir -p "${REPO_ROOT}/intake"
|
||||
chmod 700 "${REPO_ROOT}/intake"
|
||||
cp "${token_file}" "${REPO_ROOT}/intake/forgejo_nsc_token.txt"
|
||||
cp "${dispatcher_out}" "${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
|
||||
cp "${autoscaler_out}" "${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
|
||||
chmod 600 \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_token.txt" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
|
||||
fi
|
||||
|
||||
echo "Updated secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age."
|
||||
if [[ "${WRITE_INTAKE}" -eq 1 ]]; then
|
||||
echo "Also refreshed intake/forgejo_nsc_{token,dispatcher,autoscaler} for local debugging."
|
||||
fi
|
||||
echo "Minted Forgejo PAT ${token_name} for ${CONTACT_USER} on ${HOST}."
|
||||
|
|
|
|||
|
|
@ -5,14 +5,13 @@ usage() {
|
|||
cat <<'EOF'
|
||||
Usage: Scripts/sync-forgejo-nsc-config.sh [options]
|
||||
|
||||
Copy Burrow forgejo-nsc runtime inputs from age secrets or intake/ onto the forge host and
|
||||
restart the dispatcher/autoscaler units.
|
||||
Deploy Burrow forgejo-nsc runtime inputs from age secrets onto the forge host.
|
||||
|
||||
Options:
|
||||
--host <user@host> SSH target (default: root@git.burrow.net)
|
||||
--ssh-key <path> SSH private key (default: secrets/forgejo/agent-ssh-key.age, then intake/)
|
||||
--rotate-pat Re-render the intake files before syncing.
|
||||
--no-restart Copy files only.
|
||||
--rotate-pat Re-render the encrypted runtime inputs before deploying.
|
||||
--no-restart Validate the encrypted inputs only; do not deploy.
|
||||
-h, --help Show this help text.
|
||||
EOF
|
||||
}
|
||||
|
|
@ -75,7 +74,6 @@ burrow_require_cmd() {
|
|||
}
|
||||
|
||||
burrow_require_cmd ssh
|
||||
burrow_require_cmd scp
|
||||
|
||||
SSH_KEY="$(
|
||||
burrow_resolve_secret_file \
|
||||
|
|
@ -90,26 +88,25 @@ if [[ "${ROTATE_PAT}" -eq 1 ]]; then
|
|||
"${SCRIPT_DIR}/provision-forgejo-nsc.sh" --host "${HOST}" --ssh-key "${SSH_KEY}"
|
||||
fi
|
||||
|
||||
TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/burrow-nsc-sync.XXXXXX")"
|
||||
token_file="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_token.txt" \
|
||||
"" \
|
||||
"${REPO_ROOT}/secrets/forgejo/nsc-token.age"
|
||||
)"
|
||||
dispatcher_file="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml" \
|
||||
"" \
|
||||
"${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
|
||||
)"
|
||||
autoscaler_file="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml" \
|
||||
"" \
|
||||
"${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"
|
||||
)"
|
||||
|
||||
|
|
@ -120,45 +117,11 @@ for path in "${token_file}" "${dispatcher_file}" "${autoscaler_file}"; do
|
|||
fi
|
||||
done
|
||||
|
||||
ssh_opts=(
|
||||
-i "${SSH_KEY}"
|
||||
-o IdentitiesOnly=yes
|
||||
-o UserKnownHostsFile="${KNOWN_HOSTS_FILE}"
|
||||
-o StrictHostKeyChecking=accept-new
|
||||
)
|
||||
|
||||
remote_tmp="$(ssh "${ssh_opts[@]}" "${HOST}" "mktemp -d")"
|
||||
cleanup_remote() {
|
||||
if [[ -n "${remote_tmp:-}" ]]; then
|
||||
ssh "${ssh_opts[@]}" "${HOST}" "rm -rf '${remote_tmp}'" >/dev/null 2>&1 || true
|
||||
fi
|
||||
}
|
||||
trap 'cleanup_remote; cleanup' EXIT
|
||||
|
||||
scp "${ssh_opts[@]}" \
|
||||
"${token_file}" \
|
||||
"${dispatcher_file}" \
|
||||
"${autoscaler_file}" \
|
||||
"${HOST}:${remote_tmp}/"
|
||||
|
||||
ssh "${ssh_opts[@]}" "${HOST}" "
|
||||
set -euo pipefail
|
||||
install -d -m 0755 /var/lib/burrow/intake
|
||||
install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${token_file}")' /var/lib/burrow/intake/forgejo_nsc_token.txt
|
||||
install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${dispatcher_file}")' /var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml
|
||||
install -m 0400 -o forgejo-nsc -g forgejo-nsc '${remote_tmp}/$(basename "${autoscaler_file}")' /var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml
|
||||
"
|
||||
|
||||
if [[ "${NO_RESTART}" -eq 0 ]]; then
|
||||
ssh "${ssh_opts[@]}" "${HOST}" "
|
||||
set -euo pipefail
|
||||
systemctl restart forgejo-nsc-dispatcher.service forgejo-nsc-autoscaler.service
|
||||
systemctl is-active forgejo-nsc-dispatcher.service forgejo-nsc-autoscaler.service
|
||||
ls -l \
|
||||
/var/lib/burrow/intake/forgejo_nsc_token.txt \
|
||||
/var/lib/burrow/intake/forgejo_nsc_dispatcher.yaml \
|
||||
/var/lib/burrow/intake/forgejo_nsc_autoscaler.yaml
|
||||
"
|
||||
BURROW_FORGE_HOST="${HOST}" \
|
||||
BURROW_FORGE_SSH_KEY="${SSH_KEY}" \
|
||||
BURROW_FORGE_KNOWN_HOSTS_FILE="${KNOWN_HOSTS_FILE}" \
|
||||
"${SCRIPT_DIR}/forge-deploy.sh" --switch
|
||||
fi
|
||||
|
||||
echo "forgejo-nsc runtime sync complete (host=${HOST}, restarted=$((1 - NO_RESTART)))."
|
||||
echo "forgejo-nsc runtime sync complete (host=${HOST}, deployed=$((1 - NO_RESTART)))."
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue