Rotate operator secrets into agenix and deepen caches
This commit is contained in:
parent
7039bf5aad
commit
03415e579b
28 changed files with 526 additions and 126 deletions
|
|
@ -6,31 +6,35 @@ REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
|
|||
|
||||
# shellcheck source=Scripts/_burrow-flake.sh
|
||||
source "${SCRIPT_DIR}/_burrow-flake.sh"
|
||||
# shellcheck source=Scripts/_burrow-secrets.sh
|
||||
source "${SCRIPT_DIR}/_burrow-secrets.sh"
|
||||
|
||||
usage() {
|
||||
cat <<'EOF'
|
||||
Usage: Scripts/provision-forgejo-nsc.sh [options]
|
||||
|
||||
Generate Burrow forgejo-nsc runtime inputs in intake/ and optionally refresh the
|
||||
Namespace token from the currently logged-in namespace account.
|
||||
Generate Burrow forgejo-nsc runtime inputs and refresh the authoritative
|
||||
`secrets/forgejo/*.age` files, optionally refreshing the Namespace token from
|
||||
the currently logged-in namespace account.
|
||||
|
||||
Options:
|
||||
--host <user@host> SSH target used to mint the Forgejo PAT.
|
||||
Default: root@git.burrow.net
|
||||
--ssh-key <path> SSH private key for the forge host.
|
||||
Default: intake/agent_at_burrow_net_ed25519
|
||||
Default: secrets/forgejo/agent-ssh-key.age, then intake/
|
||||
--nsc-bin <path> Override the nsc binary.
|
||||
--no-refresh-token Reuse intake/forgejo_nsc_token.txt if it already exists.
|
||||
--no-refresh-token Reuse the existing encrypted Namespace token if it already exists.
|
||||
--token-name <name> Forgejo PAT name prefix (default: forgejo-nsc)
|
||||
--contact-user <name> Forgejo username used for PAT creation (default: contact)
|
||||
--scope-owner <name> Forgejo org/user owner for the default NSC scope (default: hackclub)
|
||||
--scope-name <name> Forgejo repository name for the default NSC scope (default: burrow)
|
||||
--write-intake Also write plaintext runtime inputs to intake/ for local debugging.
|
||||
-h, --help Show this help text.
|
||||
EOF
|
||||
}
|
||||
|
||||
HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
|
||||
SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
|
||||
SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
|
||||
NSC_BIN="${NSC_BIN:-}"
|
||||
KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
|
||||
REFRESH_TOKEN=1
|
||||
|
|
@ -39,8 +43,12 @@ CONTACT_USER="${FORGEJO_CONTACT_USER:-contact}"
|
|||
SCOPE_OWNER="${FORGEJO_SCOPE_OWNER:-hackclub}"
|
||||
SCOPE_NAME="${FORGEJO_SCOPE_NAME:-burrow}"
|
||||
BURROW_FLAKE_TMPDIRS=()
|
||||
WRITE_INTAKE=0
|
||||
TMP_DIR=""
|
||||
|
||||
cleanup() {
|
||||
[[ -n "${TMP_DIR}" ]] && rm -rf "${TMP_DIR}" >/dev/null 2>&1 || true
|
||||
burrow_cleanup_secret_tmpfiles
|
||||
burrow_cleanup_flake_tmpdirs
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
|
@ -79,6 +87,10 @@ while [[ $# -gt 0 ]]; do
|
|||
SCOPE_NAME="${2:?missing value for --scope-name}"
|
||||
shift 2
|
||||
;;
|
||||
--write-intake)
|
||||
WRITE_INTAKE=1
|
||||
shift
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
exit 0
|
||||
|
|
@ -97,13 +109,15 @@ burrow_require_cmd nix
|
|||
burrow_require_cmd ssh
|
||||
burrow_require_cmd python3
|
||||
|
||||
if [[ ! -f "${SSH_KEY}" ]]; then
|
||||
echo "forge SSH key not found: ${SSH_KEY}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mkdir -p "${REPO_ROOT}/intake"
|
||||
chmod 700 "${REPO_ROOT}/intake"
|
||||
SSH_KEY="$(
|
||||
burrow_resolve_secret_file \
|
||||
"${REPO_ROOT}" \
|
||||
"${SSH_KEY}" \
|
||||
"${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
|
||||
"${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
|
||||
"${HOME}/.ssh/agent_at_burrow_net_ed25519"
|
||||
)"
|
||||
TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/burrow-forgejo-nsc.XXXXXX")"
|
||||
|
||||
flake_ref="$(burrow_prepare_flake_ref "${REPO_ROOT}")"
|
||||
if [[ -z "${NSC_BIN}" ]]; then
|
||||
|
|
@ -128,13 +142,16 @@ if [[ ! -x "${NSC_BIN}" ]]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
token_file="${REPO_ROOT}/intake/forgejo_nsc_token.txt"
|
||||
dispatcher_out="${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
|
||||
autoscaler_out="${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
|
||||
token_file="${TMP_DIR}/forgejo_nsc_token.txt"
|
||||
dispatcher_out="${TMP_DIR}/forgejo_nsc_dispatcher.yaml"
|
||||
autoscaler_out="${TMP_DIR}/forgejo_nsc_autoscaler.yaml"
|
||||
dispatcher_src="${REPO_ROOT}/services/forgejo-nsc/deploy/dispatcher.yaml"
|
||||
autoscaler_src="${REPO_ROOT}/services/forgejo-nsc/deploy/autoscaler.yaml"
|
||||
token_secret="${REPO_ROOT}/secrets/forgejo/nsc-token.age"
|
||||
dispatcher_secret="${REPO_ROOT}/secrets/forgejo/nsc-dispatcher-config.age"
|
||||
autoscaler_secret="${REPO_ROOT}/secrets/forgejo/nsc-autoscaler-config.age"
|
||||
|
||||
if [[ "${REFRESH_TOKEN}" -eq 1 || ! -s "${token_file}" ]]; then
|
||||
if [[ "${REFRESH_TOKEN}" -eq 1 ]]; then
|
||||
"${NSC_BIN}" auth check-login --duration 20m >/dev/null
|
||||
raw_token_file="$(mktemp)"
|
||||
trap 'rm -f "${raw_token_file}"; cleanup' EXIT
|
||||
|
|
@ -155,7 +172,13 @@ Path(os.environ["TOKEN_FILE"]).write_text(
|
|||
PY
|
||||
rm -f "${raw_token_file}"
|
||||
chmod 600 "${token_file}"
|
||||
elif [[ -s "${token_file}" ]]; then
|
||||
elif [[ -f "${token_secret}" ]]; then
|
||||
burrow_decrypt_age_secret_to_temp "${REPO_ROOT}" "${token_secret}" > "${token_file}"
|
||||
elif [[ -s "${REPO_ROOT}/intake/forgejo_nsc_token.txt" ]]; then
|
||||
cp "${REPO_ROOT}/intake/forgejo_nsc_token.txt" "${token_file}"
|
||||
fi
|
||||
|
||||
if [[ -s "${token_file}" ]]; then
|
||||
TOKEN_FILE="${token_file}" python3 - <<'PY'
|
||||
import json
|
||||
import os
|
||||
|
|
@ -271,6 +294,24 @@ PY
|
|||
|
||||
chmod 600 "${dispatcher_out}" "${autoscaler_out}"
|
||||
|
||||
echo "Rendered intake/forgejo_nsc_token.txt, intake/forgejo_nsc_dispatcher.yaml, and intake/forgejo_nsc_autoscaler.yaml."
|
||||
echo "Re-encrypt them into secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age before deploying the forge host."
|
||||
burrow_encrypt_secret_from_file "${REPO_ROOT}" "${token_secret}" "${token_file}"
|
||||
burrow_encrypt_secret_from_file "${REPO_ROOT}" "${dispatcher_secret}" "${dispatcher_out}"
|
||||
burrow_encrypt_secret_from_file "${REPO_ROOT}" "${autoscaler_secret}" "${autoscaler_out}"
|
||||
|
||||
if [[ "${WRITE_INTAKE}" -eq 1 ]]; then
|
||||
mkdir -p "${REPO_ROOT}/intake"
|
||||
chmod 700 "${REPO_ROOT}/intake"
|
||||
cp "${token_file}" "${REPO_ROOT}/intake/forgejo_nsc_token.txt"
|
||||
cp "${dispatcher_out}" "${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml"
|
||||
cp "${autoscaler_out}" "${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
|
||||
chmod 600 \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_token.txt" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_dispatcher.yaml" \
|
||||
"${REPO_ROOT}/intake/forgejo_nsc_autoscaler.yaml"
|
||||
fi
|
||||
|
||||
echo "Updated secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age."
|
||||
if [[ "${WRITE_INTAKE}" -eq 1 ]]; then
|
||||
echo "Also refreshed intake/forgejo_nsc_{token,dispatcher,autoscaler} for local debugging."
|
||||
fi
|
||||
echo "Minted Forgejo PAT ${token_name} for ${CONTACT_USER} on ${HOST}."
|
||||
|
|
|
|||
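Review bot: In the token-selection chain only the refresh branch tightens the token file's mode (`chmod 600 "${token_file}"`); the `burrow_decrypt_age_secret_to_temp ... > "${token_file}"` and `cp .../intake/forgejo_nsc_token.txt "${token_file}"` branches create it under the caller's umask, and `dispatcher_out`/`autoscaler_out` are likewise world-readable-by-umask until the later `chmod 600`. `TMP_DIR` comes from `mktemp -d` so the directory itself is 0700, but the simplest way to make every secret-bearing file private by construction is `umask 077` immediately after `TMP_DIR="$(mktemp -d "${TMPDIR:-/tmp}/burrow-forgejo-nsc.XXXXXX")"`, which also closes the pre-`chmod` window on the `--write-intake` copies. Separately, the name `burrow_decrypt_age_secret_to_temp` reads as though it prints a temp-file path (the way `burrow_resolve_secret_file` is consumed above), so please confirm it writes the decrypted bytes to stdout — otherwise `token_file` holds a path string and that is what gets re-encrypted into `nsc-token.age`. The `if [[ -s "${token_file}" ]]` block opened in this hunk closes outside it.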