Merge pull request #114 from OpsMx/encp_secrets

Implemented Encrypted Secrets and Folder Structure for GitOps Style of Spinnaker Implement…
OpsMx · Apr 12, 2021 · 3c196f3 · 3c196f3
2 parents db3f7b3 + 0f43f16
commit 3c196f3
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 6 deletions.
diff --git a/charts/oes/Chart.yaml b/charts/oes/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: oes
-version: 3.6.5
+version: 3.6.6
 appVersion: 3.6.2
 description: OES is a non-forked version of OSS spinnaker
 icon: https://www.opsmx.com/images/logo.png

diff --git a/charts/oes/charts/spinnaker/templates/configmap/halyard-init-script.yaml b/charts/oes/charts/spinnaker/templates/configmap/halyard-init-script.yaml
@@ -47,7 +47,9 @@ data:
     {{- else }}
     #!/bin/bash -x
     rm -rf /tmp/spinnaker/.hal
-    git clone $GIT_CLONE_PARAM /tmp/spinnaker/.hal
+    git clone $GIT_CLONE_PARAM /tmp/spinnaker/test
+    cp -pr /tmp/spinnaker/test/{{ .Values.gitopsHalyard.repo.halConfigPath }} /tmp/spinnaker/.hal
+    rm -rf /tmp/spinnaker/test
     GIT_USER=`echo $GIT_USER | sed 's/ *$//g'`
     GIT_TOKEN=`echo $GIT_TOKEN | sed 's/ *$//g'`
     DYNAMIC_ACCOUNTS_REPO=`echo $DYNAMIC_ACCOUNTS_REPO | sed 's/ *$//g'`

diff --git a/charts/oes/charts/spinnaker/templates/configmap/secret-decoder.yaml b/charts/oes/charts/spinnaker/templates/configmap/secret-decoder.yaml
@@ -0,0 +1,56 @@
+{{- if .Values.gitopsHalyard.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "spinnaker.fullname" . }}-spin-secret-decoder
+  labels:
+{{ include "spinnaker.standard-labels" . | indent 4 }}
+data:
+  run.sh: |-
+    #!/bin/bash
+    echo "##########Replacing Secret#########"
+    grep -ir encrypted: /tmp/spinnaker/.hal | sort -t: -u -k1,1 |cut -d : -f1 > tmp.list
+    while IFS= read -r file; do
+    grep encrypted: $file > tmp1.list
+    while read line ; do
+    echo ${line#*encrypted:} ;
+    done < tmp1.list > secret-strings.list
+    while read secret ; do
+    secretName=${secret%%:*}
+    echo "---------$secretName---" 
+    keyName=${secret#*:} 
+    echo "----------$keyName--"
+    #echo "secret Name= $secretName and key is = $keyName"
+    #kubectl get secret -o jis
+    #echo kubectl --kubeconfig /home/srini/ibm-cloud/staging/ibmstaging.config -n ninja-srini get secret $secretName -o json  jq -r ".data.$keyName"
+    jqParam=".data.\"$keyName\""
+    value=$(kubectl get secret $secretName -o json | jq -r $jqParam | base64 -d)
+    value=$(echo $value | sed -e 's`[][\\/.*^$]`\\&`g')
+    echo "-----------$value---"
+    #echo "secret Name= $secretName and key is = $keyName and value is $value"
+    sed -i s/encrypted:$secret/$value/g $file
+    done < secret-strings.list
+    done < tmp.list
+
+    echo "########### Replacing Kubeconfigs ############"
+    grep encryptedFile /tmp/spinnaker/.hal/config > tmp.list
+    while read line ; do
+    echo ${line#*encryptedFile:} ;
+    done < tmp.list  > secret-files.list
+
+    while read secret ; do
+    secretName=${secret%%:*} 
+    keyName=${secret#*:} 
+    #echo "secret Name= $secretName and key is = $keyName"
+    jqParam=".data.\"$keyName\""
+    mkdir -p /tmp/spinnaker/kubeconfigdir
+    kubectl get secret $secretName -o json | jq -r $jqParam | base64 -d > /tmp/spinnaker/kubeconfigdir/$keyName
+    #echo "secret Name= $secretName and key is = $keyName and value is in $keyName"
+    old_value="encryptedFile:$secret"
+    new_value="/home/spinnaker/kubeconfigdir/$keyName"
+    #echo $old_value
+    #echo $new_value
+    sed -i "s/${old_value}/$(echo $new_value | sed 's_/_\\/_g')/g" /tmp/spinnaker/.hal/config
+    done < secret-files.list
+    rm -rf secret-files.list secret-strings.list tmp.list
+{{- end -}}
diff --git a/charts/oes/charts/spinnaker/templates/statefulsets/halyard.yaml b/charts/oes/charts/spinnaker/templates/statefulsets/halyard.yaml
@@ -107,6 +107,20 @@ spec:
 {{ toYaml .Values.halyard.env | indent 8 }}
         {{- end }}
       {{- if .Values.gitopsHalyard.enabled }}
+      - name: "halyardconfig-update"
+        command:
+        - sh
+        - /tmp/akv2k8s/run.sh
+        image: quay.io/opsmxpublic/k8s-decoder:hal
+        imagePullPolicy: IfNotPresent
+        resources: {}
+        volumeMounts:
+        - name: halyard-home
+          mountPath: /tmp/spinnaker
+        - name: secret-decoder
+          mountPath: /tmp/akv2k8s
+        {{- end }}
+      {{- if .Values.gitopsHalyard.enabled }}
       - name: "halyard-overrideurl"
         command:
         - sh
@@ -161,6 +175,11 @@ spec:
         configMap:
           name: {{ template "spinnaker.fullname" . }}-halyard-overrideurl
       {{- end }}
+      {{- if .Values.gitopsHalyard.enabled }}
+      - name: secret-decoder
+        configMap:
+          name: {{ template "spinnaker.fullname" . }}-spin-secret-decoder
+      {{- end }}
       {{- if .Values.gitopsHalyard.mTLS.enabled }}
       - name: sslcerts
         secret:

diff --git a/charts/oes/templates/secrets/opsmx-gitops-secret.yaml b/charts/oes/templates/secrets/opsmx-gitops-secret.yaml
@@ -3,10 +3,10 @@
 apiVersion: v1
 stringData:
   # Repo uri to fetch halyard configuration
-  gitcloneparam: https://{{ .Values.spinnaker.gitopsHalyard.repo.username }}:{{ .Values.spinnaker.gitopsHalyard.repo.token }}@github.com/{{ .Values.spinnaker.gitopsHalyard.repo.organization }}/{{ .Values.spinnaker.gitopsHalyard.repo.halRepository }}.git
+  gitcloneparam: https://{{ .Values.spinnaker.gitopsHalyard.repo.username }}:{{ .Values.spinnaker.gitopsHalyard.repo.token }}@github.com/{{ .Values.spinnaker.gitopsHalyard.repo.organization }}/{{ .Values.spinnaker.gitopsHalyard.repo.repository }}.git
 
   # Repo details to fetch dynamic configuration
-  dynamicaccountsgituri: https://github.com/{{ .Values.spinnaker.gitopsHalyard.repo.organization }}/{{ .Values.spinnaker.gitopsHalyard.dynamicAccRepository }}.git
+  dynamicaccountsgituri: https://github.com/{{ .Values.spinnaker.gitopsHalyard.repo.organization }}/{{ .Values.spinnaker.gitopsHalyard.repo.dynamicAccRepository }}.git
   gituser: {{ .Values.spinnaker.gitopsHalyard.repo.username }}
   gittoken: {{ .Values.spinnaker.gitopsHalyard.repo.token }}
 kind: Secret

diff --git a/charts/oes/values.yaml b/charts/oes/values.yaml
@@ -977,8 +977,10 @@ spinnaker:
     repo:
       type: git # git, S3, vault, only git support at this point
       organization: OpsMx
-      halRepository: gitops-haldir # Please provide the repo URL of the GitOps Halyard Directory.
-      dynamicAccRepository: standard-dynamic-account # Please provide the repo URL of the GitOps Dynamic Accounts Directory.
+      repository: standard-gitops-repo # Please provide the repo name for GitOps Halyard Directory (Sample Reference: https://github.com/OpsMx/gitops-hal-sample.git).
+      dynamicAccRepository: standard-gitops-repo # Please provide the repo name of the GitOps Dynamic Accounts Directory.Can be same as Hal repo or can be different if needed. (Sample Reference: https://github.com/OpsMx/gitops-accounts-sample.git)
+      # Directory in gitops halyard repo under which halyard config exists; change this to / if config is directly available in root directory
+      halConfigPath: gitops-haldir/
       username: <GitHub_UserName>
       token: <GitHub_Token>
     secretName: opsmx-gitops-auth