Makefile: improve encryption and decryption of secrets
This commit is contained in:
parent
430622c716
commit
2906f910c0
34
Makefile
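--- a/Makefile
+++ b/Makefile
@@ -92,6 +92,10 @@ apply: \
 $(OUT_DIR)/terraform \
 $(OUT_DIR)/sops \
 infra/main/.terraform
+$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
+$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
+$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
+$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
 $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
 env -C infra/main \
 $(TERRAFORM) apply \
@@ -99,10 +103,10 @@ apply: \
 -var namespace=$(ENVIRONMENT) \
 -var region=$(REGION) \
 '
-$(SOPS) --encrypt infra/main/talos/talosconfig > secrets/$(ENVIRONMENT).talosconfig
-$(SOPS) --encrypt infra/main/talos/kubeconfig > secrets/$(ENVIRONMENT).kubeconfig
-$(SOPS) --encrypt infra/main/talos/controlplane.yaml > secrets/$(ENVIRONMENT).controlplane.yaml
-$(SOPS) --encrypt infra/main/talos/worker.yaml > secrets/$(ENVIRONMENT).worker.yaml
+$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
+$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
+$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
+$(call maybe_encrypt_secret,infra/main/talos/worker.yaml,secrets/$(ENVIRONMENT).worker.yaml)
 
 $(CACHE_DIR)/secrets:
 mkdir -p $@
@@ -155,3 +159,25 @@ $(OUT_DIR)/talosctl: $(FETCH_DIR)/talosctl
 -ldflags='-w -extldflags=-static' \
 -o /home/build/$@ $(TALOSCTL_PKG) \
 ")
+
+# Note: Decryption MUST reset the mod time to avoid encryption/decryption loops
+# Encrypt if:
+# - Both files exist, local is newer than remote
+# - Only local exists
+define maybe_encrypt_secret
+test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
+\( -f $(1) -a ! -f $(2) \) && \
+$(SOPS) --encrypt $(1) > $(2) || true
+endef
+
+# Only decrypt when local files don't exist
+# Unfortunately, this means we can't decrypt if the secrets update. We can't
+# do that because otherwise it creates a loop. The secrets update, therefore we
+# decrypt secrets, but because the modtime of the decrypted secrets is newer
+# than the encrypted secrets, we want to reencrypt encrypted secrets.
+define maybe_decrypt_secret
+test -f $(1) -a ! -f $(2) && \
+$(SOPS) --decrypt $(1) > $(2) && \
+touch -d 1970-01-01 $(2) || \
+true
+endef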
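Review bot: The trailing `|| true` in both new macros swallows a sops failure as well as the intended "nothing to do" case, and because `> $(2)` truncates the destination before sops runs, a failed call leaves an empty file that the mtime tests then treat as authoritative: in `maybe_decrypt_secret` the empty plaintext now exists (so it is never re-decrypted) and carries a fresh mtime, and being newer than the ciphertext it would be picked up by `maybe_encrypt_secret` after `terraform apply` and encrypted over the real secret, should the recipe get that far. Write through a temp file and rename so the destination only appears once sops succeeded, and put the existence test in an `if` so that only the test, not sops, is allowed to be false without failing the recipe; running `touch` on the temp file before the rename preserves the 1970 mtime trick. The decrypted kubeconfig/talosconfig are also created under whatever umask make inherits (likely 0644), so a `umask 077` in the same shell before the redirect is worth adding — hedged, since no umask setting is visible here. Both defines are complete within the hunk; the `$(OUT_DIR)/talosctl` recipe above them starts outside it.
```make
# … unchanged: explanatory comments above each define …
define maybe_encrypt_secret
if test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
   \( -f $(1) -a ! -f $(2) \); then \
	$(SOPS) --encrypt $(1) > $(2).tmp && mv -f $(2).tmp $(2); \
fi
endef

define maybe_decrypt_secret
if test -f $(1) -a ! -f $(2); then \
	umask 077 && $(SOPS) --decrypt $(1) > $(2).tmp && \
	touch -d 1970-01-01 $(2).tmp && mv -f $(2).tmp $(2); \
fi
endef
```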