Make decryption more make-like, use counter-party for setting modtime for encrypted/decrypted pairs
This commit is contained in:
parent
c589078f3a
commit
7b11840e68
46
Makefile
46
Makefile
|
@ -5,13 +5,6 @@ BACKEND_TF := $(wildcard infra/backend/*.tf)
|
|||
MAIN_TF := $(wildcard infra/main/*.tf)
|
||||
ENVIRONMENT := production
|
||||
REGION := sfo3
|
||||
ROOT_DIR := $(shell pwd)
|
||||
KEYS := \
|
||||
6B61ECD76088748C70590D55E90A401336C8AAA9 \
|
||||
88823A75ECAA786B0FF38B148E401478A3FBEF72 \
|
||||
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
|
||||
F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
|
||||
|
||||
EXTRA_ARGS :=
|
||||
GPG_TTY ?= $(shell tty)
|
||||
PLATFORM ?= linux/amd64
|
||||
|
@ -19,7 +12,6 @@ PROGRESS ?= auto
|
|||
REGISTRY ?= git.distrust.co/public
|
||||
VERSION := latest
|
||||
SHELL=/bin/bash
|
||||
SOPS := sops
|
||||
|
||||
ifeq ($(NOCACHE), 1)
|
||||
NOCACHE_FLAG=--no-cache
|
||||
|
@ -30,6 +22,12 @@ export NOCACHE_FLAG
|
|||
|
||||
include $(PWD)/src/make/macros.mk
|
||||
|
||||
TALOS_SECRETS := \
|
||||
infra/main/talos/controlplane.yaml \
|
||||
infra/main/talos/worker.yaml \
|
||||
infra/main/talos/kubeconfig \
|
||||
infra/main/talos/talosconfig
|
||||
|
||||
.ONESHELL:
|
||||
|
||||
.DEFAULT_GOAL :=
|
||||
|
@ -48,10 +46,6 @@ out:
|
|||
shell: build-tools load-tools
|
||||
$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)
|
||||
|
||||
.PHONY: credentials
|
||||
credentials: \
|
||||
$(CACHE_DIR)/secrets/credentials.tfvars
|
||||
|
||||
infra/backend/.terraform: $(BACKEND_TF)
|
||||
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
|
||||
tofu -chdir=infra/backend init -upgrade && \
|
||||
|
@ -63,7 +57,8 @@ infra/backend/.terraform: $(BACKEND_TF)
|
|||
|
||||
infra/main/.terraform: \
|
||||
config/$(ENVIRONMENT).tfbackend \
|
||||
$(MAIN_TF)
|
||||
$(MAIN_TF) \
|
||||
$(TALOS_SECRETS)
|
||||
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
|
||||
tofu -chdir=infra/main init -upgrade \
|
||||
-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
|
||||
|
@ -109,14 +104,17 @@ infra/main/talos:
|
|||
mkdir -p $@
|
||||
|
||||
infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
|
||||
$(SOPS) --decrypt $< > $@
|
||||
sops --decrypt $< > $@ && \
|
||||
touch -r $< $@ || true
|
||||
|
||||
secrets/$(ENVIRONMENT).%: infra/main/talos/%
|
||||
sops --encrypt $< > $@ && \
|
||||
touch -r $< $@ || true
|
||||
|
||||
.PHONY: tofu-plan
|
||||
tofu-plan: infra/main/.terraform
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
|
||||
tofu-plan: \
|
||||
infra/main/.terraform \
|
||||
$(TALOS_SECRETS)
|
||||
sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
|
||||
'tofu -chdir=infra/main plan \
|
||||
-var environment=$(ENVIRONMENT) \
|
||||
|
@ -130,16 +128,10 @@ tofu-plan: infra/main/.terraform
|
|||
|
||||
.PHONY: tofu-apply
|
||||
tofu-apply: \
|
||||
$(TERRAFORM) \
|
||||
$(SOPS) \
|
||||
infra/main/.terraform
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
|
||||
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
|
||||
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||
sops exec-env secrets/$(ENVIRONMENT).enc.env '\
|
||||
env -C infra/main \
|
||||
$(TERRAFORM) apply \
|
||||
tofu apply \
|
||||
-var environment=$(ENVIRONMENT) \
|
||||
-var namespace=$(ENVIRONMENT) \
|
||||
-var region=$(REGION) \
|
||||
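Review bot: In the new `infra/main/talos/%` rule a failed `sops --decrypt` leaves an empty, freshly-timestamped `$@` behind (the shell creates the redirect target before sops runs) and the trailing `|| true` hides the failure, so the next run treats the plaintext as up to date and `tofu-plan` proceeds with an empty kubeconfig/talosconfig. Drop the `|| true` and declare `.DELETE_ON_ERROR:` next to `.ONESHELL:` so make removes the partial file and reports the error: `sops --decrypt $< > $@ && touch -r $< $@`; the same applies to the reverse `secrets/$(ENVIRONMENT).%` rule. Since `> $@` creates the plaintext under the default umask, a `umask 077 &&` at the start of the decrypt recipe would keep the decrypted secrets from being group/world readable. Because the two pattern rules make each encrypted/plaintext pair mutual prerequisites, make may also emit a circular-dependency warning when it considers whether the encrypted side can be remade — worth checking with a dry run.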
|
|
|
@ -5,19 +5,16 @@
|
|||
define maybe_encrypt_secret
|
||||
test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
|
||||
\( -f $(1) -a ! -f $(2) \) && \
|
||||
$(SOPS) --encrypt $(1) > $(2) || true
|
||||
sops --encrypt $(1) > $(2) || true
|
||||
endef
|
||||
|
||||
# Only decrypt when local files don't exist
|
||||
# Unfortunately, this means we can't decrypt if the secrets update. We can't
|
||||
# do that because otherwise it creates a loop. The secrets update, therefore we
|
||||
# decrypt secrets, but because the modtime of the decrypted secrets is newer
|
||||
# than the encrypted secrets, we want to reencrypt encrypted secrets.
|
||||
# Decrypt if the file is missing or older than it's encrypted counterpart.
|
||||
# When a decryption is done, set the files age to be the same as it's encrypted counterpart.
|
||||
define maybe_decrypt_secret
|
||||
test -f $(1) -a ! -f $(2) && \
|
||||
mkdir -p `dirname $(2)` && \
|
||||
$(SOPS) --decrypt $(1) > $(2) && \
|
||||
touch -d 1970-01-01 $(2) || \
|
||||
mkdir -p $(dir $(2)) && \
|
||||
sops --decrypt $(1) > $(2) && \
|
||||
touch -r $(1) $(2) || \
|
||||
true
|
||||
endef
|
||||
|
||||
|
|
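Review bot: The new comment above `maybe_decrypt_secret` says decryption also happens when the plaintext is older than its encrypted counterpart, but the unchanged guard `test -f $(1) -a ! -f $(2)` only fires when the plaintext is missing, so comment and code disagree. Either extend the guard to mirror the `-nt` test already used in `maybe_encrypt_secret`, `test -f $(1) -a \( ! -f $(2) -o $(1) -nt $(2) \) && \`, or reword the comment to "Decrypt only when the plaintext is missing; after decrypting, copy the encrypted file's mtime onto it so it is not re-encrypted." Both occurrences of "it's" in that comment should read "its". The Makefile hunks for `tofu-plan` and `tofu-apply` appear to drop every `$(call maybe_decrypt_secret, …)` use in favour of the new pattern rules, so if no other caller remains this define is dead code and is better removed than maintained. This section's file header is not visible on the page; the file is inferred to be the `src/make/macros.mk` included by the Makefile.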