public
/
stack
5
0
Fork 0
Code Issues 4 Pull Requests 1 Packages Projects Releases Wiki Activity

Make decryption more make-like, use counter-party for setting modtime for encrypted/decrypted pairs

This commit is contained in:
Danny Grove 2025-10-22 00:50:58 -07:00
parent c589078f3a
commit 7b11840e68
Signed by: danny
GPG Key ID: E1F4160251DB4C2E
2 changed files with 25 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
Makefile
View File

@ -5,13 +5,6 @@ BACKEND_TF := $(wildcard infra/backend/*.tf)
MAIN_TF := $(wildcard infra/main/*.tf) MAIN_TF := $(wildcard infra/main/*.tf)
ENVIRONMENT := production ENVIRONMENT := production
REGION := sfo3 REGION := sfo3
ROOT_DIR := $(shell pwd)
KEYS := \
6B61ECD76088748C70590D55E90A401336C8AAA9 \
88823A75ECAA786B0FF38B148E401478A3FBEF72 \
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
EXTRA_ARGS := EXTRA_ARGS :=
GPG_TTY ?= $(shell tty) GPG_TTY ?= $(shell tty)
PLATFORM ?= linux/amd64 PLATFORM ?= linux/amd64
@ -19,7 +12,6 @@ PROGRESS ?= auto
REGISTRY ?= git.distrust.co/public REGISTRY ?= git.distrust.co/public
VERSION := latest VERSION := latest
SHELL=/bin/bash SHELL=/bin/bash
SOPS := sops
ifeq ($(NOCACHE), 1) ifeq ($(NOCACHE), 1)
NOCACHE_FLAG=--no-cache NOCACHE_FLAG=--no-cache
@ -30,6 +22,12 @@ export NOCACHE_FLAG
include $(PWD)/src/make/macros.mk include $(PWD)/src/make/macros.mk
TALOS_SECRETS := \
infra/main/talos/controlplane.yaml \
infra/main/talos/worker.yaml \
infra/main/talos/kubeconfig \
infra/main/talos/talosconfig
.ONESHELL: .ONESHELL:
.DEFAULT_GOAL := .DEFAULT_GOAL :=
@ -48,10 +46,6 @@ out:
shell: build-tools load-tools shell: build-tools load-tools
$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash) $(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)
.PHONY: credentials
credentials: \
$(CACHE_DIR)/secrets/credentials.tfvars
infra/backend/.terraform: $(BACKEND_TF) infra/backend/.terraform: $(BACKEND_TF)
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\ sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
tofu -chdir=infra/backend init -upgrade && \ tofu -chdir=infra/backend init -upgrade && \
@ -63,7 +57,8 @@ infra/backend/.terraform: $(BACKEND_TF)
infra/main/.terraform: \ infra/main/.terraform: \
config/$(ENVIRONMENT).tfbackend \ config/$(ENVIRONMENT).tfbackend \
$(MAIN_TF) $(MAIN_TF) \
$(TALOS_SECRETS)
sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\ sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
tofu -chdir=infra/main init -upgrade \ tofu -chdir=infra/main init -upgrade \
-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \ -backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
@ -109,14 +104,17 @@ infra/main/talos:
mkdir -p $@ mkdir -p $@
infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
$(SOPS) --decrypt $< > $@ sops --decrypt $< > $@ && \
touch -r $< $@ || true
secrets/$(ENVIRONMENT).%: infra/main/talos/%
sops --encrypt $< > $@ && \
touch -r $< $@ || true
.PHONY: tofu-plan .PHONY: tofu-plan
tofu-plan: infra/main/.terraform tofu-plan: \
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig) infra/main/.terraform \
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig) $(TALOS_SECRETS)
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
sops exec-env secrets/$(ENVIRONMENT).enc.env -- \ sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
'tofu -chdir=infra/main plan \ 'tofu -chdir=infra/main plan \
-var environment=$(ENVIRONMENT) \ -var environment=$(ENVIRONMENT) \
@ -130,16 +128,10 @@ tofu-plan: infra/main/.terraform
.PHONY: tofu-apply .PHONY: tofu-apply
tofu-apply: \ tofu-apply: \
$(TERRAFORM) \
$(SOPS) \
infra/main/.terraform infra/main/.terraform
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig) sops exec-env secrets/$(ENVIRONMENT).enc.env '\
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/main \ env -C infra/main \
$(TERRAFORM) apply \ tofu apply \
-var environment=$(ENVIRONMENT) \ -var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \ -var region=$(REGION) \

15
src/make/macros.mk
View File

@ -5,19 +5,16 @@
define maybe_encrypt_secret define maybe_encrypt_secret
test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \ test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
\( -f $(1) -a ! -f $(2) \) && \ \( -f $(1) -a ! -f $(2) \) && \
$(SOPS) --encrypt $(1) > $(2) || true sops --encrypt $(1) > $(2) || true
endef endef
# Only decrypt when local files don't exist # Decrypt if the file is missing or older than it's encrypted counterpart.
# Unfortunately, this means we can't decrypt if the secrets update. We can't # When a decryption is done, set the files age to be the same as it's encrypted counterpart.
# do that because otherwise it creates a loop. The secrets update, therefore we
# decrypt secrets, but because the modtime of the decrypted secrets is newer
# than the encrypted secrets, we want to reencrypt encrypted secrets.
define maybe_decrypt_secret define maybe_decrypt_secret
test -f $(1) -a ! -f $(2) && \ test -f $(1) -a ! -f $(2) && \
mkdir -p `dirname $(2)` && \ mkdir -p $(dir $(2)) && \
$(SOPS) --decrypt $(1) > $(2) && \ sops --decrypt $(1) > $(2) && \
touch -d 1970-01-01 $(2) || \ touch -r $(1) $(2) || \
true true
endef endef