feat(tools): Introduce pass-compatible wrapper using Cloud KMS
Adds a shell script that supports a subset of the 'pass' interface for compatibility with kontemplate, and wraps kontemplate in a script that places this version on the PATH. This makes it possible to use Cloud KMS encrypted secrets with kontemplate.
parent
abd5d7538c
commit
bcd7710be5
5 changed files with 78 additions and 0 deletions
1
.envrc
1
.envrc
|
@ -4,3 +4,4 @@
|
|||
export PATH="${PWD}/tools/bin:${PATH}"
|
||||
export NIX_PATH="nixpkgs=${PWD}/default.nix"
|
||||
export REPO_ROOT="${PWD}"
|
||||
export SECRETS_DIR="${PWD}/secrets"
|
||||
|
|
13
default.nix
13
default.nix
|
@ -28,6 +28,13 @@ let
|
|||
blog = self.callPackage ./services/tazblog {};
|
||||
blog_cli = self.callPackage ./tools/blog_cli {};
|
||||
gemma = self.callPackage ./services/gemma {};
|
||||
|
||||
kms_pass = self.callPackage ./tools/kms_pass {
|
||||
project = "tazjins-infrastructure";
|
||||
region = "europe-north1";
|
||||
keyring = "tazjins-keys";
|
||||
key = "kontemplate-key";
|
||||
};
|
||||
};
|
||||
|
||||
# Third-party projects (either vendored or modified from nixpkgs) go here:
|
||||
|
@ -49,6 +56,12 @@ let
|
|||
sha256 = "1wn7nmb1cqfk2j91l3rwc6yhimfkzxprb8wknw5wi57yhq9m6lv1";
|
||||
}) {}).elmPackages;
|
||||
|
||||
# Wrap kontemplate to inject the Cloud KMS version of 'pass'
|
||||
kontemplate = self.writeShellScriptBin "kontemplate" ''
|
||||
export PATH="${self.tazjin.kms_pass}/bin:$PATH"
|
||||
exec ${super.kontemplate}/bin/kontemplate $@
|
||||
'';
|
||||
|
||||
# One of Gemma's dependencies is missing in nixpkgs' Quicklisp
|
||||
# package set, it is overlaid locally here.
|
||||
lispPackages = import ./third_party/common_lisp/quicklisp.nix {
|
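Review bot: The wrapper forwards kontemplate's arguments unquoted in `exec ${super.kontemplate}/bin/kontemplate $@`, so any argument containing whitespace or glob characters (a `--var` value, a path with a space) is re-split and glob-expanded before kontemplate sees it; it should read `exec ${super.kontemplate}/bin/kontemplate "$@"`. Inside a Nix `''` string only `${` is interpolated, so `"$@"` needs no escaping. The `kms_pass` arguments in the first hunk (project, region, keyring, key) are key identifiers rather than secrets, so hard-coding them here looks acceptable, though a one-line comment saying that the key only grants decrypt to whoever has IAM access to it would help the next reader.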
||||
|
|
|
@ -22,6 +22,9 @@ case "${TARGET_TOOL}" in
|
|||
stern)
|
||||
attr="stern"
|
||||
;;
|
||||
pass)
|
||||
attr="tazjin.kms_pass"
|
||||
;;
|
||||
*)
|
||||
echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
|
||||
exit 1
|
||||
|
|
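Review bot: With this `pass)` arm, the `tools/bin/pass` symlink resolves to `tazjin.kms_pass`, and because `.envrc` prepends `tools/bin` to `PATH`, every `pass` invocation in the direnv shell — not only the one kontemplate makes — now reaches the KMS wrapper, which implements only `ls`, `show` and `insert` and exits 1 for anything else (`pass git`, `pass generate`, …). If the GPG-backed `pass` is still needed in this environment, consider naming the dispatch entry and symlink `kms-pass` instead, or at least documenting the shadowing next to this arm, e.g. `# shadows the real 'pass' for the whole dev shell; only ls/show/insert are supported`. The enclosing `case "${TARGET_TOOL}" in` begins before this hunk.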
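--- a/tools/bin/pass
+++ b/tools/bin/pass
@@ -0,0 +1 @@
+__dispatch.sh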
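--- a/tools/kms_pass/default.nix
+++ b/tools/kms_pass/default.nix
@@ -0,0 +1,60 @@
+# This tool mimics a subset of the interface of 'pass', but uses
+# Google Cloud KMS for encryption.
+#
+# It is intended to be compatible with how 'kontemplate' invokes
+# 'pass.'
+#
+# Only the 'show' and 'insert' commands are supported.
+
+{ google-cloud-sdk, tree, writeShellScriptBin
+, project, region, keyring, key }:
+
+writeShellScriptBin "pass" ''
+set -eo pipefail
+
+CMD="$1"
+readonly SECRET=$2
+readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
+
+function secret_check {
+if [[ -z $SECRET ]]; then
+echo 'Secret must be specified'
+exit 1
+fi
+}
+
+if [[ -z $CMD ]]; then
+CMD="ls"
+fi
+
+case "$CMD" in
+ls)
+${tree}/bin/tree $SECRETS_DIR
+;;
+show)
+secret_check
+${google-cloud-sdk}/bin/gcloud kms decrypt \
+--project ${project} \
+--location ${region} \
+--keyring ${keyring} \
+--key ${key} \
+--ciphertext-file $SECRET_PATH \
+--plaintext-file -
+;;
+insert)
+secret_check
+${google-cloud-sdk}/bin/gcloud kms encrypt \
+--project ${project} \
+--location ${region} \
+--keyring ${keyring} \
+--key ${key} \
+--ciphertext-file $SECRET_PATH \
+--plaintext-file -
+echo "Inserted secret '$SECRET'"
+;;
+*)
+echo "Usage: pass show/insert <secret>"
+exit 1
+;;
+esac
+''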
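Review bot: `readonly SECRET_PATH="$SECRETS_DIR/$SECRET"` is built from the caller-supplied name with no check that it stays below `SECRETS_DIR`, so a name such as `../../some/file` makes `show` decrypt and `insert` overwrite (through gcloud's `--ciphertext-file`) an arbitrary path, and with `set -e` but no `-u` an unset `SECRETS_DIR` silently turns the path into `/<name>`. The name comes from kontemplate's resource configuration, so this is a footgun for the operator rather than a remote issue, but the wrapper should still refuse absolute names and `..` components, require `SECRETS_DIR`, and quote `$SECRETS_DIR` and `$SECRET_PATH` in the `tree` and `gcloud` calls (both are unquoted and split on whitespace). The `Secret must be specified` diagnostic is also written to stdout, the channel kontemplate reads the plaintext from; it belongs on stderr. Note that inside a Nix `''` string `${` starts interpolation, so bash forms like `${VAR:?}` would need the `''${` escape — the version below avoids them.
```nix
writeShellScriptBin "pass" ''
  set -eo pipefail

  # Only meaningful inside the repository shell, where .envrc exports
  # SECRETS_DIR; refuse to run with it unset rather than reading/writing under "/".
  if [[ -z "$SECRETS_DIR" ]]; then
    echo 'SECRETS_DIR must be set' >&2
    exit 1
  fi

  CMD="$1"
  readonly SECRET="$2"
  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"

  function secret_check {
    if [[ -z "$SECRET" ]]; then
      echo 'Secret must be specified' >&2
      exit 1
    fi
    # Secret names are relative paths below SECRETS_DIR; reject absolute
    # paths and '..' so 'insert' cannot write outside it (this also rejects
    # names merely containing '..', which is deliberate).
    if [[ "$SECRET" == /* || "$SECRET" == *..* ]]; then
      echo "Invalid secret name: '$SECRET'" >&2
      exit 1
    fi
  }

  # … unchanged: default CMD to 'ls', case dispatch …
  # (quote "$SECRETS_DIR" in the tree call and "$SECRET_PATH" in both gcloud calls)
```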