feat(tools): Introduce pass-compatible wrapper using Cloud KMS

Adds a shell script that supports a subset of the 'pass' interface for
compatibility with kontemplate, and wraps kontemplate in a script that
places this version on the PATH.

This makes it possible to use Cloud KMS encrypted secrets with kontemplate.
Vincent Ambo 2019-09-03 15:56:31 +01:00
parent abd5d7538c
commit bcd7710be5
5 changed files with 78 additions and 0 deletions

.envrc

@ -4,3 +4,4 @@
export PATH="${PWD}/tools/bin:${PATH}"
export NIX_PATH="nixpkgs=${PWD}/default.nix"
export REPO_ROOT="${PWD}"
export SECRETS_DIR="${PWD}/secrets"


@ -28,6 +28,13 @@ let
blog = self.callPackage ./services/tazblog {};
blog_cli = self.callPackage ./tools/blog_cli {};
gemma = self.callPackage ./services/gemma {};
kms_pass = self.callPackage ./tools/kms_pass {
project = "tazjins-infrastructure";
region = "europe-north1";
keyring = "tazjins-keys";
key = "kontemplate-key";
};
};
# Third-party projects (either vendored or modified from nixpkgs) go here:
@ -49,6 +56,12 @@ let
sha256 = "1wn7nmb1cqfk2j91l3rwc6yhimfkzxprb8wknw5wi57yhq9m6lv1";
}) {}).elmPackages;
# Wrap kontemplate to inject the Cloud KMS version of 'pass'
kontemplate = self.writeShellScriptBin "kontemplate" ''
export PATH="${self.tazjin.kms_pass}/bin:$PATH"
exec ${super.kontemplate}/bin/kontemplate $@
'';
# One of Gemma's dependencies is missing in nixpkgs' Quicklisp
# package set, it is overlaid locally here.
lispPackages = import ./third_party/common_lisp/quicklisp.nix {
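Review bot: The kontemplate wrapper in the second hunk passes its arguments on as an unquoted `$@`, so any argument containing whitespace or glob characters (a `--var` value with a space, a template path with `*`) is re-split or expanded before it reaches the real binary. Change the exec line to `exec ${super.kontemplate}/bin/kontemplate "$@"`; inside a Nix `''` string the quotes are safe and `$@` without braces is not interpolated. The enclosing `let` block of this overlay starts before the hunk.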


@ -22,6 +22,9 @@ case "${TARGET_TOOL}" in
stern)
attr="stern"
;;
pass)
attr="tazjin.kms_pass"
;;
*)
echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
exit 1

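--- a/tools/bin/pass
+++ b/tools/bin/pass
@@ -0,0 +1 @@
+__dispatch.sh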


@ -0,0 +1,60 @@
# This tool mimics a subset of the interface of 'pass', but uses
# Google Cloud KMS for encryption.
#
# It is intended to be compatible with how 'kontemplate' invokes
# 'pass.'
#
# Only the 'show' and 'insert' commands are supported.
{ google-cloud-sdk, tree, writeShellScriptBin
, project, region, keyring, key }:
writeShellScriptBin "pass" ''
set -eo pipefail
CMD="$1"
readonly SECRET=$2
readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
function secret_check {
if [[ -z $SECRET ]]; then
echo 'Secret must be specified'
exit 1
fi
}
if [[ -z $CMD ]]; then
CMD="ls"
fi
case "$CMD" in
ls)
${tree}/bin/tree $SECRETS_DIR
;;
show)
secret_check
${google-cloud-sdk}/bin/gcloud kms decrypt \
--project ${project} \
--location ${region} \
--keyring ${keyring} \
--key ${key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
;;
insert)
secret_check
${google-cloud-sdk}/bin/gcloud kms encrypt \
--project ${project} \
--location ${region} \
--keyring ${keyring} \
--key ${key} \
--ciphertext-file $SECRET_PATH \
--plaintext-file -
echo "Inserted secret '$SECRET'"
;;
*)
echo "Usage: pass show/insert <secret>"
exit 1
;;
esac
''
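Review bot: The secret name taken from `$2` is spliced straight into `SECRET_PATH` on the `readonly SECRET_PATH` line, and `secret_check` only rejects an empty name, so a name such as `../../tmp/x` or an absolute path makes `insert` write ciphertext to, and `show` read a file from, anywhere the caller can reach rather than only under `$SECRETS_DIR`. `$SECRETS_DIR` itself is never checked either, and since the script sets `-eo pipefail` but not `-u`, an unset value silently turns the path into `/<name>`; the unquoted `$SECRETS_DIR` and `$SECRET_PATH` expansions on the tree and gcloud lines additionally undergo word splitting. I would extend `secret_check` to require `SECRETS_DIR` and refuse names that can escape it, and quote the two path expansions. Note that shell braces must be avoided inside the Nix `''` string, which is why the checks below use bare `$SECRET`.
```nix
    function secret_check {
      if [[ -z $SECRET ]]; then
        echo 'Secret must be specified'
        exit 1
      fi
      # Refuse names that could resolve outside SECRETS_DIR: absolute
      # paths and any '..' component (the surrounding slashes make the
      # pattern catch '..', '../x', 'x/..' and 'x/../y' alike).
      if [[ -z $SECRETS_DIR || $SECRET == /* || "/$SECRET/" == */../* ]]; then
        echo "Invalid secret name '$SECRET' (or SECRETS_DIR is not set)"
        exit 1
      fi
    }
    # … unchanged: CMD default, case dispatch …
        ${tree}/bin/tree "$SECRETS_DIR"
    # … unchanged: gcloud kms decrypt / encrypt flags …
        --ciphertext-file "$SECRET_PATH" \
```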