From 6f0dbea56bb12ae461f167ef77c472bb2e97310b Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Wed, 15 Mar 2023 10:28:09 +0100
Subject: [PATCH] Prepare secret management

---
 README.md       | 24 +++++++----------------
 hcl/builder.hcl | 10 ++++++++--
 main.go         | 12 +++++++++++-
 3 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index 2885356..a5ac1ee 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ we might do it in Albatros...
 
 ## Deploy
 
-Requirements: Nomad, Consul
+Requirements: Nomad, Consul
 Optional: Gitea
 
 ```
@@ -39,16 +39,14 @@ The key must contain a JSON file with your desired token, trust conditions, and
   "trusted_if": {
     "sender": [ "quentin", "lx" ]
   }
-  "secrets": {
-    "SECRET1": "blabla",
-    "SECRET2": "hey hey"
-  }
+  "secret": "SECRET1=xx\nSECRET2=yy",
 }
 ```
 
-Your secrets will be passed as a job payload
-only if all trusted conditions are passing.
-(For now, we can only check that based on sender's login).
+Your secret will be injected in your build environment only
+when trustig condition are matched. It wil be available in a dedicated
+file. Its path is communicated through an environment variable (see below).
+For now, we can only check that based on sender's login.
 
 Then you can trigger a build as follow:
 
@@ -90,8 +88,7 @@ REPO_URL=https://git.deuxfleurs.fr/quentin/albatros.git
 COMMIT=3fff73597f8ca18ef04c0d9bf64132ba55aadcaa
 BRANCH=main
 FLAVOR=default
-SECRET1=xxx
-SECRET2=xxx
+SECRET_PATH=/var/run/secrets/albatros/secret.txt
 ```
 
 ## Gitea integration
@@ -123,13 +120,6 @@ some IO. All of that must be handled by Nomad.
 
 Also, be careful to the local network in which your workload will be executed.
 
-Passing secrets through environment variables has been criticized
-as other process inspecting the process can dump the environment variables.
-It is your responsability to ensure that no malicious process can
-read the content of your environment variable. It should not be that hard,
-containers use PID namespace by default, so one containerized process
-can not access process information of other processes in the system.
-
 ## Ideas
 
 - [ ] Register the builder programatically
diff --git a/hcl/builder.hcl b/hcl/builder.hcl
index fa6f2d4..fdaff74 100644
--- a/hcl/builder.hcl
+++ b/hcl/builder.hcl
@@ -6,7 +6,7 @@ job "builder" {
   priority = 100
 
   parameterized {
-    payload = "forbidden"
+    payload = "optional"
     meta_required = [ "REPO_URL", "COMMIT", "BRANCH", "FLAVOR" ]
   }
 
@@ -22,10 +22,15 @@ job "builder" {
       args = [ "/tmp/builder.sh" ]
       volumes = [
         "local/builder.sh:/tmp/builder.sh",
-        "local/nix.conf:/etc/nix/nix.conf"
+        "local/nix.conf:/etc/nix/nix.conf",
+        "local/secret.txt:/var/run/secrets/albatros/secret.txt",
       ]
     }
 
+    dispatch_payload {
+      file = "secret.txt"
+    }
+
     template {
       data = <
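Review bot: Switching `payload = "forbidden"` to `payload = "optional"` allows a dispatch with no payload at all, but nothing in this job handles that case: the `local/secret.txt` bind mount added further down in this file assumes the payload file exists, and with a missing host path the Docker driver will typically create an empty directory at `/var/run/secrets/albatros/secret.txt` instead, so the build script should verify that `$SECRET_PATH` is a regular file before reading it (or the job should make the payload `required` if the secret is always expected). Also worth a comment next to the stanza: `dispatch_payload` writes into the task's `local/` directory, not the access-restricted `secrets/` directory, so the secret is visible through the allocation filesystem API to anyone with read access to the job's namespace, e.g. `# payload is written under local/, which is exposed via the alloc fs API; scope ACLs accordingly`. The `parameterized` stanza sits inside the `job "builder"` block, which begins before this hunk, and the second hunk of this file is cut off after `data = <`.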