Prepare secret management

README.md

@@ -13,7 +13,7 @@ we might do it in Albatros...
 
 ## Deploy 
 
-Requirements: Nomad, Consul
+Requirements: Nomad, Consul  
 Optional: Gitea
 
 ```
@@ -39,16 +39,14 @@ The key must contain a JSON file with your desired token, trust conditions, and
   "trusted_if": {
     "sender": [ "quentin", "lx" ]
   }
-  "secrets": {
+  "secret": "SECRET1=xx\nSECRET2=yy",
-    "SECRET1": "blabla",
-    "SECRET2": "hey hey"
-  }
 }
 ```
 
-Your secrets will be passed as a job payload
+Your secret will be injected in your build environment only
-only if all trusted conditions are passing.
+when trustig condition are matched. It wil be available in a dedicated
-(For now, we can only check that based on sender's login).
+file. Its path is communicated through an environment variable (see below).
+For now, we can only check that based on sender's login.
 
 Then you can trigger a build as follow: 
 
@@ -90,8 +88,7 @@ REPO_URL=https://git.deuxfleurs.fr/quentin/albatros.git
 COMMIT=3fff73597f8ca18ef04c0d9bf64132ba55aadcaa
 BRANCH=main
 FLAVOR=default
-SECRET1=xxx
+SECRET_PATH=/var/run/secrets/albatros/secret.txt
-SECRET2=xxx
 ```
 
 ## Gitea integration
@@ -123,13 +120,6 @@ some IO. All of that must be handled by Nomad. Also,
 be careful to the local network in which your workload
 will be executed.
 
-Passing secrets through environment variables has been criticized
-as other process inspecting the process can dump the environment variables.
-It is your responsability to ensure that no malicious process can
-read the content of your environment variable. It should not be that hard,
-containers use PID namespace by default, so one containerized process
-can not access process information of other processes in the system.
-
 ## Ideas
 
 - [ ] Register the builder programatically

hcl/builder.hcl

@@ -6,7 +6,7 @@ job "builder" {
   priority = 100
 
   parameterized {
-    payload = "forbidden"
+    payload = "optional"
     meta_required = [ "REPO_URL", "COMMIT", "BRANCH", "FLAVOR" ]
   }
 
@@ -22,10 +22,15 @@ job "builder" {
       args = [ "/tmp/builder.sh" ]
       volumes = [ 
         "local/builder.sh:/tmp/builder.sh",
-        "local/nix.conf:/etc/nix/nix.conf"
+        "local/nix.conf:/etc/nix/nix.conf",
+        "local/secret.txt:/var/run/secrets/albatros/secret.txt",
       ]
     }
 
+    dispatch_payload {
+      file = "secret.txt"
+    }
+
     template {
       data = <<EOH
 #!/usr/bin/env bash
@@ -41,6 +46,7 @@ export COMMIT=${NOMAD_META_COMMIT}
 export BRANCH=${NOMAD_META_BRANCH}
 export REPO_URL=${NOMAD_META_REPO_URL}
 export FLAVOR=${NOMAD_META_FLAVOR}
+export SECRET_PATH=/var/run/secrets/albatros/secret.txt
 ./.albatros
 
       EOH

main.go

@@ -71,7 +71,16 @@ func hook(w http.ResponseWriter, r *http.Request) {
         http.Error(w, "Hook only support POST requests", http.StatusBadRequest)
     }
 
-    //@FIXME check for key (in consul?)
+    q := r.URL.Query()
+    token, ok := q["token"]
+    if !ok || len(token) < 1 {
+        http.Error(w, "Missing query parameter 'token'. Try adding '?token=xxx'", http.StatusBadRequest)
+        return
+    }
+    flavor := "default"
+
+
+    //@FIXME check for token in consul
 
     var notification GiteaNotification
     dec := json.NewDecoder(r.Body)
@@ -84,6 +93,7 @@ func hook(w http.ResponseWriter, r *http.Request) {
     meta := map[string]string{
         "REPO_URL": notification.Repository.CloneUrl,
         "COMMIT": notification.After,
+        "FLAVOR": flavor,
         // @FIXME: this code is not correct, this is a hack
         "BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""),
     }