Prepare secret management
This commit is contained in:
parent
ba7f204761
commit
6f0dbea56b
3 changed files with 26 additions and 20 deletions
22
README.md
22
README.md
|
@ -39,16 +39,14 @@ The key must contain a JSON file with your desired token, trust conditions, and
|
|||
"trusted_if": {
|
||||
"sender": [ "quentin", "lx" ]
|
||||
}
|
||||
"secrets": {
|
||||
"SECRET1": "blabla",
|
||||
"SECRET2": "hey hey"
|
||||
}
|
||||
"secret": "SECRET1=xx\nSECRET2=yy",
|
||||
}
|
||||
```
|
||||
|
||||
Your secrets will be passed as a job payload
|
||||
only if all trusted conditions are passing.
|
||||
(For now, we can only check that based on sender's login).
|
||||
Your secret will be injected in your build environment only
|
||||
when trustig condition are matched. It wil be available in a dedicated
|
||||
file. Its path is communicated through an environment variable (see below).
|
||||
For now, we can only check that based on sender's login.
|
||||
|
||||
Then you can trigger a build as follow:
|
||||
|
||||
|
@ -90,8 +88,7 @@ REPO_URL=https://git.deuxfleurs.fr/quentin/albatros.git
|
|||
COMMIT=3fff73597f8ca18ef04c0d9bf64132ba55aadcaa
|
||||
BRANCH=main
|
||||
FLAVOR=default
|
||||
SECRET1=xxx
|
||||
SECRET2=xxx
|
||||
SECRET_PATH=/var/run/secrets/albatros/secret.txt
|
||||
```
|
||||
|
||||
## Gitea integration
|
||||
|
@ -123,13 +120,6 @@ some IO. All of that must be handled by Nomad. Also,
|
|||
be careful to the local network in which your workload
|
||||
will be executed.
|
||||
|
||||
Passing secrets through environment variables has been criticized
|
||||
as other process inspecting the process can dump the environment variables.
|
||||
It is your responsability to ensure that no malicious process can
|
||||
read the content of your environment variable. It should not be that hard,
|
||||
containers use PID namespace by default, so one containerized process
|
||||
can not access process information of other processes in the system.
|
||||
|
||||
## Ideas
|
||||
|
||||
- [ ] Register the builder programatically
|
||||
|
|
|
@ -6,7 +6,7 @@ job "builder" {
|
|||
priority = 100
|
||||
|
||||
parameterized {
|
||||
payload = "forbidden"
|
||||
payload = "optional"
|
||||
meta_required = [ "REPO_URL", "COMMIT", "BRANCH", "FLAVOR" ]
|
||||
}
|
||||
|
||||
|
@ -22,10 +22,15 @@ job "builder" {
|
|||
args = [ "/tmp/builder.sh" ]
|
||||
volumes = [
|
||||
"local/builder.sh:/tmp/builder.sh",
|
||||
"local/nix.conf:/etc/nix/nix.conf"
|
||||
"local/nix.conf:/etc/nix/nix.conf",
|
||||
"local/secret.txt:/var/run/secrets/albatros/secret.txt",
|
||||
]
|
||||
}
|
||||
|
||||
dispatch_payload {
|
||||
file = "secret.txt"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOH
|
||||
#!/usr/bin/env bash
|
||||
|
@ -41,6 +46,7 @@ export COMMIT=${NOMAD_META_COMMIT}
|
|||
export BRANCH=${NOMAD_META_BRANCH}
|
||||
export REPO_URL=${NOMAD_META_REPO_URL}
|
||||
export FLAVOR=${NOMAD_META_FLAVOR}
|
||||
export SECRET_PATH=/var/run/secrets/albatros/secret.txt
|
||||
./.albatros
|
||||
|
||||
EOH
|
||||
|
|
12
main.go
12
main.go
|
@ -71,7 +71,16 @@ func hook(w http.ResponseWriter, r *http.Request) {
|
|||
http.Error(w, "Hook only support POST requests", http.StatusBadRequest)
|
||||
}
|
||||
|
||||
//@FIXME check for key (in consul?)
|
||||
q := r.URL.Query()
|
||||
token, ok := q["token"]
|
||||
if !ok || len(token) < 1 {
|
||||
http.Error(w, "Missing query parameter 'token'. Try adding '?token=xxx'", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
flavor := "default"
|
||||
|
||||
|
||||
//@FIXME check for token in consul
|
||||
|
||||
var notification GiteaNotification
|
||||
dec := json.NewDecoder(r.Body)
|
||||
|
@ -84,6 +93,7 @@ func hook(w http.ResponseWriter, r *http.Request) {
|
|||
meta := map[string]string{
|
||||
"REPO_URL": notification.Repository.CloneUrl,
|
||||
"COMMIT": notification.After,
|
||||
"FLAVOR": flavor,
|
||||
// @FIXME: this code is not correct, this is a hack
|
||||
"BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""),
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue