Prepare secret management

2023-03-15 10:28:09 +01:00 · 2023-03-15 10:28:09 +01:00 · 6f0dbea56b
commit 6f0dbea56b
parent ba7f204761
3 changed files with 26 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -13,7 +13,7 @@ we might do it in Albatros...

 ## Deploy 

-Requirements: Nomad, Consul
+Requirements: Nomad, Consul  
 Optional: Gitea

 ```
@ -39,16 +39,14 @@ The key must contain a JSON file with your desired token, trust conditions, and
  "trusted_if": {
    "sender": [ "quentin", "lx" ]
  }
-  "secrets": {
-    "SECRET1": "blabla",
-    "SECRET2": "hey hey"
-  }
+  "secret": "SECRET1=xx\nSECRET2=yy",
 }
 ```

-Your secrets will be passed as a job payload
-only if all trusted conditions are passing.
-(For now, we can only check that based on sender's login).
+Your secret will be injected in your build environment only
+when trustig condition are matched. It wil be available in a dedicated
+file. Its path is communicated through an environment variable (see below).
+For now, we can only check that based on sender's login.

 Then you can trigger a build as follow: 

@ -90,8 +88,7 @@ REPO_URL=https://git.deuxfleurs.fr/quentin/albatros.git
 COMMIT=3fff73597f8ca18ef04c0d9bf64132ba55aadcaa
 BRANCH=main
 FLAVOR=default
-SECRET1=xxx
-SECRET2=xxx
+SECRET_PATH=/var/run/secrets/albatros/secret.txt
 ```

 ## Gitea integration
@ -123,13 +120,6 @@ some IO. All of that must be handled by Nomad. Also,
 be careful to the local network in which your workload
 will be executed.

-Passing secrets through environment variables has been criticized
-as other process inspecting the process can dump the environment variables.
-It is your responsability to ensure that no malicious process can
-read the content of your environment variable. It should not be that hard,
-containers use PID namespace by default, so one containerized process
-can not access process information of other processes in the system.
-
 ## Ideas

 - [ ] Register the builder programatically
--- a/hcl/builder.hcl
+++ b/hcl/builder.hcl
@ -6,7 +6,7 @@ job "builder" {
  priority = 100

  parameterized {
-    payload = "forbidden"
+    payload = "optional"
    meta_required = [ "REPO_URL", "COMMIT", "BRANCH", "FLAVOR" ]
  }

@ -22,10 +22,15 @@ job "builder" {
      args = [ "/tmp/builder.sh" ]
      volumes = [ 
        "local/builder.sh:/tmp/builder.sh",
-        "local/nix.conf:/etc/nix/nix.conf"
+        "local/nix.conf:/etc/nix/nix.conf",
+        "local/secret.txt:/var/run/secrets/albatros/secret.txt",
      ]
    }

+    dispatch_payload {
+      file = "secret.txt"
+    }
+
    template {
      data = <<EOH
 #!/usr/bin/env bash
@ -41,6 +46,7 @@ export COMMIT=${NOMAD_META_COMMIT}
 export BRANCH=${NOMAD_META_BRANCH}
 export REPO_URL=${NOMAD_META_REPO_URL}
 export FLAVOR=${NOMAD_META_FLAVOR}
+export SECRET_PATH=/var/run/secrets/albatros/secret.txt
 ./.albatros

      EOH
--- a/main.go
+++ b/main.go
@ -71,7 +71,16 @@ func hook(w http.ResponseWriter, r *http.Request) {
        http.Error(w, "Hook only support POST requests", http.StatusBadRequest)
    }

-    //@FIXME check for key (in consul?)
+    q := r.URL.Query()
+    token, ok := q["token"]
+    if !ok || len(token) < 1 {
+        http.Error(w, "Missing query parameter 'token'. Try adding '?token=xxx'", http.StatusBadRequest)
+        return
+    }
+    flavor := "default"
+
+
+    //@FIXME check for token in consul

    var notification GiteaNotification
    dec := json.NewDecoder(r.Body)
@ -84,6 +93,7 @@ func hook(w http.ResponseWriter, r *http.Request) {
    meta := map[string]string{
        "REPO_URL": notification.Repository.CloneUrl,
        "COMMIT": notification.After,
+        "FLAVOR": flavor,
        // @FIXME: this code is not correct, this is a hack
        "BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""),
    }