[DDS-1944] Added key decrytion support to node images. (#263)
GROwen authored May 13, 2024
1 parent 96217bd commit 36d1f45
Showing 2 changed files with 52 additions and 1 deletion.
14 changes: 13 additions & 1 deletion images/node/Dockerfile
@@ -1,6 +1,18 @@
FROM uselagoon/node-20:latest
ARG BAY_CLI_VERSION=v0.1.1

RUN apk --update add curl git

RUN apk --update add curl git findutils && \
rm -rf /var/cache/apk/*

# Install bay-cli.
RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
RUN chmod +x /tmp/bay
RUN mv /tmp/bay /bin/bay

# Bay entrypoints.
COPY entrypoints/ /lagoon/entrypoints

# Prevents installation of large binaries only used for development.
ENV CYPRESS_INSTALL_BINARY 0
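Review bot: `${TARGETPLATFORM:-linux/amd64}` on the bay-cli curl and tar lines will always resolve to linux/amd64, because the automatic platform ARG is not redeclared in this stage (the hunk shows the file from line 1 and there is no `ARG TARGETPLATFORM` after `FROM`), so an arm64 build silently installs the amd64 binary. The download is also not integrity-checked: `curl -L` without `-f` writes an HTML error body into the .tar.gz on a missing release tag, and nothing compares the archive against a published checksum before it is extracted and moved to `/bin/bay`. Suggested: add `ARG TARGETPLATFORM` next to `ARG BAY_CLI_VERSION`, change the fetch to `curl -fsSL`, and verify the archive against a pinned sha256 (placeholder `<BAY_CLI_SHA256>`, to be taken from the release) before `tar`. Doing fetch, verify, extract, `mv` and `rm` of the tarball in a single RUN would additionally keep `/tmp/bay_*.tar.gz` out of the image layers.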
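--- a/images/node/entrypoints/100-kms-decrypt.sh
+++ b/images/node/entrypoints/100-kms-decrypt.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+#/ Usage:
+#/ Description: Locate files in /app/keys and attempt to decrypt them using stored IAM account details.
+#/ Examples:
+#/ Requires:
+#/ AWS_ACCESS_KEY_ID
+#/ AWS_SECRET_ACCESS_KEY
+#/ AWS_DEFAULT_REGION
+#/ Options:
+#/ --help: Display this help message
+usage() { grep '^#/' "$0" | cut -c4- ; exit 0 ; }
+expr "$*" : ".*--help" > /dev/null && usage
+
+echoerr() { printf "%s\n" "$*" >&2 ; }
+info() { echoerr "[INFO] $*" ; }
+warning() { echoerr "[WARNING] $*" ; }
+error() { echoerr "[ERROR] $*" ; }
+fatal() { echoerr "[FATAL] $*" ; exit 1 ; }
+
+info "decrypting files"
+
+encrypted_files=""
+if [ -d "/app/keys" ]; then
+encrypted_files=$(find /app/keys -type f -name "*.asc" -printf '%p ' 2>/dev/null)
+fi
+
+if [ ! -z "${encrypted_files:-x}" ] && [ ! -z "${AWS_ACCESS_KEY_ID:-x}" ] && [ ! -z "${AWS_SECRET_ACCESS_KEY:-x}" ]; then
+for file in $encrypted_files; do
+info " - ${file} > ${file%.asc}"
+bay kms decrypt < "${file}" > "${file%.asc}" || error "unable to decrypt ${file}"
+done
+else
+info "no files to decrypt"
+fi
+
+# Set options back to previous state.
+set +eu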
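Review bot: The guard on the `if` line is always true: `${encrypted_files:-x}` substitutes `x` when the variable is empty, so `! -z` succeeds even when no `.asc` files were found, and the same applies to the two AWS credential checks, which leaves the `no files to decrypt` branch unreachable and the credential check a no-op (`AWS_DEFAULT_REGION`, listed under Requires, is not checked at all). Replace it with `if [ -n "${encrypted_files:-}" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then`. In the loop, the `>` redirection creates `${file%.asc}` before `bay kms decrypt` runs, so a failed decryption leaves an empty or partial plaintext file next to the ciphertext with default-umask permissions; consider `umask 077` before the loop and `|| { error "unable to decrypt ${file}"; rm -f "${file%.asc}"; }` on failure. The `find -printf '%p '` output combined with unquoted `$encrypted_files` also word-splits paths containing spaces; `find /app/keys -type f -name '*.asc' -print0 | while IFS= read -r -d '' file` avoids that.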
