diff --git a/images/node/Dockerfile b/images/node/Dockerfile
index f72128f1..38119119 100644
--- a/images/node/Dockerfile
+++ b/images/node/Dockerfile
@@ -1,6 +1,18 @@
 FROM uselagoon/node-20:latest
+ARG BAY_CLI_VERSION=v0.1.1
 
-RUN apk --update add curl git
+
+RUN apk --update add curl git findutils && \
+ rm -rf /var/cache/apk/*
+
+# Install bay-cli.
+RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN chmod +x /tmp/bay
+RUN mv /tmp/bay /bin/bay
+
+# Bay entrypoints.
+COPY entrypoints/ /lagoon/entrypoints
 
 # Prevents installation of large binaries only used for development.
 ENV CYPRESS_INSTALL_BINARY 0
diff --git a/images/node/entrypoints/100-kms-decrypt.sh b/images/node/entrypoints/100-kms-decrypt.sh
new file mode 100755
index 00000000..43bd2cea
--- /dev/null
+++ b/images/node/entrypoints/100-kms-decrypt.sh
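Review bot: The bay-cli tarball fetched by the `RUN curl -L …` step is unpacked and installed to `/bin/bay` with no integrity check, yet the entrypoint added in this commit uses that binary to decrypt key material with the container's AWS credentials; the download should be pinned to a known SHA-256 and fetched with `-f` so an HTTP error fails the build instead of saving an error page. `TARGETPLATFORM` is also never declared with `ARG` in this stage, so under BuildKit the `${TARGETPLATFORM:-linux/amd64}` fallback is presumably always taken and a non-amd64 build would receive the amd64 binary. The sketch below declares the platform arg, checks a digest passed as a build arg (one digest per platform, left without a default so an unpinned build fails), and does download, verify, install and cleanup in a single layer so the tarball does not persist in `/tmp`.

```dockerfile
# … unchanged: FROM, ARG BAY_CLI_VERSION, apk install …
# Automatic platform args are only visible to RUN once declared in the stage.
ARG TARGETPLATFORM
# PLACEHOLDER: pass the published SHA-256 of the tarball for BAY_CLI_VERSION and the target platform.
ARG BAY_CLI_SHA256

# Install bay-cli (download, verify, install and clean up in one layer).
RUN bay_tgz="bay_$(echo "${TARGETPLATFORM:-linux/amd64}" | tr '/' '_').tar.gz" && \
    curl -fsSL "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/${bay_tgz}" --output "/tmp/${bay_tgz}" && \
    echo "${BAY_CLI_SHA256}  /tmp/${bay_tgz}" | sha256sum -c - && \
    tar -C /tmp -xf "/tmp/${bay_tgz}" && \
    chmod +x /tmp/bay && \
    mv /tmp/bay /bin/bay && \
    rm -f "/tmp/${bay_tgz}"
# … unchanged: COPY entrypoints/ …
```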
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+#/ Usage:
+#/ Description: Locate files in /app/keys and attempt to decrypt them using stored IAM account details.
+#/ Examples:
+#/ Requires:
+#/ AWS_ACCESS_KEY_ID
+#/ AWS_SECRET_ACCESS_KEY
+#/ AWS_DEFAULT_REGION
+#/ Options:
+#/ --help: Display this help message
+usage() { grep '^#/' "$0" | cut -c4- ; exit 0 ; }
+expr "$*" : ".*--help" > /dev/null && usage
+
+echoerr() { printf "%s\n" "$*" >&2 ; }
+info() { echoerr "[INFO] $*" ; }
+warning() { echoerr "[WARNING] $*" ; }
+error() { echoerr "[ERROR] $*" ; }
+fatal() { echoerr "[FATAL] $*" ; exit 1 ; }
+
+info "decrypting files"
+
+encrypted_files=""
+if [ -d "/app/keys" ]; then
+ encrypted_files=$(find /app/keys -type f -name "*.asc" -printf '%p ' 2>/dev/null)
+fi
+
+if [ ! -z "${encrypted_files:-x}" ] && [ ! -z "${AWS_ACCESS_KEY_ID:-x}" ] && [ ! -z "${AWS_SECRET_ACCESS_KEY:-x}" ]; then
+ for file in $encrypted_files; do
+ info " - ${file} > ${file%.asc}"
+ bay kms decrypt < "${file}" > "${file%.asc}" || error "unable to decrypt ${file}"
+ done
+else
+ info "no files to decrypt"
+fi
+
+# Set options back to previous state.
+set +eu
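Review bot: The guard on the decrypt loop can never be false, because `${VAR:-x}` substitutes `x` for an unset or empty value, so the loop still runs when `AWS_ACCESS_KEY_ID` or `AWS_SECRET_ACCESS_KEY` is missing; the three tests should use `-n "${VAR:-}"` instead. In the same loop the redirect creates or truncates `${file%.asc}` before `bay kms decrypt` runs, so a failed decrypt leaves an empty or partial key file in place while the script only logs an error and carries on. The sketch below decrypts to a temporary file under a restrictive umask and moves it into place only on success; confirm that the application reads the keys as the same user before keeping the umask. If these entrypoints are sourced rather than executed (not visible in this diff), the closing `set +eu` also leaves `pipefail` enabled for the caller.

```shell
# … unchanged: usage/log helpers, find of /app/keys/*.asc …
if [ -n "${encrypted_files:-}" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
  for file in $encrypted_files; do
    info " - ${file} > ${file%.asc}"
    tmp_out="${file%.asc}.tmp.$$"
    # Write plaintext owner-only and publish it only after a successful decrypt.
    if (umask 077 && bay kms decrypt < "${file}" > "${tmp_out}"); then
      mv "${tmp_out}" "${file%.asc}"
    else
      rm -f "${tmp_out}"
      error "unable to decrypt ${file}"
    fi
  done
else
# … unchanged: "no files to decrypt" branch, set +eu …
```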