From b6f4979761b089e80cec440501a4f17152c2c157 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Tue, 7 May 2024 16:35:08 +1000
Subject: [PATCH 1/3] [DDS-1944] Added key decrytion support to node images.
---
 images/node/entrypoints/100-kms-decrypt.sh | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100755 images/node/entrypoints/100-kms-decrypt.sh
diff --git a/images/node/entrypoints/100-kms-decrypt.sh b/images/node/entrypoints/100-kms-decrypt.sh
new file mode 100755
index 00000000..43bd2cea
--- /dev/null
+++ b/images/node/entrypoints/100-kms-decrypt.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+#/ Usage:
+#/ Description: Locate files in /app/keys and attempt to decrypt them using stored IAM account details.
+#/ Examples:
+#/ Requires:
+#/ AWS_ACCESS_KEY_ID
+#/ AWS_SECRET_ACCESS_KEY
+#/ AWS_DEFAULT_REGION
+#/ Options:
+#/ --help: Display this help message
+usage() { grep '^#/' "$0" | cut -c4- ; exit 0 ; }
+expr "$*" : ".*--help" > /dev/null && usage
+
+echoerr() { printf "%s\n" "$*" >&2 ; }
+info() { echoerr "[INFO] $*" ; }
+warning() { echoerr "[WARNING] $*" ; }
+error() { echoerr "[ERROR] $*" ; }
+fatal() { echoerr "[FATAL] $*" ; exit 1 ; }
+
+info "decrypting files"
+
+encrypted_files=""
+if [ -d "/app/keys" ]; then
+ encrypted_files=$(find /app/keys -type f -name "*.asc" -printf '%p ' 2>/dev/null)
+fi
+
+if [ ! -z "${encrypted_files:-x}" ] && [ ! -z "${AWS_ACCESS_KEY_ID:-x}" ] && [ ! -z "${AWS_SECRET_ACCESS_KEY:-x}" ]; then
+ for file in $encrypted_files; do
+ info " - ${file} > ${file%.asc}"
+ bay kms decrypt < "${file}" > "${file%.asc}" || error "unable to decrypt ${file}"
+ done
+else
+ info "no files to decrypt"
+fi
+
+# Set options back to previous state.
+set +eu
From 02eaf85c78a09265639d9b2a980056f105d15fe7 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Fri, 10 May 2024 08:33:27 +1000
Subject: [PATCH 2/3] [DDS-1944] Added missing binary.
---
 images/node/Dockerfile | 11 +++++++++++
 1 file changed, 11 insertions(+)
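Review bot: The guard `[ ! -z "${encrypted_files:-x}" ] && [ ! -z "${AWS_ACCESS_KEY_ID:-x}" ] && ...` is always true, because the `:-x` default turns an unset or empty value into `x`, so the `else` branch is unreachable, the "no files to decrypt" message is never printed, and `bay kms decrypt` is attempted even when no credentials are present; use `-n "${VAR:-}"` instead (and `AWS_DEFAULT_REGION`, listed under Requires, is never checked at all). The loop also word-splits the `find -printf '%p '` output, so a key path containing whitespace breaks, and the `> "${file%.asc}"` redirection creates the plaintext with the default umask and leaves an empty or partial file behind when decryption fails. The trailing `set +eu` restores `-e` and `-u` but not `pipefail`, which matters if this file is sourced by the image's entrypoint runner rather than executed, as that comment suggests; in that case the `exit` calls in `usage` and `fatal` would also terminate the caller. The rewrite below replaces the guard and loop with a NUL-delimited find, an owner-only write that is removed on failure, and a full restore of the shell options.
```shell
# … unchanged: usage and logging helpers …
info "decrypting files"

if [ -d "/app/keys" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
  found=0
  # NUL-delimited so key paths containing whitespace survive intact.
  while IFS= read -r -d '' file; do
    found=1
    out="${file%.asc}"
    info " - ${file} > ${out}"
    # Subshell umask keeps the plaintext owner-only without touching the caller's umask.
    if ! ( umask 077; bay kms decrypt < "${file}" > "${out}" ); then
      rm -f -- "${out}"   # never leave an empty or partial key file behind
      error "unable to decrypt ${file}"
    fi
  done < <(find /app/keys -type f -name '*.asc' -print0 2>/dev/null)
  [ "${found}" -eq 1 ] || info "no files to decrypt"
else
  info "no files to decrypt"
fi

# Set options back to previous state (pipefail included).
set +euo pipefail
```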
diff --git a/images/node/Dockerfile b/images/node/Dockerfile
index f72128f1..025b0a59 100644
--- a/images/node/Dockerfile
+++ b/images/node/Dockerfile
@@ -1,7 +1,18 @@
 FROM uselagoon/node-20:latest
 
+ARG BAY_CLI_VERSION=v0.1.1
+
 RUN apk --update add curl git
 
+# Install bay-cli.
+RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN tar -C /tmp -xvf /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
+RUN chmod +x /tmp/bay
+RUN mv /tmp/bay /bin/bay
+
+# Bay entrypoints.
+COPY entrypoints/ /lagoon/entrypoints
+
 # Prevents installation of large binaries only used for development.
 ENV CYPRESS_INSTALL_BINARY 0
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD 1
From f02cacb9fcd8127d09cd366a791d054c69f2c30f Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Mon, 13 May 2024 09:45:24 +1000
Subject: [PATCH 3/3] [DDS-1944] Added findutils for key decrypt.
---
 images/node/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/images/node/Dockerfile b/images/node/Dockerfile
index 025b0a59..38119119 100644
--- a/images/node/Dockerfile
+++ b/images/node/Dockerfile
@@ -2,7 +2,8 @@ FROM uselagoon/node-20:latest
 
 ARG BAY_CLI_VERSION=v0.1.1
 
-RUN apk --update add curl git
+RUN apk --update add curl git findutils && \
+ rm -rf /var/cache/apk/*
 
 # Install bay-cli.
 RUN curl -L "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz" --output /tmp/bay_$(echo ${TARGETPLATFORM:-linux/amd64} | tr '/' '_').tar.gz
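Review bot: The `bay` release tarball is fetched with `curl -L` and installed into `/bin` without any integrity check, so the build trusts whatever the download URL returns, and because `-f`/`--fail` is absent a 404 page would be saved as the tarball and only surface when `tar` fails on the next line; pin the release digest in an `ARG` and verify it with `sha256sum -c` before extracting. `${TARGETPLATFORM:-linux/amd64}` also always resolves to the fallback in these RUN steps when building with BuildKit, because its automatic platform args are only visible inside a stage after an explicit `ARG TARGETPLATFORM`, which this file does not declare. The same platform expression is repeated three times and the tarball stays behind in `/tmp` in its own layer; a single RUN with a local variable keeps it in one place and cleans up. Sketch of the combined step, with the digest as a placeholder to be taken from the release:
```dockerfile
ARG BAY_CLI_VERSION=v0.1.1
# SHA-256 of bay_<platform>.tar.gz for the pinned release (one value per platform
# if the image is built multi-arch). PLACEHOLDER: copy the real digest from the release.
ARG BAY_CLI_SHA256=PLACEHOLDER_SHA256_OF_RELEASE_TARBALL
# BuildKit's automatic platform args are only visible in a stage once redeclared.
ARG TARGETPLATFORM

# … unchanged: apk add …

# Install bay-cli: fail on HTTP errors, verify the digest, then clean up the layer.
RUN set -eu; \
    platform="$(echo "${TARGETPLATFORM:-linux/amd64}" | tr '/' '_')"; \
    curl -fsSL "https://github.com/dpc-sdp/bay-cli/releases/download/${BAY_CLI_VERSION}/bay_${platform}.tar.gz" \
      --output "/tmp/bay_${platform}.tar.gz"; \
    echo "${BAY_CLI_SHA256}  /tmp/bay_${platform}.tar.gz" | sha256sum -c -; \
    tar -C /tmp -xf "/tmp/bay_${platform}.tar.gz"; \
    install -m 0755 /tmp/bay /bin/bay; \
    rm -f "/tmp/bay_${platform}.tar.gz" /tmp/bay
# … unchanged: entrypoints COPY and ENV lines …
```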