From e7d16d053f55560eb07075b0750fad1f0280f635 Mon Sep 17 00:00:00 2001
From: Charlie Briggs
Date: Tue, 7 Dec 2021 10:30:41 +0000
Subject: [PATCH] cb: Use chamber export rather than chamber env

This supports multiple services - and likely avoids rate limits when accesing SSM
---
 Dockerfile | 5 -----
 Dockerfile.al2 | 15 +++++++++++++++
 Dockerfile.alpine | 15 +++++++++++++++
 Dockerfile.debian | 20 ++++++++++++++++++++
 Makefile | 36 ++++++++++++++++++++++++++++++++++++
 README.md | 4 +++-
 init.sh | 12 +++++-------
 test-command.sh | 9 +++++++++
 8 files changed, 103 insertions(+), 13 deletions(-)
 delete mode 100644 Dockerfile
 create mode 100644 Dockerfile.al2
 create mode 100644 Dockerfile.alpine
 create mode 100644 Dockerfile.debian
 create mode 100644 Makefile
 create mode 100755 test-command.sh
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index e4c5a09..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM alpine:3.11
-
-ADD ./init.sh /
-
-RUN chmod +x /init.sh && /init.sh
diff --git a/Dockerfile.al2 b/Dockerfile.al2
new file mode 100644
index 0000000..920be2d
--- /dev/null
+++ b/Dockerfile.al2
@@ -0,0 +1,15 @@
+FROM amazonlinux:2
+
+ENV SECRET_SERVICES="global signal"
+
+ENV ROLLBAR_TOKEN=SECRET
+ENV CIRCLECI_TOKEN=SECRET
+ENV OTHER_ENV_VAR=test_var
+
+COPY ./init.sh /
+
+RUN chmod +x /init.sh && /init.sh
+
+COPY ./test-command.sh /test-command.sh
+
+CMD ["/init.sh", "/test-command.sh"]
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
new file mode 100644
index 0000000..c86a493
--- /dev/null
+++ b/Dockerfile.alpine
@@ -0,0 +1,15 @@
+FROM alpine:3.12
+
+ENV SECRET_SERVICES="global signal"
+
+ENV ROLLBAR_TOKEN=SECRET
+ENV CIRCLECI_TOKEN=SECRET
+ENV OTHER_ENV_VAR=test_var
+
+COPY ./init.sh /
+
+RUN chmod +x /init.sh && /init.sh
+
+COPY ./test-command.sh /test-command.sh
+
+CMD ["/init.sh", "/test-command.sh"]
diff --git a/Dockerfile.debian b/Dockerfile.debian
new file mode 100644
index 0000000..7860798
--- /dev/null
+++ b/Dockerfile.debian
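Review bot: `ENV ROLLBAR_TOKEN=SECRET` and `ENV CIRCLECI_TOKEN=SECRET` in Dockerfile.al2 bake credential-named variables into the image with nothing saying they are placeholders, and Docker's build checks (SecretsUsedInArgOrEnv) will flag them; the same lines appear in Dockerfile.alpine and Dockerfile.debian. The literal `SECRET` is meaningful to init.sh, whose override step filters with `grep -v SECRET`, so a comment above them would stop someone later "fixing" them with real values: `# Placeholder sentinel values: init.sh ignores overrides whose value contains SECRET`. `FROM amazonlinux:2` is a floating major tag, whereas `alpine:3.12` is pinned to a minor release; pinning all three test bases the same way keeps `make test` reproducible. The image stays root, which the Makefile relies on for `-v $$HOME/.aws:/root/.aws`; acceptable for a test fixture, but a one-line comment saying so would save the next reviewer the question.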
@@ -0,0 +1,20 @@
+FROM debian:stable-slim
+
+ENV SECRET_SERVICES="global signal"
+
+ENV ROLLBAR_TOKEN=SECRET
+ENV CIRCLECI_TOKEN=SECRET
+ENV OTHER_ENV_VAR=test_var
+
+RUN apt-get update -yy && apt-get install --no-install-recommends -yy \
+ curl \
+ ca-certificates \
+ && update-ca-certificates
+
+COPY ./init.sh /
+
+RUN chmod +x /init.sh && /init.sh
+
+COPY ./test-command.sh /test-command.sh
+
+CMD ["/init.sh", "/test-command.sh"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..6024d2e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,36 @@
+.PHONY:
+test:
+ @echo "Running amazon linux 2..."
+ @docker build . -f Dockerfile.al2 -t signal-secret-service-al2
+ @docker run \
+ -e AWS_PROFILE=signal-prod \
+ -e ROLLBAR_TOKEN=SECRET \
+ -e CIRCLECI_TOKEN=SECRET \
+ -e OTHER_ENV_VAR=test_var \
+ -v $$HOME/.aws:/root/.aws \
+ --rm \
+ signal-secret-service-al2
+ @echo
+
+ @echo "Running alpine..."
+ @docker build . -f Dockerfile.alpine -t signal-secret-service-alpine
+ @docker run \
+ -e AWS_PROFILE=signal-prod \
+ -e ROLLBAR_TOKEN=SECRET \
+ -e CIRCLECI_TOKEN=SECRET \
+ -e OTHER_ENV_VAR=test_var \
+ -v $$HOME/.aws:/root/.aws \
+ --rm \
+ signal-secret-service-alpine
+ @echo
+
+ @echo "Running debian"
+ @docker build . -f Dockerfile.debian -t signal-secret-service-debian
+ @docker run \
+ -e AWS_PROFILE=signal-prod \
+ -e ROLLBAR_TOKEN=SECRET \
+ -e CIRCLECI_TOKEN=SECRET \
+ -e OTHER_ENV_VAR=test_var \
+ -v $$HOME/.aws:/root/.aws \
+ --rm \
+ signal-secret-service-debian
diff --git a/README.md b/README.md
index 08a903e..cf05e19 100644
--- a/README.md
+++ b/README.md
@@ -207,4 +207,6 @@ aws ssm get-parameters-by-path --path /service/secret_key --with-decryption | jq
 ## Local testing
-Run `docker build -t test .` to test build `init.sh` with alpine. You can change the base image in `Dockerfile`.
+Run `make test` to test build `init.sh` with amazon linux 2/alpine/debian base images.
+
+This outputs three environment variables with secrets.
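Review bot: The `RUN apt-get update -yy && apt-get install --no-install-recommends -yy ...` layer in Dockerfile.debian never removes `/var/lib/apt/lists/*`, so the downloaded package index is kept in the image, and `curl` and `ca-certificates` are unpinned (hadolint DL3008/DL3009). Appending `&& rm -rf /var/lib/apt/lists/*` to the chain fixes the first; the trailing `&& update-ca-certificates` is presumably redundant because installing `ca-certificates` already runs it, but it is harmless to keep. `-yy` works but the conventional flag is a single `-y`. `FROM debian:stable-slim` also changes meaning at every Debian release; naming the codename (for example the `-slim` tag of the current stable) makes the test base reproducible.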
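Review bot: `.PHONY:` on the first line of the Makefile lists no targets, so `test` is not phony and `make test` would silently do nothing once a file or directory named `test` exists; it should read `.PHONY: test`. Each `docker run` hard-codes `-e AWS_PROFILE=signal-prod` and mounts the whole of `$$HOME/.aws` read-write, which, judging by the profile name, points a local test at production SSM with the developer's full credential set; `AWS_PROFILE ?= signal-prod` at the top with `-e AWS_PROFILE=$(AWS_PROFILE)`, and `-v $$HOME/.aws:/root/.aws:ro`, keep the default while letting a test profile and a read-only mount be used. The `-e ROLLBAR_TOKEN=SECRET`, `-e CIRCLECI_TOKEN=SECRET` and `-e OTHER_ENV_VAR=test_var` flags repeat the `ENV` values already set in each Dockerfile, so they exercise nothing extra and could be dropped or given a comment explaining why they are passed. Since the three blocks differ only in the image suffix, a pattern rule such as `test-%:` using `$*` would remove the triplication.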
diff --git a/init.sh b/init.sh
index 2791a70..defd8a9 100755
--- a/init.sh
+++ b/init.sh
@@ -78,9 +78,7 @@ original_variables=$(export | cut -f2 -d ' ')
 # Call chamber with services from ENV $SECRET_SERVICES and export decrypted ENV variables
 echo "Fetching ENV secrets with chamber for systems $SECRET_SERVICES..."
-# We have to loop through $SECRET_SERVICES because 'chamber env' doesn't support
-# multiple services
-chamber_env=$(for s in $SECRET_SERVICES ; do /chamber env $s || rc=$? ; done ; exit $rc)
+chamber_env=$(/chamber export --format dotenv $SECRET_SERVICES)
 chamber_result=$?
 if [ $chamber_result != 0 ]; then
@@ -91,12 +89,12 @@ if [ $chamber_result != 0 ]; then
 fi
 fi
-# We want to remove 'export' from the env output and also convert - into _ for env names
-to_secrets=$(echo $chamber_env | sed 's/export //g' | for e in $(cat -) ; do echo $e | awk '{ gsub("-", "_", $1) } 1' FS='=' OFS='='; done)
+# We want to remove convert - into _ for env names
+to_secrets=$(echo $chamber_env | for e in $(cat -) ; do echo $e | awk '{ gsub("-", "_", $1) } 1' FS='=' OFS='='; done)
 eval_export $to_secrets
 # Perform overrides
-to_override=$(for k in $keys ; do for v in $original_variables ; do echo $v |grep ^$k |grep -v SECRET ; done ; done)
+to_override=$(for k in $keys ; do for v in $original_variables ; do echo $v | grep ^$k |grep -v SECRET ; done ; done)
 if [ ! -z "$to_override" -a "$to_override" != " " ]; then
 echo "Applying ENV overrides..."
 eval_export $to_override
@@ -104,7 +102,7 @@ fi
 # Perform variable extrapolation
 secret_keys=$(for v in $to_secrets ; do echo $v | awk -F '=' '{print $1}' ; done)
-to_extrapolate=$(for k in $secret_keys ; do env |grep "\$$k" ; done | uniq | sed 's/\(=[[:blank:]]*\)\(.*\)/\1"\2"/')
+to_extrapolate=$(for k in $secret_keys ; do env | grep "\$$k" ; done | uniq | sed 's/\(=[[:blank:]]*\)\(.*\)/\1"\2"/')
 if [ ! -z "$to_extrapolate" -a "$to_extrapolate" != " " ]; then
 echo "Applying ENV extrapolation..."
 eval_export $to_extrapolate
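Review bot: `chamber_env=$(/chamber export --format dotenv $SECRET_SERVICES)` now invokes chamber even when `SECRET_SERVICES` is empty or unset, whereas the removed loop simply ran zero iterations; what chamber returns without a service argument is not visible here, but it is likely a usage error, so a guard ahead of the call such as `[ -n "$SECRET_SERVICES" ] || echo "SECRET_SERVICES is empty; nothing to fetch"` (followed by whichever skip-or-fail behaviour the script wants) would make that case explicit. `$SECRET_SERVICES` is deliberately unquoted so that each service becomes its own argument, and nothing now says so since the old explanatory comment was removed; `# unquoted on purpose: one argument per service` would stop a later shellcheck-driven cleanup from quoting it. The `if [ $chamber_result != 0 ]` block that follows continues past the end of this hunk.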
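Review bot: The rewritten comment `# We want to remove convert - into _ for env names` is a leftover from dropping the `sed 's/export //g'` step and no longer reads as a sentence; suggest `# Convert - into _ in env names (dotenv output carries no 'export' prefix)`. On the `to_override` line, `grep ^$k` is a prefix match, so a key such as `TOKEN` would also select `TOKEN_EXTRA=...` from `$original_variables`; anchoring on the separator with `grep "^$k="` selects only that variable, and the `grep "\$$k"` on the `to_extrapolate` line of the next hunk has the same prefix problem. `echo $chamber_env | for e in $(cat -)` still splits chamber's output on whitespace, so a value containing a space becomes two entries; this predates the change, but since the output format moved from `env` to `dotenv` it is worth confirming how chamber quotes such values before relying on the new path.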
diff --git a/test-command.sh b/test-command.sh
new file mode 100755
index 0000000..48ec1ef
--- /dev/null
+++ b/test-command.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+
+set -e
+
+echo
+echo "Result environment variables:"
+echo
+
+env | grep -E "ROLLBAR_TOKEN|CIRCLECI_TOKEN|OTHER_ENV_VAR"
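Review bot: `env | grep -E "ROLLBAR_TOKEN|CIRCLECI_TOKEN|OTHER_ENV_VAR"` prints the resolved values in full, and the Makefile runs this container with `AWS_PROFILE=signal-prod`, so a test run writes what are presumably real tokens to the terminal or CI log. Redacting the values still shows that the variables were populated: `env | grep -E "ROLLBAR_TOKEN|CIRCLECI_TOKEN|OTHER_ENV_VAR" | sed 's/=.*/=<redacted>/'`. If the intent is to prove the `SECRET` placeholders were replaced, an explicit check such as `if env | grep -qE '^(ROLLBAR_TOKEN|CIRCLECI_TOKEN)=SECRET$'; then echo "placeholder not replaced"; exit 1; fi` makes the test fail for the right reason instead of relying on a reader eyeballing output. Under `set -e` the final `grep` already exits non-zero when nothing matches, which is probably intended but deserves a comment, e.g. `# grep exits 1 if none of the variables are set, failing the test`.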