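#!/usr/bin/env bash

# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# Generates the key material needed to install Concourse and stores it as a
# single YAML document in GCP Secret Manager (secret: concourse-install-bootstrap).
#
# Required env vars:
#   GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET - GitHub OAuth app credentials
#   PINNIPED_GCP_PROJECT                   - GCP project that receives the secret
# Required tools: gcloud (logged in), yq (v4), docker, openssl.
#
# Every secret value is handed to yq through the environment (strenv) rather
# than on the command line, so key material does not show up in `ps` output
# or in a `set -x` trace, and characters such as `"` or `\` inside a value
# cannot break or alter the yq expression.

set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort unless the env var named by $1 is set and non-empty.
require_env() {
  local name=$1
  [[ -n "${!name:-}" ]] || die "${name} env var must be set"
}

# Abort with message $2 unless the CLI named by $1 is on PATH.
# (A missing tool is a failure: exit 1, not a bare `exit` that returns 0.)
require_cmd() {
  local cmd=$1 hint=$2
  command -v -- "$cmd" >/dev/null 2>&1 || die "$hint"
}

# Set .secrets.<$1> in $SECRETS_FILE to the exact string $2.
# The value is passed via the environment so it never appears in argv.
set_secret() {
  local key=$1 value=$2
  SECRET_VALUE="$value" yq -i e ".secrets.${key} = strenv(SECRET_VALUE)" "$SECRETS_FILE"
}

# Set .secrets.<$1> to the contents of file $2 (trailing newlines stripped,
# as with $(cat file)). Fails loudly instead of silently storing an empty value.
set_secret_from_file() {
  local key=$1 path=$2
  [[ -r "$path" ]] || die "expected generated key file is missing or unreadable: ${path}"
  set_secret "$key" "$(<"$path")"
}

# Run the Concourse key generator for key type $1, writing $TEMP_DIR/$2[.pub].
generate_key() {
  local type=$1 name=$2
  docker run -v "$TEMP_DIR":/keys --rm -it concourse/concourse \
    generate-key -t "$type" -f "/keys/${name}"
}

# Require env vars.
require_env GITHUB_CLIENT_ID
require_env GITHUB_CLIENT_SECRET
require_env PINNIPED_GCP_PROJECT

# Check pre-reqs.
require_cmd gcloud "Please install the gcloud CLI"
require_cmd yq "Please install the yq CLI"
require_cmd docker "Please install the docker CLI"
require_cmd openssl "Please install openssl"
if ! gcloud auth print-access-token >/dev/null 2>&1; then
  die "Please run \`gcloud auth login\` and try again."
fi

# Private temporary directory (mktemp -d creates it mode 0700) for the generated
# key material; it is removed on every exit path, including errors.
TEMP_DIR=$(mktemp -d) || die "mktemp failed"
readonly TEMP_DIR
trap 'rm -rf -- "${TEMP_DIR:?}"' EXIT

# Create the three keys required to install the Concourse web component.
# See https://github.com/concourse/concourse-chart/tree/master#secrets
generate_key rsa session-signing-key
generate_key ssh worker-key
generate_key ssh host-key

# Create an extra keypair for our external workers so they can use a different private key
# to avoid sharing the private key of the internal workers to other Kubernetes clusters.
generate_key ssh external-worker-key

# Create an encryption key for DB encryption at rest.
ENCRYPTION_KEY=$(openssl rand -base64 24) || die "openssl rand failed"
readonly ENCRYPTION_KEY

# Write a tmp yaml file which bundles together all of the secrets from above.
# The structure of the keys in this file matches the concourse helm chart's values.yaml inputs,
# except for .secrets.externalWorkerKey which is our own custom key.
SECRETS_FILE="$TEMP_DIR/secrets.yaml"
readonly SECRETS_FILE
printf '%s\n' "# This secret is auto-generated by infra/concourse-install/bootstrap-secrets.sh" \
  >"$SECRETS_FILE"

set_secret_from_file hostKey "$TEMP_DIR/host-key"        # TSA host key
set_secret_from_file hostKeyPub "$TEMP_DIR/host-key.pub" # TSA host key pub
set_secret_from_file sessionSigningKey "$TEMP_DIR/session-signing-key"
set_secret_from_file workerKey "$TEMP_DIR/worker-key"
set_secret_from_file externalWorkerKey "$TEMP_DIR/external-worker-key"

# Put both public keys into the workerKeyPub secret, one on each line.
for pub in "$TEMP_DIR/worker-key.pub" "$TEMP_DIR/external-worker-key.pub"; do
  [[ -r "$pub" ]] || die "expected generated key file is missing or unreadable: ${pub}"
done
set_secret workerKeyPub "$(cat -- "$TEMP_DIR/worker-key.pub" "$TEMP_DIR/external-worker-key.pub")"

set_secret encryptionKey "$ENCRYPTION_KEY"
set_secret githubClientId "$GITHUB_CLIENT_ID"
set_secret githubClientSecret "$GITHUB_CLIENT_SECRET"

# Save the tmp yaml file into the GCP Secrets Manager for later use.
# (Fails if the secret already exists; set -e then aborts the script.)
gcloud secrets create concourse-install-bootstrap \
  --data-file "$SECRETS_FILE" \
  --project "$PINNIPED_GCP_PROJECT"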