secrets.sh
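#!/usr/bin/env bash
# Downloads, shows, edits, uploads and reverts the secrets files kept under
# chart/infra-server/configuration, using `gcloud secrets`.
#
# Usage: secrets.sh TASK ENVIRONMENT [SECRET_VERSION]
#   TASK            name of the task function to run
#   ENVIRONMENT     environment whose secrets files are handled
#   SECRET_VERSION  secret version to access (default: latest)
# Environment:
#   INFRA_GCP_PROJECT  overrides the default GCP project
set -euo pipefail

# Fail with a usage message instead of an "unbound variable" error from set -u.
if (( $# < 2 )); then
  printf 'Usage: %s TASK ENVIRONMENT [SECRET_VERSION]\n' "${0##*/}" >&2
  exit 2
fi

TASK="$1"
ENVIRONMENT="$2"
SECRET_VERSION="${3:-latest}"
PROJECT="${INFRA_GCP_PROJECT:-acs-team-automation}"

# ENVIRONMENT is interpolated into secret names and into local file paths that
# secrets are written to and read from, so restrict it to a plain identifier:
# no path separators, no "..", no whitespace, no leading dash surprises in paths.
if [[ ! "${ENVIRONMENT}" =~ ^[A-Za-z0-9_-]+$ ]]; then
  printf 'Invalid ENVIRONMENT %q: only letters, digits, "_" and "-" are allowed\n' \
    "${ENVIRONMENT}" >&2
  exit 2
fi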
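#######################################
# Downloads both secrets files for ENVIRONMENT into
# chart/infra-server/configuration.
# Globals:   ENVIRONMENT, SECRET_VERSION, PROJECT (read)
# Outputs:   writes <ENVIRONMENT>-values.yaml and
#            <ENVIRONMENT>-values-from-files.yaml
# Returns:   0 on success, 1 if a temp file cannot be created or a
#            gcloud call fails
#######################################
download_secrets() {
  local config_dir="chart/infra-server/configuration"
  local kind target staging

  mkdir -p "${config_dir}"
  for kind in values values-from-files; do
    target="${config_dir}/${ENVIRONMENT}-${kind}.yaml"
    # Stage the download next to the target: redirecting straight into the
    # target would truncate the existing file before gcloud has produced
    # anything, leaving an empty secrets file behind on failure.
    staging="$(mktemp "${target}.XXXXXX")" || return 1
    if ! gcloud secrets versions access "${SECRET_VERSION}" \
      --secret "infra-${kind}-${ENVIRONMENT}" \
      --project "${PROJECT}" \
      > "${staging}"; then
      rm -f -- "${staging}"
      return 1
    fi
    # The file holds plaintext secrets: keep it readable by the owner only,
    # whatever the caller's umask is.
    chmod 600 "${staging}"
    mv -f -- "${staging}" "${target}"
  done
}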
#######################################
# Adds a new secret version for each of the two local secrets files of
# ENVIRONMENT.
# Globals:   ENVIRONMENT, PROJECT (read)
# Returns:   status of the last gcloud call
#######################################
upload_secrets() {
  local config_dir="chart/infra-server/configuration"
  local kind

  # Same order as the files are downloaded: values first, then values-from-files.
  for kind in values values-from-files; do
    gcloud secrets versions add \
      "infra-${kind}-${ENVIRONMENT}" \
      --project "${PROJECT}" \
      --data-file "${config_dir}/${ENVIRONMENT}-${kind}.yaml"
  done
}
#######################################
# Lists the keys of the values-from-files secrets file of ENVIRONMENT.
# Globals:   ENVIRONMENT (read)
# Outputs:   whatever `yq 'keys'` prints for that file
#######################################
show_available_secret_files() {
  local values_file
  values_file="chart/infra-server/configuration/${ENVIRONMENT}-values-from-files.yaml"
  yq 'keys' "${values_file}"
}
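#######################################
# Downloads the secrets, asks which secret file to show, and prints its
# base64-decoded value.
# Globals:   ENVIRONMENT (read)
# Inputs:    one line on stdin: the key to show
# Outputs:   prompts and the decoded secret on stdout
# Returns:   non-zero if a step fails or no key is given
#######################################
show() {
  local values_file="chart/infra-server/configuration/${ENVIRONMENT}-values-from-files.yaml"
  # Kept local so the chosen key does not leak into the script's global scope.
  local secret_name

  download_secrets || return
  show_available_secret_files || return

  echo "> Secret file to show:"
  read -r secret_name || return
  # An empty answer would turn the expression below into "." and pipe the
  # whole document into base64 --decode.
  if [[ -z "${secret_name}" ]]; then
    echo "No secret file name given." >&2
    return 1
  fi

  echo "> Contents:"
  # NOTE(review): secret_name is spliced into the yq expression unescaped, so
  # it is evaluated as a yq path expression rather than as a literal key.
  yq ".${secret_name}" "${values_file}" | base64 --decode
}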
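#######################################
# Downloads the secrets, asks which secret file to change and for its new
# value, stores the base64-encoded value in the local values-from-files file,
# and uploads the result.
# Globals:   ENVIRONMENT (read)
# Inputs:    stdin: the key, then the new value terminated by a line
#            containing only "EOF"
# Returns:   non-zero if a step fails or no key is given
#######################################
edit() {
  local values_file="chart/infra-server/configuration/${ENVIRONMENT}-values-from-files.yaml"
  local secret_name line new_value encoded

  download_secrets || return
  show_available_secret_files || return

  echo "> Secret file to change:"
  read -r secret_name || return
  # An empty answer would make the assignment below target the document root.
  if [[ -z "${secret_name}" ]]; then
    echo "No secret file name given; nothing changed." >&2
    return 1
  fi

  echo "> Enter new value. Type 'EOF' on a line by itself to finish:"
  new_value=""
  while IFS= read -r line; do
    if [[ "${line}" == "EOF" ]]; then
      break
    fi
    # Append a real newline. Building the value with a literal "\n" and
    # expanding it later with `echo -e` would also expand every backslash
    # sequence inside the secret itself (\t, \\, \c ...) and corrupt it.
    new_value+="${line}"$'\n'
  done

  # printf '%s' emits the bytes untouched. Line wrapping that some base64
  # implementations apply is stripped so the encoded value stays on one line
  # inside the quoted yq string.
  encoded="$(printf '%s' "${new_value}" | base64 | tr -d '\n')" || return

  # NOTE(review): secret_name is spliced into the yq expression unescaped, so
  # it is evaluated as a yq path expression rather than as a literal key.
  # Stop before uploading if the local file could not be updated.
  yq eval \
    --inplace ".${secret_name} = \"${encoded}\"" \
    "${values_file}" || return

  upload_secrets
}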
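#######################################
# Downloads the secrets at SECRET_VERSION and uploads them again, which makes
# that content the newest version.
# Returns:   non-zero if the download or the upload fails
# NOTE(review): with the default SECRET_VERSION of "latest" this re-uploads
# the current content as a new version; callers presumably pass an explicit
# older version.
#######################################
revert() {
  # Never upload when the download failed: the local files would then hold
  # stale or incomplete content. The explicit check also holds where errexit
  # is suppressed, e.g. when revert is called inside a condition.
  download_secrets || return
  upload_secrets
}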
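# Run the requested task. TASK comes straight from the command line, so it is
# matched against the known task functions and called by name; passing it to
# `eval` would execute any shell code placed in the first argument.
case "${TASK}" in
  download_secrets | upload_secrets | show_available_secret_files | show | edit | revert)
    "${TASK}"
    ;;
  *)
    printf 'Unknown task: %s\n' "${TASK}" >&2
    printf 'Valid tasks: download_secrets upload_secrets show_available_secret_files show edit revert\n' >&2
    exit 2
    ;;
esac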