more secrets iteration

walac · Aug 9, 2019 · d9ae3c0 · d9ae3c0
1 parent c014ed0
commit d9ae3c0
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -15,3 +15,6 @@ packer-artifacts.json
 ### Vagrant ###
 
 output-vagrant/
+
+### Secrets ###
+real_secrets.yaml
diff --git a/TODO.md b/TODO.md
@@ -1,4 +1,5 @@
 - [ ] No separation of trusted/untrusted builders
-- [ ] docker-worker/generic-worker scripts are run on all builders
-- [ ] No process to install docker-worker yet
+- [x] docker-worker/generic-worker specific scripts should not be run on all builders
+- [x] No process to install docker-worker yet
 - [ ] Version of docker et al are not specified
+- [ ] Figure out where the line is between scripts that provision files and files that get untarred onto the file system
diff --git a/fake_secrets.yaml b/fake_secrets.yaml
@@ -1,7 +1,7 @@
 ---
 # generated with ssh-keygen -t rsa
 - name: worker_private_key
-  path: /etc/taskcluster/worker_private_key
+  path: /etc/taskcluster/secrets/worker_private_key
   value: |
     -----BEGIN RSA PRIVATE KEY-----
     MIIEowIBAAKCAQEAwjwEarILpzMKeyAGibgwV133FP8h/v72dElV0LWSOW/Ce3eM
@@ -31,7 +31,7 @@
     ZxLjjrJeuwM02PiSdxIGUCSlDqjy7H7qTZqenACN4fjImB87MJZ5
     -----END RSA PRIVATE KEY-----
 - name: worker_public_key
-  path: /etc/taskcluster/worker_public_key
+  path: /etc/taskcluster/secrets/worker_public_key
   value: |
     -----BEGIN PUBLIC KEY-----
     MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwjwEarILpzMKeyAGibgw
@@ -44,7 +44,7 @@
     -----END PUBLIC KEY-----
 # generated with: ssh-keygen -t ed25519
 - name: worker_cot_key
-  path: /etc/taskcluster/cot_key
+  path: /etc/taskcluster/secrets/worker_cot_key
   value: |
     -----BEGIN OPENSSH PRIVATE KEY-----
     b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
@@ -55,5 +55,5 @@
     -----END OPENSSH PRIVATE KEY-----
 # generated with: openssl rand -hex 20
 - name: papertrail_logging_secret
-  path: /etc/taskcluster/papertrail_secret
+  path: /etc/taskcluster/secrets/papertrail_secret
   value: "f2f3475398392f2783b8fd11c7a9fe1914346ed9"
diff --git a/packer.yaml b/packer.yaml
@@ -68,8 +68,8 @@ provisioners:
   - type: shell
     inline:
       - sudo tar xvf /tmp/secrets.tar -C /
-      - chown root:root -R /etc/taskcluster
-      - chmod 0600 -R /etc/taskcluster
+      - sudo chown root:root -R /etc/taskcluster
+      - sudo chmod 0400 -R /etc/taskcluster/secrets
       # FIXME
       # actually delete, just for testing
       # - rm /tmp/secrets.tar

diff --git a/util/pack_secrets.py b/util/pack_secrets.py
@@ -30,6 +30,17 @@
     with tarfile.open(outfile, 'w') as tar:
         with tempfile.TemporaryDirectory() as d:
             for secret in secrets:
+                # name is optional
+                if 'name' not in secret:
+                    name = 'unnamed'
+                if 'path' not in secret:
+                    print(
+                        f'Encountered secret {name} without `path` key, exiting.'
+                    )
+                if 'value' not in secret:
+                    print(
+                        f'Encountered secret {name} without `value` key, exiting.'
+                    )
                 path = Path(d + secret['path'])
                 os.makedirs(path.parent, exist_ok=True)
                 with open(path, 'w') as secret_file: