@mike/secrets (#521)

* refactor(snackager): use ExternalSecret * refactor(snackpub): use ExternalSecret * refactor(website): remove secret * refactor(ci): remove git-crypt usage
expo · Jan 8, 2024 · 88ecb01 · 88ecb01
1 parent 1745808
commit 88ecb01
Show file tree

Hide file tree

Showing 32 changed files with 581 additions and 122 deletions.
diff --git a/.github/actions/setup-secrets/action.yml b/.github/actions/setup-secrets/action.yml
diff --git a/.github/workflows/snackager-bundle.yml b/.github/workflows/snackager-bundle.yml
@@ -25,11 +25,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup snackager
         uses: ./.github/actions/setup-snackager
         with:

diff --git a/.github/workflows/snackager.yml b/.github/workflows/snackager.yml
@@ -22,7 +22,6 @@ on:
   pull_request:
     paths:
       - .github/actions/setup-google-cloud/**
-      - .github/actions/setup-secrets/**
       - .github/actions/setup-snackager/**
       - .github/workflows/snackager.yml
       - snackager/**
@@ -37,7 +36,6 @@ on:
     branches: [main]
     paths:
       - .github/actions/setup-google-cloud/**
-      - .github/actions/setup-secrets/**
       - .github/actions/setup-snackager/**
       - .github/workflows/snackager.yml
       - snackager/**
@@ -56,11 +54,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup snackager
         uses: ./.github/actions/setup-snackager
 
@@ -81,11 +74,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup snackager
         uses: ./.github/actions/setup-snackager
 
@@ -102,11 +90,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -130,11 +113,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -185,11 +163,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -231,4 +204,3 @@ jobs:
           status: ${{ job.status }}
           author_name: Deploy Snackager to Production
           fields: message,commit,author,job,took
-
diff --git a/.github/workflows/snackpub.yml b/.github/workflows/snackpub.yml
@@ -22,7 +22,6 @@ on:
   pull_request:
     paths:
       - .github/actions/setup-google-cloud/**
-      - .github/actions/setup-secrets/**
       - .github/actions/setup-snackpub/**
       - .github/workflows/snackpub.yml
       - snackpub/**
@@ -34,7 +33,6 @@ on:
     branches: [main]
     paths:
       - .github/actions/setup-google-cloud/**
-      - .github/actions/setup-secrets/**
       - .github/actions/setup-snackpub/**
       - .github/workflows/snackpub.yml
       - snackpub/**
@@ -50,11 +48,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup snackpub
         uses: ./.github/actions/setup-snackpub
 
@@ -71,11 +64,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -98,11 +86,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -148,11 +131,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:

diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -22,7 +22,6 @@ on:
   pull_request:
     paths:
       - .github/actions/setup-google-cloud/**
-      - .github/actions/setup-secrets/**
       - .github/actions/setup-website/**
       - .github/workflows/website.yml
       - website/**
@@ -36,7 +35,6 @@ on:
     branches: [main]
     paths:
       - .github/actions/setup-google-cloud/**
-      - .github/actions/setup-secrets/**
       - .github/actions/setup-website/**
       - .github/workflows/website.yml
       - website/**
@@ -70,11 +68,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -94,11 +87,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
 
@@ -119,11 +107,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:
@@ -174,11 +157,6 @@ jobs:
       - name: 🏗 Setup repository
         uses: actions/checkout@v3
 
-      - name: 🏗 Setup secrets
-        uses: ./.github/actions/setup-secrets
-        with:
-          git-crypt-key: ${{ secrets.GIT_CRYPT_KEY }}
-
       - name: 🏗 Setup Google Cloud SDK
         uses: ./.github/actions/setup-google-cloud
         with:

diff --git a/snackager/.env-cmdrc.js b/snackager/.env-cmdrc.js
@@ -1,27 +1,43 @@
 const fs = require('fs');
 const path = require('path');
+const yaml = require('js-yaml');
 const { GetEnvVars } = require('env-cmd');
+const { SecretManagerServiceClient } = require('@google-cloud/secret-manager').v1;
+
+async function getSecretEnv(name) {
+  const secretmanagerClient = new SecretManagerServiceClient();
+  try {
+    const response = await secretmanagerClient.accessSecretVersion({ name });
+    return JSON.parse(response[0].payload.data.toString());
+  } catch {
+    return {};
+  }
+}
 
 module.exports = (async function () {
   const processArgs = process.argv.join(' ');
   const baseEnv = await GetEnvVars({ envFile: { filePath: './k8s/base/snackager.env' } });
+  const stagingEnv = await GetEnvVars({ envFile: { filePath: './k8s/staging/snackager.env' } });
   const baseSecrets = {
-    SENTRY_DSN: fs.readFileSync('./k8s/base/secrets/SENTRY_DSN').toString(),
     REDIS_URL: 'redis://localhost:6379/0', // proxied by port-forward-redis
   };
-  const stagingEnv = await GetEnvVars({ envFile: { filePath: './k8s/staging/snackager.env' } });
-  const stagingSecrets = await GetEnvVars({
-    envFile: { filePath: './k8s/staging/secrets/snackager.env' },
-  });
-
+  const externalSecret = yaml.load(fs.readFileSync(
+    './k8s/staging/external-secret-env.yaml',
+    'utf8',
+  ));
+  const secretName = externalSecret.spec.dataFrom[0].extract.key;
+  const secretVersion = externalSecret.spec.dataFrom[0].extract.version;
+  const secretResourceName = `projects/77257980902/secrets/${secretName}/versions/${secretVersion}`;
+  const stagingSecrets = await getSecretEnv(secretResourceName);
   delete stagingSecrets['REDIS_URL']; // this is set above for the proxy
 
   if (!stagingSecrets.GIT_SESSION_SECRET && !processArgs.includes('env-cmd -e test')) {
     console.error(
-      'Secrets are locked, unable to start Snackager. External contributors cannot start Snackager and can ignore this error. snack-proxies will redirect traffic to the Snackager service running on the staging environment.\n'
+      'Cannot access secrets, unable to start Snackager. External contributors cannot start Snackager and can ignore this error. snack-proxies will redirect traffic to the Snackager service running on the staging environment.\n'
     );
     throw new Error('Secrets are locked.');
   }
+
   return {
     development: {
       NODE_ENV: 'development',

diff --git a/snackager/k8s/base/external-secrets-config.yaml b/snackager/k8s/base/external-secrets-config.yaml
@@ -0,0 +1,5 @@
+nameReference:
+- kind: Secret
+  fieldSpecs:
+  - kind: ExternalSecret
+    path: spec/target/name
diff --git a/snackager/k8s/base/kustomization.yaml b/snackager/k8s/base/kustomization.yaml
@@ -5,6 +5,8 @@ commonLabels:
 resources:
 - deployment.yaml
 - service.yaml
+configurations:
+  - external-secrets-config.yaml
 configMapGenerator:
 - name: snackager-config
   envs:
@@ -14,8 +16,4 @@ configMapGenerator:
   - NODE_ENV=production
 secretGenerator:
 - name: snackager-config
-  files:
-  - secrets/SENTRY_DSN
 - name: git-account-credentials
-  files:
-  - id_rsa=secrets/github-key.pem
diff --git a/snackager/k8s/base/secrets/SENTRY_DSN b/snackager/k8s/base/secrets/SENTRY_DSN
diff --git a/snackager/k8s/base/secrets/github-key.pem b/snackager/k8s/base/secrets/github-key.pem
diff --git a/snackager/k8s/production/external-secret-env.yaml b/snackager/k8s/production/external-secret-env.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: snackager-config
+spec:
+  refreshInterval: "0"
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: gcp-store
+  target:
+    name: snackager-config
+    creationPolicy: Owner
+  dataFrom:
+  - extract:
+      key: production__snack__snackager__env
+      version: "1"
diff --git a/snackager/k8s/production/external-secret-private-key.yaml b/snackager/k8s/production/external-secret-private-key.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: git-account-credentials
+spec:
+  refreshInterval: "0"
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: gcp-store
+  target:
+    name: snackager-config
+    creationPolicy: Owner
+  dataFrom:
+  - extract:
+      key: production__snack__snackager__gh_private_key
+      version: "1"
diff --git a/snackager/k8s/production/kustomization.yaml b/snackager/k8s/production/kustomization.yaml
@@ -4,6 +4,8 @@ namespace: production
 resources:
 - ../base
 - vertical-pod-autoscaler.yaml
+- external-secret-env.yaml
+- external-secret-private-key.yaml
 patchesStrategicMerge:
 - deployment-increase-replicas.yaml
 - service-backend.yaml
@@ -15,5 +17,9 @@ configMapGenerator:
 secretGenerator:
 - name: snackager-config
   behavior: merge
-  envs:
-  - secrets/snackager.env
+  files:
+  - ./external-secret-env.yaml
+- name: git-account-credentials
+  behavior: merge
+  files:
+  - ./external-secret-private-key.yaml
diff --git a/snackager/k8s/production/secrets/snackager.env b/snackager/k8s/production/secrets/snackager.env
diff --git a/snackager/k8s/staging/external-secret-env.yaml b/snackager/k8s/staging/external-secret-env.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: snackager-config
+spec:
+  refreshInterval: "0"
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: gcp-store
+  target:
+    name: snackager-config
+    creationPolicy: Owner
+  dataFrom:
+  - extract:
+      key: staging__snack__snackager__env
+      version: "1"