about summary refs log tree commit diff
path: root/tools
diff options
context:
space:
mode:
authorVincent Ambo <tazjin@google.com>2019-09-03T14·56+0100
committerVincent Ambo <tazjin@google.com>2019-09-03T15·12+0100
commitbcd7710be565a4711a43d56122b37c7b38514b81 (patch)
tree8c53fe436606cea3ffd50ee4d42753b1340b8a5b /tools
parentabd5d7538c727e1aca7712455a799cf034d0fbaf (diff)
feat(tools): Introduce pass-compatible wrapper using Cloud KMS
Adds a shell script that supports a subset of the 'pass' interface for
compatibility with kontemplate, and wraps kontemplate in a script that
places this version on the PATH.

This makes it possible to use Cloud KMS encrypted secrets with kontemplate.
Diffstat (limited to 'tools')
-rwxr-xr-xtools/bin/__dispatch.sh3
l---------tools/bin/pass1
-rw-r--r--tools/kms_pass/default.nix60
3 files changed, 64 insertions, 0 deletions
diff --git a/tools/bin/__dispatch.sh b/tools/bin/__dispatch.sh
index 09b404f3b33d..20848bd5118c 100755
--- a/tools/bin/__dispatch.sh
+++ b/tools/bin/__dispatch.sh
@@ -22,6 +22,9 @@ case "${TARGET_TOOL}" in
   stern)
     attr="stern"
     ;;
+  pass)
+    attr="tazjin.kms_pass"
+    ;;
   *)
     echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
     exit 1
diff --git a/tools/bin/pass b/tools/bin/pass
new file mode 120000
index 000000000000..8390ec9c9652
--- /dev/null
+++ b/tools/bin/pass
@@ -0,0 +1 @@
+__dispatch.sh
\ No newline at end of file
diff --git a/tools/kms_pass/default.nix b/tools/kms_pass/default.nix
new file mode 100644
index 000000000000..fbc17650a948
--- /dev/null
+++ b/tools/kms_pass/default.nix
@@ -0,0 +1,60 @@
+# This tool mimics a subset of the interface of 'pass', but uses
+# Google Cloud KMS for encryption.
+#
+# It is intended to be compatible with how 'kontemplate' invokes
+# 'pass.'
+#
+# Only the 'show' and 'insert' commands are supported.
+
+{ google-cloud-sdk, tree, writeShellScriptBin
+, project, region, keyring, key }:
+
+writeShellScriptBin "pass" ''
+  set -eo pipefail
+
+  CMD="$1"
+  readonly SECRET=$2
+  readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
+
+  function secret_check {
+    if [[ -z $SECRET ]]; then
+      echo 'Secret must be specified'
+      exit 1
+    fi
+  }
+
+  if [[ -z $CMD ]]; then
+    CMD="ls"
+  fi
+
+  case "$CMD" in
+    ls)
+       ${tree}/bin/tree $SECRETS_DIR
+       ;;
+    show)
+      secret_check
+      ${google-cloud-sdk}/bin/gcloud kms decrypt \
+        --project ${project} \
+        --location ${region} \
+        --keyring ${keyring} \
+        --key ${key} \
+        --ciphertext-file $SECRET_PATH \
+        --plaintext-file -
+      ;;
+    insert)
+      secret_check
+      ${google-cloud-sdk}/bin/gcloud kms encrypt \
+        --project ${project} \
+        --location ${region} \
+        --keyring ${keyring} \
+        --key ${key} \
+        --ciphertext-file $SECRET_PATH \
+        --plaintext-file -
+      echo "Inserted secret '$SECRET'"
+      ;;
+    *)
+      echo "Usage: pass show/insert <secret>"
+      exit 1
+      ;;
+  esac
+''