rescoped secrets

alphagov · Sep 29, 2023 · e385d3b · e385d3b
1 parent 114c0aa
commit e385d3b
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 26 deletions.
diff --git a/concourse/pipelines/create-cloudfoundry.yml b/concourse/pipelines/create-cloudfoundry.yml
@@ -3095,6 +3095,7 @@ jobs:
             CREDHUB_CLIENT_SECRET: ((bosh-credhub-admin))
             CREDHUB_CA_CERT: ((bosh-credhub-ca-cert))
             DEPLOY_ENV: ((deploy_env))
+            BOSH_EXPORTER_PASSWORD: ((bosh-exporter-password)) 
           run:
             path: sh
             args:
@@ -3170,7 +3171,8 @@ jobs:
                 credhub set --name="${PIPELINE_NS}/paas_admin_prometheus_password" --type password --password "${PAAS_ADMIN_PROMETHEUS_PASSWORD}"
                 credhub set --name="${PIPELINE_NS}/paas_prometheus_endpoints_aws_access_key_id" --type password --password "${PAAS_PROMETHEUS_ENDPOINTS_AWS_ACCESS_KEY_ID}"
                 credhub set --name="${PIPELINE_NS}/paas_prometheus_endpoints_aws_secret_access_key" --type password --password "${PAAS_PROMETHEUS_ENDPOINTS_AWS_SECRET_ACCESS_KEY}"
-                credhub set --name="${PIPELINE_NS}/uaa_clients_cf_exporter_secret" --type password --password "${UAA_CLIENTS_CF_EXPORTER_SECRET}"
+                credhub set --name="${DEPLOY_ENV}/prometheus/uaa_clients_cf_exporter_secret" --type password --password "${UAA_CLIENTS_CF_EXPORTER_SECRET}"
+                credhub set --name="${DEPLOY_ENV}/prometheus/uaa_bosh_exporter_client_secret" --type value --value "${BOSH_EXPORTER_PASSWORD}"
                 credhub set --name="${PIPELINE_NS}/secrets_rds_broker_admin_password" --type password --password "${RDS_BROKER_PASS}"
                 credhub set --name="${PIPELINE_NS}/secrets_cdn_broker_admin_password" --type password --password "${CDN_BROKER_PASS}"
                 credhub set --name="${PIPELINE_NS}/secrets_aiven_broker_admin_password" --type password --password "${AIVEN_BROKER_PASS}"
@@ -3247,11 +3249,7 @@ jobs:
             ENABLE_ALERT_NOTIFICATIONS: ((ENABLE_ALERT_NOTIFICATIONS))
             SLIM_DEV_DEPLOYMENT: ((slim_dev_deployment))
             ENV_SPECIFIC_BOSH_VARS_FILE: ((env_specific_bosh_vars_file))
-            GRAFANA_AUTH_GOOGLE_CLIENT_ID: ((grafana_auth_google_client_id))
-            GRAFANA_AUTH_GOOGLE_CLIENT_SECRET: ((grafana_auth_google_client_secret))
-            UAA_CLIENTS_CF_EXPORTER_SECRET: ((uaa_clients_cf_exporter_secret))
             BOSH_CA_CERT: ((bosh-ca-cert))
-            BOSH_EXPORTER_PASSWORD: ((bosh-exporter-password))
             VCAP_PASSWORD: ((vcap-password))
           run:
             path: bash

diff --git a/manifests/prometheus/scripts/generate-env-manifest.sh b/manifests/prometheus/scripts/generate-env-manifest.sh
@@ -22,8 +22,6 @@ STATE_BUCKET="gds-paas-${DEPLOY_ENV}-state"
 
 cd "${WORKDIR}"
 
-credhub find -n /concourse/main/bosh-exporter-password > /dev/null 2>&1 || (echo "You need to connect to credhub." && exit 1)
-
 mkdir -p "${WORKDIR}/terraform-tfstate"
 mkdir -p "${WORKDIR}/paas-trusted-people"
 mkdir -p "${WORKDIR}/terraform-outputs"
@@ -42,21 +40,6 @@ export BOSH_URL
 VCAP_PASSWORD=$(ruby -ryaml -e "puts YAML.load_file('$WORKDIR/bosh-secrets.yml')['secrets']['vcap_password']")
 export VCAP_PASSWORD
 
-# All these variables are scoped into the wrong part of credhub. Why? who knows. This means
-# this script needs access to credhub to extract them. Wouldn't it be lovely if they were
-# scoped right, then we could just refer to them as ((variable)) in the manifest.
-
-BOSH_EXPORTER_PASSWORD="$(credhub get -q -n /concourse/main/bosh-exporter-password)"
-export BOSH_EXPORTER_PASSWORD
-GRAFANA_AUTH_GOOGLE_CLIENT_ID="$(credhub get -q -n /concourse/main/create-cloudfoundry/grafana_auth_google_client_id)"
-export GRAFANA_AUTH_GOOGLE_CLIENT_ID
-GRAFANA_AUTH_GOOGLE_CLIENT_SECRET="$(credhub get -q -n /concourse/main/create-cloudfoundry/grafana_auth_google_client_secret)"
-export GRAFANA_AUTH_GOOGLE_CLIENT_SECRET
-UAA_CLIENTS_CF_EXPORTER_SECRET="$(credhub get -q -n /concourse/main/create-cloudfoundry/uaa_clients_cf_exporter_secret)"
-export UAA_CLIENTS_CF_EXPORTER_SECRET
-UAA_CLIENTS_FIREHOSE_EXPORTER_SECRET="$(credhub get -q -n /concourse/main/create-cloudfoundry/uaa_clients_firehose_exporter_secret)"
-export UAA_CLIENTS_FIREHOSE_EXPORTER_SECRET
-
 BOSH_CA_CERT="$(cat "${WORKDIR}/bosh-CA.crt")"
 BOSH_CA_CERT="$(awk -v ORS='\\n' '1' <(printenv BOSH_CA_CERT | tr -d '\r'))"
 export BOSH_CA_CERT

diff --git a/manifests/prometheus/scripts/generate-manifest.sh b/manifests/prometheus/scripts/generate-manifest.sh
@@ -34,18 +34,14 @@ cat <<EOF > "${variables_file}"
 ---
 metrics_environment: $DEPLOY_ENV
 bosh_url: $BOSH_URL
-uaa_bosh_exporter_client_secret: $BOSH_EXPORTER_PASSWORD
 system_domain: $SYSTEM_DNS_ZONE_NAME
 app_domain: $APPS_DNS_ZONE_NAME
 metron_deployment_name: $DEPLOY_ENV
 skip_ssl_verify: false
 traffic_controller_external_port: 443
 loggregator_ca_name: /$DEPLOY_ENV/$DEPLOY_ENV/loggregator_ca
-uaa_clients_cf_exporter_secret: $UAA_CLIENTS_CF_EXPORTER_SECRET
 aws_account: $AWS_ACCOUNT
 aws_region: $AWS_REGION
-grafana_auth_google_client_id: $GRAFANA_AUTH_GOOGLE_CLIENT_ID
-grafana_auth_google_client_secret: $GRAFANA_AUTH_GOOGLE_CLIENT_SECRET
 bosh_ca_cert: "$BOSH_CA_CERT"
 vcap_password: $VCAP_PASSWORD
 EOF

diff --git a/scripts/upload-secrets/upload-google-oauth-secrets.rb b/scripts/upload-secrets/upload-google-oauth-secrets.rb
@@ -11,6 +11,7 @@
 credhub_namespaces = [
   "/concourse/main/create-cloudfoundry",
   "/#{deploy_env}/#{deploy_env}",
+  "/#{deploy_env}/prometheus",
 ]
 
 google_oauth_client_id = ENV["GOOGLE_OAUTH_CLIENT_ID"] || get_secret("google/#{ENV['MAKEFILE_ENV_TARGET']}/oauth/client_id")