Utility for generating secrets for an environment (#191)

* Add utility for generating secrets for an environment * Add documentation for generating secrets
azimuth-cloud · Nov 14, 2024 · 14052b0 · 14052b0
1 parent eee08d3
commit 14052b0
Show file tree

Hide file tree

Showing 13 changed files with 160 additions and 14 deletions.
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -107,6 +107,14 @@ runs:
         source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
         ansible-galaxy install -f -r requirements.yml
 
+    - name: Generate secrets for environment
+      shell: bash
+      run: |
+        set -e
+        source ci.env
+        source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
+        ./bin/generate-secrets
+
     # Generate and append the S3 credential to the CI environment file
     - name: Configure S3 lock
       id: s3-lock-config

diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,6 @@
 .python-version
 /clouds.yaml*
 tilt-settings.yaml
+# Ignore generated secrets in demo and CI environments
+environments/demo/inventory/group_vars/all/secrets.yml
+.github/environments/**/secrets.yml
diff --git a/bin/generate-secrets b/bin/generate-secrets
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+#####
+## This script generates a secrets file for an environment.
+##
+## The environment can either be given as an argument or activated.
+#####
+
+set -eo pipefail
+
+
+# Parse the command line arguments
+# The environment defaults to the active environment, if set
+COMMAND_ENVIRONMENT="${AZIMUTH_CONFIG_ENVIRONMENT:-""}"
+FORCE_OVERWRITE=
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -f|--force)
+            FORCE_OVERWRITE="yes"
+            shift
+            ;;
+        *)
+            COMMAND_ENVIRONMENT="$1"
+            shift
+            ;;
+    esac
+done
+
+# If the environment is unknown at this point, bail
+if [ -z "$COMMAND_ENVIRONMENT" ]; then
+    echo "Target environment must either be specified as an argument or activated" >&2
+    exit 1
+fi
+
+# Work out where the secrets file for the specified environment lives
+CONFIG_ROOT="$(dirname $(dirname $(realpath ${BASH_SOURCE[0]:-${(%):-%x}})))"
+# We check environments and .github/environments, as in activate
+if [ -d "$CONFIG_ROOT/environments/$COMMAND_ENVIRONMENT" ]; then
+  CONFIG_ENVIRONMENT_ROOT="$CONFIG_ROOT/environments/$COMMAND_ENVIRONMENT"
+elif [ -d "$CONFIG_ROOT/.github/environments/$COMMAND_ENVIRONMENT" ]; then
+  CONFIG_ENVIRONMENT_ROOT="$CONFIG_ROOT/.github/environments/$COMMAND_ENVIRONMENT"
+else
+  echo "Unrecognised config environment '$COMMAND_ENVIRONMENT'" >&2
+  exit 1
+fi
+SECRETS_FILE="$CONFIG_ENVIRONMENT_ROOT/inventory/group_vars/all/secrets.yml"
+echo "Writing secrets to $SECRETS_FILE"
+
+# If the secrets file already exists, do not overwrite it unless explicitly requested
+if [ -f "$SECRETS_FILE" ]; then
+    if [ "$FORCE_OVERWRITE" = "yes" ]; then
+        echo "$SECRETS_FILE already exists - overwriting"
+    else
+        echo "$SECRETS_FILE already exists - will not overwrite" >&2
+        exit 1
+    fi
+fi
+
+# Write the secrets file, making sure the directory exists first
+mkdir -p "$(dirname $SECRETS_FILE)"
+cat <<EOF > $SECRETS_FILE
+#####
+# This file contains secrets for the $COMMAND_ENVIRONMENT environment
+#
+# It should be encrypted if stored in version control
+# https://azimuth-config.readthedocs.io/en/stable/repository/secrets/
+#####
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/05-secret-key/
+# The secret key for signing Azimuth cookies
+azimuth_secret_key: "$(openssl rand -hex 32)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/07-platform-identity/#keycloak-admin-password
+# The admin password for the Keycloak master realm
+keycloak_admin_password: "$(openssl rand -hex 16)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/08-zenith/
+# The secret key for signing Zenith registrar tokens
+zenith_registrar_subdomain_token_signing_key: "$(openssl rand -hex 32)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/10-kubernetes-clusters/#harbor-registry
+# The password for the Harbor admin account
+harbor_admin_password: "$(openssl rand -hex 16)"
+# The secret key for Harbor
+harbor_secret_key: "$(openssl rand -hex 8)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/14-monitoring/#accessing-web-interfaces
+# The admin password for Azimuth administrative dashboards
+admin_dashboard_ingress_basic_auth_password: "$(openssl rand -hex 16)"
+EOF
diff --git a/bin/kube-connect b/bin/kube-connect
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
 #####
-## This script uses Tilt (tilt.dev) to allow easier code development on the
-## currently activated environment
+## This script allows access to the Azimuth Kubernetes cluster from the machine
+## where the script is executed by using a SOCKS proxy
 #####
 
 set -eo pipefail

diff --git a/docs/configuration/05-secret-key.md b/docs/configuration/05-secret-key.md
@@ -9,7 +9,12 @@ azimuth_secret_key: "<some secret key>"
 !!! tip
 
     This key should be a long, random string - at least 32 bytes (256 bits) is recommended.
-    A suitable key can be generated using `openssl rand -hex 32`.
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
 
 !!! danger
 

diff --git a/docs/configuration/07-platform-identity.md b/docs/configuration/07-platform-identity.md
@@ -79,6 +79,14 @@ The only required configuration for platform identity is to set the admin passwo
 keycloak_admin_password: "<secure password>"
 ```
 
+!!! tip
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
+
 !!! danger
 
     This password should be kept secret. If you want to keep the password in Git - which is

diff --git a/docs/configuration/08-zenith.md b/docs/configuration/08-zenith.md
@@ -18,7 +18,12 @@ zenith_registrar_subdomain_token_signing_key: "<some secret key>"
 !!! tip
 
     This key must be a long, random string - at least 32 bytes (256 bits) is required.
-    A suitable key can be generated using `openssl rand -hex 32`.
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
 
 !!! danger
 

diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md
@@ -159,6 +159,14 @@ harbor_admin_password: "<secure password>"
 harbor_secret_key: "<secure secret key>"
 ```
 
+!!! tip
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
+
 !!! danger
 
     These values should be kept secret. If you want to keep them in Git - which is recommended -

diff --git a/docs/configuration/14-monitoring.md b/docs/configuration/14-monitoring.md
@@ -51,6 +51,14 @@ admin_dashboard_ingress_basic_auth_password: "<secure password>"
     As such you should ensure that a strong password is used, and take care when sharing
     it.
 
+!!! tip
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
+
 !!! danger
 
     This password should be kept secret. If you want to keep the password in Git - which is

diff --git a/docs/developing/index.md b/docs/developing/index.md
@@ -70,6 +70,10 @@ export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml
 # with other deployments that use the dev environment
 source ./bin/activate dev jbloggs-dev
 
+# Generate secrets locally for the active environment, if required
+# DO NOT COMMIT THE GENERATED FILE TO GIT
+./bin/generate-secrets
+
 # Install Azimuth as usual
 ansible-galaxy install -f -r requirements.yml
 ansible-playbook azimuth_cloud.azimuth_ops.provision

diff --git a/docs/repository/index.md b/docs/repository/index.md
@@ -54,14 +54,26 @@ to do this is to copy the `example` environment as a starting point:
 cp -r ./environments/example ./environments/my-site
 ```
 
-!!! tip
+!!! tip  "Copy instead of rename"
 
     Copying the `example` environment, rather than just renaming it, avoids conflicts
     when synchronising changes from the `azimuth-config` repository where the `example`
     environment has changed.
 
 Once you have your new environment, you can make the required changes for your site.
 
+!!! tip  "Generating secrets"
+
+    `azimuth-config` includes a utility that can be used to generate secrets for your
+    environment:
+
+    ```sh
+    ./bin/generate-secrets --force my-site
+    ```
+
+    `--force` is required because the `example` environment includes an example secrets
+    file that we want to overwrite with the generated secrets.
+
 As you make changes to your environment, remember to commit and push them regularly:
 
 ```sh

diff --git a/docs/try.md b/docs/try.md
@@ -46,6 +46,10 @@ source ./bin/activate demo
 # Install Ansible dependencies
 ansible-galaxy install -f -r requirements.yml
 
+# Generate deployment secrets
+# N.B. for the demo environment, these are excluded from git using .gitignore
+./bin/generate-secrets
+
 # Deploy Azimuth
 ansible-playbook azimuth_cloud.azimuth_ops.provision
 ```

diff --git a/environments/demo/inventory/group_vars/all/variables.yml b/environments/demo/inventory/group_vars/all/variables.yml
@@ -54,12 +54,3 @@ azimuth_openstack_external_net_template: >-
 azimuth_openstack_verify_ssl: false
 
 azimuth_current_cloud_name: demo
-
-# Use secrets that are not really secret for ease
-admin_dashboard_ingress_basic_auth_password: admin
-harbor_admin_password: admin
-harbor_secret_key: abcdefghijklmnop
-keycloak_admin_password: admin
-coral_credits_admin_password: admin
-zenith_registrar_subdomain_token_signing_key: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AA
-azimuth_secret_key: 9876543210ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcda00