diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index cac5dd0c..ee0c8693 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -107,6 +107,14 @@ runs:
 source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
 ansible-galaxy install -f -r requirements.yml
+- name: Generate secrets for environment
+shell: bash
+run: |
+set -e
+source ci.env
+source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
+./bin/generate-secrets
+
 # Generate and append the S3 credential to the CI environment file
 - name: Configure S3 lock
 id: s3-lock-config
diff --git a/.gitignore b/.gitignore
index 1edc0d15..9009b8d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,6 @@
 .python-version
 /clouds.yaml*
 tilt-settings.yaml
+# Ignore generated secrets in demo and CI environments
+environments/demo/inventory/group_vars/all/secrets.yml
+.github/environments/**/secrets.yml
diff --git a/bin/generate-secrets b/bin/generate-secrets
new file mode 100755
index 00000000..044e21cc
--- /dev/null
+++ b/bin/generate-secrets
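Review bot: The added ignore patterns cover only the demo and `.github/environments` trees, whereas `docs/repository/index.md` in this commit tells users to run `./bin/generate-secrets --force my-site` for a site environment, whose generated plaintext `secrets.yml` remains trackable with nothing in the tooling stopping a commit. The generated file's own header only says it "should be encrypted if stored in version control". A comment above the two patterns would make the boundary explicit, e.g. `# Site environments are deliberately NOT ignored: encrypt secrets.yml before committing`, and a pre-commit hook that rejects an unencrypted `secrets.yml` under `environments/` would close the gap.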
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+#####
+## This script generates a secrets file for an environment.
+##
+## The environment can either be given as an argument or activated.
+#####
+
+set -eo pipefail
+
+
+# Parse the command line arguments
+# The environment defaults to the active environment, if set
+COMMAND_ENVIRONMENT="${AZIMUTH_CONFIG_ENVIRONMENT:-""}"
+FORCE_OVERWRITE=
+while [[ $# -gt 0 ]]; do
+case $1 in
+-f|--force)
+FORCE_OVERWRITE="yes"
+shift
+;;
+*)
+COMMAND_ENVIRONMENT="$1"
+shift
+;;
+esac
+done
+
+# If the environment is unknown at this point, bail
+if [ -z "$COMMAND_ENVIRONMENT" ]; then
+echo "Target environment must either be specified as an argument or activated" >&2
+exit 1
+fi
+
+# Work out where the secrets file for the specified environment lives
+CONFIG_ROOT="$(dirname $(dirname $(realpath ${BASH_SOURCE[0]:-${(%):-%x}})))"
+# We check environments and .github/environments, as in activate
+if [ -d "$CONFIG_ROOT/environments/$COMMAND_ENVIRONMENT" ]; then
+CONFIG_ENVIRONMENT_ROOT="$CONFIG_ROOT/environments/$COMMAND_ENVIRONMENT"
+elif [ -d "$CONFIG_ROOT/.github/environments/$COMMAND_ENVIRONMENT" ]; then
+CONFIG_ENVIRONMENT_ROOT="$CONFIG_ROOT/.github/environments/$COMMAND_ENVIRONMENT"
+else
+echo "Unrecognised config environment '$COMMAND_ENVIRONMENT'" >&2
+exit 1
+fi
+SECRETS_FILE="$CONFIG_ENVIRONMENT_ROOT/inventory/group_vars/all/secrets.yml"
+echo "Writing secrets to $SECRETS_FILE"
+
+# If the secrets file already exists, do not overwrite it unless explicitly requested
+if [ -f "$SECRETS_FILE" ]; then
+if [ "$FORCE_OVERWRITE" = "yes" ]; then
+echo "$SECRETS_FILE already exists - overwriting"
+else
+echo "$SECRETS_FILE already exists - will not overwrite" >&2
+exit 1
+fi
+fi
+
+# Write the secrets file, making sure the directory exists first
+mkdir -p "$(dirname $SECRETS_FILE)"
+cat < $SECRETS_FILE
+#####
+# This file contains secrets for the $COMMAND_ENVIRONMENT environment
+#
+# It should be encrypted if stored in version control
+# https://azimuth-config.readthedocs.io/en/stable/repository/secrets/
+#####
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/05-secret-key/
+# The secret key for signing Azimuth cookies
+azimuth_secret_key: "$(openssl rand -hex 32)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/07-platform-identity/#keycloak-admin-password
+# The admin password for the Keycloak master realm
+keycloak_admin_password: "$(openssl rand -hex 16)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/08-zenith/
+# The secret key for signing Zenith registrar tokens
+zenith_registrar_subdomain_token_signing_key: "$(openssl rand -hex 32)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/10-kubernetes-clusters/#harbor-registry
+# The password for the Harbor admin account
+harbor_admin_password: "$(openssl rand -hex 16)"
+# The secret key for Harbor
+harbor_secret_key: "$(openssl rand -hex 8)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/14-monitoring/#accessing-web-interfaces
+# The admin password for Azimuth administrative dashboards
+admin_dashboard_ingress_basic_auth_password: "$(openssl rand -hex 16)"
+EOF
diff --git a/bin/kube-connect b/bin/kube-connect
index 5df52519..d8503776 100755
--- a/bin/kube-connect
+++ b/bin/kube-connect
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
 #####
-## This script uses Tilt (tilt.dev) to allow easier code development on the
-## currently activated environment
+## This script allows access to the Azimuth Kubernetes cluster from the machine
+## where the script is executed by using a SOCKS proxy
 #####
 
 set -eo pipefail
diff --git a/docs/configuration/05-secret-key.md b/docs/configuration/05-secret-key.md
index e081c088..cf4f8b33 100644
--- a/docs/configuration/05-secret-key.md
+++ b/docs/configuration/05-secret-key.md
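Review bot: A failed `openssl rand` inside the heredoc's `$(...)` is not caught by `set -e` (the status that counts is `cat`'s), so a missing or broken `openssl` silently writes `azimuth_secret_key: ""` and the other keys empty while the script exits 0; add `command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }` before the write, or assign each value with `value=$(openssl rand -hex 32)` first so `-e` aborts on failure. The file is also created under the caller's default umask, so on a shared machine it is typically group/world-readable; a `umask 077` before `mkdir -p` (and a `chmod 600` when `--force` rewrites an existing file) would keep the generated secrets private. The `cat < $SECRETS_FILE` line reads as garbled in this rendering — presumably `cat <<EOF > "$SECRETS_FILE"` — and `$SECRETS_FILE` there and in `$(dirname $SECRETS_FILE)` should be quoted. Note that `coral_credits_admin_password`, removed from the demo defaults in this commit's variables.yml hunk, is not generated here; if it is still consumed, the demo environment now lacks it.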
@@ -9,7 +9,12 @@ azimuth_secret_key: ""
 
 !!! tip
 
 This key should be a long, random string - at least 32 bytes (256 bits) is recommended.
-A suitable key can be generated using `openssl rand -hex 32`.
+
+`azimuth-config` includes a utility for generating secrets for an environment:
+
+```sh
+./bin/generate-secrets [--force]
+```
 
 !!! danger
diff --git a/docs/configuration/07-platform-identity.md b/docs/configuration/07-platform-identity.md
index 4eaa3e2f..a139c171 100644
--- a/docs/configuration/07-platform-identity.md
+++ b/docs/configuration/07-platform-identity.md
@@ -79,6 +79,14 @@ The only required configuration for platform identity is to set the admin passwo
 keycloak_admin_password: ""
 ```
 
+!!! tip
+
+`azimuth-config` includes a utility for generating secrets for an environment:
+
+```sh
+./bin/generate-secrets [--force]
+```
+
 !!! danger
 
 This password should be kept secret. If you want to keep the password in Git - which is
diff --git a/docs/configuration/08-zenith.md b/docs/configuration/08-zenith.md
index 3410e6d5..6023dd89 100644
--- a/docs/configuration/08-zenith.md
+++ b/docs/configuration/08-zenith.md
@@ -18,7 +18,12 @@ zenith_registrar_subdomain_token_signing_key: ""
 
 !!! tip
 
 This key must be a long, random string - at least 32 bytes (256 bits) is required.
-A suitable key can be generated using `openssl rand -hex 32`.
+
+`azimuth-config` includes a utility for generating secrets for an environment:
+
+```sh
+./bin/generate-secrets [--force]
+```
 
 !!! danger
diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md
index fdf1914d..f7a327da 100644
--- a/docs/configuration/10-kubernetes-clusters.md
+++ b/docs/configuration/10-kubernetes-clusters.md
@@ -159,6 +159,14 @@ harbor_admin_password: ""
 harbor_secret_key: ""
 ```
 
+!!! tip
+
+`azimuth-config` includes a utility for generating secrets for an environment:
+
+```sh
+./bin/generate-secrets [--force]
+```
+
 !!! danger
 
 These values should be kept secret. If you want to keep them in Git - which is recommended -
diff --git a/docs/configuration/14-monitoring.md b/docs/configuration/14-monitoring.md
index b470498b..98dab58e 100644
--- a/docs/configuration/14-monitoring.md
+++ b/docs/configuration/14-monitoring.md
@@ -51,6 +51,14 @@ admin_dashboard_ingress_basic_auth_password: ""
 As such you should ensure that a strong password is used, and take care when sharing it.
 
+!!! tip
+
+`azimuth-config` includes a utility for generating secrets for an environment:
+
+```sh
+./bin/generate-secrets [--force]
+```
+
 !!! danger
 
 This password should be kept secret. If you want to keep the password in Git - which is
diff --git a/docs/developing/index.md b/docs/developing/index.md
index 2a6de917..de2b638b 100644
--- a/docs/developing/index.md
+++ b/docs/developing/index.md
@@ -70,6 +70,10 @@ export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml
 # with other deployments that use the dev environment
 source ./bin/activate dev jbloggs-dev
 
+# Generate secrets locally for the active environment, if required
+# DO NOT COMMIT THE GENERATED FILE TO GIT
+./bin/generate-secrets
+
 # Install Azimuth as usual
 ansible-galaxy install -f -r requirements.yml
 ansible-playbook azimuth_cloud.azimuth_ops.provision
diff --git a/docs/repository/index.md b/docs/repository/index.md
index 947fd001..1b73e8b0 100644
--- a/docs/repository/index.md
+++ b/docs/repository/index.md
@@ -54,7 +54,7 @@ to do this is to copy the `example` environment as a starting point:
 cp -r ./environments/example ./environments/my-site
 ```
 
-!!! tip
+!!! tip "Copy instead of rename"
 
 Copying the `example` environment, rather than just renaming it, avoids conflicts
 when synchronising changes from the `azimuth-config` repository where the `example`
@@ -62,6 +62,18 @@ cp -r ./environments/example ./environments/my-site
 
 Once you have your new environment, you can make the required changes for your site.
 
+!!! tip "Generating secrets"
+
+`azimuth-config` includes a utility that can be used to generate secrets for your
+environment:
+
+```sh
+./bin/generate-secrets --force my-site
+```
+
+`--force` is required because the `example` environment includes an example secrets
+file that we want to overwrite with the generated secrets.
+
 As you make changes to your environment, remember to commit and push them regularly:
 
 ```sh
diff --git a/docs/try.md b/docs/try.md
index c844223f..5c58a1cf 100644
--- a/docs/try.md
+++ b/docs/try.md
@@ -46,6 +46,10 @@ source ./bin/activate demo
 # Install Ansible dependencies
 ansible-galaxy install -f -r requirements.yml
 
+# Generate deployment secrets
+# N.B. for the demo environment, these are excluded from git using .gitignore
+./bin/generate-secrets
+
 # Deploy Azimuth
 ansible-playbook azimuth_cloud.azimuth_ops.provision
 ```
diff --git a/environments/demo/inventory/group_vars/all/variables.yml b/environments/demo/inventory/group_vars/all/variables.yml
index fe6fa3de..9665d0f9 100644
--- a/environments/demo/inventory/group_vars/all/variables.yml
+++ b/environments/demo/inventory/group_vars/all/variables.yml
@@ -54,12 +54,3 @@ azimuth_openstack_external_net_template: >-
 
 azimuth_openstack_verify_ssl: false
 azimuth_current_cloud_name: demo
-
-# Use secrets that are not really secret for ease
-admin_dashboard_ingress_basic_auth_password: admin
-harbor_admin_password: admin
-harbor_secret_key: abcdefghijklmnop
-keycloak_admin_password: admin
-coral_credits_admin_password: admin
-zenith_registrar_subdomain_token_signing_key: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AA
-azimuth_secret_key: 9876543210ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcda00