Merge pull request #1417 from dsalaza4/main
refac(back): #1378 deprecate secrets for gpg
drestrepom authored Dec 19, 2024
2 parents addffc7 + 9a27d5a commit c341bbd
Showing 16 changed files with 10 additions and 493 deletions.
64 changes: 0 additions & 64 deletions .github/workflows/dev.yml
Expand Up @@ -55,22 +55,6 @@ jobs:
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_envVars_example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /envVars/example
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /envVars/example"
macos_envVars_example:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /envVars/example
run: nix-env -if . && m . /envVars/example

linux_formatBash:
runs-on: ubuntu-latest
steps:
Expand Down Expand Up @@ -244,38 +228,6 @@ jobs:
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /lintWithAjv/test"

linux_secretsForEnvFromSops_example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /secretsForEnvFromSops/example
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForEnvFromSops/example"
macos_secretsForEnvFromSops_example:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /secretsForEnvFromSops/example
run: nix-env -if . && m . /secretsForEnvFromSops/example

linux_secretsForGpgFromEnv_example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /secretsForGpgFromEnv/example
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForGpgFromEnv/example"
macos_secretsForGpgFromEnv_example:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /secretsForGpgFromEnv/example
run: nix-env -if . && m . /secretsForGpgFromEnv/example

linux_testLicense:
runs-on: ubuntu-latest
steps:
Expand Down Expand Up @@ -340,22 +292,6 @@ jobs:
- name: /tests/makeScript
run: nix-env -if . && m . /tests/makeScript

linux_tests_secretsForGpgFromEnv:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /tests/secretsForGpgFromEnv
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /tests/secretsForGpgFromEnv"
macos_tests_secretsForGpgFromEnv:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /tests/secretsForGpgFromEnv
run: nix-env -if . && m . /tests/secretsForGpgFromEnv

linux_testTerraform_module:
runs-on: ubuntu-latest
steps:
80 changes: 0 additions & 80 deletions .github/workflows/prod.yml
Expand Up @@ -133,26 +133,6 @@ jobs:
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_envVars_example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /envVars/example
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /envVars/example"
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
macos_envVars_example:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /envVars/example
run: nix-env -if . && m . /envVars/example
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_formatBash:
runs-on: ubuntu-latest
steps:
Expand Down Expand Up @@ -368,46 +348,6 @@ jobs:
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_secretsForEnvFromSops_example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /secretsForEnvFromSops/example
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForEnvFromSops/example"
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
macos_secretsForEnvFromSops_example:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /secretsForEnvFromSops/example
run: nix-env -if . && m . /secretsForEnvFromSops/example
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_secretsForGpgFromEnv_example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /secretsForGpgFromEnv/example
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /secretsForGpgFromEnv/example"
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
macos_secretsForGpgFromEnv_example:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /secretsForGpgFromEnv/example
run: nix-env -if . && m . /secretsForGpgFromEnv/example
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_testLicense:
runs-on: ubuntu-latest
steps:
Expand Down Expand Up @@ -484,26 +424,6 @@ jobs:
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_tests_secretsForGpgFromEnv:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: docker://docker.io/nixos/nix@sha256:c3db4c484f6b1ee6c9bb8ca90307cfbeca8ef88156840911356a677eeaff4845
name: /tests/secretsForGpgFromEnv
with:
args: sh -c "chown -R root:root /github/workspace && nix-env -if . && m . /tests/secretsForGpgFromEnv"
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
macos_tests_secretsForGpgFromEnv:
runs-on: macos-latest
steps:
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
- name: /tests/secretsForGpgFromEnv
run: nix-env -if . && m . /tests/secretsForGpgFromEnv
env:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}

linux_testTerraform_module:
runs-on: ubuntu-latest
steps:
84 changes: 0 additions & 84 deletions docs/src/api/builtins/secrets.md
Expand Up @@ -192,90 +192,6 @@ Example:
}
```

## secretsForGpgFromEnv

Load GPG public or private keys
from environment variables
into an ephemeral key-ring.

Each key content must be stored
in a environment variable
in [ASCII Armor](https://www.techopedia.com/definition/23150/ascii-armor) format.

Types:

- secretsForGpgFromEnv (`attrsOf (listOf str)`): Optional.
Mapping of name
to a list of environment variable names
where the GPG key contents are stored.
Defaults to `{ }`.

Example:

=== "secrets.yaml"

```yaml
# /path/to/my/project/secrets.yaml
password: ENC[AES256_GCM,data:cLbgzNHgBN5drfsDAS+RTV5fL6I=,iv:2YHhHxKg+lbGqdB5nhhG2YemeKB6XWvthGfNNkVgytQ=,tag:cj/el3taq1w7UOp/JQSNwA==,type:str]
# ...
```

=== "makes.nix"

```nix
# /path/to/my/project/makes.nix
{
outputs,
...
}: {
# Load keys into an ephemeral GPG keyring
secretsForGpgFromEnv = {
example = [
"ENV_VAR_FOR_PRIVATE_KEY_CONTENT"
"ENV_VAR_FOR_PUB_KEY_CONTENT"
];
};
# Use sops to decrypt an encrypted file
secretsForEnvFromSops = {
example = {
manifest = "/secrets.yaml";
vars = [ "password" ];
};
};
}
```

=== "main.nix"

```nix
# /path/to/my/project/makes/example/main.nix
{
makeScript,
outputs,
...
}:
makeScript {
name = "example";
searchPaths.source = [
# First setup an ephemeral GPG keyring
outputs."/secretsForGpgFromEnv/example"
# Now sops will decrypt secrets using the GPG keys in the ring
outputs."/secretsForEnvFromSops/example"
];
entrypoint = ''
echo Decrypted password: $password
'';
}
```

=== "Invocation"

```bash
$ m . /example

Decrypted password: 123
```

## secretsForTerraformFromEnv

Export secrets in a format suitable for Terraform
3 changes: 1 addition & 2 deletions docs/src/security/threat-model.md
Expand Up @@ -118,8 +118,7 @@
For example:
`secretsForAwsFromEnv`,
`secretsForAwsFromGitlab`,
`secretsForEnvFromSops`,
`secretsForGpgFromEnv`, and
`secretsForEnvFromSops`, and
`secretsForTerraformFromEnv`.
However, we don't currently have a way to protect the user
2 changes: 0 additions & 2 deletions src/args/agnostic.nix
Expand Up @@ -80,8 +80,6 @@ let
import ./make-secret-for-aws-from-gitlab/default.nix self;
makeSecretForEnvFromSops =
import ./make-secret-for-env-from-sops/default.nix self;
makeSecretForGpgFromEnv =
import ./make-secret-for-gpg-from-env/default.nix self;
makeSecretForKubernetesConfigFromAws =
import ./make-secret-for-kubernetes-config-from-aws/default.nix self;
makeSecretForNomadFromEnv =
11 changes: 0 additions & 11 deletions src/args/make-secret-for-gpg-from-env/default.nix

This file was deleted.

18 changes: 0 additions & 18 deletions src/args/make-secret-for-gpg-from-env/template.sh

This file was deleted.

1 change: 0 additions & 1 deletion src/evaluator/modules/default.nix
Expand Up @@ -27,7 +27,6 @@
(import ./secrets-for-aws-from-env/default.nix args)
(import ./secrets-for-aws-from-gitlab/default.nix args)
(import ./secrets-for-env-from-sops/default.nix args)
(import ./secrets-for-gpg-from-env/default.nix args)
(import ./secrets-for-terraform-from-env/default.nix args)
(import ./test-license/default.nix args)
(import ./test-terraform/default.nix args)
22 changes: 0 additions & 22 deletions src/evaluator/modules/secrets-for-gpg-from-env/default.nix

This file was deleted.

2 changes: 0 additions & 2 deletions tests/makes.nix
Expand Up @@ -8,8 +8,6 @@
./makeSearchPaths/makes.nix
./makeTemplate/makes.nix
./pipelines/makes.nix
./secretsForEnvFromSops/makes.nix
./secretsForGpgFromEnv/makes.nix
./terraform/makes.nix
];
}
8 changes: 0 additions & 8 deletions tests/secretsForEnvFromSops/makes.nix

This file was deleted.

20 changes: 0 additions & 20 deletions tests/secretsForGpgFromEnv/makes.nix

This file was deleted.
