decrypt_tls_assets_script.go
package template
const DecryptTLSAssetsScript = `#!/bin/bash -e
set -o errexit
kms_tls_assets_decrypt() {
AWS_CLI_IMAGE="{{.RegistryDomain}}/giantswarm/awscli:1.18.3"
while ! docker pull ${AWS_CLI_IMAGE};
do
echo "Failed to fetch docker image ${AWS_CLI_IMAGE}, retrying in 5 sec."
sleep 5s
done
echo "Successfully fetched docker image ${AWS_CLI_IMAGE}."
while ! docker run --net=host -v /etc/kubernetes/ssl:/etc/kubernetes/ssl \
--entrypoint=/bin/sh \
${AWS_CLI_IMAGE} \
-ec \
'set -o errexit
echo decrypting tls assets
for encKey in $(find /etc/kubernetes/ssl -name "*.pem.enc"); do
echo decrypting $encKey
f=$(mktemp $encKeyb64.XXXXXXXX)
f2=$(mktemp $encKey.XXXXXXXX)
aws \
--region {{.AWSRegion}} kms decrypt \
--ciphertext-blob fileb://$encKey \
--output text \
--query Plaintext > $f
base64 -d $f > $f2
mv -f $f2 ${encKey%.enc}
done;'
do
echo "Failed to decrypt TLS assets, retrying in 5 sec."
sleep 5s
done
}
main() {
kms_tls_assets_decrypt
if [ -d "/etc/kubernetes/ssl/etcd" ]; then
chown -R etcd:etcd /etc/kubernetes/ssl/etcd
fi
}
main
`