update bin/secrets.sh to aid in creating fresh environments with fres… #428

Merged
jschaul merged 4 commits into develop from secrets-generation
Mar 2, 2021
@jschaul jschaul commented Feb 25, 2021

…h secrets

Motivation: as I was creating new environments, I needed to create fresh secrets for them, and add them to a secrets.yaml file. This is currently a tedious process involving copy-pasting the right bits of string to the rightly-indented json.

If this PR is accepted, FUTUREWORK could be to A) add the existence of this script to docs.wire.com and B) we could make it even easier by providing a docker image containing zauth, openssl, and htpasswd.


mkdir -p "$OUTPUT_DIR"

zrest="${OUTPUT_DIR}/restund_zrest_secret.txt"
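
Review bot: `mkdir -p "$OUTPUT_DIR"` creates the output directory with whatever the caller's umask allows, and the next line places `restund_zrest_secret.txt` inside it; nothing in the lines shown here restricts access. Setting `umask 077` before the `mkdir`, or running `chmod 700 "$OUTPUT_DIR"` right after it, would keep the generated secret files unreadable to other local users. It would also be worth checking that the output directory is covered by .gitignore so the .txt files are not committed by accident.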

@arianvp arianvp Feb 26, 2021

Great minds think alike. I actually wrote the exact same script yesterday 8f9683f

:)

However, I removed the writing to .txt files; I wrote the secrets directly to the ansible inventory instead (through a group_vars file).

Perhaps that's also something we want to do here? Then you don't have to copy the secrets into your ansible inventory manually.

Member Author

Ah well we could have saved some time by not doing that concurrently. Oh well :)

I took your ansible-inventory-generating code from the linked commit and added it here. Thanks! I also took the ZAUTH_CONTAINER idea and integrated it here.

As for the question of saving to text file: well, this PR also adds a basicAuth secret, which needs to be shared via group password manager and is neither used by helm nor by ansible. So at least that one needs its own file. Storing individual secrets in a file makes it easier to re-generate something or change the script. Do you think it's necessary/better to remove the writing-one-secret-to-file?

@arianvp arianvp left a comment

This looks good! Would you want to add openssl and apacheHttpd to the default.nix file? This will make htpasswd and openssl CLI available for people with direnv and for people using the wire-server-deploy docker container (e.g. in offline deploys).

jschaul commented Mar 2, 2021

> This looks good! Would you want to add openssl and apacheHttpd to the default.nix file? This will make htpasswd and openssl CLI available for people with direnv and for people using the wire-server-deploy docker container (e.g. in offline deploys).

Will do in a follow-up PR!

@jschaul jschaul merged commit 7599ee8 into develop Mar 2, 2021
@jschaul jschaul deleted the secrets-generation branch March 2, 2021 15:45