From 8d0a7a806da952adccca51b0a806a4c28732ea90 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Sun, 25 Dec 2022 21:03:16 +0100 Subject: New secretmgr --- cluster/staging/app/convertsecrets | 1 + cluster/staging/app/core/secrets.toml | 4 ++ cluster/staging/app/core/secrets/d53/gandi_api_key | 1 - cluster/staging/app/directory/secrets.toml | 48 ++++++++++++++++++++++ .../secrets/directory/guichet/mail_domain | 1 - .../directory/secrets/directory/guichet/mail_from | 1 - .../secrets/directory/guichet/s3_access_key | 1 - .../directory/secrets/directory/guichet/s3_bucket | 1 - .../secrets/directory/guichet/s3_endpoint | 1 - .../directory/secrets/directory/guichet/s3_region | 1 - .../secrets/directory/guichet/s3_secret_key | 1 - .../directory/secrets/directory/guichet/smtp_pass | 1 - .../secrets/directory/guichet/smtp_server | 1 - .../directory/secrets/directory/guichet/smtp_user | 1 - .../secrets/directory/guichet/web_hostname | 1 - .../app/directory/secrets/directory/ldap_base_dn | 1 - cluster/staging/app/dummy/secrets.toml | 36 ++++++++++++++++ cluster/staging/app/garage/secrets.toml | 15 +++++++ .../app/garage/secrets/garage-staging/admin_token | 1 - .../garage/secrets/garage-staging/metrics_token | 1 - .../app/garage/secrets/garage-staging/rpc_secret | 1 - cluster/staging/app/im/secrets.toml | 27 ++++++++++++ cluster/staging/app/im/secrets/synapse/form_secret | 1 - .../app/im/secrets/synapse/macaroon_secret_key | 1 - .../im/secrets/synapse/registration_shared_secret | 1 - .../staging/app/im/secrets/synapse/s3_access_key | 1 - .../staging/app/im/secrets/synapse/s3_secret_key | 1 - cluster/staging/app/im/secrets/synapse/signing_key | 1 - cluster/staging/app/telemetry/secrets.toml | 13 ++++++ .../secrets/telemetry/grafana/admin_password | 1 - .../secrets/telemetry/grafana/s3_access_key | 1 - .../secrets/telemetry/grafana/s3_secret_key | 1 - cluster/staging/secretmgr.toml | 9 ++++ 33 files changed, 153 insertions(+), 25 deletions(-) create mode 120000 cluster/staging/app/convertsecrets create mode 100644 cluster/staging/app/core/secrets.toml delete mode 100644 cluster/staging/app/core/secrets/d53/gandi_api_key create mode 100644 cluster/staging/app/directory/secrets.toml delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/mail_domain delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/mail_from delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/s3_access_key delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/s3_bucket delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/s3_region delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/smtp_pass delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/smtp_server delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/smtp_user delete mode 100644 cluster/staging/app/directory/secrets/directory/guichet/web_hostname delete mode 100644 cluster/staging/app/directory/secrets/directory/ldap_base_dn create mode 100644 cluster/staging/app/dummy/secrets.toml create mode 100644 cluster/staging/app/garage/secrets.toml delete mode 100644 cluster/staging/app/garage/secrets/garage-staging/admin_token delete mode 100644 cluster/staging/app/garage/secrets/garage-staging/metrics_token delete mode 100644 cluster/staging/app/garage/secrets/garage-staging/rpc_secret create mode 100644 cluster/staging/app/im/secrets.toml delete mode 100644 cluster/staging/app/im/secrets/synapse/form_secret delete mode 100644 cluster/staging/app/im/secrets/synapse/macaroon_secret_key delete mode 100644 cluster/staging/app/im/secrets/synapse/registration_shared_secret delete mode 100644 cluster/staging/app/im/secrets/synapse/s3_access_key delete mode 100644 cluster/staging/app/im/secrets/synapse/s3_secret_key delete mode 100644 cluster/staging/app/im/secrets/synapse/signing_key create mode 100644 cluster/staging/app/telemetry/secrets.toml delete mode 100644 cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password delete mode 100644 cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key delete mode 100644 cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key create mode 100644 cluster/staging/secretmgr.toml (limited to 'cluster') diff --git a/cluster/staging/app/convertsecrets b/cluster/staging/app/convertsecrets new file mode 120000 index 0000000..3e30b0f --- /dev/null +++ b/cluster/staging/app/convertsecrets @@ -0,0 +1 @@ +../../../secretmgr/convertsecrets \ No newline at end of file diff --git a/cluster/staging/app/core/secrets.toml b/cluster/staging/app/core/secrets.toml new file mode 100644 index 0000000..8da8561 --- /dev/null +++ b/cluster/staging/app/core/secrets.toml @@ -0,0 +1,4 @@ +[secrets."d53/gandi_api_key"] +type = 'user' +description = 'Gandi API key' + diff --git a/cluster/staging/app/core/secrets/d53/gandi_api_key b/cluster/staging/app/core/secrets/d53/gandi_api_key deleted file mode 100644 index b3936c9..0000000 --- a/cluster/staging/app/core/secrets/d53/gandi_api_key +++ /dev/null @@ -1 +0,0 @@ -USER Gandi API key diff --git a/cluster/staging/app/directory/secrets.toml b/cluster/staging/app/directory/secrets.toml new file mode 100644 index 0000000..0ebd77f --- /dev/null +++ b/cluster/staging/app/directory/secrets.toml @@ -0,0 +1,48 @@ +[secrets."directory/ldap_base_dn"] +type = 'user' +description = 'LDAP base DN for everything (e.g. dc=example,dc=com)' + +[secrets."directory/guichet/smtp_user"] +type = 'user' +description = 'SMTP username' + +[secrets."directory/guichet/s3_access_key"] +type = 'user' +description = 'Garage access key for Guichet profile pictures' + +[secrets."directory/guichet/s3_endpoint"] +type = 'user' +description = 'S3 endpoint URL' + +[secrets."directory/guichet/s3_region"] +type = 'user' +description = 'S3 region' + +[secrets."directory/guichet/smtp_pass"] +type = 'user' +description = 'SMTP password' + +[secrets."directory/guichet/web_hostname"] +type = 'user' +description = 'Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com)' + +[secrets."directory/guichet/s3_bucket"] +type = 'user' +description = 'S3 bucket in which to store data files (such as profile pictures)' + +[secrets."directory/guichet/smtp_server"] +type = 'user' +description = 'SMTP server address (hostname:port)' + +[secrets."directory/guichet/s3_secret_key"] +type = 'user' +description = 'Garage secret key for Guichet profile pictures' + +[secrets."directory/guichet/mail_from"] +type = 'user' +description = 'E-mail address from which to send welcome emails to new users' + +[secrets."directory/guichet/mail_domain"] +type = 'user' +description = 'E-mail domain for new users (e.g. example.com)' + diff --git a/cluster/staging/app/directory/secrets/directory/guichet/mail_domain b/cluster/staging/app/directory/secrets/directory/guichet/mail_domain deleted file mode 100644 index 5db1ba3..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/mail_domain +++ /dev/null @@ -1 +0,0 @@ -USER E-mail domain for new users (e.g. example.com) diff --git a/cluster/staging/app/directory/secrets/directory/guichet/mail_from b/cluster/staging/app/directory/secrets/directory/guichet/mail_from deleted file mode 100644 index 9075cbf..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/mail_from +++ /dev/null @@ -1 +0,0 @@ -USER E-mail address from which to send welcome emails to new users diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key deleted file mode 100644 index e5b37ff..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key +++ /dev/null @@ -1 +0,0 @@ -USER Garage access key for Guichet profile pictures diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket b/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket deleted file mode 100644 index cb059cf..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket +++ /dev/null @@ -1 +0,0 @@ -USER S3 bucket in which to store data files (such as profile pictures) diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint b/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint deleted file mode 100644 index b414269..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint +++ /dev/null @@ -1 +0,0 @@ -USER S3 endpoint URL diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_region b/cluster/staging/app/directory/secrets/directory/guichet/s3_region deleted file mode 100644 index ef16924..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/s3_region +++ /dev/null @@ -1 +0,0 @@ -USER S3 region diff --git a/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key deleted file mode 100644 index f3e7f0f..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key +++ /dev/null @@ -1 +0,0 @@ -USER Garage secret key for Guichet profile pictures diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass b/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass deleted file mode 100644 index fc9d1e3..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass +++ /dev/null @@ -1 +0,0 @@ -USER SMTP password diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_server b/cluster/staging/app/directory/secrets/directory/guichet/smtp_server deleted file mode 100644 index c453935..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_server +++ /dev/null @@ -1 +0,0 @@ -USER SMTP server address (hostname:port) diff --git a/cluster/staging/app/directory/secrets/directory/guichet/smtp_user b/cluster/staging/app/directory/secrets/directory/guichet/smtp_user deleted file mode 100644 index c9c8bd0..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/smtp_user +++ /dev/null @@ -1 +0,0 @@ -USER SMTP username diff --git a/cluster/staging/app/directory/secrets/directory/guichet/web_hostname b/cluster/staging/app/directory/secrets/directory/guichet/web_hostname deleted file mode 100644 index afe2512..0000000 --- a/cluster/staging/app/directory/secrets/directory/guichet/web_hostname +++ /dev/null @@ -1 +0,0 @@ -USER Public hostname from which Guichet is accessible via HTTP (e.g. guichet.example.com) diff --git a/cluster/staging/app/directory/secrets/directory/ldap_base_dn b/cluster/staging/app/directory/secrets/directory/ldap_base_dn deleted file mode 100644 index ea5c7ae..0000000 --- a/cluster/staging/app/directory/secrets/directory/ldap_base_dn +++ /dev/null @@ -1 +0,0 @@ -USER LDAP base DN for everything (e.g. dc=example,dc=com) diff --git a/cluster/staging/app/dummy/secrets.toml b/cluster/staging/app/dummy/secrets.toml new file mode 100644 index 0000000..378ec46 --- /dev/null +++ b/cluster/staging/app/dummy/secrets.toml @@ -0,0 +1,36 @@ +[service_users."dummy"] +description = 'Service user for dummy database access' +username_secret = "dummy/db_username" +password_secret = "dummy/db_password" +rotate_password = true + +[secrets."dummy/s3_access_key"] +type = 'user' +description = 'S3 access key ID for database storage' + +[secrets."dummy/s3_secret_key"] +description = 'S3 secret key for database storage' +type = 'user' + +[secrets."dummy/public_domain"] +description = 'Publicly accessible domain for dummy resource' +type = 'user' + +[secrets."dummy/form_secret"] +description = 'Form secret for dummy web pages' +type = 'command' +command = 'openssl rand -base64 42' +rotate = true + +[secrets."dummy/signing_key"] +description = 'Key to use to sign dummy service data' +type = 'command' +command = 'openssl rand -base64 42' + +[secrets."dummy/rpc_secret"] +description = 'RPC secret for communication between dummy nodes' +type = 'command' +command = 'openssl rand -base64 42' +rotate = true + + diff --git a/cluster/staging/app/garage/secrets.toml b/cluster/staging/app/garage/secrets.toml new file mode 100644 index 0000000..26ecd5e --- /dev/null +++ b/cluster/staging/app/garage/secrets.toml @@ -0,0 +1,15 @@ +[secrets."garage-staging/admin_token"] +type = 'command' +rotate = true +command = 'openssl rand -hex 32' + +[secrets."garage-staging/rpc_secret"] +type = 'command' +rotate = true +command = 'openssl rand -hex 32' + +[secrets."garage-staging/metrics_token"] +type = 'command' +rotate = true +command = 'openssl rand -hex 32' + diff --git a/cluster/staging/app/garage/secrets/garage-staging/admin_token b/cluster/staging/app/garage/secrets/garage-staging/admin_token deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/staging/app/garage/secrets/garage-staging/admin_token +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/staging/app/garage/secrets/garage-staging/metrics_token b/cluster/staging/app/garage/secrets/garage-staging/metrics_token deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/staging/app/garage/secrets/garage-staging/metrics_token +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret b/cluster/staging/app/garage/secrets/garage-staging/rpc_secret deleted file mode 100644 index 5fa4e3c..0000000 --- a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -hex 32 diff --git a/cluster/staging/app/im/secrets.toml b/cluster/staging/app/im/secrets.toml new file mode 100644 index 0000000..7acad55 --- /dev/null +++ b/cluster/staging/app/im/secrets.toml @@ -0,0 +1,27 @@ +[secrets."synapse/s3_access_key"] +type = 'user' +description = 'S3 access key ID for database storage' + +[secrets."synapse/form_secret"] +type = 'command' +rotate = true +command = 'openssl rand -base64 42' + +[secrets."synapse/signing_key"] +type = 'user' +description = 'Signing key for messages' + +[secrets."synapse/macaroon_secret_key"] +type = 'command' +rotate = true +command = 'openssl rand -base64 42' + +[secrets."synapse/registration_shared_secret"] +type = 'command' +rotate = true +command = 'openssl rand -base64 42' + +[secrets."synapse/s3_secret_key"] +type = 'user' +description = 'S3 secret key for database storage' + diff --git a/cluster/staging/app/im/secrets/synapse/form_secret b/cluster/staging/app/im/secrets/synapse/form_secret deleted file mode 100644 index f601137..0000000 --- a/cluster/staging/app/im/secrets/synapse/form_secret +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 42 diff --git a/cluster/staging/app/im/secrets/synapse/macaroon_secret_key b/cluster/staging/app/im/secrets/synapse/macaroon_secret_key deleted file mode 100644 index f601137..0000000 --- a/cluster/staging/app/im/secrets/synapse/macaroon_secret_key +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 42 diff --git a/cluster/staging/app/im/secrets/synapse/registration_shared_secret b/cluster/staging/app/im/secrets/synapse/registration_shared_secret deleted file mode 100644 index f601137..0000000 --- a/cluster/staging/app/im/secrets/synapse/registration_shared_secret +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 42 diff --git a/cluster/staging/app/im/secrets/synapse/s3_access_key b/cluster/staging/app/im/secrets/synapse/s3_access_key deleted file mode 100644 index 692dc34..0000000 --- a/cluster/staging/app/im/secrets/synapse/s3_access_key +++ /dev/null @@ -1 +0,0 @@ -USER S3 access key ID for database storage diff --git a/cluster/staging/app/im/secrets/synapse/s3_secret_key b/cluster/staging/app/im/secrets/synapse/s3_secret_key deleted file mode 100644 index 8bef13c..0000000 --- a/cluster/staging/app/im/secrets/synapse/s3_secret_key +++ /dev/null @@ -1 +0,0 @@ -USER S3 secret key for database storage diff --git a/cluster/staging/app/im/secrets/synapse/signing_key b/cluster/staging/app/im/secrets/synapse/signing_key deleted file mode 100644 index 6821360..0000000 --- a/cluster/staging/app/im/secrets/synapse/signing_key +++ /dev/null @@ -1 +0,0 @@ -USER Signing key for messages diff --git a/cluster/staging/app/telemetry/secrets.toml b/cluster/staging/app/telemetry/secrets.toml new file mode 100644 index 0000000..56df97d --- /dev/null +++ b/cluster/staging/app/telemetry/secrets.toml @@ -0,0 +1,13 @@ +[secrets."telemetry/grafana/s3_access_key"] +type = 'user' +description = 'S3 access key for grafana db' + +[secrets."telemetry/grafana/admin_password"] +type = 'command' +rotate = true +command = 'openssl rand -base64 12' + +[secrets."telemetry/grafana/s3_secret_key"] +type = 'user' +description = 'S3 secret key for grafana db' + diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password b/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password deleted file mode 100644 index 2f36e97..0000000 --- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/admin_password +++ /dev/null @@ -1 +0,0 @@ -CMD openssl rand -base64 12 diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key b/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key deleted file mode 100644 index c7e41a4..0000000 --- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_access_key +++ /dev/null @@ -1 +0,0 @@ -USER S3 access key for grafana db diff --git a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key b/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key deleted file mode 100644 index 051f41a..0000000 --- a/cluster/staging/app/telemetry/secrets/telemetry/grafana/s3_secret_key +++ /dev/null @@ -1 +0,0 @@ -USER S3 secret key for grafana db diff --git a/cluster/staging/secretmgr.toml b/cluster/staging/secretmgr.toml new file mode 100644 index 0000000..cbaa6f6 --- /dev/null +++ b/cluster/staging/secretmgr.toml @@ -0,0 +1,9 @@ +[ldap] +server = "ldap://localhost:1389" +service_dn_suffix = "ou=services,ou=users,dc=staging,dc=deuxfleurs,dc=org" +admin_dn = "cn=admin,dc=staging,dc=deuxfleurs,dc=org" +admin_password_secret = "directory/admin_password" + +[constants] +"dummy/public_domain" = "dummy.staging.deuxfleurs.org" +"dummy/test_constant" = "test value" -- cgit v1.2.3