From 3c4dd4294b1526e73cb051598e2e015e9dfc4c6f Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Thu, 1 Aug 2024 15:06:21 +0100 Subject: [PATCH] fix: handle encrypted `.yml` files correctly Before `.yml` files were being grouped together with all other vaulted files. This is wrong as these `.yml` files need to be used by Ansible as files that contain variables. Therefore, this change aims to split all encrypted files based on `.yml` extension or not. Also it has been identified that with this approach of find all vaulted files we are unintentionally pickup files from `ci-multinode` and other environments which can not be decrypted using client vault password. --- scripts/config-diff.sh | 60 +++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 36 deletions(-) diff --git a/scripts/config-diff.sh b/scripts/config-diff.sh index 8da8502..562a284 100755 --- a/scripts/config-diff.sh +++ b/scripts/config-diff.sh @@ -30,15 +30,6 @@ function pre_config_init { } function post_config_init { - KAYOBE_CONFIG_SECRET_PATHS_DEFAULT=( - "etc/kayobe/kolla/passwords.yml" - "etc/kayobe/secrets.yml" - "etc/kayobe/environments/$KAYOBE_ENVIRONMENT/secrets.yml" - "etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla/passwords.yml" - ${KAYOBE_CONFIG_SECRET_PATHS_EXTRA[@]} - ) - KAYOBE_CONFIG_SECRET_PATHS=("${KAYOBE_CONFIG_SECRET_PATHS[@]:-${KAYOBE_CONFIG_SECRET_PATHS_DEFAULT[@]}}") - find_redacted_files "/stack/kayobe-automation-env/src/kayobe-config/etc/kayobe" # Some values are currently determined dynamically from container versions @@ -51,43 +42,40 @@ function post_config_init { function find_redacted_files { KAYOBE_CONFIG_VAULTED_FILES_PATHS=() + KAYOBE_CONFIG_SECRET_PATHS=() local directory="$1" - echo $directory + # Define forbidden paths patterns + KAYOBE_CONFIG_FORBIDDEN_ENVIRONMENTS=( + "aufn-ceph" + "ci-aio" + "ci-builder" + "ci-multinode") # Search for vaulted files recursively in the directory while IFS= read -r -d '' file; do - if grep -q "ANSIBLE_VAULT;1" "$file"; then + # Check if the file path contains any forbidden path patterns + local ignore_file=false + for pattern in "${KAYOBE_CONFIG_FORBIDDEN_ENVIRONMENTS[@]}"; do + if [[ "$file" == *"environments/${pattern}"* ]]; then + ignore_file=true + break + fi + done + # Continue to the next file if this one should be ignored + if [ "$ignore_file" = true ]; then + continue + fi + if head -n 1 "$file" | grep -q "ANSIBLE_VAULT;1"; then truncated_path="${file#"$directory/"}" vaulted_file="etc/kayobe/$truncated_path" - if ! [[ "${KAYOBE_CONFIG_SECRET_PATHS_DEFAULT[*]}" =~ "$vaulted_file" ]]; then - KAYOBE_CONFIG_VAULTED_FILES_PATHS+=("etc/kayobe/$truncated_path") + if [[ "$vaulted_file" == *.yml ]]; then + KAYOBE_CONFIG_SECRET_PATHS+=("etc/kayobe/$truncated_path") + else + KAYOBE_CONFIG_VAULTED_FILES_PATHS+=("etc/kayobe/$truncated_path") fi fi done < <(find "$directory" -type f -print0) - echo ${KAYOBE_CONFIG_VAULTED_FILES_PATHS[*]} -} - -function redact_file { - if [ ! -z ${ANSIBLE_VERBOSITY:+x} ]; then - _ANSIBLE_VERBOSITY=$ANSIBLE_VERBOSITY - fi - unset ANSIBLE_VERBOSITY - if [ ! -f "$1" ]; then - log_info "Skipping redaction of: $1" - return - fi - log_info Redacting $1 with reference ${2:-None} - export KAYOBE_AUTOMATION_VAULT_PASSWORD="$KAYOBE_VAULT_PASSWORD" - if [ "$2" != "" ] && [ -e "$2" ]; then - $KAYOBE_AUTOMATION_UTILS_PATH/kayobe-automation-redact <($ANSIBLE_VAULT view --vault-password-file $KAYOBE_AUTOMATION_UTILS_PATH/kayobe-automation-vault-helper $1) <($ANSIBLE_VAULT view --vault-password-file $KAYOBE_AUTOMATION_UTILS_PATH/kayobe-automation-vault-helper $2) >$1.redact - else - $KAYOBE_AUTOMATION_UTILS_PATH/kayobe-automation-redact <($ANSIBLE_VAULT view --vault-password-file $KAYOBE_AUTOMATION_UTILS_PATH/kayobe-automation-vault-helper $1) >$1.redact - fi - mv $1.redact $1 - if [ ! -z ${_ANSIBLE_VERBOSITY:+x} ]; then - export ANSIBLE_VERBOSITY=$_ANSIBLE_VERBOSITY - fi } function encrypt_file {