Utility for generating secrets for an environment (azimuth-cloud#191)

* Add utility for generating secrets for an environment

* Add documentation for generating secrets

Author: Matt Pryor

.github/actions/setup/action.yml

@@ -107,6 +107,14 @@ runs:
         source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
         ansible-galaxy install -f -r requirements.yml
 
+    - name: Generate secrets for environment
+      shell: bash
+      run: |
+        set -e
+        source ci.env
+        source ./bin/activate "$AZIMUTH_CONFIG_ENVIRONMENT" "$AZIMUTH_ENVIRONMENT"
+        ./bin/generate-secrets
+
     # Generate and append the S3 credential to the CI environment file
     - name: Configure S3 lock
       id: s3-lock-config

.gitignore

@@ -5,3 +5,6 @@
 .python-version
 /clouds.yaml*
 tilt-settings.yaml
+# Ignore generated secrets in demo and CI environments
+environments/demo/inventory/group_vars/all/secrets.yml
+.github/environments/**/secrets.yml

bin/generate-secrets

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+#####
+## This script generates a secrets file for an environment.
+##
+## The environment can either be given as an argument or activated.
+#####
+
+set -eo pipefail
+
+
+# Parse the command line arguments
+# The environment defaults to the active environment, if set
+COMMAND_ENVIRONMENT="${AZIMUTH_CONFIG_ENVIRONMENT:-""}"
+FORCE_OVERWRITE=
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -f|--force)
+            FORCE_OVERWRITE="yes"
+            shift
+            ;;
+        *)
+            COMMAND_ENVIRONMENT="$1"
+            shift
+            ;;
+    esac
+done
+
+# If the environment is unknown at this point, bail
+if [ -z "$COMMAND_ENVIRONMENT" ]; then
+    echo "Target environment must either be specified as an argument or activated" >&2
+    exit 1
+fi
+
+# Work out where the secrets file for the specified environment lives
+CONFIG_ROOT="$(dirname $(dirname $(realpath ${BASH_SOURCE[0]:-${(%):-%x}})))"
+# We check environments and .github/environments, as in activate
+if [ -d "$CONFIG_ROOT/environments/$COMMAND_ENVIRONMENT" ]; then
+  CONFIG_ENVIRONMENT_ROOT="$CONFIG_ROOT/environments/$COMMAND_ENVIRONMENT"
+elif [ -d "$CONFIG_ROOT/.github/environments/$COMMAND_ENVIRONMENT" ]; then
+  CONFIG_ENVIRONMENT_ROOT="$CONFIG_ROOT/.github/environments/$COMMAND_ENVIRONMENT"
+else
+  echo "Unrecognised config environment '$COMMAND_ENVIRONMENT'" >&2
+  exit 1
+fi
+SECRETS_FILE="$CONFIG_ENVIRONMENT_ROOT/inventory/group_vars/all/secrets.yml"
+echo "Writing secrets to $SECRETS_FILE"
+
+# If the secrets file already exists, do not overwrite it unless explicitly requested
+if [ -f "$SECRETS_FILE" ]; then
+    if [ "$FORCE_OVERWRITE" = "yes" ]; then
+        echo "$SECRETS_FILE already exists - overwriting"
+    else
+        echo "$SECRETS_FILE already exists - will not overwrite" >&2
+        exit 1
+    fi
+fi
+
+# Write the secrets file, making sure the directory exists first
+mkdir -p "$(dirname $SECRETS_FILE)"
+cat <<EOF > $SECRETS_FILE
+#####
+# This file contains secrets for the $COMMAND_ENVIRONMENT environment
+#
+# It should be encrypted if stored in version control
+# https://azimuth-config.readthedocs.io/en/stable/repository/secrets/
+#####
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/05-secret-key/
+# The secret key for signing Azimuth cookies
+azimuth_secret_key: "$(openssl rand -hex 32)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/07-platform-identity/#keycloak-admin-password
+# The admin password for the Keycloak master realm
+keycloak_admin_password: "$(openssl rand -hex 16)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/08-zenith/
+# The secret key for signing Zenith registrar tokens
+zenith_registrar_subdomain_token_signing_key: "$(openssl rand -hex 32)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/10-kubernetes-clusters/#harbor-registry
+# The password for the Harbor admin account
+harbor_admin_password: "$(openssl rand -hex 16)"
+# The secret key for Harbor
+harbor_secret_key: "$(openssl rand -hex 8)"
+
+# https://azimuth-config.readthedocs.io/en/stable/configuration/14-monitoring/#accessing-web-interfaces
+# The admin password for Azimuth administrative dashboards
+admin_dashboard_ingress_basic_auth_password: "$(openssl rand -hex 16)"
+EOF

bin/kube-connect

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
 #####
-## This script uses Tilt (tilt.dev) to allow easier code development on the
-## currently activated environment
+## This script allows access to the Azimuth Kubernetes cluster from the machine
+## where the script is executed by using a SOCKS proxy
 #####
 
 set -eo pipefail

docs/configuration/05-secret-key.md

@@ -9,7 +9,12 @@ azimuth_secret_key: "<some secret key>"
 !!! tip
 
     This key should be a long, random string - at least 32 bytes (256 bits) is recommended.
-    A suitable key can be generated using `openssl rand -hex 32`.
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
 
 !!! danger
 

docs/configuration/07-platform-identity.md

@@ -79,6 +79,14 @@ The only required configuration for platform identity is to set the admin passwo
 keycloak_admin_password: "<secure password>"
 ```
 
+!!! tip
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
+
 !!! danger
 
     This password should be kept secret. If you want to keep the password in Git - which is

docs/configuration/08-zenith.md

@@ -18,7 +18,12 @@ zenith_registrar_subdomain_token_signing_key: "<some secret key>"
 !!! tip
 
     This key must be a long, random string - at least 32 bytes (256 bits) is required.
-    A suitable key can be generated using `openssl rand -hex 32`.
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
 
 !!! danger
 

docs/configuration/10-kubernetes-clusters.md

@@ -159,6 +159,14 @@ harbor_admin_password: "<secure password>"
 harbor_secret_key: "<secure secret key>"
 ```
 
+!!! tip
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
+
 !!! danger
 
     These values should be kept secret. If you want to keep them in Git - which is recommended -

docs/configuration/14-monitoring.md

@@ -51,6 +51,14 @@ admin_dashboard_ingress_basic_auth_password: "<secure password>"
     As such you should ensure that a strong password is used, and take care when sharing
     it.
 
+!!! tip
+
+    `azimuth-config` includes a utility for generating secrets for an environment:
+
+    ```sh
+    ./bin/generate-secrets [--force] <environment-name>
+    ```
+
 !!! danger
 
     This password should be kept secret. If you want to keep the password in Git - which is

docs/developing/index.md

@@ -70,6 +70,10 @@ export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml
 # with other deployments that use the dev environment
 source ./bin/activate dev jbloggs-dev
 
+# Generate secrets locally for the active environment, if required
+# DO NOT COMMIT THE GENERATED FILE TO GIT
+./bin/generate-secrets
+
 # Install Azimuth as usual
 ansible-galaxy install -f -r requirements.yml
 ansible-playbook azimuth_cloud.azimuth_ops.provision