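version: "3"

# Load environment variables from .env file if it exists
dotenv: [".env"]

# Taskfile-level defaults. Each `sh:` echoes the environment value (after
# dotenv has been applied) so an unset variable becomes an empty string
# instead of leaving the template unresolved.
vars:
  # Private SSH key; its `.pub` half is converted to an Age recipient and the
  # private half is converted to the Age identity used by SOPS.
  SSH_KEY:
    sh: echo "${SSH_KEY:-$HOME/.ssh/id_ed25519}"
  # Forwarded verbatim to the seal scripts; empty unless set in .env/the shell.
  KUBE_CONTROLLER:
    sh: echo "${KUBE_CONTROLLER:-}"
  KUBE_NAMESPACE:
    sh: echo "${KUBE_NAMESPACE:-}"
  KUBE_CONTEXT:
    sh: echo "${KUBE_CONTEXT:-}"

tasks:
  default:
    cmds:
      - task --list

  prereqs:
    desc: "Ensure required tools are installed"
    cmds:
      # `command -v` is POSIX; `which` is not and behaves differently across
      # platforms. Each line fails the task when the tool is missing.
      - command -v sops
      - command -v kubeseal
      - command -v ssh-to-age
    silent: true

  check:ssh-key:
    desc: "Verify SSH key exists and is valid"
    internal: true
    cmds:
      - |
        if [ ! -f "{{.SSH_KEY}}" ]; then
          echo "ERROR: SSH key not found at {{.SSH_KEY}}"
          echo "Please create .env from .env.example and set SSH_KEY path"
          exit 1
        fi
        if [ ! -f "{{.SSH_KEY}}.pub" ]; then
          echo "ERROR: Public key not found at {{.SSH_KEY}}.pub"
          exit 1
        fi
        echo "✓ SSH key found at {{.SSH_KEY}}"
    silent: true

  # ---------------- USER MANAGEMENT ----------------
  key:print:
    desc: "Show your public Age key (derived from SSH_KEY)"
    deps: [check:ssh-key]
    cmds:
      # Quoted so a key path containing spaces is passed as one argument.
      - ssh-to-age -i "{{.SSH_KEY}}.pub"
    silent: true

  key:add-user:
    desc: "Fetch a GitHub user's Age key. Usage: task key:add-user USER=octocat"
    # NOTE(review): Task also resolves {{.USER}} from the environment as a
    # lowest-priority source, so the shell's own $USER may satisfy `requires`
    # when no USER= is given on the command line — confirm against the Task
    # version in use.
    requires:
      vars: [USER]
    cmds:
      - echo "Fetching key for GitHub user {{.USER}}..."
      - |
        # GitHub logins are alphanumerics and hyphens; reject anything else so
        # the value cannot alter the request path.
        case "{{.USER}}" in
          ""|*[!A-Za-z0-9-]*)
            echo "ERROR: USER must be a GitHub login (letters, digits, hyphens)"
            exit 1
            ;;
        esac
        # -f turns an HTTP error (e.g. unknown user) into a curl failure instead
        # of piping an HTML error page into ssh-to-age; capturing the output
        # first keeps that failure visible without relying on pipefail.
        keys="$(curl -fsS "https://github.com/{{.USER}}.keys")" || exit 1
        if [ -z "$keys" ]; then
          echo "ERROR: no SSH keys published for GitHub user {{.USER}}"
          exit 1
        fi
        printf '%s\n' "$keys" | ssh-to-age
      - echo "---"
      - echo "Copy the key above into .sops.yaml and run 'task secrets:rotate'"
    silent: true

  # ---------------- SECRET WORKFLOW ----------------
  secrets:edit:
    desc: "Open a .sops.yaml file with SOPS"
    requires:
      vars: [FILE]
    deps: [prereqs, check:ssh-key]
    cmds:
      # The Age identity is derived on the fly and exported only for this
      # command; it is never written to disk. The assignment is separate from
      # `export` because `export X=$(cmd)` discards cmd's exit status, which
      # would launch sops with an empty identity when the conversion fails.
      - |
        SOPS_AGE_KEY="$(ssh-to-age -private-key -i "{{.SSH_KEY}}")" || exit 1
        export SOPS_AGE_KEY
        sops "{{.FILE}}"

  # All helper scripts take FILE as $1 (empty means "all files"). Every
  # argument is quoted so that an empty value still occupies its position:
  # unquoted empty {{.KUBE_CONTROLLER}} / {{.KUBE_NAMESPACE}} would vanish from
  # the argument list and shift the following parameters.
  secrets:decrypt:
    desc: "Create/refresh .secret.yaml files from .sops.yaml files"
    deps: [prereqs, check:ssh-key]
    cmds:
      - ./scripts/secrets_decrypt.sh "{{.FILE}}" "{{.SSH_KEY}}"

  secrets:checkout:
    desc: "Alias for secrets:decrypt (decrypts specified/all .sops files)"
    deps: [prereqs, check:ssh-key]
    cmds:
      - task: secrets:decrypt
        vars: { FILE: "{{.FILE}}" }

  secrets:checkin:
    desc: "Re-encrypt updated .secret.yaml files back into .sops.yaml"
    deps: [prereqs, check:ssh-key]
    cmds:
      - ./scripts/secrets_checkin.sh "{{.FILE}}"

  secrets:seal:
    desc: "Turn .secret.yaml files into .sealed.yaml manifests"
    deps: [prereqs, check:ssh-key]
    cmds:
      - ./scripts/secrets_seal.sh "{{.FILE}}" "{{.SSH_KEY}}" "{{.KUBE_CONTROLLER}}" "{{.KUBE_NAMESPACE}}" "{{.KUBE_CONTEXT}}"

  secrets:seal-changed:
    desc: "Seal only the secrets whose .sops.yaml has changed"
    deps: [prereqs, check:ssh-key]
    cmds:
      - ./scripts/secrets_seal_changed.sh "{{.FILE}}" "{{.SSH_KEY}}" "{{.KUBE_CONTROLLER}}" "{{.KUBE_NAMESPACE}}" "{{.KUBE_CONTEXT}}"

  secrets:sync:
    desc: "Decrypt and seal in one go"
    deps: [prereqs, check:ssh-key]
    cmds:
      - task: secrets:decrypt
        vars: { FILE: "{{.FILE}}" }
      - task: secrets:seal
        vars: { FILE: "{{.FILE}}" }

  secrets:roundtrip:
    desc: "Workflow helper: checkout -> manual edit -> checkin -> seal changed"
    deps: [prereqs, check:ssh-key]
    cmds:
      - task: secrets:checkout
        vars: { FILE: "{{.FILE}}" }
      - echo "--- Edit the .secret.yaml files as needed, then continue ---"
      - task: secrets:checkin
        vars: { FILE: "{{.FILE}}" }
      - task: secrets:seal-changed
        vars: { FILE: "{{.FILE}}" }

  secrets:clean:
    desc: "Remove generated .secret.yaml files"
    cmds:
      - ./scripts/secrets_clean.sh "{{.FILE}}"

  secrets:rotate:
    desc: "Run sops updatekeys across .sops.yaml files"
    deps: [prereqs, check:ssh-key]
    cmds:
      - ./scripts/secrets_rotate.sh "{{.FILE}}" "{{.SSH_KEY}}"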