[Fixes: mosip/mosip-infra#1874] Add wg-onboard.sh for WireGuard onboa…

[Ivanmeneges]

…rding automation

This script automates the onboarding process for WireGuard in a new environment, handling peer allocation, configuration transformation, and publishing secrets to GitHub.

Summary by CodeRabbit

Release Notes

• New Features
  • Added a self-service WireGuard onboarding script to provision and allocate peers for a specified environment/branch via a jumpserver connection.
  • Includes input validation, a dry-run preview, and updates local peer allocation tracking (TSV).
  • When allowed, it creates missing peer configs/credentials, updates the live WireGuard runtime, and prepares sanitized peer config outputs.
  • Added a GitHub Actions workflow (workflow dispatch) to run the onboarding and, after success, commit and push tracker updates; on secret publish failure, it rolls back prior publishes and allocations.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

A new Bash script .github/scripts/wg-onboard.sh (830 lines) and GitHub Actions workflow .github/workflows/wg-onboard.yml (134 lines) are added together to automate self-service WireGuard peer onboarding. The script inventories a jumpserver, atomically allocates three peers under flock, optionally generates peer keys via a Docker container, transforms peer configs, publishes them as GitHub environment secrets with atomic rollback on failure, and records allocations to a local TSV tracker. The workflow provides the user-facing entry point, validates credentials, manages SSH keys, invokes the script, and commits the updated tracker file back to the repository.

Changes

WireGuard Onboarding Script and Workflow

Layer / File(s)	Summary
Script header, defaults, and CLI argument parsing .github/scripts/wg-onboard.sh	Defines default variables, the ordered three-peer secret-name array, help/usage text, logging helpers, full argument parsing (environment name, jumpserver host, SSH key path, GitHub repo, peer overrides, dry-run flag), input validation including IPv4 CIDR syntax checking, tooling checks (gh, ssh), jumpserver path constants, and SSH known-hosts file handling. Includes jumpserver preflight: lists the WireGuard config directory, inventories existing peerN entries, computes or validates MAX_PEERS, and determines whether missing peer configs can be created from templates.
Atomic peer allocation with flock and remote rollback .github/scripts/wg-onboard.sh	Implements the core allocation logic on the jumpserver under flock via a remote SSH heredoc: parses assigned.txt in legacy colon format (peerN: username) or MOSIP per-secret format (peerN env(SECRET_NAME)), detects/reuses an existing allocation for the target environment when present, gap-fills three distinct peers within the peer1..peerMAX_PEERS pool, generates WireGuard keys/PSKs via the Docker container when allowed, writes peerN.conf, appends peers to the wg0 runtime config, updates runtime peer PSK/allowed-ips, and records new assigned.txt entries. Includes the remote rollback function that removes recorded peer lines from assigned.txt under the same allocation lock using atomic temp-file rewrite, and parsing of the remote allocation output into peer IDs and record metadata flags.
Config transformation and GitHub environment secret publishing .github/scripts/wg-onboard.sh	Fetches each allocated peer's raw peerN.conf over SSH, validates AllowedIPs presence, removes DNS = ... lines, and rewrites the [Peer] section's AllowedIPs with the configured CIDR. In dry-run mode, logs the intended assigned.txt entries and secret names then exits before any GitHub changes. Otherwise, ensures the target GitHub environment exists via gh api PUT, then publishes exactly three environment secrets in a fixed deterministic order using gh secret set. On any publish failure, deletes already-published secrets via gh secret delete and rolls back any recorded assigned.txt entries via the remote atomic rollback function before exiting non-zero.
Local TSV tracking and completion logs .github/scripts/wg-onboard.sh	Acquires a local flock on wg-peer-allocation.tsv, appends a new row with environment name, three peer IDs, UTC timestamp, and assignment file path using atomic temp-file + move (replacing any previous row for that environment). Writes final completion logs with environment name, peer IDs, and paths to both the server-side assigned.txt and local tracker file.
Workflow orchestration: credential validation, SSH setup, and script execution .github/workflows/wg-onboard.yml	Defines a workflow_dispatch entry point with inputs for environment name, jumpserver host, optional ticket, WireGuard directory, allowed IPs, and DRY_RUN flag. Sets repository read permissions and concurrency keyed by environment name. Validates required repository secrets (ACTION_PAT, MOSIP_AWS_PEM) with hard failure. Checks out the repository with persist-credentials: false. Writes the SSH private key from MOSIP_AWS_PEM to a temp file, normalizes line endings, sets restrictive permissions (0600), verifies the key parses via ssh-keygen, and exports SSH_KEY_PATH to job environment. Runs .github/scripts/wg-onboard.sh with constructed CLI arguments (conditionally appending --ticket and --dry-run) and passes ACTION_PAT as the GitHub token. Ensures cleanup of the temp SSH key file in an always() step.
Tracker file commit and push .github/workflows/wg-onboard.yml	When DRY_RUN is false, compares the peer allocation tracker TSV for changes. If changed, constructs an authenticated remote URL using ACTION_PAT, performs a rebase pull (git pull --rebase --autostash) to handle concurrent updates, commits the tracker file (with GPG signing enabled), and pushes back to ${GITHUB_REF_NAME}. Exits with a clear error if the rebase fails (e.g., due to concurrent updates).

Sequence Diagram(s)

sequenceDiagram
  participant Operator
  participant Workflow as GitHub Actions
  participant Script as wg-onboard.sh
  participant Jumpserver
  participant WGDocker as WireGuard Docker
  participant GitHubAPI as GitHub API

  rect rgba(70, 130, 180, 0.5)
    note over Operator,Script: Workflow dispatch triggered
    Operator->>Workflow: Trigger with env name, jumpserver, flags
    Workflow->>Workflow: Validate secrets (ACTION_PAT, MOSIP_AWS_PEM)
    Workflow->>Workflow: Write & verify SSH key
  end

  rect rgba(100, 149, 237, 0.5)
    note over Script,WGDocker: Preflight and Atomic Allocation
    Script->>Jumpserver: SSH ls WG_DIR, inventory peerN, check templates
    Jumpserver-->>Script: existing peers, MAX_PEERS, CAN_CREATE flag
    Script->>Jumpserver: SSH heredoc (flock ALLOC_LOCK)
    Jumpserver->>Jumpserver: parse assigned.txt, reuse or gap-fill 3 peers
    alt peer config missing and CAN_CREATE
      Jumpserver->>WGDocker: generate privkey, pubkey, PSK
      WGDocker-->>Jumpserver: keys
      Jumpserver->>Jumpserver: write peerN.conf, update wg0 runtime
    end
    Jumpserver->>Jumpserver: record to assigned.txt
    Jumpserver-->>Script: TF_PEER, WG0_PEER, WG1_PEER, REUSED flag
  end

  rect rgba(60, 179, 113, 0.5)
    note over Script,GitHubAPI: Transform Configs and Publish Secrets
    Script->>Jumpserver: SSH cat peerN.conf (×3)
    Jumpserver-->>Script: raw confs
    Script->>Script: validate/transform: remove DNS, set AllowedIPs CIDR
    alt dry-run mode
      Script->>Script: log intended entries + exit
    else publish
      Script->>GitHubAPI: ensure GitHub environment exists
      loop each of 3 secrets
        Script->>GitHubAPI: gh secret set ENV/SECRET_NAME
        alt publish fails
          Script->>GitHubAPI: gh secret delete (rollback)
          Script->>Jumpserver: SSH rollback assigned.txt
          Script->>Script: exit non-zero
        end
      end
    end
  end

  rect rgba(184, 134, 11, 0.5)
    note over Script,Workflow: Local Tracking and Repository Push
    Script->>Script: flock, append to wg-peer-allocation.tsv
    Script-->>Workflow: allocation complete
    alt DRY_RUN is false
      Workflow->>Workflow: Check TSV for changes
      alt TSV changed
        Workflow->>Workflow: git pull --rebase (handle concurrent)
        Workflow->>Workflow: git commit wg-peer-allocation.tsv (signed)
        Workflow->>Workflow: git push to GITHUB_REF_NAME
      end
    end
    Workflow->>Workflow: Remove temp SSH key
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• mosip/infra#247: Directly overlaps — implements the same core wg-onboard.sh peer-allocation flow including assigned.txt parsing, three-peer allocation, WireGuard Docker key generation, config transformation, gh secret set with rollback, and TSV tracking.
• mosip/infra#249: Adds .github/workflows/wg-onboard.yml which directly invokes this script, passing its inputs/flags and committing the wg-peer-allocation.tsv tracker file produced by the script.

Poem

🐇 Hoppity-hop through WireGuard's gate,
Three peers to allocate — never late!
A flock-locked heredoc keeps things neat,
Rollback in hand if secrets don't beat.
TSV tracker logs every hop,
The rabbit says: self-service won't stop! 🌐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 15.79% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references issue #1874 and clearly describes the main addition: a WireGuard onboarding script (wg-onboard.sh), which aligns with the changeset's primary contribution.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch Ivanmeneges-patch-6

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Ivanmeneges]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/wg-onboard.sh:
- Around line 272-320: The record_assignment function writes a temp file and
then uses cat to copy it to the destination file, which is not atomic and can
leave the file empty or partial if the write fails. Replace the final two lines
(cat "$tmp" > "$file" and rm -f "$tmp") with a single mv "$tmp" "$file" command
to atomically replace the file after successful generation. Apply the same
atomic replacement pattern to the remove_peer_line function as well.
- Around line 139-144: The wg_onboard_exit_cleanup function currently references
the TMP variable without initialization, which could be inherited from the
caller and cause deletion of unrelated files. Create a new script-owned variable
initialized to an empty string (such as WG_ONBOARD_TMP) at the beginning of the
script before the EXIT trap is installed. Replace all references to TMP in the
wg_onboard_exit_cleanup function and throughout the script with this new
script-owned variable. This ensures only temporary files created by this script
are cleaned up, not files from the caller's environment.
- Around line 438-465: The script skips the entire existing allocation lookup
when any FORCE_TF, FORCE_WG0, or FORCE_WG1 flag is set, which causes duplicate
assignments in assigned.txt when re-running with forced peers. Remove or modify
the condition that gates the allocation lookup (the check for empty FORCE_TF,
FORCE_WG0, FORCE_WG1 flags), so the existing assignment discovery always runs
for tf, wg0, and wg1. Then apply the force overrides after the lookup completes.
When a force override changes a peer for an existing environment, either
atomically replace the old per-secret assignment line in assigned.txt or fail
with a clear error message indicating manual cleanup is needed.
- Around line 146-157: The security issue is that the script defaults to
creating a temporary SSH_KNOWN_HOSTS file via mktemp and uses
StrictHostKeyChecking=accept-new, which allows any host key to be accepted
without validation on each CI run, creating a vector for host impersonation
attacks. Fix this by either making SSH_KNOWN_HOSTS required by removing the else
block that creates the temporary file, or by adding an explicit environment
variable flag that gates the accept-new behavior. When the flag is not
explicitly set, fall back to requiring a pre-configured known_hosts file,
ensuring trust-on-first-use is only enabled through explicit opt-in rather than
by default in the ssh_cmd function.
- Around line 197-200: The preflight check in the CAN_CREATE_PEERS condition
allows peer creation when a template file exists at templates/peer.conf, but the
ensure_peer_conf function (also mentioned in lines 330-333) does not actually
use this template and will fail if no existing peerN/peerN.conf configurations
are present. Remove the template existence check from the conditional expression
in the preflight validation so that CAN_CREATE_PEERS is only set to true when
there are existing peers that can be used as a basis for new peer creation,
ensuring the preflight check accurately reflects what the actual peer creation
logic can accomplish.
- Around line 485-490: The validation in the peer loop does not check if the
peer ID numeric value falls within the configured pool range. After extracting
the numeric portion into variable n using parameter expansion
(n="${peer#peer}"), add validation to ensure that n is within the valid range 1
to MAX_PEERS before calling ensure_peer_conf. This validation should reject peer
IDs that are outside the configured pool, preventing forced assignment of peers
like peer0 or peer999 when MAX_PEERS limits the actual pool size.
- Around line 153-162: The `ssh_cmd()` function definition is correct, but all
calls to it throughout the script pass user-controlled variables without proper
shell escaping, creating command injection vulnerabilities. Create a
`remote_quote()` helper function that properly escapes special characters in
shell strings, then apply this function to all unescaped variables before
passing them to `ssh_cmd()`. Specifically, find all instances where variables
like `CONFIG_DIR`, `ASSIGNED_FILE`, `ASSIGN_LOCK_FILE`, peer names, and ticket
labels are embedded in command strings passed to `ssh_cmd()` (such as at line
166 with the ls command, lines 217-220 and 528-530 with bash -s calls, and line
620 with the cat command), and wrap each variable with `$(remote_quote
"$VARIABLE")` to ensure proper escaping regardless of the variable content.
- Around line 653-672: The script records peer assignments before GitHub
operations, but fails to clean up on partial success. If environment creation
fails at the initial PUT call, the script exits via die without rolling back the
pre-recorded assignments. If secret publishing fails after partial success, the
code calls atomic_rollback_assignments to free peers without first deleting the
already-published secrets from GitHub, leaving stale credentials exposed. Add a
trap or error handler around the environment creation to trigger rollback if it
fails. Additionally, before calling atomic_rollback_assignments in the secret
publishing failure path, iterate through the successfully published secrets
(tracked via PUBLISHED_SECRETS counter and SECRET_NAMES array indices) and
delete each one using gh secret delete with the --env flag for the specific
environment to ensure stale secrets are removed before peer assignment records
are rolled back.
- Around line 96-109: The command-line argument parsing loop in the while
statement expands $2 directly in each case branch before require_arg can
validate whether the argument value exists. When set -u is enabled and a flag is
missing its required value, Bash exits with an unbound variable error instead of
allowing require_arg to provide the intended error message. Replace all
instances of "$2" in the case branches (for flags like --env, --host, --ssh-key,
--repo, --ticket, --wg-dir, --allowed-ips, --tf-peer, --wg0-peer, --wg1-peer,
and --max-peers) with "${2-}" to provide an empty default value, allowing
require_arg to validate the argument properly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4c2ab4d9-9819-4131-97e3-762adcee4a38

📥 Commits

Reviewing files that changed from the base of the PR and between d9b9da0 and 0800826.

📒 Files selected for processing (1)

• .github/scripts/wg-onboard.sh

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/wg-onboard.sh:
- Around line 602-620: The rollback_published_secrets function logs deletion
failures but still returns success (0), allowing rollback_allocation_state to
proceed with atomic_rollback_assignments even when secrets remain. Modify
rollback_published_secrets to track whether any secret deletions failed and
return a non-zero exit code if so, then update rollback_allocation_state to
check the return status of rollback_published_secrets before calling
atomic_rollback_assignments, ensuring peer assignments are only freed if all
secrets are successfully deleted.
- Around line 743-746: The temporary file created with mktemp defaults to /tmp,
causing the subsequent mv operation to be non-atomic across filesystems and
potentially replacing the allocation tracker with a file having restrictive 0600
permissions. Modify the TRACKER_TMP assignment to create the temporary file in
the same directory as $ALLOCATION_FILE by using mktemp with a template that
includes the directory path of $ALLOCATION_FILE (for example, using dirname to
extract the directory). This ensures the mv operation stays within the same
filesystem and behaves atomically.
- Around line 211-213: In the peer_config_exists() function, split the single
local statement containing both peer and conf assignments into two separate
local statements. First declare and assign local peer="$1", then on the next
line declare and assign local conf="$CONFIG_DIR/$peer/$peer.conf". This ensures
that the peer variable is properly set before it is referenced in the conf
variable assignment, preventing unbound variable errors when set -u is enabled
and avoiding stale global peer values.
- Around line 223-234: The remote_quote function expansions in the ssh_cmd bash
command (lines 223-234 and 557-565) are not properly quoted locally, causing the
local shell to split arguments containing whitespace before they reach ssh. Wrap
each $(remote_quote ...) expansion in double quotes to ensure paths and labels
with whitespace are passed to the remote shell as single argv tokens. This
applies to all the variable expansions like $(remote_quote "$ASSIGNED_FILE"),
$(remote_quote "$ASSIGN_LOCK_FILE"), $(remote_quote "$CONFIG_DIR"), and all
other similar expansions in that command block.
- Line 172: The ssh_cmd invocations that include `bash -c` are incorrectly
formatted, causing OpenSSH to parse the remote command improperly. Remove the
`bash -c` wrapper from the ssh_cmd calls (keeping the command string that
follows), as ssh_cmd already passes the entire string as a single argument to
the remote shell. This applies to four instances of the pattern `ssh_cmd bash -c
"..."` which should become just `ssh_cmd "..."`. Note that the `bash -s` pattern
used elsewhere should remain unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 364cb21e-fdb1-460d-94a9-23c5e43d0143

📥 Commits

Reviewing files that changed from the base of the PR and between 0800826 and f68f57f.

📒 Files selected for processing (1)

• .github/scripts/wg-onboard.sh

[Ivanmeneges]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/wg-onboard.yml‎ (1)

53-62: 💤 Low value

Pass secrets through environment variables instead of direct interpolation.

Direct interpolation of ${{ secrets.X }} in shell context is a minor security anti-pattern. While unlikely for PAT/PEM values, secrets containing shell metacharacters could cause unexpected behavior.

Suggested improvement

       - name: Validate required secrets
+        env:
+          ACTION_PAT: ${{ secrets.ACTION_PAT }}
+          MOSIP_AWS_PEM: ${{ secrets.MOSIP_AWS_PEM }}
         run: |
           missing=()
-          [[ -z "${{ secrets.ACTION_PAT }}" ]] && missing+=(ACTION_PAT)
-          [[ -z "${{ secrets.MOSIP_AWS_PEM }}" ]] && missing+=(MOSIP_AWS_PEM)
+          [[ -z "$ACTION_PAT" ]] && missing+=(ACTION_PAT)
+          [[ -z "$MOSIP_AWS_PEM" ]] && missing+=(MOSIP_AWS_PEM)
           if ((${`#missing`[@]})); then
             echo "ERROR: Missing repository secrets: ${missing[*]}"
             echo "Add them under Settings → Secrets and variables → Actions for ${GITHUB_REPOSITORY}"
             exit 1
           fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/wg-onboard.yml‎ around lines 53 - 62, The Validate
required secrets step directly interpolates secrets using ${{ secrets.ACTION_PAT
}} and ${{ secrets.MOSIP_AWS_PEM }} syntax in the shell script, which is a
security anti-pattern. Instead, add an env section to the step that maps these
secrets to environment variables (such as ACTION_PAT_ENV and MOSIP_AWS_PEM_ENV),
then update the conditional checks to reference these environment variables
(e.g., [[ -z "$ACTION_PAT_ENV" ]]) instead of directly interpolating the secrets
inline.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/wg-onboard.yml‎:
- Around line 53-62: The Validate required secrets step directly interpolates
secrets using ${{ secrets.ACTION_PAT }} and ${{ secrets.MOSIP_AWS_PEM }} syntax
in the shell script, which is a security anti-pattern. Instead, add an env
section to the step that maps these secrets to environment variables (such as
ACTION_PAT_ENV and MOSIP_AWS_PEM_ENV), then update the conditional checks to
reference these environment variables (e.g., [[ -z "$ACTION_PAT_ENV" ]]) instead
of directly interpolating the secrets inline.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 646ca814-c8a6-44e1-9956-d336edcf5d86

📥 Commits

Reviewing files that changed from the base of the PR and between 6942782 and 9877d0b.

📒 Files selected for processing (1)

• .github/workflows/wg-onboard.yml‎