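#!/bin/bash
# Writes the GHE backup private SSH key to disk, from one of two sources:
#   * $kubernetes_labels exists   -> copy the key file from
#                                    $folder/ghe-backup-secret/kms_private_ssh_key
#   * $folder/taupage.yaml exists -> decrypt "kms_private_ssh_key" out of it with
#                                    $kms_base/extract_decrypt_kms.py
# An already existing key file is never overwritten.
#
# Usage: convert-kms-private-ssh-key.sh [FOLDER] [TEST]
#   FOLDER  directory holding the secret / taupage.yaml (default: /meta)
#   TEST    any non-empty value switches every path to the local test fixtures
#
# http://redsymbol.net/articles/unofficial-bash-strict-mode/
set -euo pipefail
IFS=$'\n\t'

folder="/meta"
private_key_folder=~/.ssh
private_key_path="$private_key_folder/id_rsa"
kms_base="/kms"
aws_region_placeholder="###REGION###"
kubernetes_labels="/details/labels"

# ${N:-} is safe under `set -u`, so no set +u / set -u dance is needed to
# look at optional positional parameters.
if [[ -n "${1:-}" ]]; then
  folder=$1
fi
if [[ -n "${2:-}" ]]; then
  private_key_folder="./ssh"
  private_key_path="./ssh/id_rsa_test"
  folder="./ghe-backup-test/mymeta"
  aws_region_placeholder="eu-west-1"
  kms_base="$PWD/ghe-backup-test/kms"
fi

#######################################
# Prints a message to stderr and exits with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Writes the private key read from stdin to the given path unless the file
# already exists. The file is created under a 077 umask, so the key is never
# readable by other users — not even in the window before the chmod.
# Arguments: $1 - directory to create for the key
#            $2 - target key file path
# Outputs:   progress messages on stdout; "exists already" notice on stderr
# Returns:   0 for both "written" and "already present" (matches the original
#            script, which exited 0 in both cases); non-zero on I/O failure
#######################################
write_private_key() {
  local key_folder=$1
  local key_path=$2
  if [[ -f "$key_path" ]]; then
    echo "The file $key_path exists already. Won't be overridden." >&2
    # the key material on stdin is intentionally discarded
    return 0
  fi
  echo "The file $key_path does not exists. Start writing private ssh key."
  # -m only applies to the final component created; an existing dir is untouched
  mkdir -p -m 0700 -- "$key_folder"
  # subshell keeps the umask change local; `>` (not `>>`) so a stale or partial
  # file can never be appended to
  (umask 077 && cat > "$key_path")
  chmod 0600 -- "$key_path"
  echo "Private ssh key file '$key_path' written."
}

# @TODO: add test for $kubernetes_labels existance
if [[ -f "$kubernetes_labels" ]]; then
  key_source="$folder/ghe-backup-secret/kms_private_ssh_key"
  [[ -f "$key_source" ]] || die "Private ssh key source '$key_source' does not exist."
  write_private_key "$private_key_folder" "$private_key_path" < "$key_source"
  exit 0
elif [[ -f "$folder/taupage.yaml" ]]; then
  echo "File $folder/taupage.yaml exists."
  # A failing helper is reported explicitly instead of relying on `set -e`
  # silently terminating the script with no message.
  SSHKEY=$(python3 "$kms_base/extract_decrypt_kms.py" -f "$folder/taupage.yaml" -k "kms_private_ssh_key" -r "$aws_region_placeholder") \
    || die "Decrypting kms_private_ssh_key from $folder/taupage.yaml failed."
  # NOTE(review): assumes the helper reports an unusable key by printing this
  # exact sentinel on stdout with exit status 0 — confirm against extract_decrypt_kms.py
  if [[ "$SSHKEY" == "Invalid KMS key." ]]; then
    echo "KMS key or KMS string is invalid."
    echo "Expected KMS string format: aws:kms:<BASE64STRING>"
    echo "KMS key must be usable via Host-IAM-Profile"
    exit 1
  fi
  # The key travels over a pipe only: it never appears on a command line,
  # in a temp file or in a log message.
  printf '%s' "$SSHKEY" | write_private_key "$private_key_folder" "$private_key_path"
  exit 0
else
  echo "Neither $kubernetes_labels nor $folder/taupage.yaml exist."
fi
exit 1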