From c06b6c82ee0af74e0e8c533a9976a1d76d27fa67 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Mon, 13 Mar 2023 13:08:22 +0100
Subject: [PATCH 1/4] secrets scripts

---
 deployment/scripts/secret.generate.sh | 14 +++++++++
 deployment/scripts/secrets.decrypt.sh | 44 +++++++++++++++++++++++++++
 deployment/scripts/secrets.encrypt.sh | 41 +++++++++++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100755 deployment/scripts/secret.generate.sh
 create mode 100755 deployment/scripts/secrets.decrypt.sh
 create mode 100755 deployment/scripts/secrets.encrypt.sh

diff --git a/deployment/scripts/secret.generate.sh b/deployment/scripts/secret.generate.sh
new file mode 100755
index 000000000..dba958c34
--- /dev/null
+++ b/deployment/scripts/secret.generate.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# generate a secret and store it in the SECRET file.
+# Note that this overwrites the existing file
+
+# base setup
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+# configuration
+CONFIGURATION=${CONFIGURATION:-"example"}
+SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
+
+openssl rand -base64 32 > ${SECRET_FILE}
\ No newline at end of file
diff --git a/deployment/scripts/secrets.decrypt.sh b/deployment/scripts/secrets.decrypt.sh
new file mode 100755
index 000000000..283768ad0
--- /dev/null
+++ b/deployment/scripts/secrets.decrypt.sh
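Review bot: `openssl rand -base64 32 > ${SECRET_FILE}` creates the SECRET file with whatever umask the caller has, so under the common 022 default the passphrase that protects every encrypted config is world-readable; create it restricted, e.g. `(umask 077; openssl rand -base64 32 > "${SECRET_FILE}")`. The redirection also truncates the file before `openssl` runs, so a missing `openssl` or a failed command leaves an empty SECRET behind with the old value gone; `set -euo pipefail` at the top, or an explicit `|| exit 1`, would at least make the failure visible. `realpath $0` and `dirname $SCRIPT_PATH` are unquoted and break on paths containing spaces; the decrypt and encrypt scripts in this patch share the same two lines. The header comment could also warn about the consequence of regenerating, e.g. `# regenerating makes existing *.enc files undecryptable unless the old value is kept`.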
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# decrypt secrets in the selected configuration
+# Note that existing decrypted files will be overwritten
+
+# base setup
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+# configuration
+CONFIGURATION=${CONFIGURATION:-"example"}
+SECRET=${SECRET}
+SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
+FILES=(\
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \
+ )
+
+# Load SECRET from file if it is not set explicitly
+if [ -z ${SECRET} ] && [ -f "${SECRET_FILE}" ]; then
+ SECRET=$(<${SECRET_FILE})
+fi
+
+# exit when there is no SECRET set
+if [ -z ${SECRET} ]; then
+ echo "No SECRET provided and no SECRET-File found."
+ exit 1
+fi
+
+# decrypt
+for file in "${FILES[@]}"
+do
+ if [ -f "${file}.enc" ]; then
+ #gpg --symmetric --batch --passphrase="${SECRET}" --cipher-algo AES256 --output ${file}.enc ${file}
+ gpg --quiet --batch --yes --decrypt --passphrase="${SECRET}" --output ${file} ${file}.enc
+ echo "Decrypted ${file}"
+ fi
+done
+
+echo "DONE"
+# gpg --quiet --batch --yes --decrypt --passphrase="${SECRET}" \
+# --output $HOME/secrets/my_secret.json my_secret.json.gpg
diff --git a/deployment/scripts/secrets.encrypt.sh b/deployment/scripts/secrets.encrypt.sh
new file mode 100755
index 000000000..ef6c87e85
--- /dev/null
+++ b/deployment/scripts/secrets.encrypt.sh
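Review bot: `gpg --quiet --batch --yes --decrypt --passphrase="${SECRET}" --output ${file} ${file}.enc` puts the passphrase on the gpg command line, where it is readable by every local user through the process table for as long as gpg runs and is echoed by any `set -x`; feed it through a descriptor instead, `printf '%s\n' "${SECRET}" | gpg --quiet --batch --yes --decrypt --passphrase-fd 0 --output "${file}" "${file}.enc"` (GnuPG 2.1+ may additionally need `--pinentry-mode loopback` in batch mode). The two `[ -z ${SECRET} ]` tests are unquoted, so a passphrase containing whitespace makes `[` complain about too many arguments instead of evaluating the test; write `[ -z "${SECRET}" ]`. `SECRET=${SECRET}` is a no-op, and the commented-out `gpg` lines at the bottom referencing `$HOME/secrets/my_secret.json` read like pasted examples that should be dropped. The `gpg --symmetric` line in secrets.encrypt.sh in this same patch has the identical argv exposure.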
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# encrypt secrets in the selected configuration
+# Note that existing encrypted files will be overwritten
+
+# base setup
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+# configuration
+CONFIGURATION=${CONFIGURATION:-"example"}
+SECRET=${SECRET}
+SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
+FILES=(\
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \
+ )
+
+# Load SECRET from file if it is not set explicitly
+if [ -z ${SECRET} ] && [ -f "${SECRET_FILE}" ]; then
+ SECRET=$(<${SECRET_FILE})
+fi
+
+# exit when there is no SECRET set
+if [ -z ${SECRET} ]; then
+ echo "No SECRET provided and no SECRET-File found."
+ exit 1
+fi
+
+# encrypt
+for file in "${FILES[@]}"
+do
+ if [ -f "${file}" ]; then
+ gpg --symmetric --batch --yes --passphrase="${SECRET}" --cipher-algo AES256 --output ${file}.enc ${file}
+ echo "Encrypted ${file}"
+ fi
+done
+
+echo "DONE"

From 3a3e576047c961d8e340e840d0cc6954d4035f5d Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Mon, 13 Mar 2023 13:12:46 +0100
Subject: [PATCH 2/4] moved values files and removed .gitignore

---
 .../example}/kubernetes/dns.values.template.yaml | 0
 deployment/src/kubernetes/.gitignore | 3 ---
 .../{nginx.values.template.yaml => nginx.values.yaml} | 0
 3 files changed, 3 deletions(-)
 rename deployment/{src => configurations/example}/kubernetes/dns.values.template.yaml (100%)
 delete mode 100644 deployment/src/kubernetes/.gitignore
 rename deployment/src/kubernetes/{nginx.values.template.yaml => nginx.values.yaml} (100%)
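Review bot: The loop leaves the plaintext `${file}` in place next to the new `${file}.enc`, and nothing in this series adds an ignore rule for `configurations/<name>/` (patch 2/4 even deletes the `.gitignore` that covered the kubernetes values files), so the decrypted kubeconfig, `.env` and values files plus the `SECRET` file are one `git add` away from being committed — unless a top-level ignore I cannot see already covers them. Either add a `.gitignore` for those paths alongside these scripts, or at least state the expectation in the script header, e.g. `# plaintext files and SECRET must never be committed; see .gitignore`. `--output ${file}.enc ${file}` is unquoted like the rest of the path handling; `"${file}.enc" "${file}"` keeps paths with spaces working. `set -e` is also absent, so a gpg failure on one file is not fatal: the loop continues, `echo "DONE"` runs and the script exits 0.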
diff --git a/deployment/src/kubernetes/dns.values.template.yaml b/deployment/configurations/example/kubernetes/dns.values.template.yaml
similarity index 100%
rename from deployment/src/kubernetes/dns.values.template.yaml
rename to deployment/configurations/example/kubernetes/dns.values.template.yaml
diff --git a/deployment/src/kubernetes/.gitignore b/deployment/src/kubernetes/.gitignore
deleted file mode 100644
index e0473b0fd..000000000
--- a/deployment/src/kubernetes/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-/dns.values.yaml
-/nginx.values.yaml
-/values.yaml
diff --git a/deployment/src/kubernetes/nginx.values.template.yaml b/deployment/src/kubernetes/nginx.values.yaml
similarity index 100%
rename from deployment/src/kubernetes/nginx.values.template.yaml
rename to deployment/src/kubernetes/nginx.values.yaml

From 57d33821c51200939cb804f789549ceef192c1cd Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Tue, 14 Mar 2023 01:36:55 +0100
Subject: [PATCH 3/4] do not encrypt .env

---
 deployment/scripts/secrets.decrypt.sh | 1 -
 deployment/scripts/secrets.encrypt.sh | 1 -
 2 files changed, 2 deletions(-)

diff --git a/deployment/scripts/secrets.decrypt.sh b/deployment/scripts/secrets.decrypt.sh
index 283768ad0..9d2e333e3 100755
--- a/deployment/scripts/secrets.decrypt.sh
+++ b/deployment/scripts/secrets.decrypt.sh
@@ -12,7 +12,6 @@ CONFIGURATION=${CONFIGURATION:-"example"}
 SECRET=${SECRET}
 SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
 FILES=(\
- "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \
diff --git a/deployment/scripts/secrets.encrypt.sh b/deployment/scripts/secrets.encrypt.sh
index ef6c87e85..0451b7a20 100755
--- a/deployment/scripts/secrets.encrypt.sh
+++ b/deployment/scripts/secrets.encrypt.sh
@@ -12,7 +12,6 @@ CONFIGURATION=${CONFIGURATION:-"example"}
 SECRET=${SECRET}
 SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
 FILES=(\
- "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \

From 3ee90536231a27c20ea886e8e341c71cab0c5556 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Tue, 14 Mar 2023 01:39:27 +0100
Subject: [PATCH 4/4] better to encrypt .env

---
 deployment/scripts/secrets.decrypt.sh | 1 +
 deployment/scripts/secrets.encrypt.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/deployment/scripts/secrets.decrypt.sh b/deployment/scripts/secrets.decrypt.sh
index 9d2e333e3..283768ad0 100755
--- a/deployment/scripts/secrets.decrypt.sh
+++ b/deployment/scripts/secrets.decrypt.sh
@@ -12,6 +12,7 @@ CONFIGURATION=${CONFIGURATION:-"example"}
 SECRET=${SECRET}
 SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
 FILES=(\
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \
diff --git a/deployment/scripts/secrets.encrypt.sh b/deployment/scripts/secrets.encrypt.sh
index 0451b7a20..ef6c87e85 100755
--- a/deployment/scripts/secrets.encrypt.sh
+++ b/deployment/scripts/secrets.encrypt.sh
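Review bot: Patch 4/4 re-adds the `.env` entry to `FILES` that patch 3/4 removed one commit earlier, so the two commits cancel out and only add churn to the history; squash them before merging. If the back-and-forth reflects a real decision, it belongs as a comment above `FILES=(\`, e.g. `# .env carries credentials, so it is encrypted like the other files`, rather than only in the commit subjects. The same applies to the secrets.encrypt.sh hunk of this patch. The `FILES` array and the rest of the script continue outside the hunk.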
@@ -12,6 +12,7 @@ CONFIGURATION=${CONFIGURATION:-"example"}
 SECRET=${SECRET}
 SECRET_FILE=${SCRIPT_DIR}/../configurations/${CONFIGURATION}/SECRET
 FILES=(\
+ "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/.env" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubeconfig.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/values.yaml" \
 "${SCRIPT_DIR}/../configurations/${CONFIGURATION}/kubernetes/dns.values.yaml" \