kandra: Support installing multiple ssh keys from multiple secrets.

This commit is contained in:
Alex Vandiver
2025-05-09 01:19:10 -04:00
committed by Tim Abbott
parent 5a21f42000
commit a959f71208
2 changed files with 34 additions and 14 deletions


@@ -1,8 +1,24 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
args="$(getopt -o '' --long check -- "$@")"
eval "set -- $args"
check=false
while true; do
case "$1" in
--check)
check=true
shift
;;
--)
shift
break
;;
esac
done
username="$1" username="$1"
ssh_secret_name="$2" shift
homedir="$(getent passwd "$username" | cut -d: -f6)" homedir="$(getent passwd "$username" | cut -d: -f6)"
sshdir="$homedir/.ssh" sshdir="$homedir/.ssh"
@@ -15,20 +31,22 @@ trap cleanup EXIT
umask 033 umask 033
keydata="$(/srv/zulip-aws-tools/bin/aws --output text \ for ssh_secret_name in "$@"; do
secretsmanager get-secret-value \ keydata="$(/srv/zulip-aws-tools/bin/aws --output text \
--secret-id "$ssh_secret_name" \ secretsmanager get-secret-value \
--query SecretString)" --secret-id "$ssh_secret_name" \
for keyfile in $(jq -r 'keys[]' <<<"$keydata"); do --query SecretString)"
touch "$workdir/$keyfile" for keyfile in $(jq -r 'keys[]' <<<"$keydata"); do
if [[ "$keyfile" != *".pub" ]]; then touch "$workdir/$keyfile"
chmod 600 "$workdir/$keyfile" if [[ "$keyfile" != *".pub" ]]; then
fi chmod 600 "$workdir/$keyfile"
jq -r ".[\"$keyfile\"]" <<<"$keydata" | base64 -d >"$workdir/$keyfile" fi
chown "$username:$username" "$workdir/$keyfile" jq -r ".[\"$keyfile\"]" <<<"$keydata" | base64 -d >"$workdir/$keyfile"
chown "$username:$username" "$workdir/$keyfile"
done
done done
if [ "$#" -gt 2 ]; then if [ "$check" = "true" ]; then
diff -rN -x config -x authorized_keys -x known_hosts \ diff -rN -x config -x authorized_keys -x known_hosts \
"$workdir/" "$sshdir/" "$workdir/" "$sshdir/"
exit 0 exit 0
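Review bot: The new per-secret loop still builds the jq filter by interpolating the key name, `jq -r ".[\"$keyfile\"]"`, and uses that same name unchecked as a path component under `$workdir`, while the `for keyfile in $(jq -r 'keys[]' ...)` list is unquoted; a key name containing a double quote, a slash or glob characters would break the filter or place the file outside the working directory. Passing the name as data, `jq -r --arg k "$keyfile" '.[$k]' <<<"$keydata"`, and rejecting names containing `/` before the `touch` closes both. Iterating over several secrets also means a file name present in two secrets is silently overwritten by the later one, which deserves a comment on the `for ssh_secret_name` line such as `# later secrets win on duplicate file names`. The script continues between the two hunks and past the end of the second, so the cleanup trap and the final install step are not visible here.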


@@ -4,12 +4,14 @@ define kandra::ssh_keys(
$user = $name $user = $name
if $keys == true { if $keys == true {
$keypath = "prod/ssh/keys/${user}" $keypath = "prod/ssh/keys/${user}"
} elsif $keys.is_a(Array) {
$keypath = join($keys.map |$k| {"prod/ssh/keys/${k}"}, ' ')
} else { } else {
$keypath = "prod/ssh/keys/${keys}" $keypath = "prod/ssh/keys/${keys}"
} }
exec { "ssh_keys ${user}": exec { "ssh_keys ${user}":
require => File['/usr/local/bin/install-ssh-keys'], require => File['/usr/local/bin/install-ssh-keys'],
command => "/usr/local/bin/install-ssh-keys ${user} ${keypath}", command => "/usr/local/bin/install-ssh-keys ${user} ${keypath}",
unless => "[ -f /usr/local/bin/install-ssh-keys ] && /usr/local/bin/install-ssh-keys ${user} ${keypath} check", unless => "[ -f /usr/local/bin/install-ssh-keys ] && /usr/local/bin/install-ssh-keys --check ${user} ${keypath}",
} }
} }
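Review bot: The new Array branch joins the secret ids with a space and interpolates the result unquoted into both the `command` and `unless` strings, so the shell only splits it back into separate arguments as long as no entry contains whitespace or shell metacharacters, and that constraint is not stated anywhere. A comment on the `elsif` line, `# entries become separate shell words; keep them to plain secret-name characters`, or building the strings with `shellquote()` would make it explicit. The parameter list of `kandra::ssh_keys` and the declared type of `$keys` are above the hunk, so I cannot tell whether the type signature already restricts the entries.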