apiVersion: v1 kind: ConfigMap metadata: name: gitlab-shared-secrets namespace: public-service labels: app: gitlab component: shared-secrets annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "-3" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: generate-secrets: | namespace=public-service env=production pushd $(mktemp -d) function gen_random(){ head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2 } function fetch_rails_value(){ local value=$(yq read $1 "${2}") if [ "${value}" != "null" ]; then echo "${value}"; fi } function label_secret(){ local secret_name=$1 kubectl --namespace=$namespace label \ secret $secret_name $(echo 'app.kubernetes.io/name=mygitlab' | sed -E 's/=[^ ]*/-/g') #helm渲染时指定名称为mygitlab,mygitlab不要修改为gitlab,否则postgresql无法使用secrets kubectl --namespace=$namespace label \ --overwrite \ secret $secret_name app=gitlab component=shared-secrets } function generate_secret_if_needed(){ local secret_args=( "${@:2}") local secret_name=$1 if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]} else echo "secret \"$secret_name\" already exists" fi; label_secret $secret_name } generate_secret_if_needed "gitlab-initial-root-password" --from-literal="password"=$(gen_random 'a-zA-Z0-9' 64) generate_secret_if_needed "gitlab-redis-secret" --from-literal="secret"=$(gen_random 'a-zA-Z0-9' 64) generate_secret_if_needed "gitlab-postgresql-password" --from-literal=postgresql-password=$(gen_random 'a-zA-Z0-9' 64) --from-literal=postgresql-postgres-password=$(gen_random 'a-zA-Z0-9' 64) generate_secret_if_needed "gitlab-shell-secret" --from-literal="secret"=$(gen_random 'a-zA-Z0-9' 64) generate_secret_if_needed "gitlab-gitaly-secret" --from-literal="token"=$(gen_random 'a-zA-Z0-9' 64) generate_secret_if_needed "gitlab-minio-secret" --from-literal=accesskey=$(gen_random 'a-zA-Z0-9' 64) --from-literal=secretkey=$(gen_random 'a-zA-Z0-9' 64) generate_secret_if_needed "gitlab-runner-secret" --from-literal=runner-registration-token=$(gen_random 'a-zA-Z0-9' 64) --from-literal=runner-token="" mkdir -p certs openssl req -new -newkey rsa:4096 -subj "/CN=gitlab-issuer" -nodes -x509 -keyout certs/registry-example-com.key -out certs/registry-example-com.crt -days 3650 generate_secret_if_needed "gitlab-registry-secret" --from-file=registry-auth.key=certs/registry-example-com.key --from-file=registry-auth.crt=certs/registry-example-com.crt if [ -n "$env" ]; then rails_secret="gitlab-rails-secret" if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then kubectl --namespace=$namespace get secret $rails_secret -o jsonpath="{.data.secrets\.yml}" | base64 --decode > secrets.yml secret_key_base=$(fetch_rails_value secrets.yml "${env}.secret_key_base") otp_key_base=$(fetch_rails_value secrets.yml "${env}.otp_key_base") db_key_base=$(fetch_rails_value secrets.yml "${env}.db_key_base") openid_connect_signing_key=$(fetch_rails_value secrets.yml "${env}.openid_connect_signing_key") ci_jwt_signing_key=$(fetch_rails_value secrets.yml "${env}.ci_jwt_signing_key") fi; secret_key_base="${secret_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) otp_key_base="${otp_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) db_key_base="${db_key_base:-$(gen_random 'a-f0-9' 128)}" # equavilent to secureRandom.hex(64) openid_connect_signing_key="${openid_connect_signing_key:-$(openssl genrsa 2048)}" ci_jwt_signing_key="${ci_jwt_signing_key:-$(openssl genrsa 2048)}" cat << EOF > rails-secrets.yml apiVersion: v1 kind: Secret metadata: name: $rails_secret type: Opaque stringData: secrets.yml: |- $env: secret_key_base: $secret_key_base otp_key_base: $otp_key_base db_key_base: $db_key_base openid_connect_signing_key: | $(echo "${openid_connect_signing_key}" | awk '{print " " $0}') ci_jwt_signing_key: | $(echo "${ci_jwt_signing_key}" | awk '{print " " $0}') EOF kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml label_secret $rails_secret fi ssh-keygen -A mkdir -p host_keys cp /etc/ssh/ssh_host_* host_keys/ generate_secret_if_needed "gitlab-shell-host-keys" --from-file host_keys generate_secret_if_needed "gitlab-workhorse-secret" --from-literal="shared_secret"=$(gen_random 'a-zA-Z0-9' 32 | base64) generate_secret_if_needed "gitlab-registry-httpsecret" --from-literal="secret"=$(gen_random 'a-z0-9' 128 | base64 -w 0)