From 74fa9264df698b1dad72f4097c49a271dd45d4f7 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 11 Jul 2024 22:20:49 -0500
Subject: [PATCH] xactfetch: Configure secretsocket

The `xactfetch` script now uses a helper tool, `secretsocket` to handle looking up secrets. This tool supports various secret source types, including files, environment variables, and external commands. Separating this functionality out of the main script makes it a lot more flexible and pluggable. It's main purpose, though, was actually to allow `xactfetch` to run in a container while communicating with `rbw` outside that container, specifically for development puposes. The `secretsocket` tool reads its configuration from a TOML document. This document defines the secrets the tool handles, and how to look them up. Note that the `xactfetch` container image no longer defines the `XDG_CONFIG_HOME` environment variable, as it uses Chromium instead of Firefox now, and the former does not work with a read-only config directory. As such, we have to mount the `rbw` configuration in the default location.
---
 xactfetch/kustomization.yaml | 3 +++
 xactfetch/secrets.toml | 29 +++++++++++++++++++++++++++
 xactfetch/xactfetch.yaml | 38 ++++++++++++++++++++++++------------
 3 files changed, 58 insertions(+), 12 deletions(-)
 create mode 100644 xactfetch/secrets.toml

diff --git a/xactfetch/kustomization.yaml b/xactfetch/kustomization.yaml
index cae0001..1e452ed 100644
--- a/xactfetch/kustomization.yaml
+++ b/xactfetch/kustomization.yaml
@@ -17,6 +17,9 @@ configMapGenerator:
 - name: xactfetch
 envs:
 - xactfetch.env
+- name: xactfetch-secrets
+ files:
+ - secrets.toml
 - name: xactfetch-rbw
 files:
 - config.json=rbw-config.json
diff --git a/xactfetch/secrets.toml b/xactfetch/secrets.toml
new file mode 100644
index 0000000..f1c918f
--- /dev/null
+++ b/xactfetch/secrets.toml
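Review bot: The new generator entry `- name: xactfetch-secrets` produces a ConfigMap whose name suggests it holds secret material, while the actual Secret mounted through the volume of the same name in xactfetch.yaml is `secretName: xactfetch`. Looking at secrets.toml, the file holds only lookup rules (`exec`, `path`, `string`) plus account usernames, so a ConfigMap is defensible; still, anyone with ConfigMap read access in the namespace can see those usernames and the exact `rbw` invocations, and if that is considered sensitive the file belongs under `secretGenerator` instead. Either way a less misleading name such as `xactfetch-secretsocket` (with the matching `configMap: name:` entries in xactfetch.yaml) would make it harder for a future maintainer to drop real credentials into a ConfigMap.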
@@ -0,0 +1,29 @@
+['firefly.token']
+exec = 'rbw get xactfetch'
+
+['firefly.import.secret']
+path = '/run/secrets/xactfetch/firefly-import.secret'
+
+['firefly.import.username']
+string = 'svc.xactfetch'
+
+['firefly.import.password']
+path = '/run/secrets/xactfetch/firefly-import.password'
+
+['bank.commerce.username']
+string = 'admiraln3mo'
+
+['bank.commerce.password']
+exec = '''rbw get --folder Websites 'Commerce Bank' admiraln3mo'''
+
+['bank.commerce.otp']
+exec = '''rbw code --folder Websites 'Commerce Bank' admiraln3mo'''
+
+['bank.chase.username']
+string = 'AdmiralN3mo'
+
+['bank.chase.password']
+exec = '''rbw get --folder Websites Chase AdmiralN3mo'''
+
+['bank.chase.otp']
+exec = 'chase2fa'
diff --git a/xactfetch/xactfetch.yaml b/xactfetch/xactfetch.yaml
index 757cfa4..ec52d55 100644
--- a/xactfetch/xactfetch.yaml
+++ b/xactfetch/xactfetch.yaml
@@ -44,9 +44,6 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 volumeMounts:
- - mountPath: /etc/rbw
- name: xactfetch-rbw
- readOnly: true
 - mountPath: /run/secrets/xactfetch
 name: xactfetch-secrets
 readOnly: true
@@ -56,6 +53,9 @@ spec:
 - mountPath: /var/lib/xactfetch
 name: xactfetch-data
 subPath: data
+ - mountPath: /var/lib/xactfetch/.config/rbw
+ name: xactfetch-rbw
+ readOnly: true
 containers:
 - name: xactfetch
 image: git.pyrocufflink.net/packages/xactfetch
@@ -67,9 +67,6 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 volumeMounts:
- - mountPath: /etc/rbw
- name: xactfetch-rbw
- readOnly: true
 - mountPath: /run/secrets/xactfetch
 name: xactfetch-secrets
 readOnly: true
@@ -79,6 +76,13 @@ spec:
 - mountPath: /var/lib/xactfetch
 name: xactfetch-data
 subPath: data
+ - mountPath: /var/lib/xactfetch/.config/rbw
+ name: xactfetch-rbw
+ readOnly: true
+ - mountPath: /var/lib/xactfetch/secrets.toml
+ name: xactfetch-secrets-config
+ subPath: secrets.toml
+ readOnly: true
 nodeSelector:
 kubernetes.io/arch: amd64
 securityContext:
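Review bot: secrets.toml has no header explaining how secretsocket treats each table, so a reader has to guess that `exec` runs a command, `path` reads a file and `string` is a literal, and the single quotes around `'Commerce Bank'` inside the `'''…'''` values suggest the `exec` strings are handed to a shell — worth confirming and stating, since the quoting rules follow from it. The `path` entries depend on the `/run/secrets/xactfetch` mount of the `xactfetch` Secret in xactfetch.yaml, and every `exec` entry is a command run with the xactfetch container's identity, so whoever can edit this ConfigMap decides what gets executed there. A three-line header would cover it: `# secretsocket lookup table for xactfetch: one [table] per secret name.` / `# exec = command to run, path = file to read, string = literal value; use exactly one per table.` / `# path entries must match the /run/secrets/xactfetch Secret mount in xactfetch.yaml.`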
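Review bot: The `secrets.toml` mount added in hunk `@@ -79,6 +76,13 @@` (and again in `@@ -180,6 +184,13 @@`) uses `subPath: secrets.toml`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so an edited config only reaches the container after a pod restart; with kustomize's default name-suffix hash the pod template changes whenever secrets.toml changes, which makes this acceptable, but that dependency is invisible here and deserves `# subPath mounts never refresh; relies on the configMapGenerator hash suffix to replace the pod`. The `xactfetch-rbw` mount at `/var/lib/xactfetch/.config/rbw` (also in `@@ -56,6 +53,9 @@` and `@@ -157,6 +161,9 @@`) only works if the container's HOME is `/var/lib/xactfetch`, which the pod spec does not set and so presumably comes from the image; `# rbw reads $HOME/.config/rbw — assumes the image sets HOME=/var/lib/xactfetch (XDG_CONFIG_HOME is no longer set)` would record that. Both new mounts keep `readOnly: true` alongside `readOnlyRootFilesystem: true`, which is the right posture for configuration that names commands to execute.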
@@ -94,6 +98,9 @@ spec:
 - name: xactfetch-rbw
 configMap:
 name: xactfetch-rbw
+ - name: xactfetch-secrets-config
+ configMap:
+ name: xactfetch-secrets
 - name: xactfetch-secrets
 secret:
 secretName: xactfetch
@@ -145,9 +152,6 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 volumeMounts:
- - mountPath: /etc/rbw
- name: xactfetch-rbw
- readOnly: true
 - mountPath: /run/secrets/xactfetch
 name: xactfetch-secrets
 readOnly: true
@@ -157,6 +161,9 @@ spec:
 - mountPath: /var/lib/xactfetch
 name: xactfetch-data
 subPath: data
+ - mountPath: /var/lib/xactfetch/.config/rbw
+ name: xactfetch-rbw
+ readOnly: true
 containers:
 - name: xactfetch
 image: git.pyrocufflink.net/packages/xactfetch
@@ -168,9 +175,6 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 volumeMounts:
- - mountPath: /etc/rbw
- name: xactfetch-rbw
- readOnly: true
 - mountPath: /run/secrets/xactfetch
 name: xactfetch-secrets
 readOnly: true
@@ -180,6 +184,13 @@ spec:
 - mountPath: /var/lib/xactfetch
 name: xactfetch-data
 subPath: data
+ - mountPath: /var/lib/xactfetch/.config/rbw
+ name: xactfetch-rbw
+ readOnly: true
+ - mountPath: /var/lib/xactfetch/secrets.toml
+ name: xactfetch-secrets-config
+ subPath: secrets.toml
+ readOnly: true
 nodeSelector:
 kubernetes.io/arch: amd64
 securityContext:
@@ -195,6 +206,9 @@ spec:
 - name: xactfetch-rbw
 configMap:
 name: xactfetch-rbw
+ - name: xactfetch-secrets-config
+ configMap:
+ name: xactfetch-secrets
 - name: xactfetch-secrets
 secret:
 secretName: xactfetch