
Commit 36ec290

Merge pull request #60 from stackhpc/secret-fix
fix: handle encrypted `.yml` files correctly
2 parents 534a2d9 + b1bbd05 commit 36ec290


1 file changed

+24
-14
lines changed


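--- a/scripts/config-diff.sh
+++ b/scripts/config-diff.sh
@@ -30,16 +30,7 @@ function pre_config_init {
 }
 
 function post_config_init {
-KAYOBE_CONFIG_SECRET_PATHS_DEFAULT=(
-"etc/kayobe/kolla/passwords.yml"
-"etc/kayobe/secrets.yml"
-"etc/kayobe/environments/$KAYOBE_ENVIRONMENT/secrets.yml"
-"etc/kayobe/environments/$KAYOBE_ENVIRONMENT/kolla/passwords.yml"
-${KAYOBE_CONFIG_SECRET_PATHS_EXTRA[@]}
-)
-KAYOBE_CONFIG_SECRET_PATHS=("${KAYOBE_CONFIG_SECRET_PATHS[@]:-${KAYOBE_CONFIG_SECRET_PATHS_DEFAULT[@]}}")
-
-find_redacted_files "/stack/kayobe-automation-env/src/kayobe-config/etc/kayobe"
+find_redacted_files "/src/etc/kayobe"
 
 # Some values are currently determined dynamically from container versions
 export KAYOBE_AUTOMATION_CONFIG_DIFF_FLUENTD_BINARY="${KAYOBE_AUTOMATION_CONFIG_DIFF_FLUENTD_BINARY:-td-agent}"
@@ -51,21 +42,40 @@ function post_config_init {
 
 function find_redacted_files {
 KAYOBE_CONFIG_VAULTED_FILES_PATHS=()
+KAYOBE_CONFIG_SECRET_PATHS=()
 local directory="$1"
 
-echo $directory
+# Define forbidden paths patterns
+KAYOBE_CONFIG_FORBIDDEN_ENVIRONMENTS=(
+"aufn-ceph"
+"ci-aio"
+"ci-builder"
+"ci-multinode")
 
 # Search for vaulted files recursively in the directory
 while IFS= read -r -d '' file; do
-if grep -q "ANSIBLE_VAULT;1" "$file"; then
+# Check if the file path contains any forbidden path patterns
+local ignore_file=false
+for pattern in "${KAYOBE_CONFIG_FORBIDDEN_ENVIRONMENTS[@]}"; do
+if [[ "$file" == *"environments/${pattern}"* ]]; then
+ignore_file=true
+break
+fi
+done
+# Continue to the next file if this one should be ignored
+if [ "$ignore_file" = true ]; then
+continue
+fi
+if head -n 1 "$file" | grep -q "ANSIBLE_VAULT;1"; then
 truncated_path="${file#"$directory/"}"
 vaulted_file="etc/kayobe/$truncated_path"
-if ! [[ "${KAYOBE_CONFIG_SECRET_PATHS_DEFAULT[*]}" =~ "$vaulted_file" ]]; then
+if [[ "$vaulted_file" == *.yml ]]; then
+KAYOBE_CONFIG_SECRET_PATHS+=("etc/kayobe/$truncated_path")
+else
 KAYOBE_CONFIG_VAULTED_FILES_PATHS+=("etc/kayobe/$truncated_path")
 fi
 fi
 done < <(find "$directory" -type f -print0)
-echo ${KAYOBE_CONFIG_VAULTED_FILES_PATHS[*]}
 }
 
 function redact_file {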
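Review bot: With the default list and the `KAYOBE_CONFIG_SECRET_PATHS_EXTRA` hook removed from post_config_init, a path now lands in `KAYOBE_CONFIG_SECRET_PATHS` only when its first line carries `ANSIBLE_VAULT;1` and its name ends in `.yml`, so a `secrets.yml` or `passwords.yml` that was committed unencrypted, or an encrypted `.yaml` file, is no longer classified as a secret path and presumably is not redacted downstream. If the extra-paths hook is still meant to be supported, re-append it after the loop, e.g. `KAYOBE_CONFIG_SECRET_PATHS+=("${KAYOBE_CONFIG_SECRET_PATHS_EXTRA[@]}")` (guard the expansion if the script runs under `set -u`), and consider `[[ "$vaulted_file" == *.yml || "$vaulted_file" == *.yaml ]]` for the extension test. The exclusion `[[ "$file" == *"environments/${pattern}"* ]]` is a prefix match, so `ci-aio` also skips any environment whose name merely begins with `ci-aio`; anchoring on the separator, `*"environments/${pattern}/"*`, limits it to the named directory. post_config_init continues past the first hunk; find_redacted_files is complete within the second.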
