BlackthornYugen · December 16, 2022 13:40
diff --git a/generate-pki-from-gpg-truststore.sh b/generate-pki-from-gpg-truststore.sh
 #!/usr/bin/env bash

 set -e

 if [ -f "$MY_SECRETS" ] ; then
  echo "Verified that MY_SECRETS is set."
 elif [ -z "$GITLAB_ACCESS_TOKEN" ] ; then
  echo "MY_SECRETS needs to be created but GITLAB_ACCESS_TOKEN was not set. Cannot deploy PKI."
  exit 1
 else
  echo "MY_SECRETS is missing and will be regenerated."
  export GZIP=-9
  export TMPDIR=/dev/shm
  CA_WORKSPACE=$(mktemp --directory)

  function finish {
    sha256sum "$CA_WORKSPACE/"*
    shred --iterations=5 --verbose "$CA_WORKSPACE/"*
    sha256sum "$CA_WORKSPACE/"*
    rm -rv "$CA_WORKSPACE"
  }

  trap finish EXIT

  dd if=/dev/urandom count=1 bs=63 | base64 --wrap=0 > "$CA_WORKSPACE/password.txt"

  openssl req \
          -passout "file:$CA_WORKSPACE/password.txt" \
          -newkey ec:<(openssl ecparam -name prime256v1) \
          -new \
          -x509 \
          -days 365 \
          -keyout "$CA_WORKSPACE/ca.key" \
          -out "$CA_WORKSPACE/ca.crt" \
          -subj '/C=CA/ST=ON/L=OpenAI/O=BETA'

  openssl req \
          -nodes \
          -newkey ec:<(openssl ecparam -name prime256v1) \
          -new \
          -keyout "$CA_WORKSPACE/open-ai-system-tests.key" \
          -subj '/C=CA/ST=ON/L=OpenAI/O=BETA/CN=open-ai-system-tests' |
    openssl x509 \
          -passin "file:$CA_WORKSPACE/password.txt" \
          -req \
          -in /dev/stdin \
          -CA "$CA_WORKSPACE/ca.crt" \
          -CAkey "$CA_WORKSPACE/ca.key" \
          -out "$CA_WORKSPACE/open-ai-system-tests.pem" \
          -CAcreateserial \
          -CAserial "$CA_WORKSPACE/tmp.srl" \
          -days 365 \
          -sha256

  openssl pkcs12 \
          -export \
          -clcerts \
          -in "$CA_WORKSPACE/open-ai-system-tests.pem" \
          -inkey "$CA_WORKSPACE/open-ai-system-tests.key" \
          -out "$CA_WORKSPACE/open-ai-system-tests.p12" \
          -passout="pass:"

  curl --silent \
       --header "PRIVATE-TOKEN: $GITLAB_ACCESS_TOKEN" \
       --request DELETE \
       "$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/variables/OPEN_AI_CRT_P12_B64" | jq '.'

  OPEN_AI_CRT_P12_B64="$(base64 --wrap=0 "$CA_WORKSPACE/open-ai-system-tests.p12")"
  curl --silent --header "PRIVATE-TOKEN: $GITLAB_ACCESS_TOKEN" "$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/variables" \
       --form "key=OPEN_AI_CRT_P12_B64" \
       --form "masked=true" \
       --form "value=$OPEN_AI_CRT_P12_B64" | jq '.'

  MY_SECRETS=$(mktemp)
  tee "$MY_SECRETS" <<_EOF
 apiVersion: v1
 metadata:
  annotations:
    ci.pipeline.job.started-at: $CI_JOB_STARTED_AT
    ci.pipeline.url: $CI_PIPELINE_URL
    ci.pipeline.runner.token: $CI_RUNNER_SHORT_TOKEN
    ci.pipeline.runner.version: $CI_RUNNER_VERSION
 data:
  ca.crt: "$(base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
 kind: Secret
 metadata:
  name: client-ca
 type: Opaque
 ---
 apiVersion: v1
 metadata:
  annotations:
    ci.pipeline.job.started-at: $CI_JOB_STARTED_AT
    ci.pipeline.url: $CI_PIPELINE_URL
    ci.pipeline.runner.token: $CI_RUNNER_SHORT_TOKEN
    ci.pipeline.runner.version: $CI_RUNNER_VERSION
 data:
  ca.crt: "$( base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
  tls.ca: "$( base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
  tls.crt: "$(base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
  tls.key: "$(base64 --wrap=0 "$CA_WORKSPACE/ca.key")"
 kind: Secret
 metadata:
  name: ca-cert-wild
 type: kubernetes.io/tls
 _EOF

  curl --silent --header "PRIVATE-TOKEN: $GITLAB_ACCESS_TOKEN" "$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/variables" \
    --form "key=MY_SECRETS" \
    --form "variable_type=file" \
    --form "value=$(cat "$MY_SECRETS")"

  for email in $(gpg --list-keys | grep -E "<" | sed -E 's/.*<(.*)>.*/\1/'); do
      USER_WORKSPACE=$(mktemp --directory)
      dd if=/dev/urandom count=1 bs=33 | base64 --wrap=0 > "$USER_WORKSPACE/password.txt"

      openssl req \
                -passout "file:$USER_WORKSPACE/password.txt" \
                -newkey ec:<(openssl ecparam -name prime256v1) \
                -new \
                -keyout "$USER_WORKSPACE/open-ai-client.key.pem" \
                -subj '/C=CA/ST=ON/L=OpenAI/O=BETA/CN='"$email" |
        openssl x509 \
                -passin "file:$CA_WORKSPACE/password.txt" \
                -req \
                -in /dev/stdin \
                -CA "$CA_WORKSPACE/ca.crt" \
                -CAkey "$CA_WORKSPACE/ca.key" \
                -out "$USER_WORKSPACE/open-ai-client.crt.pem" \
                -CAcreateserial \
                -CAserial "$CA_WORKSPACE/tmp.srl" \
                -days 365 \
                -sha256

      openssl pkcs12 \
                -export \
                -clcerts \
                -in "$USER_WORKSPACE/open-ai-client.crt.pem" \
                -inkey "$USER_WORKSPACE/open-ai-client.key.pem" \
                -out "$USER_WORKSPACE/open-ai-client.p12" \
                -password "file:$USER_WORKSPACE/password.txt" \
                -passin "file:/$USER_WORKSPACE/password.txt"

      openssl verify -verbose -CAfile "$CA_WORKSPACE/ca.crt" "$CA_WORKSPACE/ca.crt" "$USER_WORKSPACE/open-ai-client.crt.pem"
      tar -C "$USER_WORKSPACE" -czf - . \
        | gpg --always-trust --encrypt --armor --recipient "$email" || echo "Encryption failed for $email"
      shred -v "$USER_WORKSPACE/password.txt"
      rm -vrf "$USER_WORKSPACE"
  done

  gpg --list-keys | grep -E "(john.doe|jane.smith)" | sed -E 's/.*<(.*)>.*/\1/' \
      | xargs -n1 echo --recipient \
      | xargs echo "tar -C \"$CA_WORKSPACE\" -czf - . | gpg --always-trust --encrypt --armor" \
      | bash -x

  trap - EXIT # Remove trap now that we are calling finish
  finish
 fi

 if [[ "${BASH_SOURCE[0]}" == "${0}" ]] ; then
    echo "WARNING: ${BASH_SOURCE[0]} must be called with . to export variables to your shell!"
    exit 1
 fi

 export MY_SECRETS
 export OPEN_AI_CRT_P12_B64
	#!/usr/bin/env bash

	set -e

	if [ -f "$MY_SECRETS" ] ; then
	echo "Verified that MY_SECRETS is set."
	elif [ -z "$GITLAB_ACCESS_TOKEN" ] ; then
	echo "MY_SECRETS needs to be created but GITLAB_ACCESS_TOKEN was not set. Cannot deploy PKI."
	exit 1
	else
	echo "MY_SECRETS is missing and will be regenerated."
	export GZIP=-9
	export TMPDIR=/dev/shm
	CA_WORKSPACE=$(mktemp --directory)

	function finish {
	sha256sum "$CA_WORKSPACE/"*
	shred --iterations=5 --verbose "$CA_WORKSPACE/"*
	sha256sum "$CA_WORKSPACE/"*
	rm -rv "$CA_WORKSPACE"
	}

	trap finish EXIT

	dd if=/dev/urandom count=1 bs=63 \| base64 --wrap=0 > "$CA_WORKSPACE/password.txt"

	openssl req \
	-passout "file:$CA_WORKSPACE/password.txt" \
	-newkey ec:<(openssl ecparam -name prime256v1) \
	-new \
	-x509 \
	-days 365 \
	-keyout "$CA_WORKSPACE/ca.key" \
	-out "$CA_WORKSPACE/ca.crt" \
	-subj '/C=CA/ST=ON/L=OpenAI/O=BETA'

	openssl req \
	-nodes \
	-newkey ec:<(openssl ecparam -name prime256v1) \
	-new \
	-keyout "$CA_WORKSPACE/open-ai-system-tests.key" \
	-subj '/C=CA/ST=ON/L=OpenAI/O=BETA/CN=open-ai-system-tests' \|
	openssl x509 \
	-passin "file:$CA_WORKSPACE/password.txt" \
	-req \
	-in /dev/stdin \
	-CA "$CA_WORKSPACE/ca.crt" \
	-CAkey "$CA_WORKSPACE/ca.key" \
	-out "$CA_WORKSPACE/open-ai-system-tests.pem" \
	-CAcreateserial \
	-CAserial "$CA_WORKSPACE/tmp.srl" \
	-days 365 \
	-sha256

	openssl pkcs12 \
	-export \
	-clcerts \
	-in "$CA_WORKSPACE/open-ai-system-tests.pem" \
	-inkey "$CA_WORKSPACE/open-ai-system-tests.key" \
	-out "$CA_WORKSPACE/open-ai-system-tests.p12" \
	-passout="pass:"

	curl --silent \
	--header "PRIVATE-TOKEN: $GITLAB_ACCESS_TOKEN" \
	--request DELETE \
	"$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/variables/OPEN_AI_CRT_P12_B64" \| jq '.'

	OPEN_AI_CRT_P12_B64="$(base64 --wrap=0 "$CA_WORKSPACE/open-ai-system-tests.p12")"
	curl --silent --header "PRIVATE-TOKEN: $GITLAB_ACCESS_TOKEN" "$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/variables" \
	--form "key=OPEN_AI_CRT_P12_B64" \
	--form "masked=true" \
	--form "value=$OPEN_AI_CRT_P12_B64" \| jq '.'

	MY_SECRETS=$(mktemp)
	tee "$MY_SECRETS" <<_EOF
	apiVersion: v1
	metadata:
	annotations:
	ci.pipeline.job.started-at: $CI_JOB_STARTED_AT
	ci.pipeline.url: $CI_PIPELINE_URL
	ci.pipeline.runner.token: $CI_RUNNER_SHORT_TOKEN
	ci.pipeline.runner.version: $CI_RUNNER_VERSION
	data:
	ca.crt: "$(base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
	kind: Secret
	metadata:
	name: client-ca
	type: Opaque
	---
	apiVersion: v1
	metadata:
	annotations:
	ci.pipeline.job.started-at: $CI_JOB_STARTED_AT
	ci.pipeline.url: $CI_PIPELINE_URL
	ci.pipeline.runner.token: $CI_RUNNER_SHORT_TOKEN
	ci.pipeline.runner.version: $CI_RUNNER_VERSION
	data:
	ca.crt: "$( base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
	tls.ca: "$( base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
	tls.crt: "$(base64 --wrap=0 "$CA_WORKSPACE/ca.crt")"
	tls.key: "$(base64 --wrap=0 "$CA_WORKSPACE/ca.key")"
	kind: Secret
	metadata:
	name: ca-cert-wild
	type: kubernetes.io/tls
	_EOF

	curl --silent --header "PRIVATE-TOKEN: $GITLAB_ACCESS_TOKEN" "$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/variables" \
	--form "key=MY_SECRETS" \
	--form "variable_type=file" \
	--form "value=$(cat "$MY_SECRETS")"

	for email in $(gpg --list-keys \| grep -E "<" \| sed -E 's/.<(.)>.*/\1/'); do
	USER_WORKSPACE=$(mktemp --directory)
	dd if=/dev/urandom count=1 bs=33 \| base64 --wrap=0 > "$USER_WORKSPACE/password.txt"

	openssl req \
	-passout "file:$USER_WORKSPACE/password.txt" \
	-newkey ec:<(openssl ecparam -name prime256v1) \
	-new \
	-keyout "$USER_WORKSPACE/open-ai-client.key.pem" \
	-subj '/C=CA/ST=ON/L=OpenAI/O=BETA/CN='"$email" \|
	openssl x509 \
	-passin "file:$CA_WORKSPACE/password.txt" \
	-req \
	-in /dev/stdin \
	-CA "$CA_WORKSPACE/ca.crt" \
	-CAkey "$CA_WORKSPACE/ca.key" \
	-out "$USER_WORKSPACE/open-ai-client.crt.pem" \
	-CAcreateserial \
	-CAserial "$CA_WORKSPACE/tmp.srl" \
	-days 365 \
	-sha256

	openssl pkcs12 \
	-export \
	-clcerts \
	-in "$USER_WORKSPACE/open-ai-client.crt.pem" \
	-inkey "$USER_WORKSPACE/open-ai-client.key.pem" \
	-out "$USER_WORKSPACE/open-ai-client.p12" \
	-password "file:$USER_WORKSPACE/password.txt" \
	-passin "file:/$USER_WORKSPACE/password.txt"

	openssl verify -verbose -CAfile "$CA_WORKSPACE/ca.crt" "$CA_WORKSPACE/ca.crt" "$USER_WORKSPACE/open-ai-client.crt.pem"
	tar -C "$USER_WORKSPACE" -czf - . \
	\| gpg --always-trust --encrypt --armor --recipient "$email" \|\| echo "Encryption failed for $email"
	shred -v "$USER_WORKSPACE/password.txt"
	rm -vrf "$USER_WORKSPACE"
	done

	gpg --list-keys \| grep -E "(john.doe\|jane.smith)" \| sed -E 's/.<(.)>.*/\1/' \
	\| xargs -n1 echo --recipient \
	\| xargs echo "tar -C \"$CA_WORKSPACE\" -czf - . \| gpg --always-trust --encrypt --armor" \
	\| bash -x

	trap - EXIT # Remove trap now that we are calling finish
	finish
	fi

	if [[ "${BASH_SOURCE[0]}" == "${0}" ]] ; then
	echo "WARNING: ${BASH_SOURCE[0]} must be called with . to export variables to your shell!"
	exit 1
	fi

	export MY_SECRETS
	export OPEN_AI_CRT_P12_B64