package main
import (
	"context"
	"fmt"
	"io"
	"os"
	"path"
	"path/filepath"
	"strings"
	"time"

	"filippo.io/age"
	"filippo.io/age/armor"
	"github.com/RocketChat/k8s-secrets-backup/internal/options"
	"github.com/RocketChat/k8s-secrets-backup/internal/services"
	"github.com/joho/godotenv"
	"github.com/rs/zerolog/log"
	"github.com/sethvargo/go-envconfig"
)
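// main dumps the selected Kubernetes secrets to a YAML file, encrypts that file
// to the configured age recipient, uploads the ciphertext to S3, and removes the
// plaintext dump from disk. Any failure before upload is fatal.
func main() {
	// Best-effort: a missing .env is normal when configuration comes from the
	// real environment (e.g. in-cluster), so the error is intentionally ignored.
	_ = godotenv.Load()

	// Read configuration from the environment and validate it before touching
	// the cluster or the filesystem.
	var opts options.Options
	if err := envconfig.Process(context.Background(), &opts); err != nil {
		log.Fatal().Err(err).Msg("Failed to process environment variables")
	}
	if err := opts.Validate(); err != nil {
		log.Fatal().Err(err).Msg("Invalid configuration")
	}

	k8sService, err := services.NewK8sService()
	if err != nil {
		log.Fatal().Err(err).Msg("Failed to create k8s service")
	}

	clusterName, err := k8sService.GetClusterName(&opts)
	if err != nil {
		log.Fatal().Err(err).Msg("Failed to get cluster name")
	}

	// Build the plaintext file name, the encrypted file name and the S3 key.
	// A label key/value may contain '/', which must not become a path separator.
	var baseFileName string
	if opts.Secret.Name == "" {
		baseFileName = fmt.Sprintf("%s-%s-%s", clusterName, opts.Secret.LabelKey, opts.Secret.LabelValue)
		baseFileName = strings.ReplaceAll(baseFileName, "/", "_")
	} else {
		baseFileName = fmt.Sprintf("%s-%s", clusterName, opts.Secret.Name)
	}
	timeStamp := time.Now().UTC().Format("2006-01-02_15-04-05") // YYYY-MM-DD_HH-MM-SS
	fileName := fmt.Sprintf("%s-%s.yaml", baseFileName, timeStamp)
	encryptedFileName := fileName + ".age.asc"
	// S3 keys are always '/'-separated, so path (not filepath) is correct here.
	s3key := path.Join(opts.S3.Path, encryptedFileName)
	log.Info().Msgf("not encrypted secrets file name: %s", fileName)
	log.Info().Msgf("encrypted secrets file name: %s", encryptedFileName)
	log.Info().Msgf("s3 key: %s", s3key)

	// Set up the upload target before any plaintext secret is written to disk,
	// so a broken S3 configuration fails without leaving secrets behind.
	s3Service, err := services.NewS3Service(&opts.S3)
	if err != nil {
		log.Fatal().Err(err).Msg("Failed to create s3 service")
	}

	// Dump the secrets as plaintext YAML. encryptSecretsFile reads the dump
	// from opts.BackupDir, so that is where the plaintext lives.
	plaintextPath := filepath.Join(opts.BackupDir, fileName)
	if err = k8sService.GetSecrets(fileName, &opts); err != nil {
		log.Fatal().Err(err).Msg("Failed to save secrets into yaml file")
	}

	if err = encryptSecretsFile(opts, fileName, encryptedFileName); err != nil {
		// Do not leave the unencrypted dump behind on failure either.
		if rmErr := os.Remove(plaintextPath); rmErr != nil {
			log.Error().Err(rmErr).Msgf("Failed to remove plaintext secrets file %s", plaintextPath)
		}
		log.Fatal().Err(err).Msg("Failed to encrypt secrets file")
	}
	log.Info().Msgf("File '%s' encrypted to '%s'", fileName, encryptedFileName)

	// The plaintext dump has served its purpose; remove it so cluster secrets
	// do not linger unencrypted on the node/volume. Failure here is logged, not
	// fatal, so the encrypted backup is still uploaded.
	if err = os.Remove(plaintextPath); err != nil {
		log.Error().Err(err).Msgf("Failed to remove plaintext secrets file %s", plaintextPath)
	}

	if err = s3Service.UploadFile(&opts, s3key, encryptedFileName); err != nil {
		log.Fatal().Err(err).Msg("Failed to upload file to S3")
	}
	log.Info().Msgf("File uploaded successfully!")
}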
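// encryptSecretsFile encrypts opts.BackupDir/fileName to opts.BackupDir/encryptedFile
// as an ASCII-armored age file for the X25519 recipient in opts.AgePublicKey.
//
// Unlike a log.Fatal-based implementation, every failure is returned to the
// caller, and the Close calls on the age writer, the armor writer and the
// output file are checked: the age writer only finalizes the last chunk on
// Close, and the armor writer only emits its footer on Close, so an unchecked
// Close could leave a truncated ciphertext that is then uploaded as "success".
//
// Returns nil only when the complete ciphertext has been written and closed.
func encryptSecretsFile(opts options.Options, fileName string, encryptedFile string) (err error) {
	// Parse the recipient first so a bad key fails before any file is created.
	recipient, err := age.ParseX25519Recipient(opts.AgePublicKey)
	if err != nil {
		return fmt.Errorf("parsing age recipient public key: %w", err)
	}

	in, err := os.Open(filepath.Join(opts.BackupDir, fileName))
	if err != nil {
		return fmt.Errorf("opening plaintext secrets file: %w", err)
	}
	// Read-only handle; a Close error here cannot affect the ciphertext.
	defer in.Close()

	// 0600: the ciphertext is still a backup of cluster secrets, and the
	// recipient key may be in use elsewhere; keep the file owner-only.
	outPath := filepath.Join(opts.BackupDir, encryptedFile)
	out, err := os.OpenFile(outPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return fmt.Errorf("creating encrypted output file: %w", err)
	}
	defer func() {
		// A failed close can mean buffered data never reached the file.
		if cerr := out.Close(); cerr != nil && err == nil {
			err = fmt.Errorf("closing encrypted output file: %w", cerr)
		}
	}()

	aw := armor.NewWriter(out)
	encWriter, err := age.Encrypt(aw, recipient)
	if err != nil {
		return fmt.Errorf("creating age encryption writer: %w", err)
	}

	if _, err = io.Copy(encWriter, in); err != nil {
		return fmt.Errorf("encrypting secrets file: %w", err)
	}

	// Order matters: finalize the age stream first, then the armor footer.
	if err = encWriter.Close(); err != nil {
		return fmt.Errorf("finalizing age encryption: %w", err)
	}
	if err = aw.Close(); err != nil {
		return fmt.Errorf("finalizing ASCII armor: %w", err)
	}
	return nil
}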