omegasquad82 / concourse-k0sctl
Containerimage and Concourse-ci pipeline to manage k0s clusters with k0sctl by https://k0sproject.io

License: MIT License

Dockerfile 20.64% Shell 79.36%
concourse-pipeline container-image k0s kubernetes

Contributors: dependabot[bot], omegasquad82, renovate[bot]

concourse-k0sctl's Issues

Dependency Management for Alpine packages

Create configuration and comments for @renovatebot's repology-datasource (https://docs.renovatebot.com/modules/datasource/#repology-datasource) on all versioned packages in the Dockerfile

  • make Repology known to renovate.json
  • pull out all versions to environment
  • create a repology comment on variables
  • test if this works within the branch

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
Dockerfile
  • docker/dockerfile 1.4
  • alpine 3.18.3
github-actions
.github/workflows/anchore.yml
  • actions/checkout v4
  • anchore/scan-action 966ad43c0c7aa23b622e7605e9c48be50da4dbc2
  • github/codeql-action v2
.github/workflows/buildx-ci.yml
  • actions/checkout v4
  • docker/setup-buildx-action v3
  • docker/login-action v3
  • docker/build-push-action v5
  • docker/build-push-action v5
.github/workflows/codacy.yml
  • actions/checkout v4
  • codacy/codacy-analysis-cli-action 3b66437c0b315d8b5da4c2471860f7377c3dbcd4
  • github/codeql-action v2
pre-commit
.pre-commit-config.yaml
  • pre-commit/pre-commit-hooks v4.4.0
  • pre-commit/mirrors-prettier v3.0.3
  • jumanjihouse/pre-commit-hooks 3.0.0
  • hadolint/hadolint v2.12.0
regex
Dockerfile
  • alpine_3_17/bash 5.2.15-r0
  • alpine_3_17/coreutils 9.1-r0
  • alpine_3_17/curl 8.3.0-r0
  • alpine_3_17/git 2.38.5-r0
  • alpine_3_17/gnupg 2.2.40-r0
  • alpine_3_17/grep 3.8-r1
  • alpine_3_17/k0sctl 0.14.0-r6
  • alpine_3_17/mtr 0.95-r1
  • alpine_3_17/openssl 3.0.11-r0

  • Check this box to trigger a request for Renovate to run again on this repository

Backups are unencrypted

Currently the backup archives are directly pushed to git w/o prior encryption. Implement a scheme derived from the k0sproject.io example

  • extend the Dockerfile by installing the gnupg
  • extend the Pipeline's parameters by taking a GPG key.
  • duplicate the printHeading as printFunction with less visual intrusiveness and shorter length.
  • create function prepareGPG() to import a gpg_pair into its configuration.
  • create a function mkpw() which uses graphical characters and 24 chars default length
  • call it in the init Job and encrypt the password with said GPG key, store it as file secret.gpg.
  • use the secret and openssl enc to encrypt a new backup
  • dynamically decrypt the 'secret.gpg' file from the backup repository and use it to decrypt a backup to be restored
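The scheme sketched in the task list above, written out as an added shell example that is not the project's own k0sctl-handler.sh code. The function names (mkpw, prepare_gpg, wrap_secret, unwrap_secret, encrypt_backup, decrypt_backup) and the file names secret.txt, secret.gpg and backup.tar.enc are assumptions; the GPG key id is a placeholder supplied by the caller. The demo only exercises the openssl half with a constructed payload, because the GPG wrapping needs a real key pair from the pipeline's parameters.

```shell
#!/bin/sh
# Added example (not the project's code): backup encryption scheme from the
# "Backups are unencrypted" issue. All function and file names are assumed.

# mkpw: random password built from graphical ASCII characters,
# default length 24 (first argument overrides the length).
mkpw() {
    len="${1:-24}"
    LC_ALL=C tr -dc '[:graph:]' </dev/urandom | head -c "$len"
}

# prepare_gpg: import the exported key pair handed in via a pipeline
# parameter so that wrap_secret/unwrap_secret can use it.
prepare_gpg() {  # prepare_gpg gpg_pair.asc
    gpg --batch --quiet --import "$1"
}

# wrap_secret: encrypt the generated password file to secret.gpg for KEYID,
# so only the holder of the private key can recover the backup password.
wrap_secret() {  # wrap_secret KEYID secret.txt secret.gpg
    gpg --batch --yes --quiet --trust-model always \
        --recipient "$1" --output "$3" --encrypt "$2"
}

# unwrap_secret: recover the password file from secret.gpg at restore time.
unwrap_secret() {  # unwrap_secret secret.gpg secret.txt
    gpg --batch --yes --quiet --output "$2" --decrypt "$1"
}

# encrypt_backup: symmetric AES-256-CBC with a PBKDF2-derived key and a
# random salt, read from the password file, so the archive can sit in git.
encrypt_backup() {  # encrypt_backup PASSFILE IN OUT
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_backup: the inverse of encrypt_backup.
decrypt_backup() {  # decrypt_backup PASSFILE IN OUT
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"
}

# demo_roundtrip: constructed sample backup -> encrypt -> decrypt -> compare.
# Prints "ok" on success; also checks the ciphertext does not carry the
# plaintext marker. Exercises only the openssl half (no key pair needed).
demo_roundtrip() {
    work=$(mktemp -d)
    printf 'constructed k0s backup payload\n' >"$work/backup.tar"
    mkpw >"$work/secret.txt"
    encrypt_backup "$work/secret.txt" "$work/backup.tar" "$work/backup.tar.enc"
    if grep -q 'constructed' "$work/backup.tar.enc"; then
        rm -rf "$work"; echo "plaintext leaked"; return 1
    fi
    decrypt_backup "$work/secret.txt" "$work/backup.tar.enc" "$work/restored.tar"
    if cmp -s "$work/backup.tar" "$work/restored.tar"; then
        rm -rf "$work"; echo ok
    else
        rm -rf "$work"; echo mismatch; return 1
    fi
}

# Usage: ./backup-crypto.sh demo   (or source the file and call the functions)
case "${1:-}" in
    demo) demo_roundtrip ;;
esac
```

In the pipeline flow the init Job would call mkpw once, wrap the result with wrap_secret and commit only secret.gpg and backup.tar.enc; the restore side runs prepare_gpg, unwrap_secret and decrypt_backup in that order. The password file itself never leaves the task container.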

Formatting not enforced

Currently we've got many warnings for the README.md file generated by code scanning. This indicates a lack of configuration.

  • create an .editorconfig
  • create a .prettierrc
  • enable prettier option to use the editorconfig
  • enable prettier to proseWrap markdown on print width
  • use no-commit-to-branch in the pre-commit-config

Separate restore Job is superfluous for existing clusters

As the restore Job relies on executing 'k0sctl apply --restore-from=' it would install the cluster with the values from the k0sctl.yaml but restore the cluster's state if and only if the cluster has been reset upfront. Judging by the initial and current restore.go source it seems that the module would only proceed if there is no running installation. It therefore seems unnecessary to have a separate restore Job when it's functionally equivalent to the install job employing 'k0sctl apply' but without any prior backups.

  • in k0sctl-handler.sh move the restore functionality to the install part
  • add the backup resource to the install Job in the pipeline
  • remove the restore Job from the pipeline

Documentation is missing

There is no documentation, provide meaningful descriptions of the pipeline, an example parameterization and screenshots.

  • redesign the parameter interface
  • provide an example var-file
  • create descriptions
  • create screenshots

SSH keys for control plane and data plane are shared

We have some trust in the security of Concourse's backing secrets store, however sharing the key pair between the controllers and workers can be considered unsafe in case either private key has been leaked. At least two sets of SSH keys should be used when managing clusters. In extremo one key per node might be desirable, which is out of scope for this issue.

  • add k0sctl.ssh data structure
  • let every element of this be a name:keydata attribute
  • create a new task prepare-ssh-keys to write from the data structure to its ssh output
  • create a new input ssh to the k0sctl-task to propagate keys to the handler
  • update the k0sctl-handler by adding K0SCTL_SSH_DIR variable
  • update the k0sctl-handler with code that copies the contents of the K0SCTL_SSH_DIR to the ~/.ssh directory
  • remove from k0sctl-handler all other ssh-related coding
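The key-handling steps above, as an added shell example that is not the project's k0sctl-handler.sh. It assumes the prepare-ssh-keys task writes one file per name:keydata element into a directory, and that the handler then installs that directory into ~/.ssh; the function names (write_key, install_ssh_keys, check_key_modes) and the K0SCTL_SSH_DIR default are assumptions, and the key material in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not the project's code): separate SSH key sets for
# controllers and workers, from the "SSH keys ... are shared" issue.

# write_key DIR NAME KEYDATA: materialise one name:keydata element as
# DIR/NAME, created with mode 0600 via umask so it is never world-readable.
write_key() {
    ( umask 077; printf '%s\n' "$3" >"$1/$2" )
}

# install_ssh_keys SRC_DIR [DEST_DIR]: copy every key file from the task's
# ssh output (default K0SCTL_SSH_DIR) into ~/.ssh with strict modes.
install_ssh_keys() {
    src="${1:-${K0SCTL_SSH_DIR:-/tmp/ssh}}"
    dest="${2:-$HOME/.ssh}"
    mkdir -p "$dest"
    chmod 700 "$dest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/"
        chmod 600 "$dest/$(basename "$f")"
    done
}

# check_key_modes DIR: print "ok" when the directory is 0700 and every
# file in it is exactly 0600; otherwise print the offending entries.
check_key_modes() {
    dir="$1"
    bad=$(find "$dir" -type f ! -perm 600; find "$dir" -maxdepth 0 ! -perm 700)
    if [ -z "$bad" ]; then
        echo ok
    else
        echo "$bad"; return 1
    fi
}

# demo_keys: constructed controller/worker key pair names with placeholder
# data, written to a temp "ssh output" and installed into a temp HOME.
demo_keys() {
    out=$(mktemp -d)
    home=$(mktemp -d)
    write_key "$out" controller 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY'
    write_key "$out" worker 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY'
    install_ssh_keys "$out" "$home/.ssh"
    res=$(check_key_modes "$home/.ssh")
    rm -rf "$out" "$home"
    echo "$res"
}

case "${1:-}" in
    demo) demo_keys ;;
esac
```

Keeping one file per element lets the k0sctl.yaml reference a distinct keyPath for the control plane hosts and for the workers, which is what removes the shared-key exposure the issue describes; check_key_modes is the kind of assertion a smoke test can run after the handler has copied the keys.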

Create proper smoke tests

Currently the image is being tested via an instantiated pipeline in my private Concourse installation. There should be one for every step callable by k0sctl-handler.sh.

  • version
  • install
  • uninstall
  • backup

CI is cluttered

Please check which of the code scanning is really necessary and consolidate it into the buildx-ci.yml!
