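--- a/bin/setup-local-gpg
+++ b/bin/setup-local-gpg
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+GNUPGHOME="$(mktemp -d)"
+export GNUPGHOME
+
+cat >"$GNUPGHOME/gpg-batch" <<EOF
+%echo Generating a basic OpenPGP key
+Key-Type: RSA
+Key-Length: 4096
+Name-Real: Local Test User
+Name-Email: [email protected]
+Expire-Date: 0
+%no-protection
+%commit
+%echo done
+EOF
+
+gpg --batch --generate-key "$GNUPGHOME/gpg-batch" >/dev/null 2>&1
+
+# SOPS needs this fingerprint to know which key to use
+FINGERPRINT=$(gpg --list-secret-keys --keyid-format LONG | grep sec | awk '{print $2}' | cut -d'/' -f2)
+
+echo "export GNUPGHOME='$GNUPGHOME'"
+echo "export CK8S_PGP_FP='$FINGERPRINT'"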
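Review bot: The `FINGERPRINT=` line parses gpg's human-readable listing, so what it exports is the 16-character long key ID from the `sec` line rather than the key's full fingerprint, and `grep sec` matches any other output line containing those letters (the listing normally also prints the keyring path, which here sits under a randomly named `mktemp` directory). The machine-readable output is the stable interface: `FINGERPRINT=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')`. Separately, both callers `eval` this script's stdout, and `GNUPGHOME` comes from `mktemp -d`, which honours `TMPDIR`; a `TMPDIR` containing a single quote would break out of the hand-written quoting, so `printf 'export GNUPGHOME=%q\n' "$GNUPGHOME"` is the safer way to emit it. The `>/dev/null 2>&1` on `--generate-key` also hides the reason when key generation fails; keeping stderr would make that failure diagnosable.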
31 changes: 29 additions & 2 deletions scripts/local-cluster.sh
@@ -296,16 +296,31 @@ config() {
export flavor
export ops_prefix

local config_path_was_unset=false
local pgp_key_was_unset=false

if [[ -z "${name}" ]] || [[ -z "${flavor}" ]] || [[ -z "${domain}" ]]; then
log.usage
fi

if [[ -z "${CK8S_CONFIG_PATH:-}" ]]; then
log.fatal "CK8S_CONFIG_PATH is unset"
config_path_was_unset=true
export CK8S_CONFIG_PATH="${HOME}/.ck8s/welkin-quick-start"
mkdir -p "${CK8S_CONFIG_PATH}"
log.info "CK8S_CONFIG_PATH is unset. Using default: ${CK8S_CONFIG_PATH}"
fi

if [[ -z "${CK8S_PGP_FP:-}" ]]; then
log.fatal "CK8S_PGP_FP is unset"
pgp_key_was_unset=true
if [[ -x "${ROOT}/bin/setup-local-gpg" ]]; then
eval "$("${ROOT}/bin/setup-local-gpg")"
log.info "CK8S_PGP_FP is unset. Using temp gpgkey: ${CK8S_PGP_FP}"
Contributor


Suggested change
log.info "CK8S_PGP_FP is unset. Using temp gpgkey: ${CK8S_PGP_FP}"
log.info "CK8S_PGP_FP is unset. Using temporary GPP key: ${CK8S_PGP_FP}"

log.info "Using temp GNUPGHOME: ${GNUPGHOME}"
Contributor


Suggested change
log.info "Using temp GNUPGHOME: ${GNUPGHOME}"
log.info "Using temp GNUPGHOME: ${GNUPGHOME}"
log.warn "Once this is cleared you will loose the ability to decrypt the secrets for this config path."

fi

if [[ -z "${CK8S_PGP_FP:-}" ]]; then
log.fatal "CK8S_PGP_FP is unset and automatic generation failed."
fi
fi

if ! [[ -d "${CK8S_CONFIG_PATH}" ]]; then
@@ -353,6 +368,18 @@ config() {
fi

"${ROOT}/bin/ck8s" init both

if [[ "${config_path_was_unset}" == "true" ]] || [[ "${pgp_key_was_unset}" == "true" ]]; then
log.info "Run these commands to configure your current shell session before creating cluster"
if [[ "${config_path_was_unset}" == "true" ]]; then
log.info "export CK8S_CONFIG_PATH='${CK8S_CONFIG_PATH}'"
fi

if [[ "${pgp_key_was_unset}" == "true" ]]; then
log.info "export CK8S_PGP_FP='${CK8S_PGP_FP}'"
log.info "export GNUPGHOME='${GNUPGHOME}'"
fi
fi
}

create() {
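Review bot: In the `CK8S_PGP_FP` branch of `config()`, `eval "$(...)"` discards the exit status of `setup-local-gpg`, and the two `log.info` lines expand `${CK8S_PGP_FP}` and `${GNUPGHOME}` before the emptiness check that follows the inner `if`. If the script runs with `set -u` (the `${VAR:-}` guards suggest it does, but the setting is outside this hunk), a failed key generation would stop on an unbound variable and never reach the `automatic generation failed` message. Capturing the output first makes the failure explicit: `gpg_env="$("${ROOT}/bin/setup-local-gpg")" || log.fatal "CK8S_PGP_FP is unset and automatic generation failed."` followed by `eval "${gpg_env}"`, with `local gpg_env` declared beforehand. `with_temporary_gpg` in `tests/bats.lib.bash` evaluates the helper's output the same way. `config()` starts before this hunk and part of its body is collapsed between the two hunks.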
16 changes: 16 additions & 0 deletions tests/bats.lib.bash
@@ -162,6 +162,22 @@ with_kubeconfig() {
export DETIK_CLIENT_NAME="kubectl"
}

# sets up a temporary GPG home and key for local testing
# usage: with_temporary_gpg
with_temporary_gpg() {
if ! command -v setup-local-gpg &>/dev/null; then
log.fatal "setup-local-gpg script not found in path"
fi

eval "$(setup-local-gpg)"

if [[ -z "${CK8S_PGP_FP:-}" ]]; then
fail "Failed to generate temporary GPG key"
fi

log.trace "Temporary GPG initialized. Fingerprint: $CK8S_PGP_FP"
}

Comment on lines +165 to +180
Contributor


Is this needed? We already have a function for this in common/bats/gpg.sh, which also takes care of an edge case in which the GPG agent isn't available on the first tries.

# sets the kubeconfig to use
# usage: with_static_wc_kubeconfig <dev|...?>
with_static_wc_kubeconfig() {
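Review bot: `with_temporary_gpg` exports a `GNUPGHOME` pointing at a fresh temp directory that holds a passphrase-less secret key, but nothing in this hunk removes that directory or stops the agent gpg presumably started for it, so each test run that calls the helper leaves key material behind. A matching teardown helper would close that gap, for example `gpgconf --kill gpg-agent` followed by `rm -rf -- "${GNUPGHOME:?}"`, run only for a directory this helper created (record it in a dedicated variable rather than trusting whatever `GNUPGHOME` holds at teardown). The check on `CK8S_PGP_FP` also passes when the variable was already set in the environment and the helper failed, so an `unset CK8S_PGP_FP` before the `eval` would make that check meaningful. The two error paths use `log.fatal` and `fail` respectively; using one of them for both would read more consistently.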