From 36672d3f1066d32685791bbe451383f3d2ec255d Mon Sep 17 00:00:00 2001 From: Prox Date: Sun, 15 Feb 2026 19:21:41 +0200 Subject: [PATCH] feat: add pilot-ivanov setup key and encrypted key export in CI --- .gitea/workflows/terraform.yml | 54 ++++++++++++++++++++++++++++++++-- terraform/outputs.tf | 5 ++++ terraform/setup_keys.tf | 10 ++++++- 3 files changed, 66 insertions(+), 3 deletions(-) diff --git a/.gitea/workflows/terraform.yml b/.gitea/workflows/terraform.yml index 1bb0da2..b901a23 100644 --- a/.gitea/workflows/terraform.yml +++ b/.gitea/workflows/terraform.yml 
@@ -43,14 +43,64 @@ jobs: if: github.ref == 'refs/heads/main' && github.event_name == 'push' run: terraform apply -auto-approve - - name: Commit state changes + - name: Export setup keys (encrypted) + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + env: + AGE_PUBLIC_KEY: ${{ secrets.AGE_PUBLIC_KEY }} + run: | + # Install age if not present + if ! command -v age &> /dev/null; then + curl -sL https://github.com/FiloSottile/age/releases/download/v1.1.1/age-v1.1.1-linux-amd64.tar.gz | tar xz + sudo mv age/age age/age-keygen /usr/local/bin/ + fi + + # Extract all setup key values + terraform output -json | python3 -c " + import json, sys, subprocess + outputs = json.load(sys.stdin) + + keys = {} + for name, data in outputs.items(): + if data.get('sensitive') and 'key' in name.lower(): + result = subprocess.run(['terraform', 'output', '-raw', name], + capture_output=True, text=True) + if result.returncode == 0: + keys[name] = result.stdout.strip() + + result = { + 'generated': '$(date -u +%Y-%m-%dT%H:%M:%SZ)', + 'commit': '${{ github.sha }}', + 'keys': keys + } + print(json.dumps(result, indent=2)) + " > setup-keys.json + + # Encrypt with age + if [ -n "$AGE_PUBLIC_KEY" ]; then + age -r "$AGE_PUBLIC_KEY" -o setup-keys.json.age setup-keys.json + rm setup-keys.json + echo "Setup keys encrypted to setup-keys.json.age" + else + echo "WARNING: AGE_PUBLIC_KEY not set, keys not encrypted!" + rm setup-keys.json + fi + + - name: Commit state and keys if: github.ref == 'refs/heads/main' && github.event_name == 'push' working-directory: . run: | git config user.name "Terraform CI" git config user.email "ci@localhost" + + # Add state files git add terraform/terraform.tfstate terraform/terraform.tfstate.backup 2>/dev/null || true + + # Add encrypted keys if generated + if [ -f terraform/setup-keys.json.age ]; then + git add terraform/setup-keys.json.age + fi + if ! 
git diff --staged --quiet; then - git commit -m "chore: update terraform state [skip ci]" + git commit -m "chore: update terraform state and keys [skip ci]" git push fi diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 5c00c76..fb84287 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -8,6 +8,11 @@ output "pilot_setup_key" { sensitive = true } +output "pilot_ivanov_key" { + value = netbird_setup_key.pilot_ivanov.key + sensitive = true +} + output "group_ids" { value = { ground_stations = netbird_group.ground_stations.id diff --git a/terraform/setup_keys.tf b/terraform/setup_keys.tf index a108549..e0db00c 100644 --- a/terraform/setup_keys.tf +++ b/terraform/setup_keys.tf @@ -7,7 +7,6 @@ resource "netbird_setup_key" "gs_onboarding" { ephemeral = false } -# Comment to trigger CI resource "netbird_setup_key" "pilot_onboarding" { name = "pilot-onboarding" type = "reusable" @@ -15,3 +14,12 @@ resource "netbird_setup_key" "pilot_onboarding" { usage_limit = 0 ephemeral = false } + +# Test setup key for e2e demo (one-time use, peer will be renamed to "pilot-ivanov") +resource "netbird_setup_key" "pilot_ivanov" { + name = "pilot-ivanov" + type = "one-off" + auto_groups = [netbird_group.pilots.id] + usage_limit = 1 + ephemeral = false +}
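Review bot: The `else` branch under `# Encrypt with age` prints a warning and exits 0 when `AGE_PUBLIC_KEY` is unset, so the job goes green after having written every sensitive `*key*` output to `setup-keys.json` in plaintext on the runner and then deleting it; the step should fail closed with `exit 1` before any key is extracted, and the JSON should be piped straight into `age -r "$AGE_PUBLIC_KEY" -o setup-keys.json.age` so no plaintext file exists to survive if `age` itself fails under `-e` (the `rm` then never runs). The `curl ... | tar xz` followed by `sudo mv` into `/usr/local/bin` installs an unverified binary that is then handed the secrets; pin the release tarball's sha256 and check it before extracting. `terraform output -json` already carries the values of sensitive outputs, so the per-key `terraform output -raw` subprocesses are redundant, and `${{ github.sha }}` is better passed through `env` than interpolated into the Python source. `terraform.tfstate`, added on the same commit step, presumably holds these same key values unencrypted, so the age layer protects only the export and not the state — confirm state is kept out of the repo or encrypted. The export step declares no `working-directory`, so whether `setup-keys.json.age` lands at the `terraform/` path the commit step adds depends on a job-level default outside this hunk.
```yaml
      # … unchanged: terraform apply step …
      - name: Export setup keys (encrypted)
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        env:
          AGE_PUBLIC_KEY: ${{ secrets.AGE_PUBLIC_KEY }}
          AGE_VERSION: v1.1.1
          AGE_SHA256: ""   # sha256 of age-${AGE_VERSION}-linux-amd64.tar.gz, taken from the release's checksum file
          COMMIT_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          # Fail closed: without a recipient there must be no export at all, encrypted or not.
          if [ -z "${AGE_PUBLIC_KEY:-}" ]; then
            echo "ERROR: AGE_PUBLIC_KEY secret is not set; refusing to export setup keys" >&2
            exit 1
          fi

          # Install age if not present, verifying the release tarball before it touches any secret
          if ! command -v age &> /dev/null; then
            curl -fsSL "https://github.com/FiloSottile/age/releases/download/${AGE_VERSION}/age-${AGE_VERSION}-linux-amd64.tar.gz" -o age.tar.gz
            echo "${AGE_SHA256}  age.tar.gz" | sha256sum -c -
            tar xzf age.tar.gz
            sudo mv age/age age/age-keygen /usr/local/bin/
          fi

          # Stream the bundle straight into age so the plaintext never lands in the workspace
          terraform output -json | python3 -c '
          import json, os, sys
          from datetime import datetime, timezone
          outputs = json.load(sys.stdin)
          # "terraform output -json" already includes sensitive values; no per-key subprocess needed
          keys = {name: data["value"] for name, data in outputs.items()
                  if data.get("sensitive") and "key" in name.lower()}
          json.dump({
              "generated": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "commit": os.environ["COMMIT_SHA"],
              "keys": keys,
          }, sys.stdout, indent=2)
          ' | age -r "$AGE_PUBLIC_KEY" -o setup-keys.json.age
          echo "Setup keys encrypted to setup-keys.json.age"

      # … unchanged: "Commit state and keys" step …
```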
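Review bot: `pilot_ivanov_key` does not follow the naming of the neighbouring output `pilot_setup_key`; name it `pilot_ivanov_setup_key` and add `description = "One-off setup key for the pilot-ivanov e2e demo peer"` so the CI export, which selects sensitive outputs by the substring `key`, stays self-describing. `sensitive = true` only redacts the value from plan/apply output; the value still lives in `terraform.tfstate`, which the workflow in this same commit checks into git, so do not treat the output flag as the protection for this key.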
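Review bot: The `pilot_ivanov` resource sets no expiry, so if the provider's `expiry_seconds` default is "never" (verify against the provider docs) this per-person demo key stays redeemable indefinitely until someone uses it, while its plaintext is re-exported on every push to main by the new CI step. Give it a short `expiry_seconds` and plan to delete the resource once the e2e demo is done, since a named test key in IaC tends to outlive the demo; `usage_limit = 1` on a `one-off` key appears redundant but is harmless. The comment promises a rename that nothing in this file performs — if the rename happens outside Terraform, say so: `# One-off demo key; the enrolling peer is renamed to "pilot-ivanov" outside Terraform after joining`.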