-
-
Save nnewc/08bf47f4b3aad7a291c7b75934abfb55 to your computer and use it in GitHub Desktop.
run with `bash -ex extract-c-c-secrets.sh <SNAPSHOT_FILE_NAME> <ETCD_VERSION>`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -ex | |
| if [ $# -ne 2 ]; then | |
| echo "Usage: $0 [filename] [etcd_version] [decryption-key]" | |
| exit 1 | |
| fi | |
| FILENAME=$1 | |
| ETCD_VERSION=$2 | |
| DECRYPTION_KEY=$3 | |
| TIMESTAMP="$(date +%s)" | |
| TARGET="restore_etcd_${TIMESTAMP}" | |
| ZIPEXTENSION="\.zip" | |
| echo "Temp directory is ${PWD}/${TARGET}" | |
| # These are dummies for the fake etcd server | |
| CACERT="-----BEGIN CERTIFICATE-----\nMIIDGjCCAgKgAwIBAgIJALxnIidJgFyoMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV\nBAMMB3Rlc3QtY2EwHhcNMjEwNTMxMTY1MjEzWhcNMzEwNTI5MTY1MjEzWjASMRAw\nDgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\npsQ9d5w5NQ6bZl0nWUQH8FFNXl+6SPL2YDrUyjK04HUflx+KDka3jMHCt5+oV2Cr\n6vsd8gOAuj70RABBco5AjX7xl+T5iSMf6b2rlTNNC75U6hbavtFB9HajAKBTh7xA\n8nbwTIR3hnvT6LVqDcoH7aA/AG//vOk6eq2iLt1+8lG81y2b2TrRH0P3vLb1kk5j\nHLVIJnh+IzYtlNFe45wZ2qLfJCivnKBdjczFnfkbmVMz5FxyhtwHKjSvM2Z71Wzl\nNden4YV1Re4lZrKMqZzfmBM+0Ga6rAXWmHte6+a49zRNwzNDdij36YwT9PjLSfjV\nqs/wJ4N8kb4PYoebgNy+nQIDAQABo3MwcTAdBgNVHQ4EFgQUp15tAmIjQ/f9Ciq8\nUWZiPxz4cMQwQgYDVR0jBDswOYAUp15tAmIjQ/f9Ciq8UWZiPxz4cMShFqQUMBIx\nEDAOBgNVBAMMB3Rlc3QtY2GCCQC8ZyInSYBcqDAMBgNVHRMEBTADAQH/MA0GCSqG\nSIb3DQEBCwUAA4IBAQATsqfajPUzqHbqE8qTQHjJAk/Y+zU+sjMJvvfXCPQy+nhG\nerDHk3yb+ZLvlY4hDJqxWB0iTTzq7fXB8Xi8XX+7LoOwOK8DHaL90EPHLGLbUXvc\np6U2ilkxRsC2yVCCSehesbbZ/kja6f4K6HkLGjjBKFj1j3accAAgfVUBuaw8PFH8\nXgXJ8q1gOw5oAN/DK/PuLZ1EmRhC0ymlHucOZqq54HPz9Jx1j5YngAQxz5qVL832\nmPki4+URXSczHN2McQWMMMknk33iKPqfeZl/is13HuPqA5Si7a3VMJOrZe2ltOTf\nzLu2JUZq8U6kxFU9hf7sGauwuQjLAqEmQr2NSua0\n-----END CERTIFICATE-----\n" | |
| CERT="-----BEGIN CERTIFICATE-----\nMIIDAzCCAeugAwIBAgIJAKnlD2rVEPSiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV\nBAMMB3Rlc3QtY2EwHhcNMjEwNTMxMTY1MjE0WhcNMzEwNTI5MTY1MjE0WjAUMRIw\nEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCjsrvZ1sBVCo4pxb2beOs70n1981RMW0vEseA/cZR89IgSOon8rNuhHovMDToy\niAptcmDALIbLOhyRYwVRGinMX9ASRJkE0pIm9hpqCxdTAuOWCFIy0lrZWQsGn5qj\n2LBoRVRFnDgiWLIfdHO0nopsPp69PRYXPPpuJXn5M1n0qIhMmXU2MSbyNOdITQ68\nvfHFUO+cqYf0Hslgam16HSBpiCi8bZ/FgCyMU4aRQ2jwpG0613JkA3B/RTB2eswt\nFtnc8Nuuq65Br48FSedKYIDM1HgrgsNd4EAoUlO87SR5vcLSJuopDJ9P00Zk4q+B\nG2lB+pgbHaAc6+PjdMOz3m19AgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQD\nAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNVHREEGDAWggls\nb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAhadpezzycpu2\nCkaXXM/FgJ7+UOcDq4rJr53uBqE9J7P7FbcCVAzXnlBF+jPq/z9qVvPOb5/SwTqC\nsJN33QfZlJg+Gzqy/FLsyxt/izZ4LKOhN68jLrveeGN11+oajkU3l9oZaTBV5apr\nKzoWJWP+XwmJ/XzSCZLIko9zRmW0RdZiPCB2vqRj63GczX8D6ipx//Ny/MmhpJ5M\n1YHpBmYaUo5Jx/ZbkbSSGBfplbhv567uhSfgruo8mt5t4P4whW98B6WgqT7lILQF\nC91xQ6CJh8QkOnrPxAt2L2eagy2mvUDvs3bb2Ai96wVPAemUPD76+pKsC0cwFRN9\nEHAlJ2XcKg==\n-----END CERTIFICATE-----\n" | |
| KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAo7K72dbAVQqOKcW9m3jrO9J9ffNUTFtLxLHgP3GUfPSIEjqJ\n/KzboR6LzA06MogKbXJgwCyGyzockWMFURopzF/QEkSZBNKSJvYaagsXUwLjlghS\nMtJa2VkLBp+ao9iwaEVURZw4IliyH3RztJ6KbD6evT0WFzz6biV5+TNZ9KiITJl1\nNjEm8jTnSE0OvL3xxVDvnKmH9B7JYGpteh0gaYgovG2fxYAsjFOGkUNo8KRtOtdy\nZANwf0UwdnrMLRbZ3PDbrquuQa+PBUnnSmCAzNR4K4LDXeBAKFJTvO0keb3C0ibq\nKQyfT9NGZOKvgRtpQfqYGx2gHOvj43TDs95tfQIDAQABAoIBACPkDz3O0PKUUuEj\nwtOwqlq+ZtdTn3ryVWV13oXqgDT5ZFAi15g3yhvEV8BQch8cJrUia8YWvSMXxaW2\nwTar9tghdbxbn/UnufWi5d20OtPvgTim8GbGKjcXR8yW98/OtbbW5IgynTginEM7\nRBco346mGCXDm/FSZFH8E4co1CNI6nz1GkK5AnYDaMLscefvvXRTDxEsx4VBuhYe\npJ4ZG51zNmpmj2xhzRG4qD7ymOlKTpC4lV20jDCUtW/StXh9Kpyk7FDIpZ/Ghf82\nklaES6jcA/zXmsCXwKzGA6VNJZr87YXDly1fkWll7Rm18kaX/hMxP1BixNpiqh7s\nqVsvE90CgYEAzNjMsS3eDPWeDKWkSE1f+v+Jqx/RWkzCP8IE6tzvDQo/aBvB18o8\nmjSWL4j4XM0f7lb9QZwPKQTZ6hYtEP9GGLKyqV2/CKQd/lvz/L+B/maskOTlCyiD\neLVhuJ8P2PArIszfGTuVEdZoWZaEjNLUvWkD18fc3nD/Ov3KiC8OIisCgYEAzJNu\nSG1kBgg+S0fmdSaqbIAbsPK3/XFSG+jj/dpP4MOy8GG6IFUtj4lKiIzrUugLHe8l\nJDcujsIc61OG4U1NkpRGaRaPNj1FEREoa/me66LceP8cAe2XDQeILZhjwUy0Do6x\nwHvkyYPnxYcsck8rNGelxJb9CHzqkPWmYRP1YvcCgYEAyZI4cczJqQT0fktsif0h\nilJ0PKC1mF7Z8nVP83BuBu3jkOVnbJlD4xYGB0aH5oGufxC4axxOyrVMXY1u0T/w\n0RLevcxS1ATywr3nK/miyBxuiLHENKOsI1aQj2Rt6rICMF9a1XCM8p2B105GpnA8\nCRpSPr4buAOHE5xy9GkhRjsCgYAPds2NWAeJlTHwSt0W2fdkAEMXmyFhXSGRzob9\nd3U2TlTGavzA2O96vCwQKmbXe4brmlo6ZJl2XSIGf+fgPBGzFNZFt1jYBsWjxqJB\nlzr2IPd9hfs+AhG7AGjA2ZYg1IV/3DV/kV34BaqNeexYL7faXENhmvBBpf+tOYR8\nLiAMfQKBgDcAHSjlFl5XccpiCRo9J2xnrY9uLjWIX4paTJZ6fbMO63lzWIOoJCW2\n8Y4fTrp2DSPvd6F02Q7cF9zodjmru6qNItillaitqxH1LqfSVRlVUhr8SF5UyzXX\nGgTh9av+CRKWZMuPO/3UMcaao5R1Dav3DqpM/k4Afa1whYT6dG0C\n-----END RSA PRIVATE KEY-----\n" | |
| mkdir -p ${PWD}/${TARGET}/{unzipped,restored,ssl} | |
| if test "${FILENAME#*$ZIPEXTENSION}" != "${FILENAME}"; then | |
| echo "Unzipping ${FILENAME}" | |
| docker run -v ${PWD}:/tmp -v $PWD/${TARGET}/unzipped:/backup busybox sh -c "unzip /tmp/${FILENAME}" | |
| else | |
| cp "${PWD}/${FILENAME}" "${PWD}/${TARGET}/unzipped" | |
| fi | |
| echo -e $CACERT > "${PWD}/${TARGET}/ssl/ca.pem" | |
| echo -e $CERT > "${PWD}/${TARGET}/ssl/cert.pem" | |
| echo -e $KEY > "${PWD}/${TARGET}/ssl/key.pem" | |
| echo "Restoring backup" | |
| docker run -v ${PWD}/${TARGET}/unzipped:/backup -v ${PWD}/${TARGET}/ssl:/ssl -v ${PWD}/${TARGET}/restored:/var/lib/etcd -e ETCDCTL_API=3 --entrypoint sh quay.io/coreos/etcd:v${ETCD_VERSION} -c "etcdctl snapshot restore /backup/* --cacert /ssl/ca.pem --cert /ssl/cert.pem --key /ssl/key.pem --name etcd1 --initial-cluster etcd1=https://localhost:2380 --initial-cluster-token k8s_etcd --initial-advertise-peer-urls https://localhost:2380 --data-dir /var/lib/etcd/restore" | |
| echo "Populating etcd database" | |
| docker run -d --name etcd-restore-${TIMESTAMP} -v $PWD/${TARGET}/ssl:/ssl -v ${PWD}/${TARGET}/restored/restore:/var/lib/etcd -e ETCDCTL_ENDPOINTS=https://localhost:2379 -e ETCDCTL_CACERT=/ssl/ca.pem -e ETCDCTL_CERT=/ssl/cert.pem -e ETCDCTL_KEY=/ssl/key.pem -e ETCDCTL_API=3 quay.io/coreos/etcd:v${ETCD_VERSION} /usr/local/bin/etcd --cert-file=/ssl/cert.pem --key-file=/ssl/key.pem --name=etcd1 --initial-cluster=etcd1=https://localhost:2380 --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379 --initial-cluster-token=k8s_etcd --initial-advertise-peer-urls=https://localhost:2380 --data-dir=/var/lib/etcd | |
| echo "Querying etcd endpoint status" | |
| docker exec etcd-restore-${TIMESTAMP} etcdctl endpoint status --write-out=table | |
| echo "Extracting secrets to yaml" | |
| for secret in $(docker exec etcd-restore-${TIMESTAMP} etcdctl get /registry/secrets/cattle-system --prefix=true --keys-only | grep "c-c-"); do | |
| CIPHERTEXT=$(echo $secret | awk -F/ '{print $NF}').ciphertext | |
| # get secret and discard first line | |
| docker exec etcd-restore-${TIMESTAMP} etcdctl get $secret | sed 1d > $CIPHERTEXT | |
| PLAINTEXT=$(echo $secret | awk -F/ '{print $NF}').plaintext | |
| # decrypt file here | |
| # go run etcd.go $DECRYPTION_KEY $CIPHERTEXT > $PLAINTEXT | |
| done | |
| echo "Run the following command to apply the yaml" | |
| echo "===IMPORTANT===" | |
| echo "Before running this command, manually verify that the yaml is expected" | |
| echo "find . -maxdepth 1 -name "*-new.yaml" -type f | xargs -I{} kubectl create -f {}" | |
| echo "This command will run the following commands:" | |
| # find . -maxdepth 1 -name "*-new.yaml" -type f | xargs -I{} echo "kubectl create -f {}" | |
| echo "Removing etcd container" | |
| docker rm -f etcd-restore-${TIMESTAMP} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment