Trey t
c77ff07ce9
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
172 lines
6.9 KiB
Bash
Executable File
172 lines
6.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
# shellcheck source=_config.sh
|
|
source "${SCRIPT_DIR}/_config.sh"
|
|
|
|
SECRETS_DIR="${DEPLOY_DIR}/secrets"
|
|
NAMESPACE="honeydue"
|
|
|
|
log() { printf '[secrets] %s\n' "$*"; }
|
|
warn() { printf '[secrets][warn] %s\n' "$*" >&2; }
|
|
die() { printf '[secrets][error] %s\n' "$*" >&2; exit 1; }
|
|
|
|
# --- Prerequisites ---
|
|
|
|
command -v kubectl >/dev/null 2>&1 || die "Missing: kubectl"
|
|
|
|
kubectl get namespace "${NAMESPACE}" >/dev/null 2>&1 || {
|
|
log "Creating namespace ${NAMESPACE}..."
|
|
kubectl apply -f "${DEPLOY_DIR}/manifests/namespace.yaml"
|
|
}
|
|
|
|
# --- Validate secret files ---
|
|
|
|
require_file() {
|
|
local path="$1" label="$2"
|
|
[[ -f "${path}" ]] || die "Missing: ${path} (${label})"
|
|
[[ -s "${path}" ]] || die "Empty: ${path} (${label})"
|
|
}
|
|
|
|
require_file "${SECRETS_DIR}/postgres_password.txt" "Postgres password"
|
|
require_file "${SECRETS_DIR}/secret_key.txt" "SECRET_KEY"
|
|
require_file "${SECRETS_DIR}/email_host_password.txt" "SMTP password"
|
|
require_file "${SECRETS_DIR}/fcm_server_key.txt" "FCM server key"
|
|
require_file "${SECRETS_DIR}/apns_auth_key.p8" "APNS private key"
|
|
require_file "${SECRETS_DIR}/cloudflare-origin.crt" "Cloudflare origin cert"
|
|
require_file "${SECRETS_DIR}/cloudflare-origin.key" "Cloudflare origin key"
|
|
|
|
# Validate APNS key format
|
|
if ! grep -q "BEGIN PRIVATE KEY" "${SECRETS_DIR}/apns_auth_key.p8"; then
|
|
die "APNS key file does not look like a private key: ${SECRETS_DIR}/apns_auth_key.p8"
|
|
fi
|
|
|
|
# Validate secret_key length (minimum 32 chars)
|
|
SECRET_KEY_LEN="$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt" | wc -c | tr -d ' ')"
|
|
if (( SECRET_KEY_LEN < 32 )); then
|
|
die "secret_key.txt must be at least 32 characters (got ${SECRET_KEY_LEN})."
|
|
fi
|
|
|
|
# --- Read optional config values ---
|
|
|
|
REDIS_PASSWORD="$(cfg redis.password 2>/dev/null || true)"
|
|
ADMIN_AUTH_USER="$(cfg admin.basic_auth_user 2>/dev/null || true)"
|
|
ADMIN_AUTH_PASSWORD="$(cfg admin.basic_auth_password 2>/dev/null || true)"
|
|
|
|
# --- Create app secrets ---
|
|
|
|
log "Creating honeydue-secrets..."
|
|
SECRET_ARGS=(
|
|
--namespace="${NAMESPACE}"
|
|
--from-literal="POSTGRES_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/postgres_password.txt")"
|
|
--from-literal="SECRET_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/secret_key.txt")"
|
|
--from-literal="EMAIL_HOST_PASSWORD=$(tr -d '\r\n' < "${SECRETS_DIR}/email_host_password.txt")"
|
|
--from-literal="FCM_SERVER_KEY=$(tr -d '\r\n' < "${SECRETS_DIR}/fcm_server_key.txt")"
|
|
)
|
|
|
|
if [[ -n "${REDIS_PASSWORD}" ]]; then
|
|
log " Including REDIS_PASSWORD in secrets"
|
|
SECRET_ARGS+=(--from-literal="REDIS_PASSWORD=${REDIS_PASSWORD}")
|
|
else
|
|
# Audit K3S-F1 (CRITICAL) / MEDIUM-4: refuse to deploy with an unauthenticated
|
|
# Redis. A previous version only warned here, which let a deploy from an
|
|
# unedited config.yaml silently bring Redis up with no password.
|
|
die "redis.password is empty in config.yaml — refusing to deploy: Redis would run with NO authentication (audit K3S-F1). Set a strong value, e.g.: openssl rand -base64 32"
|
|
fi
|
|
|
|
# B2 (Backblaze) object-storage credentials. The api/worker manifests
|
|
# reference B2_KEY_ID / B2_APP_KEY as required secret keys, so honeydue-secrets
|
|
# MUST carry them or those pods fail to start. Sourced from config.yaml so the
|
|
# script and the manifests no longer drift (was a latent gap before 2026-05-16).
|
|
B2_KEY_ID_VAL="$(cfg storage.b2_key_id 2>/dev/null || true)"
|
|
B2_APP_KEY_VAL="$(cfg storage.b2_app_key 2>/dev/null || true)"
|
|
if [[ -n "${B2_KEY_ID_VAL}" && -n "${B2_APP_KEY_VAL}" ]]; then
|
|
log " Including B2_KEY_ID / B2_APP_KEY in secrets"
|
|
SECRET_ARGS+=(--from-literal="B2_KEY_ID=${B2_KEY_ID_VAL}")
|
|
SECRET_ARGS+=(--from-literal="B2_APP_KEY=${B2_APP_KEY_VAL}")
|
|
else
|
|
warn "storage.b2_key_id / b2_app_key not set in config.yaml — B2 uploads will be disabled."
|
|
fi
|
|
|
|
# Observability ingest credentials live in deploy/prod.env (gitignored) so
|
|
# the values aren't checked into config.yaml. Skipped silently when the
|
|
# file or keys are absent — the api/worker manifests mark these env vars
|
|
# optional, so the deployment still rolls without traces.
|
|
PROD_ENV_FILE="${DEPLOY_DIR}/../deploy/prod.env"
|
|
if [[ -f "${PROD_ENV_FILE}" ]]; then
|
|
OBS_TOKEN_VAL="$(grep -E '^OBS_INGEST_TOKEN=' "${PROD_ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)"
|
|
OBS_URL_VAL="$(grep -E '^OBS_TRACES_URL=' "${PROD_ENV_FILE}" 2>/dev/null | cut -d= -f2- || true)"
|
|
if [[ -n "${OBS_TOKEN_VAL}" ]]; then
|
|
log " Including OBS_INGEST_TOKEN in secrets"
|
|
SECRET_ARGS+=(--from-literal="OBS_INGEST_TOKEN=${OBS_TOKEN_VAL}")
|
|
fi
|
|
if [[ -n "${OBS_URL_VAL}" ]]; then
|
|
log " Including OBS_TRACES_URL in secrets"
|
|
SECRET_ARGS+=(--from-literal="OBS_TRACES_URL=${OBS_URL_VAL}")
|
|
fi
|
|
fi
|
|
|
|
kubectl create secret generic honeydue-secrets \
|
|
"${SECRET_ARGS[@]}" \
|
|
--dry-run=client -o yaml | kubectl apply -f -
|
|
|
|
# --- Create APNS key secret ---
|
|
|
|
log "Creating honeydue-apns-key..."
|
|
kubectl create secret generic honeydue-apns-key \
|
|
--namespace="${NAMESPACE}" \
|
|
--from-file="apns_auth_key.p8=${SECRETS_DIR}/apns_auth_key.p8" \
|
|
--dry-run=client -o yaml | kubectl apply -f -
|
|
|
|
# --- Create container registry credentials ---
|
|
# Secret name is gitea-credentials (audit F6): the registry is self-hosted
|
|
# Gitea, not GHCR. Every deployment manifest references this same name.
|
|
|
|
REGISTRY_SERVER="$(cfg registry.server)"
|
|
REGISTRY_USER="$(cfg registry.username)"
|
|
REGISTRY_TOKEN="$(cfg registry.token)"
|
|
|
|
if [[ -n "${REGISTRY_SERVER}" && -n "${REGISTRY_USER}" && -n "${REGISTRY_TOKEN}" ]]; then
|
|
log "Creating gitea-credentials..."
|
|
kubectl create secret docker-registry gitea-credentials \
|
|
--namespace="${NAMESPACE}" \
|
|
--docker-server="${REGISTRY_SERVER}" \
|
|
--docker-username="${REGISTRY_USER}" \
|
|
--docker-password="${REGISTRY_TOKEN}" \
|
|
--dry-run=client -o yaml | kubectl apply -f -
|
|
else
|
|
warn "Registry credentials incomplete in config.yaml — skipping gitea-credentials."
|
|
fi
|
|
|
|
# --- Create Cloudflare origin cert ---
|
|
|
|
log "Creating cloudflare-origin-cert..."
|
|
kubectl create secret tls cloudflare-origin-cert \
|
|
--namespace="${NAMESPACE}" \
|
|
--cert="${SECRETS_DIR}/cloudflare-origin.crt" \
|
|
--key="${SECRETS_DIR}/cloudflare-origin.key" \
|
|
--dry-run=client -o yaml | kubectl apply -f -
|
|
|
|
# --- Create admin basic auth secret ---
|
|
|
|
if [[ -n "${ADMIN_AUTH_USER}" && -n "${ADMIN_AUTH_PASSWORD}" ]]; then
|
|
command -v htpasswd >/dev/null 2>&1 || die "Missing: htpasswd (install apache2-utils)"
|
|
log "Creating admin-basic-auth secret..."
|
|
# -B forces bcrypt (Traefik BasicAuth supports it; avoids weak apr1-MD5).
|
|
HTPASSWD="$(htpasswd -nbB "${ADMIN_AUTH_USER}" "${ADMIN_AUTH_PASSWORD}")"
|
|
kubectl create secret generic admin-basic-auth \
|
|
--namespace="${NAMESPACE}" \
|
|
--from-literal=users="${HTPASSWD}" \
|
|
--dry-run=client -o yaml | kubectl apply -f -
|
|
else
|
|
warn "admin.basic_auth_user/password not set in config.yaml — skipping admin-basic-auth."
|
|
warn "Admin panel will NOT have basic auth protection."
|
|
fi
|
|
|
|
# --- Done ---
|
|
|
|
log ""
|
|
log "All secrets created in namespace '${NAMESPACE}'."
|
|
log "Verify: kubectl get secrets -n ${NAMESPACE}"
|