patch-secret-known-hosts.sh

patch-secret-known-hosts.sh

#!/usr/bin/env bash

# Ref https://github.com/fluxcd/source-controller/issues/490
# Ref https://github.blog/2021-09-01-improving-git-protocol-security-github/

function usage() {
    echo "Usage: $0 context [list|diff|apply]"
}

if [ -z "$1" ]; then
    usage
    echo "Specify a context:" $(kubectl config get-contexts -o name)
    exit 1
fi
context="$1"

if [ "$2" == "diff" ]; then
    mode="diff"
elif [ "$2" == "apply" ]; then
    mode="apply"
elif [ "$2" == "list" ]; then
    mode="list"
else
    usage
    echo "Mode must be one of:"
    echo " * list - show secrets to be patched"
    echo " * diff - show proposed patch"
    echo " * apply - apply the patch"
    exit 1
fi

echo "Dependencies:"
which jq kubectl ssh-keyscan

known_hosts=$(ssh-keyscan github.com bitbucket.org)

echo "Fetching secrets from $context..."
kubectl "--context=$context" get secret -o json --all-namespaces | jq -r '.items[] | select(.data.known_hosts) | select (.data.known_hosts | @base64d | contains("ecdsa") | not) | [.metadata.name, .metadata.namespace] | @tsv' | \
while read -r name namespace; do
    echo "$mode patch for context=$context namespace=$namespace name=$name"
    if [ "$mode" != "list" ]; then
        kubectl "--context=$context" "--namespace=$namespace" get secret "$name" -o json | jq --arg known_hosts "$known_hosts" '.stringData["known_hosts"]=$known_hosts' | kubectl "--context=$context" "$mode" -f -
    fi
done