Last active
November 7, 2023 05:52
-
-
Save jakefhyde/b5df6becca4a63f9539376a5a4e9604f to your computer and use it in GitHub Desktop.
run with `bash -ex extract-c-c-secrets.sh <SNAPSHOT_FILE_NAME> <ETCD_VERSION>`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -ex | |
| if [ $# -ne 2 ]; then | |
| echo "Usage: $0 [filename] [etcd_version]" | |
| exit 1 | |
| fi | |
| FILENAME=$1 | |
| ETCD_VERSION=$2 | |
| TIMESTAMP="$(date +%s)" | |
| TARGET="restore_etcd_${TIMESTAMP}" | |
| ZIPEXTENSION="\.zip" | |
| echo "Temp directory is ${PWD}/${TARGET}" | |
| # These are dummies for the fake etcd server | |
| CACERT="-----BEGIN CERTIFICATE-----\nMIIDGjCCAgKgAwIBAgIJALxnIidJgFyoMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV\nBAMMB3Rlc3QtY2EwHhcNMjEwNTMxMTY1MjEzWhcNMzEwNTI5MTY1MjEzWjASMRAw\nDgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\npsQ9d5w5NQ6bZl0nWUQH8FFNXl+6SPL2YDrUyjK04HUflx+KDka3jMHCt5+oV2Cr\n6vsd8gOAuj70RABBco5AjX7xl+T5iSMf6b2rlTNNC75U6hbavtFB9HajAKBTh7xA\n8nbwTIR3hnvT6LVqDcoH7aA/AG//vOk6eq2iLt1+8lG81y2b2TrRH0P3vLb1kk5j\nHLVIJnh+IzYtlNFe45wZ2qLfJCivnKBdjczFnfkbmVMz5FxyhtwHKjSvM2Z71Wzl\nNden4YV1Re4lZrKMqZzfmBM+0Ga6rAXWmHte6+a49zRNwzNDdij36YwT9PjLSfjV\nqs/wJ4N8kb4PYoebgNy+nQIDAQABo3MwcTAdBgNVHQ4EFgQUp15tAmIjQ/f9Ciq8\nUWZiPxz4cMQwQgYDVR0jBDswOYAUp15tAmIjQ/f9Ciq8UWZiPxz4cMShFqQUMBIx\nEDAOBgNVBAMMB3Rlc3QtY2GCCQC8ZyInSYBcqDAMBgNVHRMEBTADAQH/MA0GCSqG\nSIb3DQEBCwUAA4IBAQATsqfajPUzqHbqE8qTQHjJAk/Y+zU+sjMJvvfXCPQy+nhG\nerDHk3yb+ZLvlY4hDJqxWB0iTTzq7fXB8Xi8XX+7LoOwOK8DHaL90EPHLGLbUXvc\np6U2ilkxRsC2yVCCSehesbbZ/kja6f4K6HkLGjjBKFj1j3accAAgfVUBuaw8PFH8\nXgXJ8q1gOw5oAN/DK/PuLZ1EmRhC0ymlHucOZqq54HPz9Jx1j5YngAQxz5qVL832\nmPki4+URXSczHN2McQWMMMknk33iKPqfeZl/is13HuPqA5Si7a3VMJOrZe2ltOTf\nzLu2JUZq8U6kxFU9hf7sGauwuQjLAqEmQr2NSua0\n-----END CERTIFICATE-----\n" | |
| CERT="-----BEGIN CERTIFICATE-----\nMIIDAzCCAeugAwIBAgIJAKnlD2rVEPSiMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV\nBAMMB3Rlc3QtY2EwHhcNMjEwNTMxMTY1MjE0WhcNMzEwNTI5MTY1MjE0WjAUMRIw\nEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQCjsrvZ1sBVCo4pxb2beOs70n1981RMW0vEseA/cZR89IgSOon8rNuhHovMDToy\niAptcmDALIbLOhyRYwVRGinMX9ASRJkE0pIm9hpqCxdTAuOWCFIy0lrZWQsGn5qj\n2LBoRVRFnDgiWLIfdHO0nopsPp69PRYXPPpuJXn5M1n0qIhMmXU2MSbyNOdITQ68\nvfHFUO+cqYf0Hslgam16HSBpiCi8bZ/FgCyMU4aRQ2jwpG0613JkA3B/RTB2eswt\nFtnc8Nuuq65Br48FSedKYIDM1HgrgsNd4EAoUlO87SR5vcLSJuopDJ9P00Zk4q+B\nG2lB+pgbHaAc6+PjdMOz3m19AgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQD\nAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNVHREEGDAWggls\nb2NhbGhvc3SCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAhadpezzycpu2\nCkaXXM/FgJ7+UOcDq4rJr53uBqE9J7P7FbcCVAzXnlBF+jPq/z9qVvPOb5/SwTqC\nsJN33QfZlJg+Gzqy/FLsyxt/izZ4LKOhN68jLrveeGN11+oajkU3l9oZaTBV5apr\nKzoWJWP+XwmJ/XzSCZLIko9zRmW0RdZiPCB2vqRj63GczX8D6ipx//Ny/MmhpJ5M\n1YHpBmYaUo5Jx/ZbkbSSGBfplbhv567uhSfgruo8mt5t4P4whW98B6WgqT7lILQF\nC91xQ6CJh8QkOnrPxAt2L2eagy2mvUDvs3bb2Ai96wVPAemUPD76+pKsC0cwFRN9\nEHAlJ2XcKg==\n-----END CERTIFICATE-----\n" | |
| KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAo7K72dbAVQqOKcW9m3jrO9J9ffNUTFtLxLHgP3GUfPSIEjqJ\n/KzboR6LzA06MogKbXJgwCyGyzockWMFURopzF/QEkSZBNKSJvYaagsXUwLjlghS\nMtJa2VkLBp+ao9iwaEVURZw4IliyH3RztJ6KbD6evT0WFzz6biV5+TNZ9KiITJl1\nNjEm8jTnSE0OvL3xxVDvnKmH9B7JYGpteh0gaYgovG2fxYAsjFOGkUNo8KRtOtdy\nZANwf0UwdnrMLRbZ3PDbrquuQa+PBUnnSmCAzNR4K4LDXeBAKFJTvO0keb3C0ibq\nKQyfT9NGZOKvgRtpQfqYGx2gHOvj43TDs95tfQIDAQABAoIBACPkDz3O0PKUUuEj\nwtOwqlq+ZtdTn3ryVWV13oXqgDT5ZFAi15g3yhvEV8BQch8cJrUia8YWvSMXxaW2\nwTar9tghdbxbn/UnufWi5d20OtPvgTim8GbGKjcXR8yW98/OtbbW5IgynTginEM7\nRBco346mGCXDm/FSZFH8E4co1CNI6nz1GkK5AnYDaMLscefvvXRTDxEsx4VBuhYe\npJ4ZG51zNmpmj2xhzRG4qD7ymOlKTpC4lV20jDCUtW/StXh9Kpyk7FDIpZ/Ghf82\nklaES6jcA/zXmsCXwKzGA6VNJZr87YXDly1fkWll7Rm18kaX/hMxP1BixNpiqh7s\nqVsvE90CgYEAzNjMsS3eDPWeDKWkSE1f+v+Jqx/RWkzCP8IE6tzvDQo/aBvB18o8\nmjSWL4j4XM0f7lb9QZwPKQTZ6hYtEP9GGLKyqV2/CKQd/lvz/L+B/maskOTlCyiD\neLVhuJ8P2PArIszfGTuVEdZoWZaEjNLUvWkD18fc3nD/Ov3KiC8OIisCgYEAzJNu\nSG1kBgg+S0fmdSaqbIAbsPK3/XFSG+jj/dpP4MOy8GG6IFUtj4lKiIzrUugLHe8l\nJDcujsIc61OG4U1NkpRGaRaPNj1FEREoa/me66LceP8cAe2XDQeILZhjwUy0Do6x\nwHvkyYPnxYcsck8rNGelxJb9CHzqkPWmYRP1YvcCgYEAyZI4cczJqQT0fktsif0h\nilJ0PKC1mF7Z8nVP83BuBu3jkOVnbJlD4xYGB0aH5oGufxC4axxOyrVMXY1u0T/w\n0RLevcxS1ATywr3nK/miyBxuiLHENKOsI1aQj2Rt6rICMF9a1XCM8p2B105GpnA8\nCRpSPr4buAOHE5xy9GkhRjsCgYAPds2NWAeJlTHwSt0W2fdkAEMXmyFhXSGRzob9\nd3U2TlTGavzA2O96vCwQKmbXe4brmlo6ZJl2XSIGf+fgPBGzFNZFt1jYBsWjxqJB\nlzr2IPd9hfs+AhG7AGjA2ZYg1IV/3DV/kV34BaqNeexYL7faXENhmvBBpf+tOYR8\nLiAMfQKBgDcAHSjlFl5XccpiCRo9J2xnrY9uLjWIX4paTJZ6fbMO63lzWIOoJCW2\n8Y4fTrp2DSPvd6F02Q7cF9zodjmru6qNItillaitqxH1LqfSVRlVUhr8SF5UyzXX\nGgTh9av+CRKWZMuPO/3UMcaao5R1Dav3DqpM/k4Afa1whYT6dG0C\n-----END RSA PRIVATE KEY-----\n" | |
| mkdir -p ${PWD}/${TARGET}/{unzipped,restored,ssl} | |
| if test "${FILENAME#*$ZIPEXTENSION}" != "${FILENAME}"; then | |
| echo "Unzipping ${FILENAME}" | |
| docker run -v ${PWD}:/tmp -v $PWD/${TARGET}/unzipped:/backup busybox sh -c "unzip /tmp/${FILENAME}" | |
| else | |
| cp "${PWD}/${FILENAME}" "${PWD}/${TARGET}/unzipped" | |
| fi | |
| echo -e $CACERT > "${PWD}/${TARGET}/ssl/ca.pem" | |
| echo -e $CERT > "${PWD}/${TARGET}/ssl/cert.pem" | |
| echo -e $KEY > "${PWD}/${TARGET}/ssl/key.pem" | |
| echo "Restoring backup" | |
| docker run -v ${PWD}/${TARGET}/unzipped:/backup -v ${PWD}/${TARGET}/ssl:/ssl -v ${PWD}/${TARGET}/restored:/var/lib/etcd -e ETCDCTL_API=3 --entrypoint sh quay.io/coreos/etcd:v${ETCD_VERSION} -c "etcdctl snapshot restore /backup/* --cacert /ssl/ca.pem --cert /ssl/cert.pem --key /ssl/key.pem --name etcd1 --initial-cluster etcd1=https://localhost:2380 --initial-cluster-token k8s_etcd --initial-advertise-peer-urls https://localhost:2380 --data-dir /var/lib/etcd/restore" | |
| echo "Populating etcd database" | |
| docker run -d --name etcd-restore-${TIMESTAMP} -v $PWD/${TARGET}/ssl:/ssl -v ${PWD}/${TARGET}/restored/restore:/var/lib/etcd -e ETCDCTL_ENDPOINTS=https://localhost:2379 -e ETCDCTL_CACERT=/ssl/ca.pem -e ETCDCTL_CERT=/ssl/cert.pem -e ETCDCTL_KEY=/ssl/key.pem -e ETCDCTL_API=3 quay.io/coreos/etcd:v${ETCD_VERSION} /usr/local/bin/etcd --cert-file=/ssl/cert.pem --key-file=/ssl/key.pem --name=etcd1 --initial-cluster=etcd1=https://localhost:2380 --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379 --initial-cluster-token=k8s_etcd --initial-advertise-peer-urls=https://localhost:2380 --data-dir=/var/lib/etcd | |
| echo "Querying etcd endpoint status" | |
| docker exec etcd-restore-${TIMESTAMP} etcdctl endpoint status --write-out=table | |
| echo "Extracting secrets to yaml" | |
| for secret in $(docker exec etcd-restore-${TIMESTAMP} etcdctl get /registry/secrets/cattle-system --prefix=true --keys-only | grep "c-c-"); do | |
| YAML_FILE=$(echo $secret | awk -F/ '{print $NF}').yaml | |
| docker exec etcd-restore-${TIMESTAMP} etcdctl get $secret | docker run -i jakefhyde/auger decode > $YAML_FILE | |
| NEW_YAML_FILE=$(echo $secret | awk -F/ '{print $NF}')-new.yaml | |
| cat $YAML_FILE | docker run --rm -i mikefarah/yq eval 'del(.metadata.creationTimestamp)' | docker run --rm -i mikefarah/yq eval 'del(.metadata.labels)' | docker run --rm -i mikefarah/yq eval 'del(.metadata.uid)' > $NEW_YAML_FILE | |
| if [ $(wc -l $NEW_YAML_FILE | awk '{print $1}') -le 2 ]; then | |
| echo "WARNING: $NEW_YAML_FILE may not have been properly generated" | |
| fi | |
| done | |
| echo "Run the following command to apply the yaml" | |
| echo "===IMPORTANT===" | |
| echo "Before running this command, manually verify that the yaml is expected" | |
| echo "find . -maxdepth 1 -name "*-new.yaml" -type f | xargs -I{} kubectl create -f {}" | |
| echo "This command will run the following commands:" | |
| find . -maxdepth 1 -name "*-new.yaml" -type f | xargs -I{} echo "kubectl create -f {}" | |
| echo "Removing etcd container" | |
| docker rm -f etcd-restore-${TIMESTAMP} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment