Over time the CI/CD tools changed, the number of projects, environments and places where keys were stored multiplied, and the nagging worry about a stale key lying around somewhere only grew. Well, enough of that... Can I just keep the keys in the repository? It turns out I can. And it is an order of magnitude more convenient than anything I did before.
Let's skip the painful stories that everyone who has dealt with secrets in a project already knows, and get straight to the point.
Goals
- , /
- , ,
- CI ,
- .
: encrypt.sh
decrypt.sh
.
encrypt.sh:
#!/bin/bash
# usage: bash encrypt.sh <./path/to/file.js> <environment> <password>
# Encrypts one config file for the given environment into <file>.<environment>-enc
if [[ $# -ne 3 ]]; then
  echo "usage: bash encrypt.sh <./path/to/file.js> <environment> <password>"
  exit 1
fi
LOCAL_IP_REMOVED='Y'
if [[ $2 == 'local' ]]; then
  read -p "You are encrypting local environment. \
Did you remove your local ip address from configs? Y/n" LOCAL_IP_REMOVED
fi
if [[ $LOCAL_IP_REMOVED != 'Y' ]]; then
  echo "Well, go on and remove it then! Aborting encryption"
  exit 1
fi
echo "encrypting $1"
# -salt: random salt stored in the output header; -a: base64 output, so the file is git-friendly.
# -md md5 pins the legacy key derivation (a single MD5 round); decrypt.sh must pass the same flag.
# Note: a password given on the command line is visible to other local processes via ps.
openssl enc -aes-128-cbc -a -salt -pass "pass:$3" -in "$1" -out "$1.$2-enc" -md md5 || exit 1
echo "done"
decrypt.sh:
#!/bin/bash
# usage: bash decrypt.sh <environment> <password>
# Decrypts every *.<environment>-enc file under the current directory back to its original name
if [[ $# -ne 2 ]]; then
  echo "usage: bash decrypt.sh <environment> <password>"
  exit 1
fi
echo "decrypting $1 environment"
# -print0 / read -d '' keeps paths with spaces intact; node_modules is skipped
while IFS= read -r -d '' file; do
  echo "decrypting $file to ${file%.$1-enc}"
  # same cipher and -md as encrypt.sh; a wrong password fails with "bad decrypt"
  openssl enc -aes-128-cbc -a -d -pass "pass:$2" -in "$file" -out "${file%.$1-enc}" -md md5 || exit 1
done < <(find . -not -path "*/node_modules/*" -name "*.$1-enc" -print0)
if [[ $1 == 'local' ]]; then
  # first non-loopback IPv4 address as printed by ifconfig (macOS/BSD and older Linux)
  LOCAL_IP=$(ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p' | head -n 1)
  echo "Also replacing localhost with your local machine ip: $LOCAL_IP"
  # sed -i '' is the macOS/BSD form; with GNU sed use: sed -i "s|localhost|$LOCAL_IP|g" ./src/env.js
  sed -i '' "s|localhost|$LOCAL_IP|g" './src/env.js'
fi
, . .env
, env.js
.
.gitignore
.
encrypt.sh
:
bash encrypt.sh ./src/env.js <environment> <very_secure_password>
. ./src/env.js.production-enc
.
I suggest starting with three environments: local, staging and production.
What makes the local environment special is that decrypt.sh also replaces localhost in your configs with your machine's local IP. This is needed, for example, in mobile development, when the smartphone has to connect to a server running on your computer.
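The same encrypt/decrypt round trip as an added example (not the article's own scripts), with two hardening changes that keep the workflow identical: the password is read from an environment variable (ENV_SECRET_PASSWORD, a name chosen here) instead of argv, so it does not land in ps output or shell history, and the key is derived with PBKDF2 instead of the single-MD5 derivation that -md md5 selects. It assumes openssl 1.1.1 or newer (for -pbkdf2) and a constructed src/env.js.

```bash
#!/bin/sh
# Added example, not the original scripts. Assumes ENV_SECRET_PASSWORD holds the password
# and openssl >= 1.1.1 (for -pbkdf2). Same file layout as the article: <file>.<env>-enc.
set -eu

# Encrypt $1 for environment $2 into $1.$2-enc; password comes from the environment,
# so it is not visible in `ps` and is not written to shell history.
secure_encrypt() {
  local src=$1 envname=$2
  openssl enc -aes-128-cbc -a -salt -pbkdf2 -iter 200000 \
    -pass env:ENV_SECRET_PASSWORD -in "$src" -out "$src.$envname-enc"
}

# Decrypt every *.$1-enc under the current tree (node_modules skipped) back to its
# original name. Same cipher, same KDF flags as secure_encrypt or decryption fails.
secure_decrypt() {
  local envname=$1 file
  find . ! -path "*/node_modules/*" -name "*.$envname-enc" | while IFS= read -r file; do
    openssl enc -aes-128-cbc -a -d -pbkdf2 -iter 200000 \
      -pass env:ENV_SECRET_PASSWORD -in "$file" -out "${file%.$envname-enc}" || exit 1
  done
}

# Round trip on a constructed env.js in a temp dir; prints "ok" only if the decrypted
# file matches what was encrypted. Also checks the "Salted__" header that -salt writes.
roundtrip_demo() {
  local work rc=0
  work=$(mktemp -d)
  (
    cd "$work"
    mkdir -p src
    printf 'export const API_URL = "http://localhost:3000";\n' > src/env.js   # constructed
    export ENV_SECRET_PASSWORD='demo-password-constructed'
    secure_encrypt ./src/env.js staging
    rm src/env.js
    # the base64 blob decodes to "Salted__" + 8 random salt bytes + ciphertext
    openssl base64 -d -in src/env.js.staging-enc | head -c 8 | grep -q Salted__
    secure_decrypt staging
    grep -q 'localhost:3000' src/env.js && echo ok
  ) || rc=$?
  rm -rf "$work"
  return $rc
}
```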
Thanks for your attention!