Add secrets manager tool (#73)

obelisk · Jan 21, 2025 · bf86457 · bf86457
1 parent 843df0e
commit bf86457
Show file tree

Hide file tree

Showing 9 changed files with 482 additions and 38 deletions.
diff --git a/.github/workflows/ConfigChecker.yaml b/.github/workflows/ConfigChecker.yaml
@@ -1,9 +1,7 @@
 name: Release config checker
 
 on:
-  push:
-    tags:
-      - '*'
+  workflow_call:
 
 permissions:
   contents: write
@@ -29,7 +27,8 @@ jobs:
       - name: Build config checker
         run: cd runtime && cargo build --bin=config_check --release
 
-      - name: Release
-        uses: softprops/action-gh-release@v2
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
         with:
-          files: runtime/target/release/config_check
+          name: config_check
+          path: runtime/target/release/config_check
diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml
@@ -0,0 +1,38 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+
+jobs:
+  config_check:
+    uses: ./.github/workflows/ConfigChecker.yaml
+
+  secrets_manager:
+    uses: ./.github/workflows/SecretsManager.yaml
+
+  release:
+    name: Release
+    needs: [config_check, secrets_manager]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download config checker
+        uses: actions/download-artifact@v4
+        with:
+          name: config_check
+
+      - name: Download secrets manager
+        uses: actions/download-artifact@v4
+        with:
+          name: secrets_manager
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            config_check
+            secrets_manager
diff --git a/.github/workflows/SecretsManager.yaml b/.github/workflows/SecretsManager.yaml
@@ -0,0 +1,29 @@
+name: Release secrets manager
+
+on:
+  workflow_call:
+
+permissions:
+  contents: write
+
+jobs:
+  release_secrets_manager:
+    name: Release secrets manager
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build secrets manager for aarch64
+        run: |
+          cd runtime
+          docker build -t secrets_manager -f plaid/resources/Dockerfile_secrets_manager.aarch64 .
+          # By default, this container prints the base64 encoding of the executable.
+          # We take it and pipe-decode it into a file, which will then be released.
+          docker run --rm secrets_manager | base64 -d > secrets_manager
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: secrets_manager
+          path: runtime/secrets_manager
diff --git a/modules/Cargo.lock b/modules/Cargo.lock
diff --git a/runtime/Cargo.lock b/runtime/Cargo.lock
diff --git a/runtime/plaid-stl/Cargo.toml b/runtime/plaid-stl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "plaid_stl"
-version = "0.14.0"
+version = "0.14.2"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

diff --git a/runtime/plaid/Cargo.toml b/runtime/plaid/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "plaid"
-version = "0.14.0"
+version = "0.14.2"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
@@ -12,8 +12,9 @@ aws = ["aws-sdk-kms", "aws-config"]
 [dependencies]
 alkali = "0.3.0"
 async-trait = "0.1.56"
+aws-sdk-secretsmanager = "1.57.0"
 base64 = "0.13"
-clap = { version = "4", default-features = false, features = ["std"] }
+clap = { version = "4", default-features = false, features = ["std", "help", "usage"] }
 crossbeam-channel = "0.5"
 env_logger = "0.8"
 flate2 = "1.0"
@@ -73,3 +74,7 @@ path = "src/bin/config_check.rs"
 [[bin]]
 name = "request_handler"
 path = "src/bin/request_handler.rs"
+
+[[bin]]
+name = "secrets_manager"
+path = "src/bin/secrets_manager.rs"
diff --git a/runtime/plaid/resources/Dockerfile_secrets_manager.aarch64 b/runtime/plaid/resources/Dockerfile_secrets_manager.aarch64
@@ -0,0 +1,9 @@
+FROM messense/rust-musl-cross:aarch64-musl
+
+RUN mkdir /build
+WORKDIR /build
+COPY . .
+
+RUN cargo build --release --bin=secrets_manager
+
+ENTRYPOINT ["/usr/bin/base64", "-w0", "target/aarch64-unknown-linux-musl/release/secrets_manager"]