xactfetch: Configure secretsocket

The `xactfetch` script now uses a helper tool, `secretsocket` to
handle looking up secrets.  This tool supports various secret source
types, including files, environment variables, and external commands.
Separating this functionality out of the main script makes it a lot
more flexible and pluggable.  It's main purpose, though, was actually
to allow `xactfetch` to run in a container while communicating with
`rbw` outside that container, specifically for development puposes.

The `secretsocket` tool reads its configuration from a TOML document.
This document defines the secrets the tool handles, and how to look
them up.

Note that the `xactfetch` container image no longer defines the
`XDG_CONFIG_HOME` environment variable, as it uses Chromium instead of
Firefox now, and the former does not work with a read-only config
directory.  As such, we have to mount the `rbw` configuration in the
default location.

xactfetch/kustomization.yaml

@@ -17,6 +17,9 @@ configMapGenerator:
 - name: xactfetch
   envs:
   - xactfetch.env
+- name: xactfetch-secrets
+  files:
+  - secrets.toml
 - name: xactfetch-rbw
   files:
   - config.json=rbw-config.json

xactfetch/secrets.toml

@@ -0,0 +1,29 @@
+['firefly.token']
+exec = 'rbw get xactfetch'
+
+['firefly.import.secret']
+path = '/run/secrets/xactfetch/firefly-import.secret'
+
+['firefly.import.username']
+string = 'svc.xactfetch'
+
+['firefly.import.password']
+path = '/run/secrets/xactfetch/firefly-import.password'
+
+['bank.commerce.username']
+string = 'admiraln3mo'
+
+['bank.commerce.password']
+exec = '''rbw get --folder Websites 'Commerce Bank' admiraln3mo'''
+
+['bank.commerce.otp']
+exec = '''rbw code --folder Websites 'Commerce Bank' admiraln3mo'''
+
+['bank.chase.username']
+string = 'AdmiralN3mo'
+
+['bank.chase.password']
+exec = '''rbw get --folder Websites Chase AdmiralN3mo'''
+
+['bank.chase.otp']
+exec = 'chase2fa'

xactfetch/xactfetch.yaml

@@ -44,9 +44,6 @@ spec:
             securityContext:
               readOnlyRootFilesystem: true
             volumeMounts:
-            - mountPath: /etc/rbw
-              name: xactfetch-rbw
-              readOnly: true
             - mountPath: /run/secrets/xactfetch
               name: xactfetch-secrets
               readOnly: true
@@ -56,6 +53,9 @@ spec:
             - mountPath: /var/lib/xactfetch
               name: xactfetch-data
               subPath: data
+            - mountPath: /var/lib/xactfetch/.config/rbw
+              name: xactfetch-rbw
+              readOnly: true
           containers:
           - name: xactfetch
             image: git.pyrocufflink.net/packages/xactfetch
@@ -67,9 +67,6 @@ spec:
             securityContext:
               readOnlyRootFilesystem: true
             volumeMounts:
-            - mountPath: /etc/rbw
-              name: xactfetch-rbw
-              readOnly: true
             - mountPath: /run/secrets/xactfetch
               name: xactfetch-secrets
               readOnly: true
@@ -79,6 +76,13 @@ spec:
             - mountPath: /var/lib/xactfetch
               name: xactfetch-data
               subPath: data
+            - mountPath: /var/lib/xactfetch/.config/rbw
+              name: xactfetch-rbw
+              readOnly: true
+            - mountPath: /var/lib/xactfetch/secrets.toml
+              name: xactfetch-secrets-config
+              subPath: secrets.toml
+              readOnly: true
           nodeSelector:
             kubernetes.io/arch: amd64
           securityContext:
@@ -94,6 +98,9 @@ spec:
           - name: xactfetch-rbw
             configMap:
               name: xactfetch-rbw
+          - name: xactfetch-secrets-config
+            configMap:
+              name: xactfetch-secrets
           - name: xactfetch-secrets
             secret:
               secretName: xactfetch
@@ -145,9 +152,6 @@ spec:
             securityContext:
               readOnlyRootFilesystem: true
             volumeMounts:
-            - mountPath: /etc/rbw
-              name: xactfetch-rbw
-              readOnly: true
             - mountPath: /run/secrets/xactfetch
               name: xactfetch-secrets
               readOnly: true
@@ -157,6 +161,9 @@ spec:
             - mountPath: /var/lib/xactfetch
               name: xactfetch-data
               subPath: data
+            - mountPath: /var/lib/xactfetch/.config/rbw
+              name: xactfetch-rbw
+              readOnly: true
           containers:
           - name: xactfetch
             image: git.pyrocufflink.net/packages/xactfetch
@@ -168,9 +175,6 @@ spec:
             securityContext:
               readOnlyRootFilesystem: true
             volumeMounts:
-            - mountPath: /etc/rbw
-              name: xactfetch-rbw
-              readOnly: true
             - mountPath: /run/secrets/xactfetch
               name: xactfetch-secrets
               readOnly: true
@@ -180,6 +184,13 @@ spec:
             - mountPath: /var/lib/xactfetch
               name: xactfetch-data
               subPath: data
+            - mountPath: /var/lib/xactfetch/.config/rbw
+              name: xactfetch-rbw
+              readOnly: true
+            - mountPath: /var/lib/xactfetch/secrets.toml
+              name: xactfetch-secrets-config
+              subPath: secrets.toml
+              readOnly: true
           nodeSelector:
             kubernetes.io/arch: amd64
           securityContext:
@@ -195,6 +206,9 @@ spec:
           - name: xactfetch-rbw
             configMap:
               name: xactfetch-rbw
+          - name: xactfetch-secrets-config
+            configMap:
+              name: xactfetch-secrets
           - name: xactfetch-secrets
             secret:
               secretName: xactfetch