From 0cdd5f371b132d9a8ec7b5826feafadee0611d79 Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Wed, 7 May 2025 14:15:25 +0200
Subject: [PATCH] Use temp directory for secret sync cache

---
 lib/functions.sh | 11 +++++++----
 lib/gitlab-token-helper.sh | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index a11920b..d30cf58 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -347,18 +347,21 @@ function secret_sync_gitlab_token() {
 root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
 fi
 
- # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+ # Create a temporary directory for Secret Sync that is valid per boot
+ secret_sync_tempdir="/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
+ mkdir -p $secret_sync_tempdir
+
+ # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
 # If it is missing or expired, Secret Sync will create a new token and write it to the file.
 # The git credential helper reads the token from the file during git pull.
-mkdir -p /var/cache/bridgehead/secrets
-touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
 log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
 docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
 docker run --rm \
-v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
 -v $root_crt_file:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+ -v $secret_sync_tempdir:/secret-sync/ \
+ -e CACHE_PATH=/secret-sync/gitlab-token \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e NO_PROXY=localhost,127.0.0.1 \
 -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
diff --git a/lib/gitlab-token-helper.sh b/lib/gitlab-token-helper.sh
index e618029..56d65c6 100755
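Review bot: The new `secret_sync_tempdir` is a predictable name under world-writable `/tmp` (the boot_id in `/proc/sys/kernel/random/boot_id` is readable by every local user), and `mkdir -p` returns success on a directory someone else created first, so an unprivileged local user who pre-creates `/tmp/secret-sync.boot-<boot_id>` owns the directory the container writes the GitLab token into and can plant a `gitlab-token` file that the credential helper later sources. Prefer a root-owned, per-boot location that is not shared with other users, e.g. `secret_sync_tempdir="/run/bridgehead/secret-sync"` followed by `install -d -m 0700 -o root -g root -- "$secret_sync_tempdir"` (the helper must read the same path), or at minimum abort when `[ -O "$secret_sync_tempdir" ]` is false. If `/tmp` is not a tmpfs on the host, note that nothing here removes directories from earlier boots, so old tokens accumulate on disk; `/run` avoids that as well. The added comment names `$secret_sync_tempdir/cache`, but `CACHE_PATH=/secret-sync/gitlab-token` makes the file `$secret_sync_tempdir/gitlab-token`, so the comment should name that file. The function body continues outside the hunk.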
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@@ -2,7 +2,7 @@
 
 [ "$1" = "get" ] || exit
 
-source /var/cache/bridgehead/secrets/gitlab_token
+source "/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
 
 # Any non-empty username works, only the token matters
 cat << EOF
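Review bot: `source` executes whatever shell code is in the file, and the new path sits under a predictable directory in world-writable `/tmp`, so any local user who creates that directory before the Bridgehead does gets code execution in the credential helper, which presumably runs with the privileges of the `git pull` that invokes it. Before sourcing, check that the file exists and is owned by the current user, e.g. `token_file="/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"`, `[ -f "$token_file" ] && [ -O "$token_file" ] || exit 1`, `source "$token_file"` — or better, move the directory out of `/tmp` to a root-only location and keep this helper in step with it. Without the existence check a missing file makes `source` fail and, unless the script sets `-e` (not visible here), execution falls through to the heredoc with an empty token. The heredoc that begins at `cat << EOF` continues outside the hunk.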