samply
/
bridgehead
mirror of https://github.com/samply/bridgehead.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make gitpassword.sh use new secret-sync

This commit is contained in:
Martin Lablans 2024-12-20 12:00:57 +01:00
parent ba31975887
commit 2754c1c46f
1 changed files with 55 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
lib/gitpassword.sh
View File

@ -1,41 +1,71 @@
#!/bin/bash #!/bin/bash -eu
if [ "$1" != "get" ]; then #echo "Called: $@" >> /tmp/credhelper
echo "Usage: $0 get"
exit 1
fi
baseDir() { SECRETS_FILE=/var/cache/bridgehead/secrets/gitetcbridgehead
# see https://stackoverflow.com/questions/59895
SOURCE=${BASH_SOURCE[0]}
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
SOURCE=$(readlink "$SOURCE")
[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
echo $DIR
}
BASE=$(baseDir) # Called from bridgehead, so shift 2 times
cd $BASE shift
shift
source lib/functions.sh case "$1" in
erase)
assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty." rm -f $SECRETS_FILE
CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
git -C /etc/bridgehead remote set-url origin $CLEAN_REPO
exit 0
;;
get)
# continue below
;;
store)
# We could store the credentials in /var/cache/bridgehead, but we already did -- so nothing to do
exit 0
;;
*)
fail_and_report 1 "gitpassword.sh called incorrectly"
;;
esac
PARAMS="$(cat)" PARAMS="$(cat)"
GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g') GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
fetchVarsFromVault GIT_PASSWORD if [ ! -f ${SECRETS_FILE} ]; then
TMPFILE=$(mktemp)
docker run --rm \
-v $TMPFILE:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e NO_PROXY=localhost,127.0.0.1 \
-e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \
-e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
-e SECRET_DEFINITIONS=GitLabProjectAccessToken:GIT_CONFIG_REPO_TOKEN:bridgehead-configuration \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
mv $TMPFILE $SECRETS_FILE
fi
if [ -z "${GIT_PASSWORD}" ]; then source "${SECRETS_FILE}"
fail_and_report 1 "gitpassword.sh failed: Git password not found."
if [ -z ${GIT_CONFIG_REPO_TOKEN} ]; then
rm "${SECRETS_FILE}"
fail_and_report 1 "gitpassword.sh failed: Git password file present but without token."
fi
REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|' | sed -E 's|https://||')"
if ! git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL ls-remote https://bk-$SITE_ID:${GIT_CONFIG_REPO_TOKEN}@${REPO} 1>/dev/null 2>/dev/null 3>/dev/null; then
rm "${SECRETS_FILE}"
fail_and_report 1 "gitpassword.sh failed: Git password present but invalid."
fi fi
cat <<EOF cat <<EOF
protocol=https protocol=https
host=$GITHOST host=$GITHOST
username=bk-${SITE_ID} username=bk-${SITE_ID}
password=${GIT_PASSWORD} password=${GIT_CONFIG_REPO_TOKEN}
EOF EOF
exit 0