mirror of https://github.com/samply/bridgehead.git
Use secret-sync for gitpassword (#257)
--------- Co-authored-by: Tim Schumacher <tim@tschumacher.net> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Tim Schumacher <tim.schumacher@dkfz-heidelberg.de>
This commit is contained in:
Martin Lablans
GitHub
parent
910289079b
commit
615990b92a
|
|
@ -116,7 +116,7 @@ assertVarsNotEmpty() {
|
|||
MISSING_VARS=""
|
||||
|
||||
for VAR in $@; do
|
||||
if [ -z "${!VAR}" ]; then
|
||||
if [ -z "${!VAR}" ]; then
|
||||
MISSING_VARS+="$VAR "
|
||||
fi
|
||||
done
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
[ "$1" = "get" ] || exit
|
||||
|
||||
source /var/cache/bridgehead/secrets/gitlab_token
|
||||
|
||||
# Any non-empty username works, only the token matters
|
||||
cat << EOF
|
||||
username=bk
|
||||
password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
|
||||
EOF
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ "$1" != "get" ]; then
|
||||
echo "Usage: $0 get"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
baseDir() {
|
||||
# see https://stackoverflow.com/questions/59895
|
||||
SOURCE=${BASH_SOURCE[0]}
|
||||
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
|
||||
DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
|
||||
SOURCE=$(readlink "$SOURCE")
|
||||
[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
|
||||
done
|
||||
DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
|
||||
echo $DIR
|
||||
}
|
||||
|
||||
BASE=$(baseDir)
|
||||
cd $BASE
|
||||
|
||||
source lib/functions.sh
|
||||
|
||||
assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
|
||||
|
||||
PARAMS="$(cat)"
|
||||
GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
|
||||
|
||||
fetchVarsFromVault GIT_PASSWORD
|
||||
|
||||
if [ -z "${GIT_PASSWORD}" ]; then
|
||||
fail_and_report 1 "gitpassword.sh failed: Git password not found."
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
protocol=https
|
||||
host=$GITHOST
|
||||
username=bk-${SITE_ID}
|
||||
password=${GIT_PASSWORD}
|
||||
EOF
|
||||
|
|
@ -19,7 +19,7 @@ fi
|
|||
|
||||
hc_send log "Checking for bridgehead updates ..."
|
||||
|
||||
CONFFILE=/etc/bridgehead/$1.conf
|
||||
CONFFILE=/etc/bridgehead/$PROJECT.conf
|
||||
|
||||
if [ ! -e $CONFFILE ]; then
|
||||
fail_and_report 1 "Configuration file $CONFFILE not found."
|
||||
|
|
@ -33,7 +33,43 @@ export SITE_ID
|
|||
checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
|
||||
checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
|
||||
|
||||
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
|
||||
# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
|
||||
# If it is missing or expired, Secret Sync will create a new token and write it to the file.
|
||||
# The git credential helper reads the token from the file during git pull.
|
||||
mkdir -p /var/cache/bridgehead/secrets
|
||||
touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
|
||||
log "INFO" "Running Secret Sync for the GitLab token"
|
||||
docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
|
||||
docker run --rm \
|
||||
-v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
|
||||
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
|
||||
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
|
||||
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
|
||||
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
|
||||
-e NO_PROXY=localhost,127.0.0.1 \
|
||||
-e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
|
||||
-e PROXY_ID=$PROXY_ID \
|
||||
-e BROKER_URL=$BROKER_URL \
|
||||
-e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
|
||||
-e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
|
||||
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
|
||||
if [ $? -eq 0 ]; then
|
||||
log "INFO" "Secret Sync was successful"
|
||||
# In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
|
||||
CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
|
||||
git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
|
||||
# Set the git credential helper
|
||||
git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
|
||||
else
|
||||
log "WARN" "Secret Sync failed"
|
||||
# Remove the git credential helper
|
||||
git -C /etc/bridgehead config --unset credential.helper
|
||||
fi
|
||||
|
||||
# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
|
||||
# Let's remove it to avoid confusion. This line can be removed at some point the future when we
|
||||
# believe that it was removed on all/most production servers.
|
||||
git -C /srv/docker/bridgehead config --unset credential.helper
|
||||
|
||||
CHANGES=""
|
||||
|
||||
|
|
@ -45,10 +81,6 @@ for DIR in /etc/bridgehead $(pwd); do
|
|||
if [ -n "$OUT" ]; then
|
||||
report_error log "The working directory $DIR is modified. Changed files: $OUT"
|
||||
fi
|
||||
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
|
||||
log "INFO" "Configuring repo to use bridgehead git credential helper."
|
||||
git -C $DIR config credential.helper "$CREDHELPER"
|
||||
fi
|
||||
old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
|
||||
if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
|
||||
log "INFO" "Git is using no proxy!"
|
||||
|
|
|
|||
Loading…
Reference in New Issue