From 6d6521d0867577c82d242a8616ab7329c89d7622 Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Fri, 17 Jan 2025 18:55:36 +0100
Subject: [PATCH] Run Secret Sync outside of git credentials helper
---
 bridgehead | 5 ---
 lib/functions.sh | 4 +--
 lib/gitpassword.sh | 70 +++++-----------------------------------
 lib/update-bridgehead.sh | 33 +++++++++++++++++--
 4 files changed, 40 insertions(+), 72 deletions(-)
diff --git a/bridgehead b/bridgehead
index 3df3df3..d5d3a20 100755
--- a/bridgehead
+++ b/bridgehead
@@ -166,11 +166,6 @@ case "$ACTION" in
 ;;
 postRun | postUpdate)
 ;;
- gitCredentials)
- loadVars >&2
- shift 2
- exec ./lib/gitpassword.sh $@
- ;;
 *)
 printUsage
 exit 1
diff --git a/lib/functions.sh b/lib/functions.sh
index 27fe758..ed57293 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -53,7 +53,7 @@ checkOwner(){
 }
 printUsage() {
- echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll|gitCredentials PROJECTNAME"
+ echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
 echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
 }
@@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 MISSING_VARS=""
 for VAR in $@; do
- if [ -z "${VAR+x}" ] || [ -z "$VAR" ]; then
+ if [ -z "${!VAR}" ]; then
 MISSING_VARS+="$VAR "
 fi
 done
diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
index 54ce149..e618029 100755
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
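Review bot: The new test `if [ -z "${!VAR}" ]; then` in assertVarsNotEmpty aborts with an "unbound variable" error under `set -u` whenever the named variable is not set at all, so the function never reaches its own reporting path for exactly the case it exists to catch; the old `${VAR+x}` form suggests that case was meant to be handled. Using the `:-` default keeps the indirection and treats unset and empty alike: `if [ -z "${!VAR:-}" ]; then`. Whether this file runs with `set -u` is not visible in the hunk, so this only matters if the caller enables it. The unquoted `$@` in the context line `for VAR in $@; do` is pre-existing, but now that each word is dereferenced as a variable name, `"$@"` would keep the loop exact. The opening and closing lines of assertVarsNotEmpty are outside the hunk.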
@@ -1,65 +1,11 @@
-#!/bin/bash -eu
+#!/bin/bash
-SECRETS_FILE=/var/cache/bridgehead/secrets/gitetcbridgehead
+[ "$1" = "get" ] || exit
-case "$1" in
- erase)
- rm -f $SECRETS_FILE
- CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
- git -C /etc/bridgehead remote set-url origin $CLEAN_REPO
- exit 0
- ;;
- get)
- # continue below
- ;;
- store)
- # We could store the credentials in /var/cache/bridgehead, but we already did -- so nothing to do
- exit 0
- ;;
- *)
- fail_and_report 1 "gitpassword.sh called incorrectly"
- ;;
-esac
+source /var/cache/bridgehead/secrets/gitlab_token
-PARAMS="$(cat)"
-GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
-
-if [ ! -f ${SECRETS_FILE} ]; then
- TMPFILE=$(mktemp)
- docker run --rm \
- -v $TMPFILE:/usr/local/cache \
- -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
- -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
- -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
- -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
- -e NO_PROXY=localhost,127.0.0.1 \
- -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
- -e PROXY_ID=$PROXY_ID \
- -e BROKER_URL=$BROKER_URL \
- -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
- -e SECRET_DEFINITIONS=GitLabProjectAccessToken:GIT_CONFIG_REPO_TOKEN:bridgehead-configuration \
- docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
- mv $TMPFILE $SECRETS_FILE
-fi
-
-source "${SECRETS_FILE}"
-
-if [ -z ${GIT_CONFIG_REPO_TOKEN} ]; then
- rm "${SECRETS_FILE}"
- fail_and_report 1 "gitpassword.sh failed: Git password file present but without token."
-fi
-
-REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|' | sed -E 's|https://||')"
-if !
git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL ls-remote https://bk-$SITE_ID:${GIT_CONFIG_REPO_TOKEN}@${REPO} 1>/dev/null 2>/dev/null 3>/dev/null; then
- rm "${SECRETS_FILE}"
- fail_and_report 1 "gitpassword.sh failed: Git password present but invalid."
-fi
-
-cat <