Run Secret Sync outside of git credentials helper

bridgehead

@@ -166,11 +166,6 @@ case "$ACTION" in
 		;;
 	postRun | postUpdate)
 		;;
-	gitCredentials)
-		loadVars >&2
-		shift 2
-		exec ./lib/gitpassword.sh $@
-		;;
 	*)
 		printUsage
 		exit 1

lib/functions.sh

@@ -53,7 +53,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll|gitCredentials PROJECTNAME"
+	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
 }
 
@@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 	MISSING_VARS=""
 
 	for VAR in $@; do
-		if [ -z "${VAR+x}" ] || [ -z "$VAR" ]; then
+		if [ -z "${!VAR}" ]; then
 			MISSING_VARS+="$VAR "
 		fi
 	done

lib/gitpassword.sh

@@ -1,65 +1,11 @@
-#!/bin/bash -eu
+#!/bin/bash
 
-SECRETS_FILE=/var/cache/bridgehead/secrets/gitetcbridgehead
+[ "$1" = "get" ] || exit
 
-case "$1" in
+source /var/cache/bridgehead/secrets/gitlab_token
-  erase)
-    rm -f $SECRETS_FILE
-    CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
-    git -C /etc/bridgehead remote set-url origin $CLEAN_REPO
-    exit 0
-    ;;
-  get)
-    # continue below
-    ;;
-  store)
-    # We could store the credentials in /var/cache/bridgehead, but we already did -- so nothing to do
-    exit 0
-    ;;
-  *)
-    fail_and_report 1 "gitpassword.sh called incorrectly"
-    ;;
-esac
-
-PARAMS="$(cat)"
-GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
-
-if [ ! -f ${SECRETS_FILE} ]; then
-   TMPFILE=$(mktemp)
-   docker run --rm \
-        -v $TMPFILE:/usr/local/cache \
-        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e NO_PROXY=localhost,127.0.0.1 \
-        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-        -e PROXY_ID=$PROXY_ID \
-        -e BROKER_URL=$BROKER_URL \
-        -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
-        -e SECRET_DEFINITIONS=GitLabProjectAccessToken:GIT_CONFIG_REPO_TOKEN:bridgehead-configuration \
-        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
-    mv $TMPFILE $SECRETS_FILE
-fi
-
-source "${SECRETS_FILE}"
-
-if [ -z ${GIT_CONFIG_REPO_TOKEN} ]; then
-	rm "${SECRETS_FILE}"
-	fail_and_report 1 "gitpassword.sh failed: Git password file present but without token."
-fi
-
-REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|' | sed -E 's|https://||')"
-if ! git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL ls-remote https://bk-$SITE_ID:${GIT_CONFIG_REPO_TOKEN}@${REPO} 1>/dev/null 2>/dev/null 3>/dev/null; then
-	rm "${SECRETS_FILE}"
-	fail_and_report 1 "gitpassword.sh failed: Git password present but invalid."
-fi
 
+# Any non-empty username works, only the token matters
 cat << EOF
-protocol=https
+username=bk
-host=$GITHOST
+password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
-username=bk-${SITE_ID}
-password=${GIT_CONFIG_REPO_TOKEN}
 EOF
-
-exit 0

lib/update-bridgehead.sh

@@ -1,8 +1,6 @@
 #!/bin/bash
 source lib/functions.sh
 
-PROJECT="$1"
-
 AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 
 if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
@@ -35,7 +33,36 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-CREDHELPER="/srv/docker/bridgehead/bridgehead gitCredentials $PROJECT"
+# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+# If it is missing or expired, Secret Sync will create a new token and write it to the file.
+# The git credential helper reads the token from the file during git pull.
+mkdir -p /var/cache/bridgehead/secrets
+touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
+log "INFO" "Running Secret Sync for the GitLab token"
+docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
+docker run --rm \
+  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
+  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+  -e NO_PROXY=localhost,127.0.0.1 \
+  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
+  -e PROXY_ID=$PROXY_ID \
+  -e BROKER_URL=$BROKER_URL \
+  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
+  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+if [ $? -eq 0 ]; then
+  log "INFO" "Secret Sync was successful"
+  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
+  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
+  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
+else
+  log "WARN" "Secret Sync failed"
+fi
+
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
 CHANGES=""