From 704aa7c758e5b9008b736fa2f3f443e9ef44dc1d Mon Sep 17 00:00:00 2001
From: janskiba
Date: Tue, 7 Nov 2023 14:55:26 +0000
Subject: [PATCH] Add secret sync to the bridgehead

---
 bridgehead | 1 +
 lib/functions.sh | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/bridgehead b/bridgehead
index 8db9735..b1b5d36 100755
--- a/bridgehead
+++ b/bridgehead
@@ -66,6 +66,7 @@ loadVars() {
 detectCompose
 setHostname
 setupProxy
+ sync_secrets
 }
 
 case "$ACTION" in
diff --git a/lib/functions.sh b/lib/functions.sh
index 4d2bb2f..4c435a9 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -239,3 +239,35 @@ add_basic_auth_user() {
 log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
 sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
 }
+
+SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""}
+# First argument is the variable name that will be generated.
+# Second argument is a comma seperated list of allowed redirect urls for the oidc client.
+function generate_oidc_client() {
+ local delimiter=$'\x1E'
+ if [[ $SECRET_SYNC_ARGS == "" ]]; then
+ SECRET_SYNC_ARGS+="OIDC:$1:$2"
+ else
+ SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:$2"
+ fi
+}
+
+function sync_secrets() {
+ if [[ $SECRET_SYNC_ARGS == "" ]]; then
+ return
+ fi
+ # The oidc provider will need to be switched based on the project at some point I guess
+ docker run --rm \
+ -v /var/cache/bridgehead/secrets:/usr/local/cache \
+ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+ -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+ -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
+ -e PROXY_ID=$PROXY_ID \
+ -e BROKER_URL=$BROKER_URL \
+ -e OIDC_PROVIDER=secret-sync.central.$BROKER_ID \
+ -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
+ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+ source /var/cache/bridgehead/secrets/*
+}
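Review bot: The closing `source /var/cache/bridgehead/secrets/*` in sync_secrets sources only the first matching file, because bash passes the remaining words to `source` as positional parameters rather than as further files, and when nothing matches the literal glob is handed to `source`, which then fails. The `docker run` status is also unchecked, so a failed sync still sources whatever is left in the cache directory, and the host-side expansions `$PRIVATEKEYFILENAME`, `$HTTPS_PROXY_FULL_URL` and `$SECRET_SYNC_ARGS` (which carries the caller-supplied redirect URLs from generate_oidc_client) are unquoted. Since the cached files are executed as shell in the bridgehead's own process, the image reference `secret-sync-local:latest` would better be pinned to a version or digest so that what ends up being sourced does not change with an untracked pull. The sketch below checks the run status and sources each file separately; `log` is defined outside the hunk. The comment typo `seperated` in the generate_oidc_client header should read `separated`.

```shell
function sync_secrets() {
	# … unchanged: early return when SECRET_SYNC_ARGS is empty …
	local -a run_args=(
		--rm
		# … unchanged: the -v mounts and -e variables, with every expansion double-quoted …
		-e "SECRET_DEFINITIONS=$SECRET_SYNC_ARGS"
	)
	if ! docker run "${run_args[@]}" docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest; then
		log ERROR "Secret sync failed; cached secrets were not sourced"
		return 1
	fi
	# `source a b c` sources only a (b and c become $1 and $2); source each file on its own
	local f
	for f in /var/cache/bridgehead/secrets/*; do
		[[ -f "$f" ]] || continue
		source "$f"
	done
}
```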