Add secret sync to the bridgehead

This commit is contained in:
janskiba 2023-11-07 14:55:26 +00:00 committed by juarez
parent b1a6abdab6
commit a386bcadcf
2 changed files with 33 additions and 0 deletions

View File

@ -82,6 +82,7 @@ loadVars() {
export FOCUS_TAG=main
;;
esac
sync_secrets
}
case "$ACTION" in

View File

@ -239,3 +239,35 @@ add_basic_auth_user() {
log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
}
SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""}
# First argument is the variable name that will be generated.
# Second argument is a comma seperated list of allowed redirect urls for the oidc client.
function generate_oidc_client() {
local delimiter=$'\x1E'
if [[ $SECRET_SYNC_ARGS == "" ]]; then
SECRET_SYNC_ARGS+="OIDC:$1:$2"
else
SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:$2"
fi
}
function sync_secrets() {
if [[ $SECRET_SYNC_ARGS == "" ]]; then
return
fi
# The oidc provider will need to be switched based on the project at some point I guess
docker run --rm \
-v /var/cache/bridgehead/secrets:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \
-e OIDC_PROVIDER=secret-sync.central.$BROKER_ID \
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
source /var/cache/bridgehead/secrets/*
}