From d428f08d8a2824a78acc850710167cb6b579b38f Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Thu, 12 May 2022 18:23:52 +0200
Subject: [PATCH 1/4] Whenever a variable has the value , auto-fetch value from vault.

---
 bridgehead       |  1 +
 lib/functions.sh | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/bridgehead b/bridgehead
index 0634d06..7585594 100755
--- a/bridgehead
+++ b/bridgehead
@@ -46,6 +46,7 @@ source /etc/bridgehead/site.conf
 case "$ACTION" in
   start)
     checkRequirements
+    fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env
     exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up
     ;;
   stop)
diff --git a/lib/functions.sh b/lib/functions.sh
index 03def34..5ffd5c7 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -23,3 +23,21 @@ checkRequirements() {
     return 0
   fi
 }
+
+fetchVarsFromVault() {
+  VARS_TO_FETCH=""
+
+  for line in $(cat $@); do
+    if [[ $line =~ .*=\.* ]]; then
+      VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
+    fi
+  done
+
+  if [ -z "$VARS_TO_FETCH" ]; then
+    return 0
+  fi
+
+  eval $(docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET bwcli $VARS_TO_FETCH | sed 's/\r//g')
+
+  return 0
+}

From 4b5af787e5cb182ecd764114b2da5b9f3eeef5c8 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Thu, 12 May 2022 18:27:34 +0200
Subject: [PATCH 2/4] Use correct image name.

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 5ffd5c7..751ce8e 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -37,7 +37,7 @@ fetchVarsFromVault() {
     return 0
   fi
 
-  eval $(docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET bwcli $VARS_TO_FETCH | sed 's/\r//g')
+  eval $(docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET samply/bridgehead-vaultfetcher $VARS_TO_FETCH | sed 's/\r//g')
 
   return 0
 }

From 1692395ffcab8ea0a7db2d3a1f5530c28ab8383c Mon Sep 17 00:00:00 2001
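Review bot: `eval $(docker run … | sed 's/\r//g')` in the lib/functions.sh hunk executes whatever the vaultfetcher container prints as shell code in the calling process, so any output line that is not a plain `KEY=VALUE` pair (an error message, a value containing `;` or `$(`) runs as a command; the same construct survives in the patch 2 hunk and, as `eval $(echo -e "$PASS" …)`, in patch 3. Read the output line by line instead, accept only lines matching `^[A-Za-z_][A-Za-z0-9_]*=` whose key is one of the requested names, and assign with `printf -v`. `for line in $(cat $@)` word-splits the config files on every space and glob character, so a `KEY="a b"` entry yields two iterations; `while IFS= read -r line; do …; done < <(cat -- "$@")` avoids that. `docker run -ti` allocates a pseudo-TTY, which is where the `\r` being stripped comes from and which fails when the script runs without a terminal (cron, systemd); `-i` alone suffices. The `=~` pattern `.*=\.*` as rendered here matches any line containing `=`, which looks like an extraction artifact on this page rather than the intended marker value — confirm against the repository.
```shell
fetchVarsFromVault() {
  local line key
  VARS_TO_FETCH=""

  # Read the config files line by line; $(cat $@) would word-split values on spaces.
  while IFS= read -r line; do
    if [[ $line =~ .*=\.* ]]; then
      VARS_TO_FETCH+="${line%%=*} "
    fi
  done < <(cat -- "$@")

  # … unchanged: early return when VARS_TO_FETCH is empty …

  # Never eval the container's output: accept only KEY=VALUE lines for the requested keys.
  # Assumes the image prints one KEY=VALUE line per requested name — confirm against its output format.
  while IFS= read -r line; do
    line=${line%$'\r'}
    [[ $line =~ ^([A-Za-z_][A-Za-z0-9_]*)=(.*)$ ]] || continue
    key=${BASH_REMATCH[1]}
    [[ " $VARS_TO_FETCH" == *" $key "* ]] || continue
    printf -v "$key" '%s' "${BASH_REMATCH[2]}"
  done < <(docker run --rm -i -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET bwcli $VARS_TO_FETCH)

  return 0
}
```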
From: Martin Lablans
Date: Fri, 13 May 2022 14:11:14 +0200
Subject: [PATCH 3/4] Support retrieving credentials for vault from /etc/bridgehead/vault.conf

---
 bridgehead           |  2 +-
 lib/functions.sh     | 24 +++++++++++++++++++++++-
 lib/prerequisites.sh |  7 +++++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 7585594..bb02c92 100755
--- a/bridgehead
+++ b/bridgehead
@@ -46,7 +46,7 @@ source /etc/bridgehead/site.conf
 case "$ACTION" in
   start)
     checkRequirements
-    fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env
+    fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env || exit 1
     exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up
     ;;
   stop)
diff --git a/lib/functions.sh b/lib/functions.sh
index 751ce8e..e0a8b61 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -37,7 +37,29 @@ fetchVarsFromVault() {
     return 0
   fi
 
-  eval $(docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET samply/bridgehead-vaultfetcher $VARS_TO_FETCH | sed 's/\r//g')
+  log INFO "Fetching secrets from vault ..."
+
+  [ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
+
+  if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
+    log ERROR "Please supply correct credentials in /etc/bridgehead/vault.conf."
+    return 1
+  fi
+
+  set +e
+
+  PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
+  RET=$?
+
+  if [ $RET -ne 0 ]; then
+    echo "Code: $RET"
+    echo $PASS
+    return $RET
+  fi
+
+  eval $(echo -e "$PASS" | sed 's/\r//g')
+
+  set -e
 
   return 0
 }
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 60fa945..983ebc3 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
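Review bot: In the lib/functions.sh hunk the early `return $RET` on the failure path runs after `set +e` but before the closing `set -e`, so a failed vault fetch leaves errexit disabled in the caller for the rest of its run. The `set +e`/`set -e` pair can go entirely: `RET=0` followed by `PASS=$(… docker run …) || RET=$?` captures the status without touching shell options. The failure branch also prints the raw container output with `echo $PASS` unquoted, which word-splits and glob-expands it and, if the image had already emitted a secret before failing, writes it to stdout; `log ERROR "Fetching secrets from vault failed with code $RET."` without the payload is the safer diagnostic. On the success path `echo -e "$PASS"` interprets backslash escapes inside the fetched values, so a secret containing `\n`, `\t` or `\\` is altered before `eval` sees it; `printf '%s\n' "$PASS"` preserves it. `source /etc/bridgehead/vault.conf` executes that file as shell, which is acceptable only because prerequisites.sh now enforces mode 600 and owner bridgehead on it; a comment such as `# vault.conf is executed as shell; prerequisites.sh enforces 600/bridgehead on it` at the `source` line keeps the two in step.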
@@ -69,6 +69,13 @@ if [ ! -e "certs/traefik.crt" ]; then
   openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 365
 fi
 
+if [ -e /etc/bridgehead/vault.conf ]; then
+  if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+    log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
+    exit 1
+  fi
+fi
+
 log INFO "Success - all prerequisites are met!"
 exit 0

From f510b1d0cb94fdc9c7426149bc83d86a9f7679a4 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Fri, 13 May 2022 14:19:52 +0200
Subject: [PATCH 4/4] Use http proxy set in $http_proxy.

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index e0a8b61..80bb698 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -48,7 +48,7 @@ fetchVarsFromVault() {
 
   set +e
 
-  PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
+  PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
   RET=$?
 
   if [ $RET -ne 0 ]; then
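Review bot: The comparison against the literal `"600 bridgehead"` in the lib/prerequisites.sh hunk rejects a vault.conf that is stricter than required, such as mode 400, so an operator who hardens the file is told it is wrong. Checking the two properties separately states the intent more directly: `[[ "$(stat -c "%a" /etc/bridgehead/vault.conf)" =~ ^[46]00$ ]]` for the mode and `[[ "$(stat -c "%U" /etc/bridgehead/vault.conf)" == bridgehead ]]` for the owner. `stat -c` is the GNU coreutils form and BSD-derived `stat` takes `-f`, so this check is Linux-only, which is presumably fine for a Docker host but deserves a comment. The reason ownership matters is that fetchVarsFromVault later runs the file with `source`; a comment above the outer `if`, `# vault.conf is sourced as shell by fetchVarsFromVault, so only the bridgehead user may write it`, makes that dependency visible to the next editor.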
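Review bot: Only `http_proxy` is forwarded into the container; if the vaultfetcher reaches its vault over HTTPS, most proxy-aware clients read `https_proxy` (and honour `no_proxy`) for that connection, so the proxy setting may still be ignored for the request that matters. Forwarding `-e http_proxy -e https_proxy -e no_proxy` (plus the upper-case variants if the client inside the image expects them) covers the common cases; which names the image honours should be confirmed against its client. Proxy URLs sometimes carry credentials, and `-e` makes them readable via `docker inspect` for the life of the container, which is short here because of `--rm` but worth a comment on the line.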