Merge branch 'version-1' of https://github.com/samply/bridgehead into version-1

2022-05-16 08:20:15 +02:00 · 2022-05-16 08:20:15 +02:00 · 0b48ebb44a
parent 08ee32ac40 8352965d66
commit 0b48ebb44a
4 changed files with 49 additions and 5 deletions
--- a/1
+++ b/1
@ -46,6 +46,7 @@ source /etc/bridgehead/site.conf
 case "$ACTION" in
 	start)
 		checkRequirements
+		fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env || exit 1
 		exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up
 		;;
 	stop)
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@ -79,11 +79,7 @@ services:
      APP_BROKER_AUTHTOKEN: ${CCP_SEARCHBROKER_PASSWORD}
      APP_STORE_BASEURL: "http://bridgehead-ccp-blaze:8080/fhir"
      SPRING_DATASOURCE_URL: "jdbc:postgresql://bridgehead-ccp-share-db:5432/dktk-fed-search-share"
-      JAVA_TOOL_OPTIONS: "-Xmx1g"
-      http_proxy: "http://bridgehead-forward-proxy:3128"
-      https_proxy: "http://bridgehead-forward-proxy:3128"
-      HTTP_PROXY: "http://bridgehead-forward-proxy:3128"
-      HTTPS_PROXY: "http://bridgehead-forward-proxy:3128"
+      JAVA_TOOL_OPTIONS: -Xmx1g -Dhttp.proxyHost=bridgehead-forward-proxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=bridgehead-forward-proxy -Dhttps.proxyPort=3128 -Dhttp.noProxyHosts="bridgehead-*"
    depends_on:
    - ccp-search-share-db
    - blaze
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -23,3 +23,43 @@ checkRequirements() {
 		return 0
 	fi
 }
+
+fetchVarsFromVault() {
+	VARS_TO_FETCH=""
+
+	for line in $(cat $@); do
+		if [[ $line =~ .*=\<VAULT\>.* ]]; then
+			VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
+		fi
+	done
+
+	if [ -z "$VARS_TO_FETCH" ]; then
+		return 0
+	fi
+
+	log INFO "Fetching secrets from vault ..."
+
+	[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
+
+	if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
+		log ERROR "Please supply correct credentials in /etc/bridgehead/vault.conf."
+		return 1
+	fi
+
+	set +e
+
+	PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
+	RET=$?
+
+	if [ $RET -ne 0 ]; then
+		echo "Code: $RET"
+		echo $PASS
+		return $RET
+	fi
+
+	eval $(echo -e "$PASS" | sed 's/\r//g')
+
+	set -e
+
+	return 0
+}
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@ -69,6 +69,13 @@ if [ ! -e "certs/traefik.crt" ]; then
  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi

+if [ -e /etc/bridgehead/vault.conf ]; then
+	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+		log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
+		exit 1
+	fi
+fi
+
 log INFO "Success - all prerequisites are met!"

 exit 0