Merge pull request #16 from samply/feature/gitcredentials
Allow git to fetch credentials from Vault.
		@@ -44,7 +44,7 @@ esac
 | 
				
			|||||||
case "$ACTION" in
 | 
					case "$ACTION" in
 | 
				
			||||||
	start)
 | 
						start)
 | 
				
			||||||
		checkRequirements
 | 
							checkRequirements
 | 
				
			||||||
		fetchVarsFromVault /etc/bridgehead/$PROJECT.conf || exit 1
 | 
							fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
 | 
				
			||||||
		exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf up
 | 
							exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf up
 | 
				
			||||||
		;;
 | 
							;;
 | 
				
			||||||
	stop)
 | 
						stop)
 | 
				
			||||||
 
 | 
				
			|||||||
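Review bot: The `|| exit 1` on the new `fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf` call cannot fire: in the `@@ -65,6 +60,43 @@` hunk of functions.sh that function calls `fetchVarsFromVault $VARS_TO_FETCH` and then unconditionally `return 0`, so whatever the inner `RET -ne 0` branch returns (its body lies outside its hunk) is discarded and `docker-compose up` on the next line starts with the `<VAULT>` placeholders unresolved. The one-line fix belongs in fetchVarsFromVaultByFile: `fetchVarsFromVault $VARS_TO_FETCH || return 1`. Quoting the argument, `"/etc/bridgehead/$PROJECT.conf"`, would also match the `--env-file` path on the following line. The `start)` arm is complete here but the enclosing `case` closes outside this hunk.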
@@ -7,6 +7,15 @@ exitIfNotRoot() {
 | 
				
			|||||||
  fi
 | 
					  fi
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					checkOwner(){
 | 
				
			||||||
 | 
					  COUNT=$(find $1 ! -user $2 |wc -l)
 | 
				
			||||||
 | 
					  if [ $COUNT -gt 0 ]; then
 | 
				
			||||||
 | 
					    log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
 | 
				
			||||||
 | 
					    return 1
 | 
				
			||||||
 | 
					  fi
 | 
				
			||||||
 | 
					  return 0
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
log() {
 | 
					log() {
 | 
				
			||||||
  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
 | 
					  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
@@ -26,20 +35,6 @@ checkRequirements() {
 | 
				
			|||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
fetchVarsFromVault() {
 | 
					fetchVarsFromVault() {
 | 
				
			||||||
	VARS_TO_FETCH=""
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	for line in $(cat $@); do
 | 
					 | 
				
			||||||
		if [[ $line =~ .*=\<VAULT\>.* ]]; then
 | 
					 | 
				
			||||||
			VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
 | 
					 | 
				
			||||||
		fi
 | 
					 | 
				
			||||||
	done
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	if [ -z "$VARS_TO_FETCH" ]; then
 | 
					 | 
				
			||||||
		return 0
 | 
					 | 
				
			||||||
	fi
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	log "INFO" "Fetching secrets from vault ..."
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
	[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
 | 
						[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
 | 
						if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
 | 
				
			||||||
@@ -49,7 +44,7 @@ fetchVarsFromVault() {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
	set +e
 | 
						set +e
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
 | 
						PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $@)
 | 
				
			||||||
	RET=$?
 | 
						RET=$?
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if [ $RET -ne 0 ]; then
 | 
						if [ $RET -ne 0 ]; then
 | 
				
			||||||
@@ -65,6 +60,43 @@ fetchVarsFromVault() {
 | 
				
			|||||||
	return 0
 | 
						return 0
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					fetchVarsFromVaultByFile() {
 | 
				
			||||||
 | 
						VARS_TO_FETCH=""
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						for line in $(cat $@); do
 | 
				
			||||||
 | 
							if [[ $line =~ .*=[\"]*\<VAULT\>[\"]*.* ]]; then
 | 
				
			||||||
 | 
								VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
 | 
				
			||||||
 | 
							fi
 | 
				
			||||||
 | 
						done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						if [ -z "$VARS_TO_FETCH" ]; then
 | 
				
			||||||
 | 
							return 0
 | 
				
			||||||
 | 
						fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						log INFO "Fetching $(echo $VARS_TO_FETCH | wc -w) secrets from Vault ..."
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						fetchVarsFromVault $VARS_TO_FETCH
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						return 0
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					assertVarsNotEmpty() {
 | 
				
			||||||
 | 
						MISSING_VARS=""
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						for VAR in $@; do
 | 
				
			||||||
 | 
						if [ -z "${!VAR}" ]; then
 | 
				
			||||||
 | 
								MISSING_VARS+="$VAR "
 | 
				
			||||||
 | 
							fi
 | 
				
			||||||
 | 
						done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						if [ -n "$MISSING_VARS" ]; then
 | 
				
			||||||
 | 
							log "ERROR" "Mandatory variables not defined: $MISSING_VARS"
 | 
				
			||||||
 | 
							return 1
 | 
				
			||||||
 | 
						fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						return 0
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
##Setting Network properties
 | 
					##Setting Network properties
 | 
				
			||||||
export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 | 
					export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 | 
				
			||||||
export HOST=$(hostname)
 | 
					export HOST=$(hostname)
 | 
				
			||||||
 
 | 
				
			|||||||
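Review bot: `checkOwner` fails open: `COUNT=$(find $1 ! -user $2 |wc -l)` yields 0 whenever `find` cannot read `$1` (missing or unreadable path), so the function returns 0 and a nonexistent /etc/bridgehead passes the ownership check that the callers in the prerequisites and update scripts now rely on via `|| exit 1`. Capture `find`'s exit status before counting and treat a failed inspection as an error, and quote `$1`/`$2` so paths with spaces do not split. The rest of the function (the count check, the ERROR log and the returns) can stay as written.
```bash
checkOwner(){
  # Fail closed: a path that cannot be inspected must not pass the ownership check.
  if ! OFFENDERS=$(find "$1" ! -user "$2"); then
    log ERROR "Cannot inspect ownership of $1."
    return 1
  fi
  COUNT=$(printf '%s\n' "$OFFENDERS" | grep -c .)
  # … unchanged: COUNT check, ERROR log, return 1 / return 0 …
```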
							
								
								
									
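--- /dev/null
+++ b/lib/gitpassword.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ "$1" != "get" ]; then
+	echo "Usage: $0 get"
+	exit 1
+fi
+
+baseDir() {
+	# see https://stackoverflow.com/questions/59895
+	SOURCE=${BASH_SOURCE[0]}
+	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+		SOURCE=$(readlink "$SOURCE")
+		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+        done
+        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
+        echo $DIR
+}
+
+BASE=$(baseDir)
+cd $BASE
+
+source lib/functions.sh
+
+assertVarsNotEmpty SITE_ID || exit 1
+
+PARAMS="$(cat)"
+GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
+
+fetchVarsFromVault GIT_PASSWORD
+
+if [ -z "${GIT_PASSWORD}" ]; then
+	log ERROR "Git password not found."
+	exit 1
+fi
+
+cat <<EOF
+protocol=https
+host=$GITHOST
+username=bk-${SITE_ID}
+password=${GIT_PASSWORD}
+EOF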
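Review bot: The helper hands out the site password for whatever host and protocol git asks about: only `host=` is read from stdin and echoed back, while `protocol=https` is asserted in the output rather than checked against the request, so a repo whose remote is re-pointed to another host, or one fetching over plain http, would receive the `bk-${SITE_ID}` password. A credential helper should answer only for the expected upstream over TLS and otherwise print nothing, so git falls through to its other helpers or prompts. Independently, `log` in functions.sh writes to stdout with `echo -e`, and stdout is the channel git parses here, so `log ERROR "Git password not found."` and the usage message need `>&2`; `cd $BASE` should also be `cd "$BASE" || exit 1` so a failed resolution does not `source lib/functions.sh` from the caller's cwd.
```bash
PARAMS="$(cat)"
GITHOST=$(printf '%s\n' "$PARAMS" | sed -n 's/^host=//p')
GITPROTO=$(printf '%s\n' "$PARAMS" | sed -n 's/^protocol=//p')

# Answer only for the expected upstream over TLS; otherwise stay silent and let git fall through.
if [ "$GITPROTO" != "https" ] || [ "$GITHOST" != "<EXPECTED_GIT_HOST: placeholder for the bridgehead upstream host>" ]; then
	exit 0
fi

fetchVarsFromVault GIT_PASSWORD

if [ -z "${GIT_PASSWORD}" ]; then
	log ERROR "Git password not found." >&2
	exit 1
fi
# … unchanged: credential heredoc written to stdout …
```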
@@ -2,22 +2,13 @@
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
source lib/functions.sh
 | 
					source lib/functions.sh
 | 
				
			||||||
 | 
					
 | 
				
			||||||
checkOwner(){
 | 
					 | 
				
			||||||
  ## Check for file permissions
 | 
					 | 
				
			||||||
  COUNT=$(find $1 ! -user $2 |wc -l)
 | 
					 | 
				
			||||||
  if [ $COUNT -gt 0 ]; then
 | 
					 | 
				
			||||||
    log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
 | 
					 | 
				
			||||||
    exit 1
 | 
					 | 
				
			||||||
  fi
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
if ! id "bridgehead" &>/dev/null; then
 | 
					if ! id "bridgehead" &>/dev/null; then
 | 
				
			||||||
  log ERROR "User bridgehead does not exist. Please consult readme for installation."
 | 
					  log ERROR "User bridgehead does not exist. Please consult readme for installation."
 | 
				
			||||||
  exit 1
 | 
					  exit 1
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
checkOwner . bridgehead
 | 
					checkOwner . bridgehead || exit 1
 | 
				
			||||||
checkOwner /etc/bridgehead bridgehead
 | 
					checkOwner /etc/bridgehead bridgehead || exit 1
 | 
				
			||||||
 | 
					
 | 
				
			||||||
## Check if user is a su
 | 
					## Check if user is a su
 | 
				
			||||||
log INFO "Checking if all prerequisites are met ..."
 | 
					log INFO "Checking if all prerequisites are met ..."
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -1,10 +1,30 @@
 | 
				
			|||||||
#!/bin/bash
 | 
					#!/bin/bash
 | 
				
			||||||
source lib/functions.sh
 | 
					source lib/functions.sh
 | 
				
			||||||
 | 
					
 | 
				
			||||||
log "INFO" "Checking for updates of services"
 | 
					CONFFILE=/etc/bridgehead/$1.conf
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					if [ ! -e $CONFFILE ]; then
 | 
				
			||||||
 | 
					  log ERROR "Configuration file $CONFFILE not found."
 | 
				
			||||||
 | 
					  exit 1
 | 
				
			||||||
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					source $CONFFILE
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					assertVarsNotEmpty SITE_ID || exit 1
 | 
				
			||||||
 | 
					export SITE_ID
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					checkOwner . bridgehead || exit 1
 | 
				
			||||||
 | 
					checkOwner /etc/bridgehead bridgehead || exit 1
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Check git updates
 | 
					# Check git updates
 | 
				
			||||||
for DIR in /etc/bridgehead $(pwd); do
 | 
					for DIR in /etc/bridgehead $(pwd); do
 | 
				
			||||||
 | 
					  log "INFO" "Checking for updates to git repo $DIR ..."
 | 
				
			||||||
 | 
					  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
 | 
				
			||||||
 | 
					    log "INFO" "Configuring repo to use bridgehead git credential helper."
 | 
				
			||||||
 | 
					    git -C $DIR config credential.helper "$CREDHELPER"
 | 
				
			||||||
 | 
					  fi
 | 
				
			||||||
  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
 | 
					  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
 | 
				
			||||||
  git -C $DIR fetch 2>&1
 | 
					  git -C $DIR fetch 2>&1
 | 
				
			||||||
  git -C $DIR pull 2>&1
 | 
					  git -C $DIR pull 2>&1
 | 
				
			||||||
@@ -30,6 +50,7 @@ for DIR in /etc/bridgehead $(pwd); do
 | 
				
			|||||||
done
 | 
					done
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Check docker updates
 | 
					# Check docker updates
 | 
				
			||||||
 | 
					log "INFO" "Checking for updates to running docker images ..."
 | 
				
			||||||
docker_updated="false"
 | 
					docker_updated="false"
 | 
				
			||||||
for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
 | 
					for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
 | 
				
			||||||
  log "INFO" "Checking for Updates of Image: $IMAGE"
 | 
					  log "INFO" "Checking for Updates of Image: $IMAGE"
 | 
				
			||||||
@@ -41,10 +62,12 @@ done
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
# If anything is updated, restart service
 | 
					# If anything is updated, restart service
 | 
				
			||||||
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
 | 
					if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
 | 
				
			||||||
  log "INFO" "Due to previous updates now restarting bridgehead"
 | 
					  log "INFO" "Update detected, now restarting bridgehead"
 | 
				
			||||||
  systemctl restart 'bridgehead@*'
 | 
					  systemctl restart 'bridgehead@*'
 | 
				
			||||||
 | 
					else
 | 
				
			||||||
 | 
					  log "INFO" "Nothing updated, nothing to restart."
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
log "INFO" "checking updates finished"
 | 
					
 | 
				
			||||||
exit 0
 | 
					exit 0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# TODO: Print last commit explicit
 | 
					# TODO: Print last commit explicit
 | 
				
			||||||
 
 | 
				
			|||||||
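Review bot: `CONFFILE=/etc/bridgehead/$1.conf` is built from the unchecked first argument and then executed with `source $CONFFILE` as root, and both the `-e` test and the `source` leave the path unquoted; an empty `$1` yields `/etc/bridgehead/.conf`, and a value containing `/` or `..` resolves to a file outside /etc/bridgehead. Reject anything but a plain project name before using it, e.g. `case "$1" in ''|*/*|*..*) log ERROR "Invalid project name '$1'."; exit 1;; esac`, and quote `"$CONFFILE"` in both uses. The `for DIR` loop opened at the end of this hunk closes in the next one.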