Merge pull request #16 from samply/feature/gitcredentials

Allow git to fetch credentials from Vault.
This commit is contained in:
patrickskowronekdkfz 2022-06-02 15:42:07 +02:00 committed by GitHub
commit 8de0c1acae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 118 additions and 30 deletions

View File

@ -44,7 +44,7 @@ esac
case "$ACTION" in
start)
checkRequirements
fetchVarsFromVault /etc/bridgehead/$PROJECT.conf || exit 1
fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf up
;;
stop)

View File

@ -7,6 +7,15 @@ exitIfNotRoot() {
fi
}
checkOwner(){
COUNT=$(find $1 ! -user $2 |wc -l)
if [ $COUNT -gt 0 ]; then
log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
return 1
fi
return 0
}
log() {
echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
}
@ -26,20 +35,6 @@ checkRequirements() {
}
fetchVarsFromVault() {
VARS_TO_FETCH=""
for line in $(cat $@); do
if [[ $line =~ .*=\<VAULT\>.* ]]; then
VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
fi
done
if [ -z "$VARS_TO_FETCH" ]; then
return 0
fi
log "INFO" "Fetching secrets from vault ..."
[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
@ -49,7 +44,7 @@ fetchVarsFromVault() {
set +e
PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $@)
RET=$?
if [ $RET -ne 0 ]; then
@ -65,6 +60,43 @@ fetchVarsFromVault() {
return 0
}
fetchVarsFromVaultByFile() {
VARS_TO_FETCH=""
for line in $(cat $@); do
if [[ $line =~ .*=[\"]*\<VAULT\>[\"]*.* ]]; then
VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
fi
done
if [ -z "$VARS_TO_FETCH" ]; then
return 0
fi
log INFO "Fetching $(echo $VARS_TO_FETCH | wc -w) secrets from Vault ..."
fetchVarsFromVault $VARS_TO_FETCH
return 0
}
assertVarsNotEmpty() {
MISSING_VARS=""
for VAR in $@; do
if [ -z "${!VAR}" ]; then
MISSING_VARS+="$VAR "
fi
done
if [ -n "$MISSING_VARS" ]; then
log "ERROR" "Mandatory variables not defined: $MISSING_VARS"
return 1
fi
return 0
}
##Setting Network properties
export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
export HOST=$(hostname)

42
lib/gitpassword.sh Executable file
View File

@ -0,0 +1,42 @@
#!/bin/bash
if [ "$1" != "get" ]; then
echo "Usage: $0 get"
exit 1
fi
baseDir() {
# see https://stackoverflow.com/questions/59895
SOURCE=${BASH_SOURCE[0]}
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
SOURCE=$(readlink "$SOURCE")
[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
echo $DIR
}
BASE=$(baseDir)
cd $BASE
source lib/functions.sh
assertVarsNotEmpty SITE_ID || exit 1
PARAMS="$(cat)"
GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
fetchVarsFromVault GIT_PASSWORD
if [ -z "${GIT_PASSWORD}" ]; then
log ERROR "Git password not found."
exit 1
fi
cat <<EOF
protocol=https
host=$GITHOST
username=bk-${SITE_ID}
password=${GIT_PASSWORD}
EOF

View File

@ -2,22 +2,13 @@
source lib/functions.sh
checkOwner(){
## Check for file permissions
COUNT=$(find $1 ! -user $2 |wc -l)
if [ $COUNT -gt 0 ]; then
log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
exit 1
fi
}
if ! id "bridgehead" &>/dev/null; then
log ERROR "User bridgehead does not exist. Please consult readme for installation."
exit 1
fi
checkOwner . bridgehead
checkOwner /etc/bridgehead bridgehead
checkOwner . bridgehead || exit 1
checkOwner /etc/bridgehead bridgehead || exit 1
## Check if user is a su
log INFO "Checking if all prerequisites are met ..."

View File

@ -1,10 +1,30 @@
#!/bin/bash
source lib/functions.sh
log "INFO" "Checking for updates of services"
CONFFILE=/etc/bridgehead/$1.conf
if [ ! -e $CONFFILE ]; then
log ERROR "Configuration file $CONFFILE not found."
exit 1
fi
source $CONFFILE
assertVarsNotEmpty SITE_ID || exit 1
export SITE_ID
checkOwner . bridgehead || exit 1
checkOwner /etc/bridgehead bridgehead || exit 1
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
# Check git updates
for DIR in /etc/bridgehead $(pwd); do
log "INFO" "Checking for updates to git repo $DIR ..."
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
log "INFO" "Configuring repo to use bridgehead git credential helper."
git -C $DIR config credential.helper "$CREDHELPER"
fi
old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
git -C $DIR fetch 2>&1
git -C $DIR pull 2>&1
@ -30,6 +50,7 @@ for DIR in /etc/bridgehead $(pwd); do
done
# Check docker updates
log "INFO" "Checking for updates to running docker images ..."
docker_updated="false"
for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
log "INFO" "Checking for Updates of Image: $IMAGE"
@ -41,10 +62,12 @@ done
# If anything is updated, restart service
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
log "INFO" "Due to previous updates now restarting bridgehead"
log "INFO" "Update detected, now restarting bridgehead"
systemctl restart 'bridgehead@*'
else
log "INFO" "Nothing updated, nothing to restart."
fi
log "INFO" "checking updates finished"
exit 0
# TODO: Print last commit explicit