verbis-admin/bridgehead
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9 from samply/feature/fetchSecretsFromVault

Browse Source 
Auto-fetch sensitive variables from vault.
This commit is contained in:
Torben Brenner
2022-05-13 15:20:00 +02:00
committed by GitHub
parent 14b3f2d61b f510b1d0cb
commit fbfd7cc428
3 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
bridgehead
View File

@@ -46,6 +46,7 @@ source /etc/bridgehead/site.conf
case "$ACTION" in
start)
checkRequirements
fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env || exit 1
exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up
;;
stop)

40
lib/functions.sh
View File

@@ -23,3 +23,43 @@ checkRequirements() {
return 0
fi
}
fetchVarsFromVault() {
VARS_TO_FETCH=""
for line in $(cat $@); do
if [[ $line =~ .*=\<VAULT\>.* ]]; then
VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
fi
done
if [ -z "$VARS_TO_FETCH" ]; then
return 0
fi
log INFO "Fetching secrets from vault ..."
[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
log ERROR "Please supply correct credentials in /etc/bridgehead/vault.conf."
return 1
fi
set +e
PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
RET=$?
if [ $RET -ne 0 ]; then
echo "Code: $RET"
echo $PASS
return $RET
fi
eval $(echo -e "$PASS" | sed 's/\r//g')
set -e
return 0
}

7
lib/prerequisites.sh
View File

@@ -69,6 +69,13 @@ if [ ! -e "certs/traefik.crt" ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
fi
if [ -e /etc/bridgehead/vault.conf ]; then
if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
exit 1
fi
fi
log INFO "Success - all prerequisites are met!"
exit 0