Merge pull request #9 from samply/feature/fetchSecretsFromVault

Auto-fetch sensitive variables from vault.
Torben Brenner 2022-05-13 15:20:00 +02:00 committed by GitHub
commit fbfd7cc428
3 changed files with 48 additions and 0 deletions


@ -46,6 +46,7 @@ source /etc/bridgehead/site.conf
case "$ACTION" in case "$ACTION" in
start) start)
checkRequirements checkRequirements
fetchVarsFromVault /etc/bridgehead/site.conf /etc/bridgehead/$PROJECT.env || exit 1
exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.env up
;; ;;
stop) stop)
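Review bot: The added `fetchVarsFromVault … || exit 1` puts the fetched secrets into this shell's variables, but the very next line still runs docker-compose with `--env-file /etc/bridgehead/$PROJECT.env`, where those same entries are the literal `<VAULT>` placeholders; docker-compose resolves `${VAR}` from the shell environment before the env file, so the real values only win if the fetcher's eval'd output exports them (the fetcher's output format is not visible here — worth confirming). A comment on the added line would save the next reader the same question: `# secrets are eval'd into this shell and must be exported so they override the <VAULT> placeholders in the env file`. The added line also repeats the unquoted `$PROJECT` from the line below; `"/etc/bridgehead/$PROJECT.env"` is the safe spelling. The `case "$ACTION"` block continues past the end of this hunk.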


@ -23,3 +23,43 @@ checkRequirements() {
return 0 return 0
fi fi
} }
fetchVarsFromVault() {
VARS_TO_FETCH=""
for line in $(cat $@); do
if [[ $line =~ .*=\<VAULT\>.* ]]; then
VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
fi
done
if [ -z "$VARS_TO_FETCH" ]; then
return 0
fi
log INFO "Fetching secrets from vault ..."
[ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
log ERROR "Please supply correct credentials in /etc/bridgehead/vault.conf."
return 1
fi
set +e
PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -ti -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
RET=$?
if [ $RET -ne 0 ]; then
echo "Code: $RET"
echo $PASS
return $RET
fi
eval $(echo -e "$PASS" | sed 's/\r//g')
set -e
return 0
}
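Review bot: `eval $(echo -e "$PASS" | sed 's/\r//g')` hands the container's entire stdout to the shell, so any `;`, backtick or `$(…)` inside a secret value — or anything a tampered `samply/bridgehead-vaultfetcher` image chooses to print — executes with the script's privileges, and the caller's `|| exit 1` cannot help because the damage happens inside the eval. If the fetcher emits plain `NAME=VALUE` lines (an assumption to confirm against the image, since the output is currently eval'd), assigning them with `printf -v` and rejecting names outside `$VARS_TO_FETCH` gives the same result without ever interpreting the values. Separately, `docker run --rm -ti` allocates a pseudo-TTY, which is what produces the `\r`s being stripped and which fails outright when stdin is not a terminal (systemd, cron); `-i` alone avoids both. The error path `echo $PASS` also prints whatever the fetcher wrote, which may include partial secret material — print only the exit code, to stderr.

```shell
# Assumes the fetcher prints one NAME=VALUE per line — confirm against samply/bridgehead-vaultfetcher.
PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -i -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
RET=$?
if [ $RET -ne 0 ]; then
  log ERROR "Fetching secrets from vault failed (exit code $RET)."
  return $RET
fi
# Assign the values ourselves instead of eval'ing the container's output.
while IFS= read -r kv; do
  kv=${kv%$'\r'}
  [ -z "$kv" ] && continue
  name=${kv%%=*}
  # Accept only valid identifiers that we actually asked for.
  if ! [[ "$name" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || ! [[ " $VARS_TO_FETCH " == *" $name "* ]]; then
    log ERROR "Unexpected output from vault fetcher for '$name'."
    return 1
  fi
  printf -v "$name" '%s' "${kv#*=}"
  export "$name"   # so the value reaches docker-compose (confirm the eval'd output did the same)
done <<<"$PASS"
# … unchanged: set -e; return 0 …
```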


@ -69,6 +69,13 @@ if [ ! -e "certs/traefik.crt" ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST" openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
fi fi
if [ -e /etc/bridgehead/vault.conf ]; then
if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
exit 1
fi
fi
log INFO "Success - all prerequisites are met!" log INFO "Success - all prerequisites are met!"
exit 0 exit 0
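Review bot: The owner/mode check at `stat -c "%a %U" /etc/bridgehead/vault.conf` is enforced only in this prerequisites script, while `fetchVarsFromVault` in the other file sources `/etc/bridgehead/vault.conf` after nothing more than a `-e` test — so unless `checkRequirements` on the start path runs this script (not visible here), a world-readable credentials file is still used without complaint; repeating the check next to the `source` would close that gap. The exact match also rejects the stricter `400` and any owner other than `bridgehead` (including root), which the error text does not say; if that is intended, state it above the `if`: `# vault.conf holds the Bitwarden credentials: must be exactly 0600 and owned by the bridgehead service user`. The `if [ -e … ]` block closes at its `fi`, but the enclosing script begins before this hunk.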