tech/sendico
2
0
Fork 0
Code Issues 22 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
main
sendico/ci/vlt
Stephan D 86fcb9d82f
Some checks failed
ci/woodpecker/push/db Pipeline failed
Details
fixed multiline secret handling
2025-11-07 02:04:12 +01:00

69 lines
2.1 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# Minimal Vault helper for CI steps (AppRole login + KVv2 reads).
# Requires: curl, sed. Uses VAULT_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID from env.
set -euo pipefail
: "${VAULT_ADDR:?missing VAULT_ADDR}"
VAULT_TOKEN_FILE="${VAULT_TOKEN_FILE:-.vault_token}"
log(){ printf '[vlt] %s\n' "$*" >&2; }
login() {
: "${VAULT_ROLE_ID:?missing VAULT_ROLE_ID}"
: "${VAULT_SECRET_ID:?missing VAULT_SECRET_ID}"
log "login approle"
resp="$(curl -sfS -X POST -H 'Content-Type: application/json' \
--connect-timeout 5 --max-time 20 \
-d "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
"${VAULT_ADDR%/}/v1/auth/approle/login")"
token="$(printf '%s' "$resp" | sed -n 's/.*"client_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
[ -n "$token" ] || { echo "login failed" >&2; exit 1; }
printf '%s' "$token" > "$VAULT_TOKEN_FILE"
}
ensure_token() {
if [ -s "$VAULT_TOKEN_FILE" ]; then
VAULT_TOKEN="$(cat "$VAULT_TOKEN_FILE")"
else
login
VAULT_TOKEN="$(cat "$VAULT_TOKEN_FILE")"
fi
}
# kv_get <mount> <path> <field> (KV v2)
kv_get() {
mount="$1"; path="$2"; field="$3"
ensure_token
url="${VAULT_ADDR%/}/v1/${mount}/data/${path}"
resp="$(curl -sfS --connect-timeout 5 --max-time 20 -H "X-Vault-Token: ${VAULT_TOKEN}" "$url")"
RESP="$resp" python3 - "$field" <<'PY'
import json, os, sys
field = sys.argv[1]
resp = os.environ.get("RESP", "")
try:
data = json.loads(resp)
value = data["data"]["data"][field]
except (KeyError, TypeError, json.JSONDecodeError):
print(f"field not found or invalid JSON", file=sys.stderr)
sys.exit(2)
sys.stdout.write(value)
PY
}
# kv_to_file <mount> <path> <field> <dest> [mode]
kv_to_file() {
mount="$1"; path="$2"; field="$3"; dest="$4"; mode="${5:-600}"
tmp="$(mktemp)"
kv_get "$mount" "$path" "$field" > "$tmp"
install -m "$mode" "$tmp" "$dest"
rm -f "$tmp"
log "wrote $dest"
}
case "${1:-}" in
login) shift; login "$@";;
kv_get) shift; kv_get "$@";;
kv_to_file) shift; kv_to_file "$@";;
*) echo "usage: vlt {login|kv_get|kv_to_file} ..." >&2; exit 64;;
esac
Reference in New Issue View Git Blame Copy Permalink