132 lines
3.1 KiB
Bash
132 lines
3.1 KiB
Bash
#!/bin/sh
|
|
set -eu
|
|
|
|
if ! set -o pipefail 2>/dev/null; then
|
|
:
|
|
fi
|
|
|
|
REPO_ROOT="$(cd "$(dirname "$0")/../../.." && pwd)"
|
|
cd "${REPO_ROOT}"
|
|
|
|
usage() {
|
|
echo "usage: runtime_kv_get.sh kv_get <mount> <path> <field>" >&2
|
|
exit 64
|
|
}
|
|
|
|
[ "${1:-}" = "kv_get" ] || usage
|
|
[ $# -eq 4 ] || usage
|
|
|
|
MOUNT="$2"
|
|
SECRET_PATH="$3"
|
|
FIELD="$4"
|
|
|
|
. ci/scripts/common/runtime_env.sh
|
|
|
|
runtime_env_name="${CI_TARGET_ENV:-${CI_RUNTIME_ENV_NAME:-$(resolve_runtime_env_name)}}"
|
|
vault_source="${CI_VAULT_SOURCE:-runtime}"
|
|
|
|
if [ "${vault_source}" = "external" ] || [ "${runtime_env_name}" != "devserver" ]; then
|
|
exec ./ci/vlt kv_get "${MOUNT}" "${SECRET_PATH}" "${FIELD}"
|
|
fi
|
|
|
|
runtime_file="$(resolve_runtime_env_file "${runtime_env_name}")"
|
|
cleanup_runtime_file=0
|
|
case "${runtime_file}" in
|
|
./.runtime.*.merged.*)
|
|
cleanup_runtime_file=1
|
|
;;
|
|
esac
|
|
|
|
cleanup() {
|
|
if [ "${cleanup_runtime_file}" -eq 1 ]; then
|
|
rm -f "${runtime_file}"
|
|
fi
|
|
}
|
|
trap cleanup EXIT INT TERM
|
|
|
|
normalize_env_file "${runtime_file}"
|
|
load_env_file "${runtime_file}"
|
|
|
|
: "${SSH_USER:?missing SSH_USER}"
|
|
: "${SSH_HOST:?missing SSH_HOST}"
|
|
: "${REMOTE_BASE:?missing REMOTE_BASE}"
|
|
: "${VAULT_DIR:?missing VAULT_DIR}"
|
|
|
|
SSH_KEY_FILE="${SSH_KEY_FILE:-}"
|
|
if [ -z "${SSH_KEY_FILE}" ] || [ ! -f "${SSH_KEY_FILE}" ]; then
|
|
for candidate in /root/.ssh/id_rsa secrets/SSH_KEY; do
|
|
if [ -f "${candidate}" ]; then
|
|
SSH_KEY_FILE="${candidate}"
|
|
break
|
|
fi
|
|
done
|
|
fi
|
|
|
|
if [ -z "${SSH_KEY_FILE}" ] || [ ! -f "${SSH_KEY_FILE}" ]; then
|
|
echo "[runtime-kv-get] ssh key not found; expected /root/.ssh/id_rsa or secrets/SSH_KEY" >&2
|
|
exit 65
|
|
fi
|
|
|
|
b64enc() {
|
|
printf '%s' "$1" | base64 | tr -d '\n'
|
|
}
|
|
|
|
MOUNT_B64="$(b64enc "${MOUNT}")"
|
|
SECRET_PATH_B64="$(b64enc "${SECRET_PATH}")"
|
|
FIELD_B64="$(b64enc "${FIELD}")"
|
|
REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
|
|
|
|
SSH_OPTS="
|
|
-i ${SSH_KEY_FILE}
|
|
-o StrictHostKeyChecking=no
|
|
-o UserKnownHostsFile=/dev/null
|
|
-o LogLevel=ERROR
|
|
-o BatchMode=yes
|
|
-o PreferredAuthentications=publickey
|
|
-o ConnectTimeout=10
|
|
"
|
|
|
|
ssh ${SSH_OPTS} "${REMOTE_TARGET}" \
|
|
REMOTE_BASE="${REMOTE_BASE}" \
|
|
VAULT_DIR="${VAULT_DIR}" \
|
|
MOUNT_B64="${MOUNT_B64}" \
|
|
SECRET_PATH_B64="${SECRET_PATH_B64}" \
|
|
FIELD_B64="${FIELD_B64}" \
|
|
sh -s <<'EOSSH'
|
|
set -eu
|
|
|
|
if printf 'AA==' | base64 -d >/dev/null 2>&1; then
|
|
BASE64_DECODE_FLAG='-d'
|
|
else
|
|
BASE64_DECODE_FLAG='--decode'
|
|
fi
|
|
|
|
decode_b64() {
|
|
printf '%s' "$1" | base64 "${BASE64_DECODE_FLAG}"
|
|
}
|
|
|
|
MOUNT="$(decode_b64 "${MOUNT_B64}")"
|
|
SECRET_PATH="$(decode_b64 "${SECRET_PATH_B64}")"
|
|
FIELD="$(decode_b64 "${FIELD_B64}")"
|
|
INIT_FILE="${REMOTE_BASE%/}/${VAULT_DIR}/env/vault-init.json"
|
|
|
|
if [ ! -s "${INIT_FILE}" ]; then
|
|
echo "[runtime-kv-get] dev vault init file not found: ${INIT_FILE}" >&2
|
|
exit 66
|
|
fi
|
|
|
|
INIT_JSON_COMPACT="$(tr -d '\r\n\t ' <"${INIT_FILE}")"
|
|
ROOT_TOKEN="$(printf '%s' "${INIT_JSON_COMPACT}" | sed -n 's/.*"root_token":"\([^"]*\)".*/\1/p')"
|
|
|
|
if [ -z "${ROOT_TOKEN}" ]; then
|
|
echo "[runtime-kv-get] failed to extract dev vault root token from ${INIT_FILE}" >&2
|
|
exit 67
|
|
fi
|
|
|
|
docker exec \
|
|
-e VAULT_ADDR=http://127.0.0.1:8200 \
|
|
-e VAULT_TOKEN="${ROOT_TOKEN}" \
|
|
dev-vault \
|
|
vault kv get -mount="${MOUNT}" -field="${FIELD}" "${SECRET_PATH}"
|
|
EOSSH
|