#!/usr/bin/env bash set -euo pipefail vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}" vault_role="${VAULT_ROLE:-finance-secrets}" jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')" vault_token="$(curl -sS --request POST --data "${login_payload}" \ "${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then echo "vault login failed" >&2 exit 1 fi read_secret() { path="$1" if [ -f "${path}" ]; then cat "${path}" fi } require_value() { label="$1" value="$2" if [ -z "${value}" ]; then echo "missing ${label}" >&2 exit 1 fi } vault_read() { path="$1" key="$2" curl -sS -H "X-Vault-Token: ${vault_token}" \ "${vault_addr}/v1/kv/data/atlas/${path}" 2>/dev/null | \ jq -r --arg key "${key}" '.data.data[$key] // empty' 2>/dev/null || true } vault_write_json() { path="$1" payload="$2" curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \ -d "${payload}" "${vault_addr}/v1/kv/data/atlas/${path}" >/dev/null } firefly_db_host="$(read_secret /secrets/firefly-db/DB_HOST)" if [ -z "${firefly_db_host}" ]; then firefly_db_host="$(read_secret /secrets/firefly-db/DB_HOSTNAME)" fi firefly_db_port="$(read_secret /secrets/firefly-db/DB_PORT)" firefly_db_name="$(read_secret /secrets/firefly-db/DB_DATABASE)" if [ -z "${firefly_db_name}" ]; then firefly_db_name="$(read_secret /secrets/firefly-db/DB_NAME)" fi firefly_db_user="$(read_secret /secrets/firefly-db/DB_USERNAME)" if [ -z "${firefly_db_user}" ]; then firefly_db_user="$(read_secret /secrets/firefly-db/DB_USER)" fi firefly_db_pass="$(read_secret /secrets/firefly-db/DB_PASSWORD)" if [ -z "${firefly_db_pass}" ]; then firefly_db_pass="$(read_secret /secrets/firefly-db/DB_PASS)" fi require_value "firefly-db/DB_HOST" "${firefly_db_host}" require_value "firefly-db/DB_PORT" "${firefly_db_port}" require_value "firefly-db/DB_DATABASE" "${firefly_db_name}" require_value "firefly-db/DB_USERNAME" "${firefly_db_user}" require_value "firefly-db/DB_PASSWORD" "${firefly_db_pass}" firefly_payload="$(jq -nc \ --arg host "${firefly_db_host}" \ --arg port "${firefly_db_port}" \ --arg db "${firefly_db_name}" \ --arg user "${firefly_db_user}" \ --arg pass "${firefly_db_pass}" \ '{data:{DB_HOST:$host, DB_PORT:$port, DB_DATABASE:$db, DB_USERNAME:$user, DB_PASSWORD:$pass}}')" vault_write_json "finance/firefly-db" "${firefly_payload}" app_key="$(vault_read "finance/firefly-secrets" "APP_KEY")" if [ -z "${app_key}" ]; then app_key="base64:$(head -c 32 /dev/urandom | base64 | tr -d '\n')" fi cron_token="$(vault_read "finance/firefly-secrets" "STATIC_CRON_TOKEN")" if [ -z "${cron_token}" ]; then cron_token="$(head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')" fi firefly_secret_payload="$(jq -nc \ --arg app_key "${app_key}" \ --arg cron "${cron_token}" \ '{data:{APP_KEY:$app_key, STATIC_CRON_TOKEN:$cron}}')" vault_write_json "finance/firefly-secrets" "${firefly_secret_payload}" if [ -d /secrets/actualbudget-db ]; then actual_db_host="$(read_secret /secrets/actualbudget-db/DB_HOST)" if [ -z "${actual_db_host}" ]; then actual_db_host="$(read_secret /secrets/actualbudget-db/DB_HOSTNAME)" fi actual_db_port="$(read_secret /secrets/actualbudget-db/DB_PORT)" actual_db_name="$(read_secret /secrets/actualbudget-db/DB_DATABASE)" if [ -z "${actual_db_name}" ]; then actual_db_name="$(read_secret /secrets/actualbudget-db/DB_NAME)" fi actual_db_user="$(read_secret /secrets/actualbudget-db/DB_USERNAME)" if [ -z "${actual_db_user}" ]; then actual_db_user="$(read_secret /secrets/actualbudget-db/DB_USER)" fi actual_db_pass="$(read_secret /secrets/actualbudget-db/DB_PASSWORD)" if [ -z "${actual_db_pass}" ]; then actual_db_pass="$(read_secret /secrets/actualbudget-db/DB_PASS)" fi if [ -n "${actual_db_host}${actual_db_port}${actual_db_name}${actual_db_user}${actual_db_pass}" ]; then require_value "actualbudget-db/DB_HOST" "${actual_db_host}" require_value "actualbudget-db/DB_PORT" "${actual_db_port}" require_value "actualbudget-db/DB_DATABASE" "${actual_db_name}" require_value "actualbudget-db/DB_USERNAME" "${actual_db_user}" require_value "actualbudget-db/DB_PASSWORD" "${actual_db_pass}" actual_payload="$(jq -nc \ --arg host "${actual_db_host}" \ --arg port "${actual_db_port}" \ --arg db "${actual_db_name}" \ --arg user "${actual_db_user}" \ --arg pass "${actual_db_pass}" \ '{data:{DB_HOST:$host, DB_PORT:$port, DB_DATABASE:$db, DB_USERNAME:$user, DB_PASSWORD:$pass}}')" vault_write_json "finance/actual-db" "${actual_payload}" else echo "actualbudget-db secret empty; skipping actual-db vault write" >&2 fi fi