131 lines
4.8 KiB
Bash
Executable File
131 lines
4.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
vault_addr="${VAULT_ADDR:-http://vault.vault.svc.cluster.local:8200}"
|
|
vault_role="${VAULT_ROLE:-finance-secrets}"
|
|
jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
|
|
login_payload="$(jq -nc --arg jwt "${jwt}" --arg role "${vault_role}" '{jwt:$jwt, role:$role}')"
|
|
vault_token="$(curl -sS --request POST --data "${login_payload}" \
|
|
"${vault_addr}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
|
|
if [ -z "${vault_token}" ] || [ "${vault_token}" = "null" ]; then
|
|
echo "vault login failed" >&2
|
|
exit 1
|
|
fi
|
|
|
|
read_secret() {
|
|
path="$1"
|
|
if [ -f "${path}" ]; then
|
|
cat "${path}"
|
|
fi
|
|
}
|
|
|
|
require_value() {
|
|
label="$1"
|
|
value="$2"
|
|
if [ -z "${value}" ]; then
|
|
echo "missing ${label}" >&2
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
vault_read() {
|
|
path="$1"
|
|
key="$2"
|
|
curl -sS -H "X-Vault-Token: ${vault_token}" \
|
|
"${vault_addr}/v1/kv/data/atlas/${path}" 2>/dev/null | \
|
|
jq -r --arg key "${key}" '.data.data[$key] // empty' 2>/dev/null || true
|
|
}
|
|
|
|
vault_write_json() {
|
|
path="$1"
|
|
payload="$2"
|
|
curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
|
|
-d "${payload}" "${vault_addr}/v1/kv/data/atlas/${path}" >/dev/null
|
|
}
|
|
|
|
firefly_db_host="$(read_secret /secrets/firefly-db/DB_HOST)"
|
|
if [ -z "${firefly_db_host}" ]; then
|
|
firefly_db_host="$(read_secret /secrets/firefly-db/DB_HOSTNAME)"
|
|
fi
|
|
firefly_db_port="$(read_secret /secrets/firefly-db/DB_PORT)"
|
|
firefly_db_name="$(read_secret /secrets/firefly-db/DB_DATABASE)"
|
|
if [ -z "${firefly_db_name}" ]; then
|
|
firefly_db_name="$(read_secret /secrets/firefly-db/DB_NAME)"
|
|
fi
|
|
firefly_db_user="$(read_secret /secrets/firefly-db/DB_USERNAME)"
|
|
if [ -z "${firefly_db_user}" ]; then
|
|
firefly_db_user="$(read_secret /secrets/firefly-db/DB_USER)"
|
|
fi
|
|
firefly_db_pass="$(read_secret /secrets/firefly-db/DB_PASSWORD)"
|
|
if [ -z "${firefly_db_pass}" ]; then
|
|
firefly_db_pass="$(read_secret /secrets/firefly-db/DB_PASS)"
|
|
fi
|
|
|
|
require_value "firefly-db/DB_HOST" "${firefly_db_host}"
|
|
require_value "firefly-db/DB_PORT" "${firefly_db_port}"
|
|
require_value "firefly-db/DB_DATABASE" "${firefly_db_name}"
|
|
require_value "firefly-db/DB_USERNAME" "${firefly_db_user}"
|
|
require_value "firefly-db/DB_PASSWORD" "${firefly_db_pass}"
|
|
|
|
firefly_payload="$(jq -nc \
|
|
--arg host "${firefly_db_host}" \
|
|
--arg port "${firefly_db_port}" \
|
|
--arg db "${firefly_db_name}" \
|
|
--arg user "${firefly_db_user}" \
|
|
--arg pass "${firefly_db_pass}" \
|
|
'{data:{DB_HOST:$host, DB_PORT:$port, DB_DATABASE:$db, DB_USERNAME:$user, DB_PASSWORD:$pass}}')"
|
|
vault_write_json "finance/firefly-db" "${firefly_payload}"
|
|
|
|
app_key="$(vault_read "finance/firefly-secrets" "APP_KEY")"
|
|
if [ -z "${app_key}" ]; then
|
|
app_key="base64:$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
|
|
fi
|
|
cron_token="$(vault_read "finance/firefly-secrets" "STATIC_CRON_TOKEN")"
|
|
if [ -z "${cron_token}" ]; then
|
|
cron_token="$(head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '=')"
|
|
fi
|
|
firefly_secret_payload="$(jq -nc \
|
|
--arg app_key "${app_key}" \
|
|
--arg cron "${cron_token}" \
|
|
'{data:{APP_KEY:$app_key, STATIC_CRON_TOKEN:$cron}}')"
|
|
vault_write_json "finance/firefly-secrets" "${firefly_secret_payload}"
|
|
|
|
if [ -d /secrets/actualbudget-db ]; then
|
|
actual_db_host="$(read_secret /secrets/actualbudget-db/DB_HOST)"
|
|
if [ -z "${actual_db_host}" ]; then
|
|
actual_db_host="$(read_secret /secrets/actualbudget-db/DB_HOSTNAME)"
|
|
fi
|
|
actual_db_port="$(read_secret /secrets/actualbudget-db/DB_PORT)"
|
|
actual_db_name="$(read_secret /secrets/actualbudget-db/DB_DATABASE)"
|
|
if [ -z "${actual_db_name}" ]; then
|
|
actual_db_name="$(read_secret /secrets/actualbudget-db/DB_NAME)"
|
|
fi
|
|
actual_db_user="$(read_secret /secrets/actualbudget-db/DB_USERNAME)"
|
|
if [ -z "${actual_db_user}" ]; then
|
|
actual_db_user="$(read_secret /secrets/actualbudget-db/DB_USER)"
|
|
fi
|
|
actual_db_pass="$(read_secret /secrets/actualbudget-db/DB_PASSWORD)"
|
|
if [ -z "${actual_db_pass}" ]; then
|
|
actual_db_pass="$(read_secret /secrets/actualbudget-db/DB_PASS)"
|
|
fi
|
|
|
|
if [ -n "${actual_db_host}${actual_db_port}${actual_db_name}${actual_db_user}${actual_db_pass}" ]; then
|
|
require_value "actualbudget-db/DB_HOST" "${actual_db_host}"
|
|
require_value "actualbudget-db/DB_PORT" "${actual_db_port}"
|
|
require_value "actualbudget-db/DB_DATABASE" "${actual_db_name}"
|
|
require_value "actualbudget-db/DB_USERNAME" "${actual_db_user}"
|
|
require_value "actualbudget-db/DB_PASSWORD" "${actual_db_pass}"
|
|
|
|
actual_payload="$(jq -nc \
|
|
--arg host "${actual_db_host}" \
|
|
--arg port "${actual_db_port}" \
|
|
--arg db "${actual_db_name}" \
|
|
--arg user "${actual_db_user}" \
|
|
--arg pass "${actual_db_pass}" \
|
|
'{data:{DB_HOST:$host, DB_PORT:$port, DB_DATABASE:$db, DB_USERNAME:$user, DB_PASSWORD:$pass}}')"
|
|
vault_write_json "finance/actual-db" "${actual_payload}"
|
|
else
|
|
echo "actualbudget-db secret empty; skipping actual-db vault write" >&2
|
|
fi
|
|
fi
|