From 332d1ca1002b1642343a17bc7aba0d6287735986 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 6 Mar 2022 17:10:58 +0000
Subject: [PATCH] nix/docker/vault: update Vault's plugin registry as part of upload

It's possible (and likely) that when we update the Vault image that the SHA256 of the plugin will also change. Automatically update that as the last step of the deploy.
---
 nix/docker/vault/default.nix | 54 +++++++++++++++++++++++++++---------
 1 file changed, 41 insertions(+), 13 deletions(-)

diff --git a/nix/docker/vault/default.nix b/nix/docker/vault/default.nix
index e1a5fdce2a..24741fccda 100644
--- a/nix/docker/vault/default.nix
+++ b/nix/docker/vault/default.nix
@@ -2,28 +2,25 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ pkgs, depot, ... }:
+{ lib, pkgs, depot, ... }:
 let
 vault = pkgs.vault-bin;
 imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
 imageVersion = vault.version;
- plugins = [
- depot.nix.pkgs.vault-acme
- ];
+ plugins = {
+ acme = { pkg = depot.nix.pkgs.vault-acme; type = "secret"; name = "acme"; };
+ };
- pluginDrv = pkgs.runCommand "vault-plugins" {
- inherit plugins;
- } ''
+ pluginDrv = pkgs.runCommand "vault-plugins" {} ''
 mkdir -p $out/libexec/vault
- for plugin in $plugins; do
- for f in $plugin/libexec/vault/*; do
- # Must actually put the file into the directory.
- cp $f $out/libexec/vault
- done
- done
+ ${lib.concatStrings (lib.mapAttrsToList (
+ execName: pluginAttrs: ''
+ cp ${pluginAttrs.pkg}/libexec/vault/${execName} $out/libexec/vault/${execName}
+ ''
+ ) plugins)}
 '';
 container = pkgs.dockerTools.buildImage rec {
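Review bot: The new `plugins` attribute set overloads its attribute key: `acme` is the executable file name that the `cp` line looks up under `${pluginAttrs.pkg}/libexec/vault`, while the separate `name = "acme"` is a different thing (the catalog entry name used by updateVaultPluginsCmd later in this patch), and nothing in the hunk says which is which. A comment above `plugins =` such as `# key: executable under <pkg>/libexec/vault (also the catalog command); type/name: Vault plugin catalog type and entry name` would stop the next plugin from being added with the two swapped. The `let` binding and the `container` definition continue outside the hunk.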
@@ -39,6 +36,32 @@ let
 plugins = pluginDrv;
 };
+ updateVaultPluginsCmd = pkgs.runCommand "update-vault-plugins" {} ''
+ mkdir -p $out/bin
+
+ cat <"$out/bin/update-vault-plugins"
+ #!${pkgs.runtimeShell}
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+
+ export VAULT_ADDR=https://vault.int.lukegb.com/
+
+ vault token lookup >/dev/null || vault login -method=oidc role="admin" skip_browser=true
+
+ ${lib.concatStrings (lib.mapAttrsToList (
+ execName: pluginAttrs: ''
+ echo '${execName}'
+ vault write '/sys/plugins/catalog/${pluginAttrs.type}/${pluginAttrs.name}' command="${execName}" sha256="$(sha256sum '${pluginAttrs.pkg}/libexec/vault/${execName}' | cut -f1 -d' ')"
+ ''
+ ) plugins)}
+ EOF
+ chmod +x "$out/bin/update-vault-plugins"
+
+ ${pkgs.stdenv.shellDryRun} "$out/bin/update-vault-plugins"
+ ${pkgs.shellcheck}/bin/shellcheck "$out/bin/update-vault-plugins"
+ '';
+
 uploadCmd = pkgs.writeShellApplication {
 name = "upload-vault-container";
@@ -52,8 +75,13 @@ let
 echo
 echo Switching Cloud Run over
 gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
+
+ echo
+ echo Updating Vault SHA256 for plugins
+ ${updateVaultPluginsCmd}/bin/update-vault-plugins
 '';
 };
 in container // {
 upload = uploadCmd;
+ updateVaultPlugins = updateVaultPluginsCmd;
 }
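Review bot: The generated update-vault-plugins script calls `vault`, `sha256sum` and `cut` by bare name under `#!${pkgs.runtimeShell}` with no PATH set, so the hash that ends up in the catalog and the CLI that writes it come from whatever the operator happens to have installed, whereas the adjacent `uploadCmd` goes through `pkgs.writeShellApplication`, which pins its runtime inputs; building this wrapper the same way, or adding `export PATH=${lib.makeBinPath [ vault pkgs.coreutils ]}:$PATH` after the `set -o` lines, would tie both to the same `vault-bin` the image is built from. Whether that `sha256sum` is evaluated once at build time or on every run depends on whether the here-document delimiter is quoted, and this rendering has lost that part of the line (`cat <"$out/bin/update-vault-plugins"` … `EOF`); a short comment above the `cat` stating which is intended would spare the next reader that guess. The login fallback uses the `admin` OIDC role although the only write the script performs is `vault write '/sys/plugins/catalog/secret/acme' …`; if a role whose policy is limited to updating `sys/plugins/catalog/*` exists, naming it here keeps the deploy credential least-privilege. The `uploadCmd` definition that follows continues outside the hunk.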
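Review bot: The catalog update now runs only after `gcloud run deploy` has already switched Cloud Run to the new image, so instances of the new revision come up while the catalog still holds the previous SHA256 and, as far as I know, Vault refuses to launch a plugin binary whose hash does not match its catalog entry; moving the three added `echo`/`${updateVaultPluginsCmd}/bin/update-vault-plugins` lines ahead of the `echo Switching Cloud Run over` step means the stale hash can only affect the outgoing revision, whose plugin is already running. If the current order is deliberate (for example because the old revision could still start fresh instances during the switch), a one-line comment above `echo Updating Vault SHA256 for plugins` saying so would help. The `uploadCmd` script text begins outside the hunk.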