nix/docker/vault: update Vault's plugin registry as part of upload

It's possible (and likely) that when we update the Vault image, the SHA256
of the plugin will also change.

Automatically update that as the last step of the deploy.
Luke Granger-Brown 2022-03-06 17:10:58 +00:00
parent 932b47e9e9
commit 332d1ca100


@ -2,28 +2,25 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ pkgs, depot, ... }: { lib, pkgs, depot, ... }:
let let
vault = pkgs.vault-bin; vault = pkgs.vault-bin;
imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault"; imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
imageVersion = vault.version; imageVersion = vault.version;
plugins = [ plugins = {
depot.nix.pkgs.vault-acme acme = { pkg = depot.nix.pkgs.vault-acme; type = "secret"; name = "acme"; };
]; };
pluginDrv = pkgs.runCommand "vault-plugins" { pluginDrv = pkgs.runCommand "vault-plugins" {} ''
inherit plugins;
} ''
mkdir -p $out/libexec/vault mkdir -p $out/libexec/vault
for plugin in $plugins; do ${lib.concatStrings (lib.mapAttrsToList (
for f in $plugin/libexec/vault/*; do execName: pluginAttrs: ''
# Must actually put the file into the directory. cp ${pluginAttrs.pkg}/libexec/vault/${execName} $out/libexec/vault/${execName}
cp $f $out/libexec/vault ''
done ) plugins)}
done
''; '';
container = pkgs.dockerTools.buildImage rec { container = pkgs.dockerTools.buildImage rec {
@ -39,6 +36,32 @@ let
plugins = pluginDrv; plugins = pluginDrv;
}; };
updateVaultPluginsCmd = pkgs.runCommand "update-vault-plugins" {} ''
mkdir -p $out/bin
cat <<EOF >"$out/bin/update-vault-plugins"
#!${pkgs.runtimeShell}
set -o errexit
set -o nounset
set -o pipefail
export VAULT_ADDR=https://vault.int.lukegb.com/
vault token lookup >/dev/null || vault login -method=oidc role="admin" skip_browser=true
${lib.concatStrings (lib.mapAttrsToList (
execName: pluginAttrs: ''
echo '${execName}'
vault write '/sys/plugins/catalog/${pluginAttrs.type}/${pluginAttrs.name}' command="${execName}" sha256="$(sha256sum '${pluginAttrs.pkg}/libexec/vault/${execName}' | cut -f1 -d' ')"
''
) plugins)}
EOF
chmod +x "$out/bin/update-vault-plugins"
${pkgs.stdenv.shellDryRun} "$out/bin/update-vault-plugins"
${pkgs.shellcheck}/bin/shellcheck "$out/bin/update-vault-plugins"
'';
uploadCmd = pkgs.writeShellApplication { uploadCmd = pkgs.writeShellApplication {
name = "upload-vault-container"; name = "upload-vault-container";
@ -52,8 +75,13 @@ let
echo echo
echo Switching Cloud Run over echo Switching Cloud Run over
gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
echo
echo Updating Vault SHA256 for plugins
${updateVaultPluginsCmd}/bin/update-vault-plugins
''; '';
}; };
in container // { in container // {
upload = uploadCmd; upload = uploadCmd;
updateVaultPlugins = updateVaultPluginsCmd;
} }
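Review bot: The new update-vault-plugins step only runs after the `gcloud … run deploy` line in the last hunk has already switched traffic, and the `vault token lookup` guard in the generated script proves only that a token exists, not that it may write `sys/plugins/catalog`; if the subsequent `vault write` fails under `errexit`, the new image is live with a stale catalog hash and plugin mounts keep failing their checksum until someone reruns `updateVaultPlugins` by hand. Consider gating the login on `vault token capabilities sys/plugins/catalog/secret/acme` instead of on lookup succeeding, or at least stating in a comment that the script is idempotent and safe to rerun after a partial deploy. Separately, because the heredoc delimiter `EOF` is unquoted, the `$(sha256sum …)` substitution on the `vault write` line is evaluated inside the runCommand sandbox at build time and the hash is embedded in the generated script as a literal — correct, but worth a comment such as `# sha256 is computed at build time from the store path and baked in as a literal` above that line so a reader does not assume it is recomputed at deploy time. The first hunk also narrows the plugin copy from every file under `libexec/vault/` to `libexec/vault/${execName}`, which presumably matches the vault-acme binary name; a mismatch would surface as a `cp` failure at build time rather than at deploy, so that is acceptable but could be noted next to the `plugins` attrset.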