nix/docker/vault: update Vault's plugin registry as part of upload

It's possible (and likely) that when we update the Vault image that the SHA256 of the plugin will also change. Automatically update that as the last step of the deploy.
2022-03-06 17:10:58 +00:00 · 2022-03-06 17:10:58 +00:00 · 332d1ca100
commit 332d1ca100
parent 932b47e9e9
1 changed files with 41 additions and 13 deletions
--- a/nix/docker/vault/default.nix
+++ b/nix/docker/vault/default.nix
@ -2,28 +2,25 @@
 #
 # SPDX-License-Identifier: Apache-2.0

-{ pkgs, depot, ... }:
+{ lib, pkgs, depot, ... }:
 let
  vault = pkgs.vault-bin;

  imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
  imageVersion = vault.version;

-  plugins = [
-    depot.nix.pkgs.vault-acme
-  ];
+  plugins = {
+    acme = { pkg = depot.nix.pkgs.vault-acme; type = "secret"; name = "acme"; };
+  };

-  pluginDrv = pkgs.runCommand "vault-plugins" {
-    inherit plugins;
-  } ''
+  pluginDrv = pkgs.runCommand "vault-plugins" {} ''
    mkdir -p $out/libexec/vault

-    for plugin in $plugins; do
-      for f in $plugin/libexec/vault/*; do
-        # Must actually put the file into the directory.
-        cp $f $out/libexec/vault
-      done
-    done
+    ${lib.concatStrings (lib.mapAttrsToList (
+      execName: pluginAttrs: ''
+        cp ${pluginAttrs.pkg}/libexec/vault/${execName} $out/libexec/vault/${execName}
+      ''
+    ) plugins)}
  '';

  container = pkgs.dockerTools.buildImage rec {
@ -39,6 +36,32 @@ let
    plugins = pluginDrv;
  };

+  updateVaultPluginsCmd = pkgs.runCommand "update-vault-plugins" {} ''
+    mkdir -p $out/bin
+
+    cat <<EOF >"$out/bin/update-vault-plugins"
+    #!${pkgs.runtimeShell}
+    set -o errexit
+    set -o nounset
+    set -o pipefail
+
+    export VAULT_ADDR=https://vault.int.lukegb.com/
+
+    vault token lookup >/dev/null || vault login -method=oidc role="admin" skip_browser=true
+
+    ${lib.concatStrings (lib.mapAttrsToList (
+      execName: pluginAttrs: ''
+        echo '${execName}'
+        vault write '/sys/plugins/catalog/${pluginAttrs.type}/${pluginAttrs.name}' command="${execName}" sha256="$(sha256sum '${pluginAttrs.pkg}/libexec/vault/${execName}' | cut -f1 -d' ')"
+      ''
+    ) plugins)}
+    EOF
+    chmod +x "$out/bin/update-vault-plugins"
+
+    ${pkgs.stdenv.shellDryRun} "$out/bin/update-vault-plugins"
+    ${pkgs.shellcheck}/bin/shellcheck "$out/bin/update-vault-plugins"
+  '';
+
  uploadCmd = pkgs.writeShellApplication {
    name = "upload-vault-container";

@ -52,8 +75,13 @@ let
      echo
      echo Switching Cloud Run over
      gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
+
+      echo
+      echo Updating Vault SHA256 for plugins
+      ${updateVaultPluginsCmd}/bin/update-vault-plugins
    '';
  };
 in container // {
  upload = uploadCmd;
+  updateVaultPlugins = updateVaultPluginsCmd;
 }