Auto-decrypt kubeconfig when loading secrets
This commit is contained in:
parent
b38951b75a
commit
281fffbe4f
1 changed files with 28 additions and 1 deletions
|
|
@ -7,6 +7,8 @@ set -euo pipefail
|
|||
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
SECRETS_FILE="${SECRETS_FILE:-$ROOT_DIR/creds/secrets.env}"
|
||||
ENCRYPTED_FILE="${ENCRYPTED_FILE:-$ROOT_DIR/creds/secrets.enc.env}"
|
||||
KUBECONFIG_FILE="${KUBECONFIG_FILE:-$ROOT_DIR/creds/kubeconfig.yaml}"
|
||||
KUBECONFIG_ENC_FILE="${KUBECONFIG_ENC_FILE:-$ROOT_DIR/creds/kubeconfig.enc.yaml}"
|
||||
|
||||
ensure_decrypted() {
|
||||
if [[ -f "$SECRETS_FILE" ]]; then
|
||||
|
|
@ -24,8 +26,33 @@ ensure_decrypted() {
|
|||
}
|
||||
|
||||
ensure_decrypted || exit 0
|
||||
|
||||
echo "Loading secrets from $SECRETS_FILE"
|
||||
|
||||
set -a
|
||||
source "$SECRETS_FILE"
|
||||
set +a
|
||||
|
||||
ensure_kubeconfig() {
|
||||
# If user already set KUBECONFIG, respect it.
|
||||
if [[ -n "${KUBECONFIG:-}" ]]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [[ -f "$KUBECONFIG_FILE" ]]; then
|
||||
export KUBECONFIG="$KUBECONFIG_FILE"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [[ -f "$KUBECONFIG_ENC_FILE" ]]; then
|
||||
if command -v sops >/dev/null 2>&1; then
|
||||
echo "Decrypting $KUBECONFIG_ENC_FILE -> $KUBECONFIG_FILE"
|
||||
sops -d "$KUBECONFIG_ENC_FILE" >"$KUBECONFIG_FILE"
|
||||
export KUBECONFIG="$KUBECONFIG_FILE"
|
||||
else
|
||||
echo "sops not found and kubeconfig is missing. Install sops or set KUBECONFIG manually." >&2
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
ensure_kubeconfig || true
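Review bot: The decrypt step `sops -d "$KUBECONFIG_ENC_FILE" >"$KUBECONFIG_FILE"` writes the cleartext kubeconfig with whatever umask the caller has (typically world-readable) and does not check that sops succeeded; because ensure_kubeconfig is invoked as `ensure_kubeconfig || true`, `set -e` is suspended inside it, so a failed decrypt still exports KUBECONFIG pointing at an empty or partial file. Worse, the `-f "$KUBECONFIG_FILE"` guard at the top of the function will accept that leftover on every later run, so the decrypt is never retried until someone deletes the file by hand. Decrypt into a mktemp sibling (created 0600) and move it over the target only when sops exits 0, returning 1 otherwise so the existing error path is taken; the rest of the function can stay as it is. If this script is meant to be sourced, note also that `ensure_decrypted || exit 0` earlier in the file would terminate the caller's shell rather than the script — that line is from a hunk whose surrounding function starts outside this view.
```shell
  if [[ -f "$KUBECONFIG_ENC_FILE" ]]; then
    if command -v sops >/dev/null 2>&1; then
      echo "Decrypting $KUBECONFIG_ENC_FILE -> $KUBECONFIG_FILE"
      # mktemp creates the file 0600; only replace the target on success so a
      # failed or interrupted decrypt never leaves a readable or partial kubeconfig.
      local tmp
      tmp="$(mktemp "${KUBECONFIG_FILE}.XXXXXX")" || return 1
      if sops -d "$KUBECONFIG_ENC_FILE" >"$tmp"; then
        mv -f -- "$tmp" "$KUBECONFIG_FILE"
        export KUBECONFIG="$KUBECONFIG_FILE"
      else
        rm -f -- "$tmp"
        echo "Failed to decrypt $KUBECONFIG_ENC_FILE" >&2
        return 1
      fi
    else
      # … unchanged: sops-not-found message and return 1 …
```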
|
||||
|