From 545f5bce219fe63ab2d3c4e6a5f2b263fd888055 Mon Sep 17 00:00:00 2001 From: LeeW Date: Thu, 13 Feb 2025 16:34:41 +0100 Subject: [PATCH] refactor - consolidate all non-function code --- bin/update_sops.sh | 126 +++++++++++++++++++++++---------------------- 1 file changed, 64 insertions(+), 62 deletions(-) diff --git a/bin/update_sops.sh b/bin/update_sops.sh index 9ee53d0..57f016c 100755 --- a/bin/update_sops.sh +++ b/bin/update_sops.sh 
@@ -2,68 +2,6 @@ # Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
 set -euo pipefail
-# "anchor" for actions relevant to this script
-repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"
-# OPTIONS: ARGPARSING and VALIDATION
-# assume location of script as running directly from repo with keys (instead of as a standalone packaged tool)
-keyfiles_dir="${repo_root}"
-# assume location of secrets config file in pwd
-sops_config_dir="${PWD}"
-# path to role definitions
-roles_def_dir="${repo_root}/roles"
-# optional:
-opt_list_roles=0
-# optional: specify "roles"
-roles_list=()
-# optional: secrets files to be updated
-secrets_file_list=()
-
-while (( $# >= 1 ));do
- cur="${1}";
- case $cur in
- # ARGS: print this help
- -h|--help) echo "# ARGUMENTS:"; grep -A 1 '# ARGS:' "${BASH_SOURCE[0]}"; exit 0 ;;
- # ARGS: dir containing gpg keyfiles
- -k|--key|--keyfiles) keyfiles_dir="${2}"; shift ;;
- # ARGS: dir containing .sops.yaml (sops config file)
- -c|--config_dir) sops_config_dir="${2}"; shift ;;
- # ARGS: [optional] show list of roles and exit
- -lr|--list_roles) opt_list_roles=1 ;;
- # ARGS: [optional] [list] specify "roles" which correspond to e.g. job roles, projects, etc
- -r|--role) roles_list+=( "${2}" ); shift ;;
- # ARGS: [optional] [list] specify files containing sops-encrypted secrets
- -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
- # ARGS: [optional] [list] specify files containing sops-encrypted secrets
- *) secrets_file_list+=( "${cur}" )
- esac
- shift;
-done
-
-# Resolve Parameters
-# ... i.e. combine,override,etc options which interact
-if [[ "${#roles_list[@]}" -eq 1 ]]; then
- # simply change keyfiles_dir to the "roles" dir
- keyfiles_dir="${roles_def_dir}/${roles_list[0]}"
-elif [[ "${#roles_list[@]}" -gt 1 ]]; then
- >&2 echo "# ERROR: only specify one role"
- exit 1
-fi
-
-# VALIDATE INPUTS
-keyfiles_dir="$(realpath "${keyfiles_dir}")"
-test -d "${keyfiles_dir}" || (echo "E: specify dir containing keyfiles; invalid dir: '${keyfiles_dir}'" && exit 1)
-sops_config_dir="$(realpath "${sops_config_dir}")"
-test -d "${sops_config_dir}" || (echo "E: specify dir containing .sops.yaml, invalid dir: '${sops_config_dir}'" && exit 1)
-sops_config="${sops_config_dir}/.sops.yaml"
-# create it! # test -e "${sops_config}" || (echo "E: could not locate .sops.yaml, tried ${sops_config}" && exit 1)
-if [[ "${#secrets_file_list[@]}" != "0" ]]; then
- for secrets_file in "${secrets_file_list[@]}"; do
- test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1)
- done
-fi
-# /VALIDATE INPUTS
-# /OPTIONS: ARGPARSING and VALIDATION
-
 function fn_gpg_extract_fpr(){
 gpgkeyfile=$1;shift;
 # fingerprint
@@ -175,6 +113,68 @@ fn_sops_updatekeys_and_verify(){
 GPG_TTY=$(tty) sops -d "${sops_enc_file}"
 }
+# "anchor" for actions relevant to this script
+repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"
+# OPTIONS: ARGPARSING and VALIDATION
+# assume location of script as running directly from repo with keys (instead of as a standalone packaged tool)
+keyfiles_dir="${repo_root}"
+# assume location of secrets config file in pwd
+sops_config_dir="${PWD}"
+# path to role definitions
+roles_def_dir="${repo_root}/roles"
+# optional:
+opt_list_roles=0
+# optional: specify "roles"
+roles_list=()
+# optional: secrets files to be updated
+secrets_file_list=()
+
+while (( $# >= 1 ));do
+ cur="${1}";
+ case $cur in
+ # ARGS: print this help
+ -h|--help) echo "# ARGUMENTS:"; grep -A 1 '# ARGS:' "${BASH_SOURCE[0]}"; exit 0 ;;
+ # ARGS: dir containing gpg keyfiles
+ -k|--key|--keyfiles) keyfiles_dir="${2}"; shift ;;
+ # ARGS: dir containing .sops.yaml (sops config file)
+ -c|--config_dir) sops_config_dir="${2}"; shift ;;
+ # ARGS: [optional] show list of roles and exit
+ -lr|--list_roles) opt_list_roles=1 ;;
+ # ARGS: [optional] [list] specify "roles" which correspond to e.g. job roles, projects, etc
+ -r|--role) roles_list+=( "${2}" ); shift ;;
+ # ARGS: [optional] [list] specify files containing sops-encrypted secrets
+ -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
+ # ARGS: [optional] [list] specify files containing sops-encrypted secrets
+ *) secrets_file_list+=( "${cur}" )
+ esac
+ shift;
+done
+
+# Resolve Parameters
+# ... i.e. combine,override,etc options which interact
+if [[ "${#roles_list[@]}" -eq 1 ]]; then
+ # simply change keyfiles_dir to the "roles" dir
+ keyfiles_dir="${roles_def_dir}/${roles_list[0]}"
+elif [[ "${#roles_list[@]}" -gt 1 ]]; then
+ >&2 echo "# ERROR: only specify one role"
+ exit 1
+fi
+
+# VALIDATE INPUTS
+keyfiles_dir="$(realpath "${keyfiles_dir}")"
+test -d "${keyfiles_dir}" || (echo "E: specify dir containing keyfiles; invalid dir: '${keyfiles_dir}'" && exit 1)
+sops_config_dir="$(realpath "${sops_config_dir}")"
+test -d "${sops_config_dir}" || (echo "E: specify dir containing .sops.yaml, invalid dir: '${sops_config_dir}'" && exit 1)
+sops_config="${sops_config_dir}/.sops.yaml"
+# create it! # test -e "${sops_config}" || (echo "E: could not locate .sops.yaml, tried ${sops_config}" && exit 1)
+if [[ "${#secrets_file_list[@]}" != "0" ]]; then
+ for secrets_file in "${secrets_file_list[@]}"; do
+ test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1)
+ done
+fi
+# /VALIDATE INPUTS
+# /OPTIONS: ARGPARSING and VALIDATION
+
 # BEGIN
 if [[ "${opt_list_roles}" -eq 1 ]]; then
 # list available roles and exit
@@ -207,3 +207,5 @@ if [[ "${#secrets_file_list[@]}" != "0" ]]; then
 else
 echo "# WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files"
 fi
+
+exit
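Review bot: The moved validation block still exits from inside a subshell: in `test -d "${keyfiles_dir}" || (echo "E: …" && exit 1)` the `exit 1` only ends the `( … )`, the script stops only because `set -e` happens to see the subshell's non-zero status, and the message goes to stdout rather than stderr, so the same pattern silently continues the moment someone sources the file or relaxes `set -e`. Prefer a brace group with stderr, e.g. `test -d "${keyfiles_dir}" || { echo "E: specify dir containing keyfiles; invalid dir: '${keyfiles_dir}'" >&2; exit 1; }`, and the same for the sops_config_dir and secrets_file checks. Near the top of the moved block, `repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"` leaves the inner substitution unquoted, so a repo path containing whitespace breaks; `repo_root="$(realpath "$(dirname "${BASH_SOURCE[0]}")/..")"` fixes it. Because `-r` is spliced straight into `keyfiles_dir="${roles_def_dir}/${roles_list[0]}"`, a role containing `/` or `..` resolves outside `roles/` and quietly changes which gpg keys become recipients in `.sops.yaml`; a guard such as `[[ "${roles_list[0]}" != */* && "${roles_list[0]}" != .. ]] || { echo "E: invalid role name" >&2; exit 1; }` before the path is built would catch that. Note too that `realpath` (without `-m`) fails on a missing path, so under `set -e` the assignment aborts before the friendlier `test -d` message is ever reached, which is worth a comment or a `realpath -m` if the message is meant to be seen.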