|
|
|
@ -2,13 +2,18 @@
|
|
|
|
# Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
|
|
|
|
# Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
|
|
|
|
set -euo pipefail
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# "anchor" for actions relevant to this script
|
|
|
|
|
|
|
|
repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"
|
|
|
|
# OPTIONS: ARGPARSING and VALIDATION
|
|
|
|
# OPTIONS: ARGPARSING and VALIDATION
|
|
|
|
# assume location of script as running directly from repo with keys (instead of as a standalone packaged tool)
|
|
|
|
# assume location of script as running directly from repo with keys (instead of as a standalone packaged tool)
|
|
|
|
keyfiles_dir="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"
|
|
|
|
keyfiles_dir="${repo_root}"
|
|
|
|
# assume location of secrets config file in pwd
|
|
|
|
# assume location of secrets config file in pwd
|
|
|
|
sops_config_dir="${PWD}"
|
|
|
|
sops_config_dir="${PWD}"
|
|
|
|
# optional: secrets files to be updated
|
|
|
|
# optional: secrets files to be updated
|
|
|
|
secrets_file_list=()
|
|
|
|
secrets_file_list=()
|
|
|
|
|
|
|
|
# optional:
|
|
|
|
|
|
|
|
opt_list_roles=0
|
|
|
|
|
|
|
|
roles_def_dir="${repo_root}/roles"
|
|
|
|
|
|
|
|
|
|
|
|
while (( $# >= 1 ));do
|
|
|
|
while (( $# >= 1 ));do
|
|
|
|
cur="${1}";
|
|
|
|
cur="${1}";
|
|
|
|
@ -19,6 +24,8 @@ while (( $# >= 1 ));do
|
|
|
|
-k|--key|--keyfiles) keyfiles_dir="${2}"; shift ;;
|
|
|
|
-k|--key|--keyfiles) keyfiles_dir="${2}"; shift ;;
|
|
|
|
# ARGS: dir containing .sops.yaml (sops config file)
|
|
|
|
# ARGS: dir containing .sops.yaml (sops config file)
|
|
|
|
-c|--config_dir) sops_config_dir="${2}"; shift ;;
|
|
|
|
-c|--config_dir) sops_config_dir="${2}"; shift ;;
|
|
|
|
|
|
|
|
# ARGS: [optional] show list of roles and exit
|
|
|
|
|
|
|
|
-lr|--list_roles) opt_list_roles=1 ;;
|
|
|
|
# ARGS: [optional] [list] specify files containing sops-encrypted secrets
|
|
|
|
# ARGS: [optional] [list] specify files containing sops-encrypted secrets
|
|
|
|
-s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
|
|
|
|
-s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;;
|
|
|
|
# ARGS: [optional] [list] specify files containing sops-encrypted secrets
|
|
|
|
# ARGS: [optional] [list] specify files containing sops-encrypted secrets
|
|
|
|
@ -114,6 +121,13 @@ EOM
|
|
|
|
# UPDATE SOPS CONFIG
|
|
|
|
# UPDATE SOPS CONFIG
|
|
|
|
# TODO: remove the 'pushd;popd' workaround and make the functions aware of the dir being read
|
|
|
|
# TODO: remove the 'pushd;popd' workaround and make the functions aware of the dir being read
|
|
|
|
pushd "${keyfiles_dir}" > /dev/null 2>&1
|
|
|
|
pushd "${keyfiles_dir}" > /dev/null 2>&1
|
|
|
|
|
|
|
|
if [[ "${opt_list_roles}" ]]; then
|
|
|
|
|
|
|
|
pushd "${roles_def_dir}" > /dev/null 2>&1
|
|
|
|
|
|
|
|
>&2 echo "# INFO: listing roles"
|
|
|
|
|
|
|
|
ls -1d *
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
|
|
|
|
popd > /dev/null 2>&1
|
|
|
|
|
|
|
|
fi
|
|
|
|
(fn_update_sops_config) > "${sops_config}"
|
|
|
|
(fn_update_sops_config) > "${sops_config}"
|
|
|
|
popd > /dev/null 2>&1
|
|
|
|
popd > /dev/null 2>&1
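Review bot: The new `if [[ "${opt_list_roles}" ]]; then` tests for a non-empty string, and `opt_list_roles` is initialised to the string `0` earlier in this hunk's file, so the branch is taken on every run: the script always lists roles and hits `exit 0`, and the `(fn_update_sops_config) > "${sops_config}"` line below it is never reached, which means `.sops.yaml` is silently never regenerated or verified against the key set. Use an arithmetic test, `if (( opt_list_roles )); then`, or `[[ "${opt_list_roles}" == 1 ]]`. The `popd` after `exit 0` is unreachable and can be dropped, and `ls -1d *` would be better as `printf '%s\n' *` (no `ls` parsing; with `set -e` an empty roles dir makes `ls` fail on the literal `*`). The same hunk's `repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)"` leaves the inner `$(dirname …)` unquoted, so a repo path containing whitespace would word-split.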
|
|
|
|
|
|
|
|
|
|
|
|
|