#!/bin/bash
# =================================================================================================================
# Usage:
# -----------------------------------------------------------------------------------------------------------------
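#######################################
# Prints the help text to stdout and terminates the script.
# Arguments: $1 - exit status (optional, default 0); callers reporting a
#                 usage error can pass a non-zero value so CI does not read
#                 a bad invocation as success
# Outputs:   help text on stdout
# Returns:   never returns; exits the script
#######################################
usage() {
  cat <<'EOF'
A helper script to get the secrets from the 1password vault.
Usage: ./1pass.sh [-h -d <subdomainName> -u <accountName>]
-k <secretKey>
-p <masterPassword>
-m <method>
-e <environment(s)>
-v <vaultDetails>
-a <appName>
-n <namespace>
-s <skip>
OPTIONS:
========
-h prints the usage for the script.
-d The subdomain name of the 1password account, default is registries.1password.ca.
-u The account name of the 1password account, default is [email protected].
-k The secret key of the 1password account.
-p The master password of the 1password account.
-m The method of using the vaults.
secret - set vault values to Openshift secrets
env - set vault values to github action environment
compare - compare two environments vault values
-e The environment(s) of the vault, for example pytest/dev/test/prod or "dev test".
-a Openshift application name, for example: auth-api-dev
-n Openshift namespace name, for example: 1rdehl-dev
-s Skip this script, for example: true t TRUE T True 1
-v A list of vault and application name of the 1password account, for example:
[
{
"vault": "shared",
"application": [
"keycloak",
"email"
]
},
{
"vault": "relationship",
"application": [
"auth-api",
"notify-api",
"status-api"
]
}
]
EOF
  exit "${1:-0}"
}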
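# -----------------------------------------------------------------------------------------------------------------
# Initialization:
# -----------------------------------------------------------------------------------------------------------------
# NOTE(review): -k and -p place the 1Password secret key and master password on
# the command line, where they are visible to other local users through the
# process list and can end up in shell history or CI logs. If the callers can be
# changed, prefer handing them over through the environment or stdin.
#
# -h takes no argument; every other option requires one.
while getopts ha:d:u:k:p:v:m:e:n:s: FLAG; do
  case "${FLAG}" in
    h) usage ;;
    a) APP_NAME=$OPTARG ;;
    d) DOMAIN_NAME=$OPTARG ;;
    u) USERNAME=$OPTARG ;;
    k) SECRET_KEY=$OPTARG ;;
    p) MASTER_PASSWORD=$OPTARG ;;
    v) VAULT=$OPTARG ;;
    m) METHOD=$OPTARG ;;
    e) ENVIRONMENT=$OPTARG ;;
    n) NAMESPACE=$OPTARG ;;
    s) SKIP=$OPTARG ;;
    \?) # unrecognized option - show help
      printf '\nInvalid script option: -%s\n\n' "${OPTARG}" >&2
      usage
      ;;
  esac
done
# Shift the parameters in case there any more to be used
shift $((OPTIND-1))

# Reports a missing/invalid parameter on stderr (same blank-line-padded format
# as before) and shows the help text; usage exits the script itself, and 2 is
# the status requested for a usage error.
# Arguments: $1 - message to print
fail_usage() {
  printf '\n%s\n\n' "$1" >&2
  usage 2
}

# -s: any of these spellings means "do nothing".
case "${SKIP}" in
  true|t|TRUE|T|True|1)
    printf 'Skip\n'
    exit
    ;;
esac

if [ -z "${DOMAIN_NAME}" ]; then
  DOMAIN_NAME=registries.1password.ca
fi
if [ -z "${USERNAME}" ]; then
  # TODO(review): restore the default account address here
  # (USERNAME=<default-account-email>); it is missing from this copy of the
  # file although the usage text still documents -u as optional. The no-op keeps
  # the block syntactically valid until it is restored.
  :
fi
if [ -z "${SECRET_KEY}" ] || [ -z "${MASTER_PASSWORD}" ]; then
  fail_usage "Missing parameters - secret key or master password"
fi
if [ -z "${ENVIRONMENT}" ]; then
  fail_usage "Missing parameters - environment"
fi
if [ -z "${VAULT}" ]; then
  fail_usage "Missing parameters - vault"
fi
case "${METHOD}" in
  secret|env|compare) ;;
  *) fail_usage "Method must be one of the following: secret, env or compare." ;;
esac

# -e may carry several space-separated environment names (e.g. "dev test").
read -r -a envs <<<"${ENVIRONMENT}"
if [[ "${METHOD}" == compare && ${#envs[@]} -ne 2 ]]; then
  printf '\n%s\n\n' "Environments must contain two values ('dev test' or 'test prod')." >&2
  # A validation failure must not look like success to the calling workflow.
  exit 1
fi
if [[ "${METHOD}" == secret ]]; then
  if [[ -z "${APP_NAME}" ]]; then
    fail_usage "Missing parameters - application name"
  elif [[ -z "${NAMESPACE}" ]]; then
    fail_usage "Missing parameters - namespace"
  fi
fi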
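# Login to 1Password../s
# Assumes you have installed the OP CLI and performed the initial configuration
# For more details see https://support.1password.com/command-line-getting-started/
#
# `op signin` prints the `export` statement for the session token that the later
# `op` calls rely on, so its output has to be evaluated. It is captured first so
# that a failed sign-in stops the script instead of silently evaluating an empty
# string; the master password is fed on stdin, never placed on a command line.
session_export=$(printf '%s\n' "${MASTER_PASSWORD}" \
  | op signin "${DOMAIN_NAME}" "${USERNAME}" "${SECRET_KEY}") || {
  printf '\n%s\n\n' "Sign-in to 1Password failed" >&2
  exit 1
}
eval "${session_export}"

# The env and compare methods write their results to the GitHub Actions
# environment file; fail early if it is not available.
if [[ "${METHOD}" != secret ]]; then
  : "${GITHUB_ENV:?GITHUB_ENV must be set for the env and compare methods}"
fi

# Decodes one base64 token emitted by `jq -r '... | @base64'` and applies the
# jq filter $2 to the decoded JSON (raw output).
# Arguments: $1 - base64 token, $2 - jq filter
decode_json_field() {
  printf '%s\n' "$1" | base64 --decode | jq -r "$2"
}

# Private scratch directory for the per-environment key listings written by
# `compare`; replaces the old t<N>.txt files in the working directory and the
# `rm t*.txt` that could remove unrelated files. Removed on every exit path.
work_dir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -rf -- "${work_dir}"' EXIT

if [[ "${METHOD}" == secret ]]; then
  # Create the application secret up front; an "already exists" error is expected
  # and ignored. Runs in the foreground on purpose: backgrounding it raced with
  # the `oc get secret` in the loop below.
  oc create secret generic "${APP_NAME}-secret" -n "${NAMESPACE}" >/dev/null 2>&1
fi

num=0
for env_name in "${envs[@]}"; do
  num=$((num+1))
  # Key listing for this environment (only used by `compare`); created empty so
  # that `comm` below always has a file to read.
  keys_file="${work_dir}/t${num}.txt"
  : > "${keys_file}"
  # Vault entries are passed around as base64 tokens so the JSON can contain
  # whitespace without breaking word splitting.
  mapfile -t vault_entries < <(printf '%s' "${VAULT}" | jq -r '.[] | @base64')
  for vault_b64 in "${vault_entries[@]}"; do
    vault_name=$(decode_json_field "${vault_b64}" '.vault')
    # The 1Password item is named after the environment and holds one section per
    # application, so it is fetched once per vault rather than once per application.
    if ! item_json=$(op get item --vault="${vault_name}" "${env_name}"); then
      printf 'warning: could not read item %s from vault %s\n' "${env_name}" "${vault_name}" >&2
      continue
    fi
    mapfile -t app_names < <(decode_json_field "${vault_b64}" '.application[]')
    for app_name in "${app_names[@]}"; do
      # Within the section titled after the application each field is one
      # secret: the label (.t) is the key and the value (.v) is the value. The
      # title is passed with --arg instead of being spliced into the jq program.
      mapfile -t rows < <(printf '%s' "${item_json}" \
        | jq -r -c --arg title "${app_name}" \
          '.details.sections[] | select(.title==$title) | .fields[] | @base64')
      for row in "${rows[@]}"; do
        key=$(decode_json_field "${row}" '.t')
        value=$(decode_json_field "${row}" '.v')
        case "${METHOD}" in
          secret)
            # Merge this key into the existing secret. The patch is built by jq
            # from --arg values (no shell text spliced into a jq program) and the
            # secret value never appears on a command line.
            patch=$(jq -n --arg k "${key}" --arg v "${value}" '{data: {($k): ($v | @base64)}}')
            oc get secret "${APP_NAME}-secret" -n "${NAMESPACE}" -o json \
              | jq --argjson patch "${patch}" '. * $patch' \
              | oc apply -f -
            ;;
          env)
            printf 'Setting environment variable %s\n' "${key}"
            # Mask the value before anything else can echo it into the job log.
            printf '::add-mask::%s\n' "${value}"
            # NOTE(review): kept in the original format. Two things to confirm:
            # the leading `::echo ` is a workflow-command token rather than part
            # of the name=value lines GITHUB_ENV expects, and a multi-line value
            # is read by the runner as further name=value lines (the documented
            # `name<<delimiter` form is the safe way to write those).
            printf '::echo %s=%s\n' "${key}" "${value}" >> "${GITHUB_ENV}"
            ;;
          compare)
            # Only the key names are recorded; values never touch the disk.
            printf '%s: %s\n' "${app_name}" "${key}" >> "${keys_file}"
            ;;
        esac
      done
    done
  done
done

case "${METHOD}" in
  secret)
    # Expose the secret's keys as environment variables of the deployment config.
    # Foreground on purpose: a backgrounded oc could still be running when the
    # script (and the CI step) exits. The trailing `ENV-` argument is kept as in
    # the original invocation.
    oc set env "dc/${APP_NAME}" -n "${NAMESPACE}" --overwrite \
      --from="secret/${APP_NAME}-secret" --containers="${APP_NAME}" ENV- >/dev/null 2>&1
    ;;
  compare)
    # Keys present in the first environment only, and in the second only.
    only_in_first=$(comm -23 <(sort "${work_dir}/t1.txt") <(sort "${work_dir}/t2.txt"))
    only_in_second=$(comm -23 <(sort "${work_dir}/t2.txt") <(sort "${work_dir}/t1.txt"))
    # Write the verdict for the workflow; the message texts are unchanged.
    if [[ -n "${only_in_first}" ]]; then
      printf '::echo approval=false\n' >> "${GITHUB_ENV}"
      printf '::echo message=The following vault items between %s and %s does not match. %s\n' \
        "${envs[0]}" "${envs[1]}" "${only_in_first}" >> "${GITHUB_ENV}"
    elif [[ -n "${only_in_second}" ]]; then
      printf '::echo approval=false\n' >> "${GITHUB_ENV}"
      printf '::echo message=The following vault items between %s and %s does not match. %s\n' \
        "${envs[1]}" "${envs[0]}" "${only_in_second}" >> "${GITHUB_ENV}"
    else
      printf '::echo approval=true\n' >> "${GITHUB_ENV}"
      printf '::echo message=The vault items between %s and %s are matched.\n' \
        "${envs[0]}" "${envs[1]}" >> "${GITHUB_ENV}"
    fi
    ;;
esac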