Add the op-cli in the script

By adding the `op-cli` in the script, we no longer need to look for environment variables that have a reference and fetch the values of the secrets through shell script. Instead, we use the commands `op list envars` and `op read` (alpha version)
2021-08-03 18:00:57 +02:00
parent e28960dbbb
commit e64093d691
1 changed files with 6 additions and 78 deletions
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,6 +2,10 @@
 # shellcheck disable=SC2046,SC2001,SC2086
 set -e
 # Install op-cli
 $(curl -sSfLo op.zip "https://drive.google.com/uc?export=download&id=1HRAsihTN0Cx0pWZEWN06jAWxo0eW5eG-")
 unzip -od /usr/local/bin/ op.zip && rm op.zip
 if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
  echo "\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST must be set"
  exit 1
@@ -27,90 +31,14 @@ if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
  managed_variables=()
 fi
 curl_headers=(-H "Content-Type: application/json" -H "Authorization: Bearer $OP_CONNECT_TOKEN")
 # Iterate over environment varables to find 1Password references, load the secret values, 
 # and make them available as environment variables in the next steps.
 IFS=$'\n'
-for possible_ref in $(printenv | grep "=op://" | grep -v "^#"); do
+for env_var in $(op list envars); do
  env_var=$(echo "$possible_ref" | cut -d '=' -f1)
  ref=$(printenv $env_var)
  if [[ ! $ref == "op://"* ]]; then
    echo "Not really a reference: $ref"
    continue
  fi
  path=$(echo $ref | sed -e "s/^op:\/\///")
  if [ $(echo "$path" | tr -cd '/' | wc -c) -lt 2 ]; then
    echo "Expected path to be in format op://<vault>/<item>[/<section>]/<field>: $ref"
    continue
  fi
  echo "Populating variable: $env_var"
-
+  secret_value=$(op read $ref)
  vault=""
  item=""
  section=""
  field=""
  i=0
  IFS="/"
  for component in $path; do
    ((i+=1))
    case "$i" in
      1) vault=$component ;;
      2) item=$component ;;
      3) section=$component ;;
      4) field=$component ;;
    esac
  done
  unset IFS
  # If field is not set, it may have wrongfully been interpreted as the section.
  if [ -z "$field" ]; then
    field="$section"
    section=""
  fi
  if [[ $(echo -n $(echo $vault | grep "^[a-z0-9]*$") | wc -c) -ne 26 ]]; then
    echo "Getting vault ID from vault name: $vault"
    vault=$(curl -sSf "${curl_headers[@]}" "$OP_CONNECT_HOST/v1/vaults?filter=name%20eq%20%22$vault%22" | jq -r '.[0] | .id')
    if [ -z "$vault" ]; then
      echo "Could not find vault ID for vault: $vault"
      exit 1
    fi
  fi
  if [[ $(echo -n $(echo $item | grep "^[a-z0-9]*$") | wc -c) -ne 26 ]]; then
    echo "Getting item ID from vault $vault..."
    item=$(curl -sSf "${curl_headers[@]}" "$OP_CONNECT_HOST/v1/vaults/$vault/items?filter=title%20eq%20%22$item%22" | jq -r '.[0] | .id')
    if [ -z "$item" ]; then
      echo "Could not find item ID for item: $item"
      exit 1
    fi
  fi
  echo "Loading item $item from vault $vault..."
  item_json=$(curl -sSf "${curl_headers[@]}" "$OP_CONNECT_HOST/v1/vaults/$vault/items/$item")
  jq_field_selector=".id == \"$field\" or .label == \"$field\""
  jq_section_selector=".section == null"
  # If the reference contains a section, edit the jq selector to take that into account.
  if [ -n "$section" ]; then
    echo "Looking for section: $section"
    section_id=$(echo "$item_json" | jq -r ".sections[] | select(.id == \"$section\" or .label == \"$section\") | .id")
    jq_section_selector=".section.id == \"$section_id\""
  fi
  jq_secret_selector="$jq_section_selector and ($jq_field_selector)"
  echo "Looking for field: $field"
  secret_field_json=$(echo "$item_json" | jq -r "first(.fields[] | select($jq_secret_selector))")
  field_type=$(echo "$secret_field_json" | jq -r '.type')
  field_purpose=$(echo "$secret_field_json" | jq -r '.purpose')
  secret_value=$(echo "$secret_field_json" | jq -r '.value')
  if [ -z "$secret_value" ]; then
    echo "Could not find or access secret $ref"