From 95001487b624319f3186609d8579354016e4e7c7 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Mon, 16 Sep 2024 19:51:28 +0200
Subject: [PATCH] Initial version

---
 Dockerfile | 27 +++++++++++++++++++++++++++
 git-wrapper.sh | 15 +++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 git-wrapper.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8917a32
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,27 @@
+FROM alpine AS prefetch
+
+WORKDIR /tmp
+
+RUN set -ex \
+ && apk add --no-cache \
+ curl \
+ unzip \
+ && curl -sSfLo vault.zip "https://releases.hashicorp.com/vault/1.17.5/vault_1.17.5_linux_amd64.zip" \
+ && unzip vault.zip
+
+
+FROM quay.io/argoproj/argocd:v2.12.3
+
+USER root
+
+RUN apt-get update \
+ && apt-get install -y \
+ git-crypt \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+ && mv /usr/bin/git /usr/bin/git.bin
+
+COPY git-wrapper.sh /usr/bin/git
+COPY --from=prefetch /tmp/vault /usr/bin/vault
+
+USER 999
diff --git a/git-wrapper.sh b/git-wrapper.sh
new file mode 100644
index 0000000..e662850
--- /dev/null
+++ b/git-wrapper.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+$(dirname $0)/git.bin "$@"
+EC=$?
+
+if [ "$1" = "checkout" -a -d ".git-crypt" -f ".git-crypt-key" -a ! "$GIT_CRYPT_RUNNING" = "true" ]; then
+ export GIT_CRYPT_RUNNING=true
+ export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="${VAULT_ROLE_ID:-}")
+
+ tmpfile=$(mktemp)
+ vault read -field=key "secret/git-crypt/$(<.git-crypt-key)" | base64 -d >${tmpfile}
+ git-crypt unlock ${tmpfile}
+ rm ${tmpfile}
+fi
+
+exit $EC
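Review bot: `COPY git-wrapper.sh /usr/bin/git` installs the wrapper with the mode it has in the build context, and the commit records it as `create mode 100644`, so the replacement `git` is not executable and every git invocation fails once `mv /usr/bin/git /usr/bin/git.bin` has hidden the real binary; use `COPY --chmod=0755 git-wrapper.sh /usr/bin/git`. The prefetch stage also downloads the vault release archive without verifying it, although HashiCorp publishes a `vault_1.17.5_SHA256SUMS` file next to the zip; fetching that file in the same `RUN` and running `sha256sum -c` against the archive before `unzip` ties the binary that later handles the Vault token to a known release. `FROM alpine` is untagged and resolves to `latest`, so the prefetch stage is not reproducible; pin it to a specific tag (e.g. `alpine:3.20`), and consider pinning `git-crypt` in the `apt-get install` line for the same reason.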
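Review bot: The test on the `if` line is malformed — between `-d ".git-crypt"` and `-f ".git-crypt-key"` there is no `-a`, so `[` rejects the expression with an error rather than a match and the unlock branch never runs. On the `vault read` line `$(<.git-crypt-key)` is a bash extension; if `/bin/sh` is dash, as on Debian/Ubuntu-derived images, it expands to an empty string and the secret path degrades to `secret/git-crypt/`. Rewriting the condition as `if [ "$1" = "checkout" ] && [ -d .git-crypt ] && [ -f .git-crypt-key ] && [ "$GIT_CRYPT_RUNNING" != "true" ]; then` and the read as `vault read -field=key "secret/git-crypt/$(cat .git-crypt-key)" | base64 -d >"$tmpfile"` fixes both and also quotes the temp path. Since the decrypted key is written to disk, the script should abort before `git-crypt unlock` when the `vault read` pipeline fails and remove `$tmpfile` via a `trap` on EXIT so the key file is not left behind on an error, and note that `exit $EC` currently hides any unlock failure from the caller.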