Initial version

This commit is contained in:
Knut Ahlers 2024-09-16 19:51:28 +02:00
commit 95001487b6
Signed by: luzifer
SSH key fingerprint: SHA256:/xtE5lCgiRDQr8SLxHMS92ZBlACmATUmF1crK16Ks4E
2 changed files with 42 additions and 0 deletions

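--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,27 @@
+FROM alpine AS prefetch
+WORKDIR /tmp
+RUN set -ex \
+&& apk add --no-cache \
+curl \
+unzip \
+&& curl -sSfLo vault.zip "https://releases.hashicorp.com/vault/1.17.5/vault_1.17.5_linux_amd64.zip" \
+&& unzip vault.zip
+FROM quay.io/argoproj/argocd:v2.12.3
+USER root
+RUN apt-get update \
+&& apt-get install -y \
+git-crypt \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+&& mv /usr/bin/git /usr/bin/git.bin
+COPY git-wrapper.sh /usr/bin/git
+COPY --from=prefetch /tmp/vault /usr/bin/vault
+USER 999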
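Review bot: The vault archive fetched on the `curl -sSfLo vault.zip …` line is unpacked and copied into the final image without any integrity check, so a tampered or truncated download would silently become `/usr/bin/vault`. Pin the expected digest next to the already-pinned version, e.g. `&& echo "<sha256 of vault_1.17.5_linux_amd64.zip from the HashiCorp release page>  vault.zip" | sha256sum -c - \` before the `unzip`, or fetch it with `ADD --checksum=sha256:<expected digest> <url> vault.zip` instead of curl. The prefetch stage also starts from an untagged `FROM alpine` and `apt-get install -y git-crypt` is unpinned, so two builds of the same commit can produce different images. `COPY git-wrapper.sh /usr/bin/git` inherits the mode bits of the file in the build context; `COPY --chmod=0755 git-wrapper.sh /usr/bin/git` makes the replacement git executable regardless of how the repository was checked out.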

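--- a/git-wrapper.sh
+++ b/git-wrapper.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+$(dirname $0)/git.bin "$@"
+EC=$?
+if [ "$1" = "checkout" -a -d ".git-crypt" -f ".git-crypt-key" -a ! "$GIT_CRYPT_RUNNING" = "true" ]; then
+export GIT_CRYPT_RUNNING=true
+export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="${VAULT_ROLE_ID:-}")
+tmpfile=$(mktemp)
+vault read -field=key "secret/git-crypt/$(<.git-crypt-key)" | base64 -d >${tmpfile}
+git-crypt unlock ${tmpfile}
+rm ${tmpfile}
+fi
+exit $EC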
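Review bot: The `if [ … ]` condition is missing the `-a` between `-d ".git-crypt"` and `-f ".git-crypt-key"` (at least as rendered here), so `test` fails with a syntax error and the unlock branch never runs; on the `vault read` line `$(<.git-crypt-key)` is a bash extension that expands to an empty string under a POSIX `/bin/sh` such as dash, which would turn the secret path into `secret/git-crypt/`. I would write the two lines as `if [ "$1" = "checkout" ] && [ -d ".git-crypt" ] && [ -f ".git-crypt-key" ] && [ "$GIT_CRYPT_RUNNING" != "true" ]; then` and `vault read -field=key "secret/git-crypt/$(cat .git-crypt-key)" | base64 -d >"${tmpfile}"`. The decrypted key is written to `tmpfile` and removed only on the happy path; a `trap 'rm -f "${tmpfile}"' EXIT` right after the `mktemp` line would also clear it when `git-crypt unlock` or either vault call fails. Failures of `vault write` and `vault read` are otherwise unchecked, so an empty token or key file reaches `git-crypt unlock` silently while the script still exits with git's own status.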