Add vault git credential helper and consult it always

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2023-08-25 17:44:14 +02:00 · 2023-08-25 17:44:14 +02:00 · 9d1896bb23
commit 9d1896bb23
parent 31dc52106d
2 changed files with 31 additions and 0 deletions
--- a/.gitconfig
+++ b/.gitconfig
@ -27,6 +27,9 @@ pager = less -F -X
 repositoryformatversion = 0
 warnAmbiguousRefs = false

+[credential]
+helper = vault
+
 [diff]
 renames = true

--- a/bin/git-credential-vault
+++ b/bin/git-credential-vault
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+source "${HOME}/bin/script_framework.sh"
+
+function handle_get() {
+  while read line; do
+    local param=$(cut -d '=' -f 1 <<<"${line}")
+    local value=$(cut -d '=' -f 2- <<<"${line}")
+
+    [[ $param == host ]] || continue
+
+    vault read -format=json secret/git-credential/${value} 2>/dev/null | jq -r '.data | to_entries[] | [.key, .value] | join("=")' || return 1
+    info "[git-credential-vault] Read credential for '${value}' from Vault"
+  done
+}
+
+function main() {
+  local action="${1:-_invalid}"
+  shift
+
+  case ${action} in
+  get) handle_get ;;
+  *) return 1 ;;
+  esac
+}
+
+main "$@"