diff --git a/bosh/credhub-format.sh b/bosh/credhub-format.sh
new file mode 100755
index 00000000..e4b8e646
--- /dev/null
+++ b/bosh/credhub-format.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+set -eo pipefail
+
+# yq operates on yaml documents using a jq-like syntax.
+# For jq program syntax, see: https://stedolan.github.io/jq/manual/
+
+if [ "$#" -ne 2 ]; then
+ echo "
+Usage: ./credhub-format.sh
+Example: ./credhub-format.sh vars.yml /bosh/deployment > output.json
+
+You can optionally override the location for your manifest, which
+defaults to manifest.yml:
+
+MANIFEST_PATH=deploy/manifest.yml ./credhub-format.sh credentials.yml deploy-something > output.yml
+
+Read from a BOSH variables file and reformat the contents to a JSON format that CredHub
+can import, excluding any keys that do not appear in the manifests
+
+Run this script from the root of the repository so it can find the manifest
+file. The output file is written to stdout. Additional output, such as the keys that were
+excluded, is written to stderr." >&2
+ exit 1
+fi
+
+MANIFEST_PATH=${MANIFEST_PATH:-manifest.yml}
+
+if [ ! -f "$MANIFEST_PATH" ]; then
+ echo "$MANIFEST_PATH not found. Is the script being run from the root directory of the repository?" >&2
+ exit 1
+fi
+
+VARS_FILE=$1
+CREDHUB_VAR_PREFIX=$2
+
+echo "The following values do not appear in $MANIFEST_PATH and will not be exported:
+" >&2
+# without setting -S, strings longer than the default of 255 will not be fully interpolated by xargs.
+
+yq 'keys | .[]' < "$VARS_FILE" | xargs -I % -S 512 bash -c \
+"if ! grep -q % $MANIFEST_PATH; then
+ echo %
+fi" >&2
+
+MANIFEST_VARS=$(cat "$MANIFEST_PATH" | yq '.variables' --output-format json | jq 'map({(.name): .}) | add')
+
+# reformat the credential file to the Credhub format, excluding entries
+# that don't appear in the manifest
+yq --output-format json < "$VARS_FILE" | \
+jq --arg credhub_var_prefix "$CREDHUB_VAR_PREFIX" \
+ --argjson manifest_vars "$MANIFEST_VARS" \
+ --rawfile varsfile "$VARS_FILE" '
+ to_entries |
+ map(select(.key | inside($varsfile))) |
+ {
+ credentials: [ .[] |
+ {
+ name: ($credhub_var_prefix+"/"+.key),
+ type: ($manifest_vars[.key].type // if .value | type == "object" then "json" else "value" end),
+ value: .value
+ }
+ ]
+ }
+'
diff --git a/concourse/get-pipelines-without-self-set.sh b/concourse/get-pipelines-without-self-set.sh
new file mode 100755
index 00000000..13f76147
--- /dev/null
+++ b/concourse/get-pipelines-without-self-set.sh
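Review bot: The exclusion filter on the new side never excludes anything: `--rawfile varsfile "$VARS_FILE"` loads the vars file itself, so `map(select(.key | inside($varsfile)))` is true for essentially every key that was just read out of that same file, and every credential is exported to CredHub regardless of the manifest — the opposite of what the header comment and the stderr listing promise. Separately, the xargs stanza splices each key into a `bash -c` script together with an unquoted `$MANIFEST_PATH`, so a key or path containing shell metacharacters is executed rather than searched for, and `grep -q %` treats the key as a regex instead of a literal name. The listing below checks presence against the manifest in both places, passes each key as a quoted argument with `grep -F`, and so makes the exported set agree with what is reported on stderr. Adding `-u` to the existing `set -eo pipefail` would additionally abort on an unset variable before any secret is emitted.
```shell
# … unchanged: usage check, MANIFEST_PATH / VARS_FILE / CREDHUB_VAR_PREFIX …
# Keys are data, not code: test each one as a quoted argument instead of
# splicing it into a `bash -c` script; -F makes grep match it literally.
yq 'keys | .[]' < "$VARS_FILE" | while IFS= read -r key; do
  grep -qF -- "$key" "$MANIFEST_PATH" || printf '%s\n' "$key"
done >&2

# … unchanged: MANIFEST_VARS …
yq --output-format json < "$VARS_FILE" | \
jq --arg credhub_var_prefix "$CREDHUB_VAR_PREFIX" \
   --argjson manifest_vars "$MANIFEST_VARS" \
   --rawfile manifest "$MANIFEST_PATH" '
  to_entries |
  map(select(.key | inside($manifest))) |
  # … unchanged: credentials object …
```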
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+function usage {
+ echo -e "
+ ./$( basename "$0" ) [pipeline-name] [--help, -h]
+
+ Get all git resources in Concourse pipelines that don\'t have commit signing
+ configured
+
+ Optional environment variable \$CI_URL matching your Concourse URL.
+ example: CI_URL=https://ci.fr.cloud.gov ./$( basename "$0" )
+
+ Optional argument for specific pipeline to check
+ example: ./$( basename "$0" ) pipeline-name
+
+ \$CI_URL, Defaults to https://ci.fr.cloud.gov
+ "
+ exit
+}
+
+while getopts ":h" opt; do
+ case ${opt} in
+ h )
+ usage
+ exit 0
+ ;;
+ * )
+ usage
+ exit 0
+ ;;
+ esac
+done
+
+
+CI_URL="${CI_URL:-"https://ci.fr.cloud.gov"}"
+FLY_TARGET=$(fly targets | grep "${CI_URL}" | head -n 1 | awk '{print $1}')
+
+if ! fly --target "${FLY_TARGET}" workers > /dev/null; then
+ echo "Not logged in to concourse"
+ exit 1
+fi
+
+function get_number_of_self_set_tasks {
+ fly -t "${FLY_TARGET}" get-pipeline --pipeline "$1" --json \
+ | jq '[.jobs[].plan[] | has("set_pipeline")] | map(select(.)) | length'
+}
+
+function report_pipelines_without_self_set {
+ length=$(get_number_of_self_set_tasks "$1")
+ if [[ $length != "1" ]]; then
+ printf 'pipeline: %s\n' "$1"
+ fi
+}
+
+if [ -z "$1" ]; then
+ fly --target "${FLY_TARGET}" pipelines | tail -n +1 | while read -r line; do
+ pipeline_name=$(echo "$line" | awk '{print $2}')
+
+ report_pipelines_without_self_set "$pipeline_name"
+ done
+else
+ report_pipelines_without_self_set "$1"
+fi
+
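Review bot: The target lookup `FLY_TARGET=$(fly targets | grep "${CI_URL}" | head -n 1 | awk '{print $1}')` matches the URL as an unanchored regex against the whole row, so its dots are wildcards and any target whose line merely contains `ci.fr.cloud.gov` (another host or team, or a target name) can be selected, after which every fly call in the script runs against that target; comparing the url column exactly, e.g. `FLY_TARGET=$(fly targets | awk -v url="$CI_URL" '$2 == url {print $1; exit}')` followed by `: "${FLY_TARGET:?no fly target logged in for $CI_URL}"`, avoids that and also replaces the misleading "Not logged in" path that an empty result currently takes (this assumes the url is the second column of `fly targets`, as in current fly output). The usage text does not describe this script: it promises git resources without commit signing, while the code reports pipelines whose jobs contain anything other than exactly one `set_pipeline` step — replace it with something like `Report pipelines that do not set themselves (no, or more than one, set_pipeline step across their jobs)`. There is no `set -euo pipefail`, so when `fly get-pipeline` or `jq` fails inside `get_number_of_self_set_tasks` the empty `$length` makes the pipeline appear in the report as lacking a self-set step instead of surfacing the error. `tail -n +1` is a no-op; if it was meant to drop a header row from `fly pipelines`, it should be `tail -n +2` — worth confirming against the fly version in use.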