Update entrypoint.sh
All checks were successful
Build and Push SOPS Decrypt Image / build-and-push (push) Successful in 11s
All checks were successful
Build and Push SOPS Decrypt Image / build-and-push (push) Successful in 11s
This commit is contained in:
parent
9d539c78c4
commit
4d647e1ec0
@ -2,18 +2,23 @@
|
||||
set -e
|
||||
|
||||
# --- Configuration (from Environment Variables) ---
|
||||
APP_NAME="${APP_NAME:-sops-init}"
|
||||
# UPDATED: Set the default APP_NAME for logging
|
||||
APP_NAME="${APP_NAME:-sops-decrypt}"
|
||||
GPG_KEY_PATH="${GPG_KEY_PATH:-/run/secrets/gpg_key}"
|
||||
GPG_PASSPHRASE_PATH="${GPG_PASSPHRASE_PATH}"
|
||||
SOPS_INPUT_DIR="${SOPS_INPUT_DIR:-/config_in}"
|
||||
SOPS_OUTPUT_DIR="${SOPS_OUTPUT_DIR:-/config_out}"
|
||||
GPG_PASSPHRASE_PATH="${GPG_PASSPHRASE_PATH:-/run/secrets/gpg_passphrase}"
|
||||
SOPS_INPUT_DIR="${SOPS_INPUT_DIR:-/in}"
|
||||
SOPS_OUTPUT_DIR="${SOPS_OUTPUT_DIR:-/out}"
|
||||
SOPS_VERBOSE="${SOPS_VERBOSE:-false}"
|
||||
|
||||
|
||||
# --- Script Logic ---
|
||||
echo "✅ $APP_NAME: Configuration materializer started."
|
||||
if [ "$SOPS_VERBOSE" = "true" ]; then
|
||||
echo "🐞 $APP_NAME: VERBOSE mode enabled."
|
||||
fi
|
||||
echo "➡️ $APP_NAME: Input Dir: '$SOPS_INPUT_DIR', Output Dir: '$SOPS_OUTPUT_DIR'"
|
||||
|
||||
# --- GPG Key Import and Unlocking ---
|
||||
# (This section is unchanged as it is working correctly)
|
||||
echo "🔄 $APP_NAME: Starting GPG Agent..."
|
||||
unset GPG_AGENT_INFO
|
||||
eval $(gpg-agent --daemon --pinentry-mode loopback)
|
||||
@ -25,11 +30,7 @@ fi
|
||||
echo "🔐 $APP_NAME: Importing GPG private key..."
|
||||
gpg --batch --import "$GPG_KEY_PATH"
|
||||
|
||||
if [ -n "$GPG_PASSPHRASE_PATH" ]; then
|
||||
if [ ! -f "$GPG_PASSPHRASE_PATH" ]; then
|
||||
echo "❌ $APP_NAME: ERROR: GPG passphrase file not found at '$GPG_PASSPHRASE_PATH'"
|
||||
exit 1
|
||||
fi
|
||||
if [ -n "$GPG_PASSPHRASE_PATH" ] && [ -f "$GPG_PASSPHRASE_PATH" ]; then
|
||||
echo "🔑 $APP_NAME: Unlocking key to cache passphrase with GPG Agent..."
|
||||
KEY_FINGERPRINT=$(gpg --with-colons --import-options import-show --import < "$GPG_KEY_PATH" | awk -F: '/^sec:/ { print $5 }')
|
||||
if [ -z "$KEY_FINGERPRINT" ]; then
|
||||
@ -44,20 +45,24 @@ fi
|
||||
|
||||
# --- File Processing Loop ---
|
||||
echo "🔎 $APP_NAME: Processing all files in '$SOPS_INPUT_DIR'..."
|
||||
# Find ALL files (-type f) in the input directory
|
||||
find "$SOPS_INPUT_DIR" -type f | while read -r source_file; do
|
||||
relative_path="${source_file#$SOPS_INPUT_DIR/}"
|
||||
destination_file="${SOPS_OUTPUT_DIR}/${relative_path}"
|
||||
|
||||
# Ensure the destination directory exists
|
||||
mkdir -p "$(dirname "$destination_file")"
|
||||
|
||||
# Attempt to decrypt the file. Redirect stderr to /dev/null to keep logs clean.
|
||||
if sops --decrypt "$source_file" > "$destination_file" 2>/dev/null; then
|
||||
# If decryption succeeds, log it.
|
||||
SOPS_CMD="sops --decrypt"
|
||||
if [ "$SOPS_VERBOSE" = "true" ]; then
|
||||
SOPS_CMD="$SOPS_CMD --verbose"
|
||||
fi
|
||||
SOPS_CMD="$SOPS_CMD \"$source_file\" > \"$destination_file\""
|
||||
if [ "$SOPS_VERBOSE" != "true" ]; then
|
||||
SOPS_CMD="$SOPS_CMD 2>/dev/null"
|
||||
fi
|
||||
|
||||
if eval "$SOPS_CMD"; then
|
||||
echo " decrypted ✅ $relative_path"
|
||||
else
|
||||
# If decryption fails, it's not a SOPS file. Copy it verbatim instead.
|
||||
echo " copied ↪️ $relative_path"
|
||||
cp "$source_file" "$destination_file"
|
||||
fi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user