initial commit
commit
536831f8d9
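--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+# Use a minimal, secure base image
+FROM alpine:latest
+
+# Install only the tools we need: SOPS and GnuPG
+RUN apk add --no-cache sops gnupg
+
+# Set a working directory
+WORKDIR /app
+
+# Copy our decryption script into the container and make it executable
+COPY entrypoint.sh .
+RUN chmod +x ./entrypoint.sh
+
+# Set the script as the entrypoint
+ENTRYPOINT ["./entrypoint.sh"]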
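Review bot: `FROM alpine:latest` is a floating tag, so the base image and the `sops`/`gnupg` versions that `apk add --no-cache` resolves change on every rebuild with no change to this file, which is at odds with the "minimal, secure base image" comment above it and makes any given build unreproducible; pin to a specific release and preferably a digest, e.g. `FROM alpine:<release>@sha256:<digest>`, and consider pinning the package versions as well (`apk add --no-cache sops=<ver> gnupg=<ver>`). There is also no `USER` instruction, so the entrypoint, which imports a GPG private key and writes plaintext secrets, runs as root by default; adding an unprivileged user before `ENTRYPOINT` is the cheaper hardening step, provided the mounted key and volume permissions allow it. If the builder supports BuildKit, `COPY --chmod=755 entrypoint.sh .` folds the separate `RUN chmod +x` into the copy and drops a layer.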
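--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Exit immediately if any command fails
+set -e
+
+# --- Configuration (from Environment Variables) ---
+# Use ':-' to set a default value if the variable is unset or null.
+APP_NAME="${APP_NAME:-sops-init}"
+GPG_KEY_PATH="${GPG_KEY_PATH:-/run/secrets/gpg_key}"
+
+# The directory containing encrypted files.
+SOPS_INPUT_DIR="${SOPS_INPUT_DIR:-/config_in}"
+# The directory where decrypted files will be written.
+SOPS_OUTPUT_DIR="${SOPS_OUTPUT_DIR:-/config_out}"
+# The suffix of files to search for.
+SOPS_FILE_SUFFIX="${SOPS_FILE_SUFFIX:-.sops.yaml}"
+
+
+# --- Script Logic ---
+echo "✅ $APP_NAME: Decryption container started."
+echo "➡️ $APP_NAME: Input Dir: '$SOPS_INPUT_DIR', Output Dir: '$SOPS_OUTPUT_DIR', Suffix: '$SOPS_FILE_SUFFIX'"
+
+# Validate that the required files/directories exist
+if [ ! -f "$GPG_KEY_PATH" ]; then
+echo "❌ $APP_NAME: ERROR: GPG secret key not found at '$GPG_KEY_PATH'"
+exit 1
+fi
+
+if [ ! -d "$SOPS_INPUT_DIR" ]; then
+echo "❌ $APP_NAME: ERROR: Input directory not found at '$SOPS_INPUT_DIR'"
+exit 1
+fi
+
+# Ensure the output directory exists
+mkdir -p "$SOPS_OUTPUT_DIR"
+
+echo "🔐 $APP_NAME: Importing GPG private key..."
+gpg --batch --import "$GPG_KEY_PATH"
+
+echo "🔎 $APP_NAME: Searching for files ending in '$SOPS_FILE_SUFFIX'..."
+
+# Use 'find' to locate all target files and loop through them
+find "$SOPS_INPUT_DIR" -type f -name "*${SOPS_FILE_SUFFIX}" | while read -r encrypted_file; do
+# Get the filename without the full path
+base_filename_with_suffix=$(basename "$encrypted_file")
+# Remove the suffix to get the clean output filename
+output_filename=$(basename "$encrypted_file" "$SOPS_FILE_SUFFIX")
+# Construct the full output path
+decrypted_file="${SOPS_OUTPUT_DIR}/${output_filename}"
+
+echo " - Decrypting '$base_filename_with_suffix' to '$decrypted_file'"
+sops --decrypt "$encrypted_file" > "$decrypted_file"
+done
+
+echo "🎉 $APP_NAME: All files decrypted. Exiting."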
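Review bot: The plaintext produced by `sops --decrypt "$encrypted_file" > "$decrypted_file"` (and the directory from `mkdir -p "$SOPS_OUTPUT_DIR"`) is created with whatever umask the container inherits, usually 022, so the decrypted secrets in the shared output volume end up readable by any other user or sidecar that can see that volume; add `umask 077` directly after `set -e` so the directory and every decrypted file are owner-only from creation. In the same loop, a sops failure on one file aborts the script under `set -e` but leaves the already-truncated, empty `$decrypted_file` behind, so writing to a temporary name and renaming on success would avoid shipping an empty file where a secret was expected. Two inputs in different subdirectories that share a basename also map to the same `$decrypted_file`, and the second silently overwrites the first. Finally, `-name "*${SOPS_FILE_SUFFIX}"` treats the suffix as a glob, so a suffix containing `*` or `?` matches more than intended; harmless for the default `.sops.yaml`, but worth a comment such as `# SOPS_FILE_SUFFIX is used as a find glob; avoid metacharacters`.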