feat(db-sync): Vault's database secrets engine

Adds support to retrieve credentials dynamically from Vault's database secrets engine, assuming the user has enabled and configured it.
IntersectMBO · Feb 28, 2023 · 4d90695 · 4d90695
1 parent 367c839
commit 4d90695
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/nix/cardano/entrypoints.nix b/nix/cardano/entrypoints.nix
@@ -427,10 +427,18 @@ in {
         )
 
         local json
-        json=$("''${cmd[@]}" | jq '.data.data') 2>/dev/null
 
-        PGUSER=$(echo "$json"|jq -e -r '."pgUser"')
-        PGPASS=$(echo "$json"|jq -e -r '."pgPass"')
+        if [[ $VAULT_KV_PATH =~ .*/creds/.* ]]; then
+          local qdata quser qpass
+          qdata=".data"
+          quser=".username"
+          qpass=".password"
+        fi
+
+        json=$("''${cmd[@]}" | jq "''${qdata:-.data.data}") 2>/dev/null
+
+        PGUSER=$(echo "$json"|jq -e -r "''${quser:-.pgUser}")
+        PGPASS=$(echo "$json"|jq -e -r "''${qpass:-.pgPass}")
         echo -n "$PSQL_ADDR0:$DB_NAME:$PGUSER:$PGPASS" > "$PGPASSFILE"
         test -z "''${PGPASSFILE:-}" || chmod 0600 "$PGPASSFILE"
       }