vault-ops/infra/scripts/vault-agent-post-chain.sh

#!/usr/bin/env bash
set -Eeuo pipefail
# ===== Logs =====
# Escape sequences used by the log helpers (bold / reset / green / yellow /
# red). They are only emitted when stdout is a terminal, so output that is
# redirected into a journal or agent log stays plain text.
if [[ -t 1 ]]; then
  B=$'\e[1m'   # bold
  R=$'\e[0m'   # reset
  G=$'\e[32m'  # green
  Y=$'\e[33m'  # yellow
  E=$'\e[31m'  # red
else
  B=''
  R=''
  G=''
  Y=''
  E=''
fi
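# info MSG... — informational line on stdout.
# printf '%s' is used instead of `echo -e`: arguments (paths, container IDs,
# jq output) are printed literally, so a backslash sequence inside them is
# never interpreted as an escape. The colour codes in G/B/R are already real
# ESC bytes and need no -e.
info(){ printf '%s\n' "🟦 ${G}${B}[INFO]${R} $*"; }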
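# ok MSG... — success line on stdout.
# printf '%s' rather than `echo -e`, so backslash sequences in the message
# (e.g. a path taken from the environment) are printed verbatim.
ok(){ printf '%s\n' "🟩 ${G}${B}[ OK ]${R} $*"; }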
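# warn MSG... — non-fatal problem, written to stdout like the other helpers.
# printf '%s' rather than `echo -e`, so backslash sequences in the message
# (e.g. captured tool output) are printed verbatim.
warn(){ printf '%s\n' "🟨 ${Y}${B}[WARN]${R} $*"; }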
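# die MSG... — fatal error: message to stderr, then exit 1.
# printf '%s' rather than `echo -e`, so backslash sequences in the message
# (e.g. a file path from the environment) are printed verbatim.
die(){ printf '%s\n' "🟥 ${E}${B}[FAIL]${R} $*" >&2; exit 1; }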
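# ===== Context =====
# Paths are resolved relative to this script's location inside the agent
# directory; every input/output path can be overridden from the environment.
SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
AGENT_DIR="$(dirname -- "$SCRIPT_DIR")"                          # …/.vault-agent-<app>-ca
JSON_CA="${JSON_CA:-${AGENT_DIR}/.ca.json}"                      # rendered by the agent template
ROOT_FILE="${ROOT_FILE:-$HOME/vault/ca/ca.pem}"                  # root cert, appended after the issuing CA
CHAIN_FILE="${CHAIN_FILE:-$HOME/nginx/ca/current-ca-chain.pem}"  # destination chain file
RELOAD_TLS_LABEL="${RELOAD_TLS_LABEL:-tls=true}"                 # container label for the NGINX reload (empty = off)
# Preconditions: fail early and loudly rather than writing a broken chain.
command -v jq >/dev/null || die "jq not found"
[[ -r "$JSON_CA" ]] || die "render JSON missing: $JSON_CA"
[[ -r "$ROOT_FILE" ]] || die "Root file missing: $ROOT_FILE"
# '--' so a path that starts with '-' is not parsed as an option.
mkdir -p -- "$(dirname -- "$CHAIN_FILE")"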
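# ===== Build chain =====
# Assemble <issuing CA> + <root CA> into CHAIN_FILE. The temp file is created
# next to the destination so the final rename is atomic: a reader (e.g. the
# nginx reload below) sees either the old chain or the complete new one,
# never a partially written file. The trap removes the temp file on any exit;
# after a successful rename there is nothing left to remove (rm -f is silent).
TMP="$(mktemp "${CHAIN_FILE}.XXXXXX")"; trap 'rm -f -- "$TMP"' EXIT
# Prefer issuing_ca; fall back to the first ca_chain entry, then certificate.
ISS_CA=$(jq -r '.issuing_ca // (.ca_chain[0] // .certificate // "")' "$JSON_CA")
[[ -n "${ISS_CA// }" ]] || die "no issuing_ca in $JSON_CA"
# Refuse to publish anything that is not a PEM certificate block; otherwise
# garbage from a bad render would end up in the chain nginx serves.
[[ "$ISS_CA" == *"-----BEGIN CERTIFICATE-----"* ]] || die "issuing_ca in $JSON_CA is not a PEM certificate"
{
  printf '%s\n' "$ISS_CA"
  cat -- "$ROOT_FILE"
} > "$TMP"
chmod -- 0644 "$TMP"           # mktemp creates 0600; the chain is public material
mv -f -- "$TMP" "$CHAIN_FILE"  # atomic replace (same directory as CHAIN_FILE)
ok "chain → $CHAIN_FILE"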
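# ===== Optional container reload (label) =====
# Ask every running container carrying RELOAD_TLS_LABEL to re-read the chain.
# Best effort by design: the chain is already installed at this point, so a
# failed reload is reported with warn but does not change the exit status.
if [[ -n "$RELOAD_TLS_LABEL" ]]; then
  if command -v podman >/dev/null 2>&1; then
    info "reload label: $RELOAD_TLS_LABEL"
    # Run `podman ps` on its own so a failure (socket down, permissions) is
    # visible in the log instead of being indistinguishable from "no match".
    if ! PS_OUT="$(podman ps --filter "label=${RELOAD_TLS_LABEL}" --format '{{.ID}}')"; then
      warn "podman ps failed → skip reload"
    else
      mapfile -t CIDS < <(printf '%s\n' "$PS_OUT" | sed '/^$/d')
      if (( ${#CIDS[@]} == 0 )); then
        warn "no containers with label $RELOAD_TLS_LABEL → skip reload"
      else
        for cid in "${CIDS[@]}"; do
          # Validate the config first; only a passing `nginx -t` triggers the
          # reload. The output is kept so a failure can be diagnosed from the log.
          if out="$(podman exec "$cid" sh -lc 'nginx -t && nginx -s reload' 2>&1)"; then
            ok "reload OK in ${cid}"
          else
            warn "reload FAILED in ${cid}: ${out}"
          fi
        done
      fi
    fi
  else
    warn "podman not found → skip reload"
  fi
fi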