55# This product includes software developed at Datadog (https://www.datadoghq.com/).
66# Copyright 2023 Datadog, Inc.
77
8+ # Loads secrets for CI jobs from Vault (gitlab-runner path below).
9+ #
10+ # Full mode (default): requires EXTERNAL_ID_NAME, ROLE_TO_ASSUME, and AWS_ACCOUNT.
11+ # Fetches the external ID and DD API key, then assumes the AWS deployer role.
12+ #
13+ # API-key-only mode: set GET_SECRETS_API_KEY_ONLY=1 when sourcing.
14+ # Loads DD_API_KEY only (e.g. unit-test Test Optimization). Uses DD_API_KEY from
15+ # the environment when set; otherwise reads from Vault. Installs the vault CLI
16+ # on slim images that do not include it.
17+
818set -e
919
20+ VAULT_SECRETS_PATH=" kv/k8s/gitlab-runner/datadog-lambda-python/secrets"
21+ VAULT_CLI_VERSION=" ${VAULT_CLI_VERSION:- 1.18.5} "
22+
23+ _ensure_vault_cli () {
24+ command -v vault > /dev/null 2>&1 && return
25+
26+ local arch install_dir
27+ case " $( uname -m) " in
28+ x86_64 | amd64) arch=amd64 ;;
29+ aarch64 | arm64) arch=arm64 ;;
30+ * ) printf " [Error] Unsupported architecture: %s\n" " $( uname -m) " >&2 ; exit 1 ;;
31+ esac
32+
33+ install_dir=" ${TMPDIR:-/ tmp} /vault-cli-${VAULT_CLI_VERSION} -${arch} "
34+ if [ -x " ${install_dir} /vault" ]; then
35+ export PATH=" ${install_dir} :${PATH} "
36+ return
37+ fi
38+
39+ apt-get update -qq && apt-get install -y -qq curl unzip
40+ printf " Installing vault CLI %s (%s)...\n" " $VAULT_CLI_VERSION " " $arch "
41+ mkdir -p " $install_dir "
42+ curl -fsSL \
43+ " https://releases.hashicorp.com/vault/${VAULT_CLI_VERSION} /vault_${VAULT_CLI_VERSION} _linux_${arch} .zip" \
44+ -o " ${install_dir} /vault.zip"
45+ unzip -qo " ${install_dir} /vault.zip" -d " $install_dir "
46+ rm -f " ${install_dir} /vault.zip"
47+ export PATH=" ${install_dir} :${PATH} "
48+ }
49+
50+ _get_dd_api_key () {
51+ if [ -n " ${DD_API_KEY:- } " ]; then
52+ printf " Using DD_API_KEY from environment.\n"
53+ else
54+ printf " Getting DD API KEY...\n"
55+ _ensure_vault_cli
56+ DD_API_KEY=$( vault kv get -field=dd-api-key " $VAULT_SECRETS_PATH " )
57+ if [ -z " $DD_API_KEY " ]; then
58+ printf " [Error] DD_API_KEY is empty after Vault lookup.\n" >&2
59+ return 1 2> /dev/null || exit 1
60+ fi
61+ export DD_API_KEY
62+ fi
63+
64+ if [ -n " ${GITLAB_ENV:- } " ]; then
65+ echo " DD_API_KEY=${DD_API_KEY} " >> " $GITLAB_ENV "
66+ fi
67+ }
68+
69+ if [ -n " ${GET_SECRETS_API_KEY_ONLY:- } " ]; then
70+ _get_dd_api_key
71+ return 0 2> /dev/null || exit 0
72+ fi
73+
1074if [ -z " $EXTERNAL_ID_NAME " ]; then
1175 printf " [Error] No EXTERNAL_ID_NAME found.\n"
1276 printf " Exiting script...\n"
@@ -19,13 +83,13 @@ if [ -z "$ROLE_TO_ASSUME" ]; then
1983 exit 1
2084fi
2185
22- printf " Getting AWS External ID...\n "
86+ _ensure_vault_cli
2387
24- EXTERNAL_ID= $( vault kv get -field= " $EXTERNAL_ID_NAME " kv/k8s/gitlab-runner/datadog-lambda-python/secrets )
88+ printf " Getting AWS External ID...\n "
2589
26- printf " Getting DD API KEY...\n "
90+ EXTERNAL_ID= $( vault kv get -field= " $EXTERNAL_ID_NAME " " $VAULT_SECRETS_PATH " )
2791
28- export DD_API_KEY= $( vault kv get -field=dd-api-key kv/k8s/gitlab-runner/datadog-lambda-python/secrets )
92+ _get_dd_api_key
2993
3094printf " Assuming role...\n"
3195