Fix predeploy to grab unseal keys from target vault

Prior to this change, keys were being grabbed from the active vault being used to deploy this vault. If that vault also had vault unseal keys, they would be grabbed, but fail to unseal this fault in the post-deploy hook. Fixes #16
genesis-community · Oct 30, 2020 · 9162e4c · 9162e4c
1 parent 45dd32e
commit 9162e4c
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/hooks/pre-deploy b/hooks/pre-deploy
@@ -19,11 +19,12 @@ set -eu
 #
 # it's like magic!
 
-# FIXME: Only grab unseal keys if you ARE the target vault
-i=1
-(while safe exists "secret/vault/seal/keys:key$i"; do
-  safe read "secret/vault/seal/keys:key$i"
-  i="$((i+=1))"
-done) > "$GENESIS_PREDEPLOY_DATAFILE"
-[[ -s "$GENESIS_PREDEPLOY_DATAFILE" ]] || rm "$GENESIS_PREDEPLOY_DATAFILE"
+if safe targets --json | jq -e --arg alias "$GENESIS_ENVIRONMENT" '.[] |select(.name == $alias)' &>/dev/null ; then
+  i=1
+  (while safe exists "secret/vault/seal/keys:key$i"; do
+    safe -T "$GENESIS_ENVIRONMENT" read "secret/vault/seal/keys:key$i"
+    i="$((i+=1))"
+  done) > "$GENESIS_PREDEPLOY_DATAFILE"
+  [[ -s "$GENESIS_PREDEPLOY_DATAFILE" ]] || rm "$GENESIS_PREDEPLOY_DATAFILE"
+fi
 exit 0