Merge pull request #46 from CodeNow/SAN-6292-add-cleanup-back-in

Delete certs, consul-resources when the dock finishes initializing.

Author: Myztiq

init.sh

@@ -40,9 +40,12 @@ source "${DOCK_INIT_BASE}/lib/aws.sh"
 source "${DOCK_INIT_BASE}/lib/dock.sh"
 source "${DOCK_INIT_BASE}/lib/container.sh"
 source "${DOCK_INIT_BASE}/lib/iptables.sh"
+source "${DOCK_INIT_BASE}/lib/cleanup.sh"
 
 # Initializes the dock
 main() {
+  # Make sure to setup the exit trap first so we never have a dock with creds hanging about
+  cleanup::set_exit_trap
   consul::connect
   consul::get_environment
   consul::configure_consul_template

lib/cleanup.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# An "on exit" trap to clean up sensitive keys and files on the dock itself.
+# Note that this will have no effect if the `DONT_DELETE_KEYS` environment has
+# been set (useful for testing)
+cleanup::exit_trap() {
+  # Delete the keys unless the `DONT_DELETE_KEYS` flag is set
+  if [[ "${DONT_DELETE_KEYS}" == "" ]]; then
+    log::info '[CLEANUP TRAP] Removing Keys'
+    rm -f "${CERT_PATH}"/ca-key.pem \
+          "${CERT_PATH}"/pass \
+          "${DOCK_INIT_BASE}"/consul-resources/template-config.hcl \
+          "${DOCK_INIT_BASE}"/consul-resources/vault/**/auth-token \
+          "${DOCK_INIT_BASE}"/consul-resources/vault/**/token-* \
+          "${DOCK_INIT_BASE}"/key/rollbar.token
+  fi
+}
+
+# Sets the cleanup trap for the entire script
+cleanup::set_exit_trap() {
+  log::info "Setting key cleanup trap"
+  trap 'cleanup::exit_trap' EXIT
+}