#!/usr/bin/env python3
import argparse
import subprocess
import yaml
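def _main():
    """Sync Azure Key Vault secrets from gopass according to data/keyvault.yaml.

    The YAML file maps each key vault name to a mapping of
    ``secret name -> gopass key``. A gopass key of ``None`` deletes the secret
    from the vault; any other value is read with ``gopass show`` and written
    with ``az keyvault secret set``.

    Command-line options:
        --keyvault: only process the vault with this name (default: all).

    Raises:
        subprocess.CalledProcessError: if ``gopass show`` or
            ``az keyvault secret set`` exits with a non-zero status.
    """
    # Local imports: only needed for the temporary secret file used below.
    import os
    import tempfile

    parser = argparse.ArgumentParser(description="Fill the Azure keyvault from gopass")
    parser.add_argument("--keyvault", help="The Azure keyvault name to sync")
    args = parser.parse_args()

    with open("data/keyvault.yaml", encoding="utf-8") as f:
        # SafeLoader only builds plain data types. An empty file loads as
        # None, so fall back to an empty mapping instead of crashing below.
        config = yaml.load(f, Loader=yaml.SafeLoader) or {}

    for keyvault, keys in config.items():
        if args.keyvault and keyvault != args.keyvault:
            continue
        # A vault listed without any entries loads as None.
        for keyvault_key, gopass_key in (keys or {}).items():
            if gopass_key is None:
                # delete the key
                print(f"Deleting {keyvault}:{keyvault_key}")
                cmd = [
                    "az",
                    "keyvault",
                    "secret",
                    "delete",
                    f"--vault-name={keyvault}",
                    f"--name={keyvault_key}",
                ]
                # No check=True: a failed delete does not abort the run.
                # NOTE(review): presumably so an already-deleted secret is
                # tolerated on repeated runs -- confirm this is intended.
                subprocess.run(cmd, stdout=subprocess.PIPE, encoding="utf-8")
            else:
                print(f"Syncing {keyvault}:{keyvault_key} from {gopass_key}")
                # The config value is split on the first space, so anything
                # after it is passed to `gopass show` as a second argument.
                value = subprocess.run(
                    ["gopass", "show", *gopass_key.split(' ', 1)],
                    check=True,
                    stdout=subprocess.PIPE,
                    encoding="utf-8",
                ).stdout.strip()
                # Hand the secret to az through a file instead of
                # `--value=...`: command-line arguments are visible to other
                # local processes (process listings), whereas the temporary
                # directory is created accessible to the current user only
                # and is removed as soon as az returns.
                # NOTE(review): az may record a file-encoding tag on secrets
                # set via --file -- confirm that is acceptable for consumers.
                with tempfile.TemporaryDirectory() as secret_dir:
                    secret_path = os.path.join(secret_dir, "value")
                    # newline="" keeps the value's line endings untouched.
                    with open(secret_path, "w", encoding="utf-8", newline="") as secret_file:
                        secret_file.write(value)
                    cmd = [
                        "az",
                        "keyvault",
                        "secret",
                        "set",
                        f"--vault-name={keyvault}",
                        f"--name={keyvault_key}",
                        f"--file={secret_path}",
                        "--encoding=utf-8",
                    ]
                    # stdout is captured and dropped rather than shown.
                    # NOTE(review): az presumably echoes the stored secret as
                    # JSON, so this keeps it off the terminal -- confirm.
                    subprocess.run(cmd, check=True, stdout=subprocess.PIPE, encoding="utf-8")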
# Run the sync only when this file is executed as a script, not on import.
if __name__ == "__main__":
    _main()