Small enhacements, new render command

bash_completion

@@ -3,7 +3,7 @@ _ctctl(){
   _init_completion || return
 
   case $prev in
-    auth|disconnect|prep|current|tokens|list|build|build-no-cache|volumes|logs|conf)
+    auth|disconnect|render|current|tokens|list|build|build-no-cache|volumes|logs|conf)
       return
       ;;
     switch)
@@ -12,7 +12,7 @@ _ctctl(){
       ;;
   esac
 
-  COMPREPLY=($(compgen -W 'auth switch current disconnect prep tokens list build build-no-cache volumes logs conf' -- "$cur"))
+  COMPREPLY=($(compgen -W 'auth switch current disconnect render prep tokens list build build-no-cache volumes logs conf' -- "$cur"))
 } &&
     complete -F _ctctl ctctl
 

ctctl

@@ -52,7 +52,6 @@ load_config(){
       source ~/.ctctl/${CTCTL_DOMAIN}/ctctl.local.conf
       set +o allexport
     fi
-
   fi
 }
 
@@ -71,8 +70,8 @@ switch_env(){
     kill -INT $$
   fi
 
-  # Clean any variable
-  for VAR in $(printenv | perl -ne  '/^((CTCTL|CONSUL|VAULT|NOMAD)_[^=]+)=.*/ && print "$1\n"'); do
+  # Clear any variable
+  for VAR in $(printenv | grep -E '^(CTCTL|CONSUL|VAULT|NOMAD)_.*' | sed -E 's/^([^=]+)=.*/\1/'); do
     unset ${VAR}
   done
 
@@ -93,11 +92,9 @@ switch_env(){
   # Authenticate
   auth_env
 
-  local NAMESPACE_LIST=$(ls_namespace)
-
   if [ -z "${TARGET_NAMESPACE}" ]; then
-    if [ $(echo -n ${NAMESPACE_LIST} | wc -w) -eq 1 ]; then
-      TARGET_NAMESPACE=${NAMESPACE_LIST}
+    if [ $(ls_namespace | wc -w) -eq 1 ]; then
+      TARGET_NAMESPACE=$(ls_namespace)
     else
       echo "Select the namespace you are working in"
       TARGET_NAMESPACE=$(ls_namespace | ${FZF_CMD})
@@ -112,9 +109,19 @@ switch_env(){
 
 # Check if we have a valid token for vault
 check_vault_token(){
-  vault read auth/token/lookup-self > /dev/null 2>&1
-  if [ $? == 0 ]; then
+  vault token lookup > /dev/null 2>&1
+  if vault token lookup > /dev/null 2>&1; then
     echo 1
+  elif [ -n "${VAULT_TOKEN:-}" -a -e ~/.vault-token ]; then
+    # If VAULT_TOKEN is defined, unset it and try again. This is because we might
+    # have a valid token in ~/.vault-token but an expired token is set in VAULT_TOKEN
+    # and is taking precedence
+    export VAULT_TOKEN=$(cat ~/.vault-token)
+    if vault token lookup > /dev/null 2>&1; then
+      echo 1
+    else
+      echo 0
+    fi
   else
     echo 0
   fi
@@ -163,7 +170,7 @@ auth_env(){
     echo "Your vault token is valid"
     vault token renew > /dev/null 2>&1
   fi
-  VAULT_TOKEN_INFO=$(vault read -format=json auth/token/lookup-self)
+  VAULT_TOKEN_INFO=$(vault token lookup -format=json)
   # TODO make the role selection more generic
   if [ "$(echo $VAULT_TOKEN_INFO | jq '.data.policies | any(. == "admin-policy" or .== "admin")')" == "true" ]; then
     NOMAD_ROLE=admin
@@ -192,7 +199,7 @@ auth_env(){
   # Check if we have a valid nomad token already
   if [ "$(check_nomad_token)" != "1" ]; then
     echo "Fecthing a Nomad token from vault"
-    NOMAD_CREDS=$(vault read -format=json nomad/creds/${NOMAD_ROLE})
+    NOMAD_CREDS=$(vault read -format=json ${VAULT_PREFIX:-}nomad/creds/${NOMAD_ROLE})
     export NOMAD_TOKEN=$(echo -n ${NOMAD_CREDS} | jq -r .data.secret_id)
     export NOMAD_LEASE=$(echo -n ${NOMAD_CREDS} | jq -r .lease_id)
     unset NOMAD_CREDS
@@ -203,7 +210,7 @@ auth_env(){
   # Check if we have a valid consul token already
   if [ "$(check_consul_token)" != "1" ]; then
     echo "Fetching a Consul token from vault"
-    CONSUL_CREDS=$(vault read -format=json consul/creds/${CONSUL_ROLE})
+    CONSUL_CREDS=$(vault read -format=json ${VAULT_PREFIX:-}consul/creds/${CONSUL_ROLE})
     export CONSUL_HTTP_TOKEN=$(echo -n ${CONSUL_CREDS} | jq -r .data.token)
     export CONSUL_LEASE=$(echo -n ${CONSUL_CREDS} | jq -r .lease_id)
     unset CONSUL_CREDS
@@ -250,7 +257,7 @@ ls_namespace(){
 ls_build_docker_images(){
   (for JOB in $(find . -maxdepth 1 \( -name \*.nomad -o -name \*.nomad.hcl \)); do
        nomad run -output $JOB | jq '.Job.TaskGroups' | jq '.[] | .Tasks' | jq -r '.[] | .Config.image' 2>/dev/null
-     done) | grep -E "${DOCKER_BUILD_REPO_REGEX:-docker-repo.ehtrace.com}" | sort -u
+     done) | grep -E "${CTCTL_DOCKER_BUILD_REPO_REGEX:-docker-repo.ehtrace.com}" | sort -u
 }
 
 # Load policies for vault, Consul and Nomad
@@ -419,7 +426,8 @@ render_templates(){
     FILE=$(basename ${TEMPLATE} .tpl)
     DEST=${DIR}/${FILE}
     echo "Rendering ${TEMPLATE} into ${DEST}"
-    levant render -var-file ${MERGED_CONF} -log-level=WARN ${TEMPLATE} > ${DEST}
+    # Note: render twice, so included templates get rendered too
+    levant render -var-file ${MERGED_CONF} -log-level=WARN <(levant render -var-file ${MERGED_CONF} -log-level=WARN ${TEMPLATE}) > ${DEST}
     nomad fmt ${DEST}
   done
 
@@ -559,6 +567,10 @@ case $1 in
     ls_env
     renew_leases
     ;;
+  render)
+    render_templates
+    renew_leases
+    ;;
   prep)
     render_templates
     load_policies

ctctl.example.conf

@@ -8,9 +8,15 @@
 # export EHT_MAVEN_PWD=$(vault kv get -field=pwd kv/admin/maven)
 # export CTCTL_DOCKER_BUILD_OPTS="--secret id=EHT_MAVEN_PWD"
 
-# VAULT_AUTH_CONFIG define options for vault login, for example
+# CTCTL_DOCKER_BUILD_REPO_REGEX defines a regex against which docker image will be compared
+# and if it matches, images will be built and pushed to it during prep/build/build-no-cache
+
+# VAULT_AUTH_CONFIG defines options for vault login, for example
 # VAULT_AUTH_CONFIG="-method=approle role_id=XXXXXX secret_id=YYYYY"
 
+# VAULT_PREFIX defines a prefix to prepend to all vault paths
+# VAULT_PREFIX="prd/"
+
 # If using Loki, you can configure access to it
 # LOKI_ADDR=https://loki.domain.tld
 # LOKI_USER=loki