From 7ad3e809a46c0bbb1796fb2ea864839a5ed2b22c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ste=CC=81phane=20Cottin?=
Date: Thu, 17 Sep 2020 17:25:14 +0200
Subject: [PATCH 1/2] Obtain vault token from approle auth using VAULT_ROLE_ID and VAULT_ROLE_SECRET env vars.
---
 deploy/vault_cli.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh
index 8b854137..cd182c9f 100644
--- a/deploy/vault_cli.sh
+++ b/deploy/vault_cli.sh
@@ -12,6 +12,10 @@
 # additionally, you need to ensure that VAULT_TOKEN is avialable or
 # `vault auth` has applied the appropriate authorization for the vault binary
 # to access the vault server
+#
+# If VAULT_ROLE_ID and VAULT_ROLE_SECRET are available, get a valid token using the
+# vault approle authentication method.
+# https://www.vaultproject.io/docs/auth/approle
 #returns 0 means success, otherwise error.
@@ -49,6 +53,15 @@ vault_cli_deploy() {
 return 1
 fi
+ if [ -n "$VAULT_ROLE_ID" ]; then
+ export VAULT_TOKEN=$(vault write -field=token auth/approle/login \
+ role_id="$VAULT_ROLE_ID" secret_id="$VAULT_ROLE_SECRET")
+ if [ ! $? ]; then
+ _err "cannot login to vault approle ${VAULT_ROLE_ID}!"
+ return 1
+ fi
+ fi
 if [ -n "$FABIO" ]; then
 $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
 else
From 1ea5fe6b6de8340f1318a6eb353702dbef9a3054 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ste=CC=81phane=20Cottin?=
Date: Thu, 17 Sep 2020 17:35:24 +0200
Subject: [PATCH 2/2] SC2155: Declare and assign separately to avoid masking return values
---
 deploy/vault_cli.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/deploy/vault_cli.sh b/deploy/vault_cli.sh
index cd182c9f..575b30f6 100644
--- a/deploy/vault_cli.sh
+++ b/deploy/vault_cli.sh
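Review bot: The new header comment says a token is fetched when VAULT_ROLE_ID and VAULT_ROLE_SECRET "are available", but the code added in the next hunk only tests `[ -n "$VAULT_ROLE_ID" ]`, and the token it obtains is written over whatever VAULT_TOKEN the caller had already exported, so a reader of this comment gets the wrong contract on both points. Suggest stating it as: `# If VAULT_ROLE_ID is set, log in with the vault approle auth method using VAULT_ROLE_ID and VAULT_ROLE_SECRET (both must be set); the token obtained this way replaces any VAULT_TOKEN already in the environment.`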
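Review bot: The approle login on the `export VAULT_TOKEN=$(vault write ...` line hands the secret to the vault process as a command-line argument, `secret_id="$VAULT_ROLE_SECRET"`, which makes it readable by every local user through `ps` or `/proc/<pid>/cmdline` for as long as the login runs. The vault CLI reads a value given as `-` from standard input, so pass it that way from the shell's builtin `printf`: `export VAULT_TOKEN=$(printf '%s' "$VAULT_ROLE_SECRET" | $VAULT_CMD write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id=-)`. That also routes the call through `$VAULT_CMD`, as the `$VAULT_CMD write "${VAULT_PREFIX}/..."` line just below does, instead of whichever `vault` is first in PATH; I am assuming `$VAULT_CMD` is resolved earlier in `vault_cli_deploy`, whose start and end lie outside this hunk. Note too that the block is entered whenever VAULT_ROLE_ID alone is set, so an unset VAULT_ROLE_SECRET turns into a login attempt with an empty secret rather than a clear configuration error; a guard such as `[ -z "$VAULT_ROLE_SECRET" ] && { _err "VAULT_ROLE_SECRET is not set"; return 1; }` before the login would surface that.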
@@ -54,12 +54,13 @@ vault_cli_deploy() {
 fi
 if [ -n "$VAULT_ROLE_ID" ]; then
- export VAULT_TOKEN=$(vault write -field=token auth/approle/login \
+ VAULT_TOKEN=$(vault write -field=token auth/approle/login \
 role_id="$VAULT_ROLE_ID" secret_id="$VAULT_ROLE_SECRET")
 if [ ! $? ]; then
 _err "cannot login to vault approle ${VAULT_ROLE_ID}!"
 return 1
 fi
+ export VAULT_TOKEN
 fi
 if [ -n "$FABIO" ]; then
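Review bot: The failure check `if [ ! $? ]; then` that follows the new `VAULT_TOKEN=$(vault write ...` assignment can never fire: `$?` expands to a number such as `0` or `2`, and `[ ! "2" ]` only asks whether that string is empty, which is false for every exit status. This commit correctly stops `export` from masking the login's status, but a failed login still falls through the check, an empty VAULT_TOKEN is then exported by the added `export VAULT_TOKEN` line, and the later `$VAULT_CMD write` runs with it instead of the function returning 1 as the `_err` branch intends. Either compare numerically, `if [ $? -ne 0 ]; then`, or tie the test directly to the assignment so nothing can disturb `$?` in between: `if ! VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="$VAULT_ROLE_SECRET"); then` (in POSIX sh the status of an assignment from a command substitution is the command's status). The enclosing `vault_cli_deploy` starts and ends outside this hunk.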