Rotate operator secrets into agenix and deepen caches

Scripts/cloudflare-upsert-a-record.sh

@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+# shellcheck source=Scripts/_burrow-secrets.sh
+source "${SCRIPT_DIR}/_burrow-secrets.sh"
+
 usage() {
   cat <<'EOF'
 Usage: Scripts/cloudflare-upsert-a-record.sh --zone <zone> --name <fqdn> --ipv4 <address> [options]
@@ -13,7 +18,7 @@ Options:
   --name <fqdn>              Fully-qualified DNS record name
   --ipv4 <address>           IPv4 address for the A record
   --token-file <path>        Cloudflare API token file
-                             default: intake/cloudflare-token.txt
+                             default: secrets/cloudflare/api-token.age, then intake/cloudflare-token.txt
   --ttl <seconds|auto>       Record TTL, or auto
                              default: auto
   --proxied <true|false>     Whether to proxy through Cloudflare
@@ -25,10 +30,15 @@ EOF
 ZONE_NAME=""
 RECORD_NAME=""
 IPV4=""
-TOKEN_FILE="intake/cloudflare-token.txt"
+TOKEN_FILE="${CLOUDFLARE_TOKEN_FILE:-}"
 TTL_VALUE="auto"
 PROXIED="false"
 
+cleanup() {
+  burrow_cleanup_secret_tmpfiles
+}
+trap cleanup EXIT
+
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --zone)
@@ -71,11 +81,16 @@ if [[ -z "${ZONE_NAME}" || -z "${RECORD_NAME}" || -z "${IPV4}" ]]; then
   usage >&2
   exit 2
 fi
-
-if [[ ! -f "${TOKEN_FILE}" ]]; then
-  echo "Cloudflare token file not found: ${TOKEN_FILE}" >&2
+TOKEN_FILE="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "${TOKEN_FILE}" \
+    "${REPO_ROOT}/intake/cloudflare-token.txt" \
+    "${REPO_ROOT}/secrets/cloudflare/api-token.age"
+)" || {
+  echo "Cloudflare token file could not be resolved" >&2
   exit 1
-fi
+}
 
 if [[ ! "${IPV4}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
   echo "Invalid IPv4 address: ${IPV4}" >&2