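#!/bin/sh
# Configure Vault's Nomad secrets engine with the Nomad API token and the
# client TLS material stored in the certificate bundle, then delete the bundle.
#
# Arguments:
#   $1 - Nomad token written to the secrets engine configuration
#   $2 - Vault token used to authenticate the write
#
# NOTE(review): "set -o pipefail" is not accepted by every /bin/sh (older dash
# builds reject it) - confirm the target hosts' sh supports it.
# NOTE(review): both tokens arrive as positional arguments, so they are visible
# in the process list while this script runs; changing that needs a caller-side
# change (for example passing them through the environment or stdin).
set -eo pipefail

NOMAD_TOKEN=$1
VAULT_TOKEN=$2
NOMAD_CERT_BUNDLE="{{ vault_root_dir }}/tmp/nomad_client_bundle.json"
# NOTE(review): this is assigned but not exported, so the vault CLI only sees
# it when VAULT_ADDR is already exported by the caller - confirm the intent.
VAULT_ADDR="{{ vault_conf.api_addr }}"

# The bundle contains the client private key. Remove it on every exit path,
# including a write that fails and aborts the script through "set -e".
trap 'rm -f -- "$NOMAD_CERT_BUNDLE"' EXIT
# Turn common termination signals into a normal exit so the EXIT trap runs.
trap 'exit 1' HUP INT TERM

# Query Vault once so the three checks below read the same snapshot.
# "vault status" exits non-zero for a sealed or unreachable server; that must
# select one of the "exiting" branches rather than abort the script.
vault_status=$(vault status -format=json) || true

# Print one field of the captured status document (empty when it is not JSON).
status_field() {
  printf '%s' "$vault_status" | jq "$1"
}

if [ "$(status_field .is_self)" != "true" ]; then
  echo "We're not the active vault, exiting"
elif [ "$(status_field .sealed)" != "false" ]; then
  echo "Vault is sealed, exiting"
elif [ "$(status_field .initialized)" != "true" ]; then
  echo "Vault is not initialized yet, exiting"
else
  echo Updating Vault certificate to access Nomad API
  # Build the request as JSON and hand it to "vault write" on stdin, so the
  # private key and the Nomad token never appear in another process's argv.
  # The token reaches jq through its environment (jq's "env" object).
  # A bundle without the expected fields makes jq fail, and pipefail plus
  # "set -e" then stop the script instead of writing empty or "null" values.
  NOMAD_TOKEN="$NOMAD_TOKEN" jq \
    --arg address "{{ vault_secrets.nomad.address }}" '
      if (.issuing_ca and .certificate and .private_key) then
        {
          address: $address,
          token: env.NOMAD_TOKEN,
          ca_cert: .issuing_ca,
          client_cert: .certificate,
          client_key: .private_key
        }
      else
        error("certificate bundle is missing issuing_ca, certificate or private_key")
      end
    ' "$NOMAD_CERT_BUNDLE" |
    VAULT_TOKEN="$VAULT_TOKEN" vault write \
      "{{ vault_secrets.nomad.secret.path }}/config/access" -
fi

echo Removing Nomad client certificate from the filesystem
rm -f -- "$NOMAD_CERT_BUNDLE"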