From 511b6ca4e127cd539ee7ff6c7e77b1471b8f7d16 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras
Date: Mon, 9 May 2022 23:07:17 +0300
Subject: [PATCH] misc/vault-keyring-client.sh: add flock workaround

Otherwise running terraform under tf-stage2 will often fail with:
> ansible.errors.AnsibleError: Vault password client script
> ../misc/vault-keyring-client.sh did not find a secret for
> vault-id=default: b'gpg: decryption failed: No secret key\n'
---
 misc/vault-keyring-client.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/misc/vault-keyring-client.sh b/misc/vault-keyring-client.sh
index 23ac7106..4f24f902 100755
--- a/misc/vault-keyring-client.sh
+++ b/misc/vault-keyring-client.sh
@@ -1,2 +1,8 @@
 #!/bin/sh
-exec gpg --batch --decrypt --quiet "$(dirname $0)/vault-$2-password.gpg"
+
+readonly vault_password_file_encrypted="$(dirname $0)/vault-$2-password.gpg"
+
+# often getting "gpg: decryption failed: No secret key" in tf-stage2
+# seems to work with flock (issue last reproduced with gnupg 2.2.35)
+flock "$vault_password_file_encrypted" \
+ gpg --batch --decrypt --quiet "$vault_password_file_encrypted"
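Review bot: The path assigned on the `readonly` line is built from an unquoted `$0` and the caller-supplied vault id `$2`, and it is handed to `flock` without any check that the file exists. As far as I know, util-linux `flock` opens its lock file with O_CREAT, so a mistyped or unexpected vault id would leave an empty `vault-<id>-password.gpg` next to the script before gpg fails. A guard such as `[ -f "$vault_password_file_encrypted" ] || exit 1` ahead of the `flock` line avoids that, and `"$(dirname -- "$0")"` keeps a checkout path containing spaces intact. The lock also has no timeout, so a stuck holder would block every later vault lookup indefinitely; `flock -w <seconds>` would bound the wait. The comment could state that the lock presumably serializes concurrent gpg decryptions of the same password file, so the next maintainer knows why it is there.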