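#!/usr/bin/env bash
# vault_setup.sh -- initialise, unseal and configure the pcgl-authz Vault
# container, then provision an AppRole policy/role/token and seed the
# "keycloak" kv store with the client id and secret.
#
# Requires: docker, jq, curl; a secrets.sh in the cwd that exports
#   PCGL_CLIENT_ID and PCGL_CLIENT_SECRET.
# Re-runnable: when `vault operator init` reports the vault is already
#   initialised, the unseal keys/root token are read back from
#   tmp/vault/keys.txt (line layout: "keys: ", 5 keys, "root: ", token).
#
# No `set -e` on purpose: some steps (secrets enable, restart) legitimately
# fail on a re-run, so the steps that must succeed are checked explicitly.
set -Euo pipefail
LOGFILE=tmp/progress.txt
VAULT_SERVICE_PUBLIC_URL=http://127.0.0.1:8200
PCGL_DEBUG_MODE=1
KEYS_FILE=tmp/vault/keys.txt
# make sure we have all the env vars:
source secrets.sh

die() { printf '%s\n' "$*" >&2; exit 1; }

for tool in docker jq curl; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# -m1 so a second, unrelated match cannot turn $vault into a multi-line
# value that breaks every `docker exec`/`docker cp` below.
vault=$(docker ps -a --format "{{.Names}}" | grep -m1 pcgl-authz_vault_1 | awk '{print $1}')
vault_runner=$(docker ps -a --format "{{.Names}}" | grep -m1 pcgl-authz_runner_1 | awk '{print $1}')
[[ -n "$vault" ]] || die "vault container pcgl-authz_vault_1 not found"

# The root token is handed to curl through a 0600 header file (mktemp
# default mode) instead of argv, so it does not show in `ps` or `set -x`.
hdr_file=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$hdr_file"; }
trap cleanup EXIT

#######################################
# POST a JSON document (read from stdin) to the Vault HTTP API.
# Globals:   VAULT_SERVICE_PUBLIC_URL, hdr_file (read)
# Arguments: $1 - API path below /v1/, e.g. auth/token/roles/approle
# Outputs:   response body on stdout
# Returns:   curl status; non-zero on transport error or HTTP >= 400
#######################################
vault_post() {
  curl --silent --show-error --fail --request POST \
    --header @"$hdr_file" --data-binary @- \
    "${VAULT_SERVICE_PUBLIC_URL}/v1/$1"
}

docker cp vault-config.json "$vault":/vault/config/ || die "could not copy vault-config.json into $vault"
# if vault isn't started, start it:
docker restart "$vault"
echo ">> waiting for vault to start"
# Not `grep -q`: under pipefail an early grep exit can SIGPIPE `docker ps`
# and turn a successful match into a failed pipeline.
until docker ps --format "{{.Names}}" | grep vault_1 >/dev/null; do
  echo "..."
  sleep 1
done
sleep 10
mkdir -p tmp/vault

# gather keys and login token
# `operator init` fails when the vault is already initialised; that is the
# signal to fall back to the keys saved by an earlier run.
if stuff=$(docker exec "$vault" vault operator init -format=json); then
  echo ">> initialized vault, saving keys"
  key_1=$(jq -r '.unseal_keys_b64[0]' <<<"$stuff")
  key_2=$(jq -r '.unseal_keys_b64[1]' <<<"$stuff")
  key_3=$(jq -r '.unseal_keys_b64[2]' <<<"$stuff")
  key_4=$(jq -r '.unseal_keys_b64[3]' <<<"$stuff")
  key_5=$(jq -r '.unseal_keys_b64[4]' <<<"$stuff")
  key_root=$(jq -r '.root_token' <<<"$stuff")
  [[ -n "$key_1" && -n "$key_root" && "$key_root" != "null" ]] || die "could not parse operator init output"
  # The keys themselves are deliberately not printed: stdout ends up in
  # terminal scrollback and CI logs.
  echo "found 5 unseal keys and the root token"
  # save keys (0600 before anything is written into the file)
  touch "$KEYS_FILE" && chmod 600 "$KEYS_FILE" || die "cannot create $KEYS_FILE"
  {
    printf 'keys: \n%s\n' "$key_1"
    printf '%s\n' "$key_2" "$key_3" "$key_4" "$key_5"
    printf 'root: \n%s\n' "$key_root"
  } > "$KEYS_FILE"
  # NOTE(review): this places the unseal keys and root token inside the
  # Vault container itself, next to the sealed storage, which defeats the
  # purpose of sealing. Kept because other tooling may read it from there;
  # confirm whether anything does and drop it if not.
  docker cp "$KEYS_FILE" "$vault":/vault/config/
else
  echo ">> retrieving keys"
  [[ -r "$KEYS_FILE" ]] || die "vault already initialised but $KEYS_FILE is missing"
  key_1=$(head -n 2 "$KEYS_FILE" | tail -n 1)
  key_2=$(head -n 3 "$KEYS_FILE" | tail -n 1)
  key_3=$(head -n 4 "$KEYS_FILE" | tail -n 1)
  key_root=$(tail -n 1 "$KEYS_FILE")
fi
printf 'X-Vault-Token: %s\n' "$key_root" > "$hdr_file"

echo ">> attempting to automatically unseal vault:"
# Direct exec instead of `sh -c "... ${key}"`: no shell re-parsing of the
# key material inside the container.
docker exec "$vault" vault operator unseal "$key_1" || die "unseal with key 1 failed"
docker exec "$vault" vault operator unseal "$key_2" || die "unseal with key 2 failed"
docker exec "$vault" vault operator unseal "$key_3" || die "unseal with key 3 failed"

# login (persists the token in the container so later `vault` execs work);
# -no-print keeps the root token out of the output.
echo
echo ">> logging in automatically -- "
docker exec "$vault" vault login -no-print "$key_root" || die "vault login failed"

# configuration
# audit file
# echo
# echo ">> enabling audit file"
# docker exec $vault sh -c "vault audit enable file file_path=/vault/vault-audit.log"

# enable approle
echo
echo ">> enabling approle"
docker exec "$vault" vault auth enable approle
echo ">> setting up approle policy"
# `policy write NAME -` reads the policy from stdin, so no intermediate
# file is left in the container and no `sh -c` string is assembled.
printf '%s\n' 'path "auth/approle/role/*" {capabilities = ["create", "update", "read", "delete"]}' \
  | docker exec -i "$vault" vault policy write approle - || die "policy write failed"

echo
echo ">> setting up approle role"
cidr_block=$(docker network inspect --format "{{json .IPAM.Config}}" candigv2_default | jq -r '.[0].Gateway')
cidr_block="${cidr_block}/27"
if [[ "$PCGL_DEBUG_MODE" -eq 1 ]]; then
  role_body='{}'
else
  role_body=$(jq -n --arg cidr "$cidr_block" '{bound_cidrs: [$cidr]}')
fi
printf '%s' "$role_body" | vault_post auth/token/roles/approle || die "creating approle role failed"

echo
echo ">> setting up approle token"
approle_token=$(printf '%s' '{"policies": ["approle"]}' \
  | vault_post auth/token/create/approle \
  | jq -r '.auth.client_token') || die "creating approle token failed"
[[ -n "$approle_token" && "$approle_token" != "null" ]] || die "no client_token in approle token response"
touch tmp/vault/approle-token && chmod 600 tmp/vault/approle-token || die "cannot create tmp/vault/approle-token"
printf '%s\n' "$approle_token" > tmp/vault/approle-token
docker cp tmp/vault/approle-token "$vault":/vault/config/approle-token

# Containers need to access the client secret and id:
docker exec "$vault" vault secrets enable -path=keycloak -description="keycloak kv store" kv
# Build the JSON with jq so a value containing quotes or backslashes can
# neither break nor inject into the document; stdin keeps it out of argv.
jq -n --arg v "$PCGL_CLIENT_SECRET" '{value: $v}' | vault_post keycloak/client-secret || die "storing client secret failed"
jq -n --arg v "$PCGL_CLIENT_ID" '{value: $v}' | vault_post keycloak/client-id || die "storing client id failed"

## SPECIAL STORES ACCESS
docker restart "$vault_runner"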