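#!/usr/bin/env bash
# vim: syn=sh:expandtab:ts=4:sw=4:
#
# demo.sh — stand up a throw-away single-node Vault server with a self-signed
# TLS certificate, initialise and unseal it, log in with the root token and
# wire up the gopass token helper for the Vault CLI.
#
# Usage:  ./demo.sh         start (or restart) the demo server
#         ./demo.sh clean   stop the server and delete everything it created
#
# Everything lives under the current directory (bin/, etc/, var/) except the
# token helper copied into "$HOME/.vault.d" and the "token_helper" line in the
# Vault CLI config "$HOME/.vault".  The root token and unseal key are written
# to ./root.token and ./unseal.keys (owner-only) — this is a demo setup.
set -euo pipefail
# Trace every command, as the former "#!/bin/bash -x" shebang did; setting it
# here keeps the trace when the script is run as "bash demo.sh".  The trace
# shows the unseal key and root token on the lines that pass them as arguments.
set -x

# =========================================================================== CLEANUP
if [ "${1:-}" = "clean" ]
then
    killall vault 2>/dev/null || true   # no running server is not an error
    rm -fr etc var #bin
    rm -f nohup.out *.token *.keys *.hcl *.crt *.key
    exit
fi
killall vault 2>/dev/null || true       # best effort: stop a previous run
rm -fr var/vault/                       # wipe the file backend so init starts fresh
mkdir -p etc/ssl/{certs,keys} etc/vault/plugins var/vault bin

# =========================================================================== VAULT SERVER
# --------------------------------------------------------------------------- vault binary
vault="./bin/vault"   # always the downloaded binary, never a "vault" found on $PATH
if [ ! -f "$vault" ]
then
    ver="0.9.0"
    zip="vault_${ver}_linux_amd64.zip"
    sums="vault_${ver}_SHA256SUMS"
    base="https://releases.hashicorp.com/vault/$ver"
    # -f: an HTTP error must fail the download instead of saving the error
    # page under the zip's name.
    curl -fSL "$base/$zip" -o "$zip"
    curl -fSL "$base/$sums" -o "$sums"
    # Check the archive against the published checksum list (only the line
    # for this zip) before unpacking it; pipefail makes a missing line fatal.
    grep -- " $zip\$" "$sums" | sha256sum -c -
    unzip "$zip" -d "bin/"
    rm -f -- "$zip" "$sums"
fi

# --------------------------------------------------------------------------- self-signed HTTPS Certificates
key="etc/ssl/keys/vault.key"
crt="etc/ssl/certs/vault.crt"
csr="etc/ssl/vault.csr"
if [ ! -f "$key" ] || [ ! -f "$crt" ]
then
    # Two explicit steps: the CSR (and key) are fully written before x509
    # opens "-signkey", instead of racing a <(openssl req …) substitution.
    # NB: the CN (vault.local) and the SAN (vault.rocks) do not agree; that is
    # only harmless here because the client runs with VAULT_SKIP_VERIFY.
    openssl req \
        -new \
        -newkey rsa:4096 \
        -nodes \
        -keyout "$key" \
        -out "$csr" \
        -subj "/C=FR/L=Paris/O=frntn/OU=DevOps/CN=vault.local"
    openssl x509 \
        -req \
        -in "$csr" \
        -signkey "$key" \
        -sha256 \
        -days 3650 \
        -out "$crt" \
        -extfile <(printf '%s\n' \
            "basicConstraints=critical,CA:true,pathlen:0" \
            "subjectAltName=DNS:vault.rocks,IP:127.0.0.1")
    rm -f -- "$csr"
    chmod 600 "$key"   # private key: owner-only regardless of the umask
fi
# Demo only: the CLI will not verify the self-signed server certificate.
export VAULT_SKIP_VERIFY=true

# --------------------------------------------------------------------------- server config
cat <<EOF > etc/vault/config.hcl
storage "file" {
path = "var/vault"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 0
tls_cert_file = "$crt"
tls_key_file = "$key"
}
plugin_directory = "etc/vault/plugins"
disable_mlock = true
api_addr = "https://127.0.0.1:8200"
EOF

# --------------------------------------------------------------------------- server init/unseal/auth
sleep 1   # kept from the original; presumably lets a killed instance release the port
nohup "$vault" server -config=etc/vault/config.hcl &
# Wait for the listener instead of a fixed sleep: any answer from
# /v1/sys/health (even a non-2xx one while uninitialised) means the API is up.
ready=0
for _ in {1..30}
do
    if curl -ks -o /dev/null https://127.0.0.1:8200/v1/sys/health
    then
        ready=1
        break
    fi
    sleep 1
done
[ "$ready" = 1 ] || { printf '%s\n' "vault server did not come up" >&2; exit 1; }
# Capture the init output rather than tee-ing it into >(…) substitutions:
# bash does not wait for those, so "vault unseal" could read an empty
# unseal.keys.  The secret files are created owner-only before being written.
init_out=$("$vault" init -key-shares=1 -key-threshold=1)
printf '%s\n' "$init_out"
( umask 077; : > root.token; : > unseal.keys )
awk '/^Initial Root Token:/{print $4}' <<<"$init_out" > root.token
awk '/^Unseal Key/{print $4}' <<<"$init_out" > unseal.keys
"$vault" unseal "$(cat unseal.keys)"
"$vault" auth "$(cat root.token)"

# =========================================================================== VAULT TOKEN HELPER
# --------------------------------------------------------------------------- helper binary
helper_dir="$HOME/.vault.d/token-helpers"
helper="$helper_dir/vault-token-helper-gopass"
mkdir -p "$helper_dir"
cp vault-token-helper-gopass "$helper"
chmod +x "$helper"

# --------------------------------------------------------------------------- helper config
vault_rc="$HOME/.vault"
tk="token_helper = \"$helper\""
if [ -f "$vault_rc" ]
then
    if grep -q '^token_helper' "$vault_rc"
    then
        # Replace the existing line in place.  The previous "sed -e" had no
        # -i, so it only printed the result and never changed the file; awk
        # reads the replacement from the environment so nothing in $HOME can
        # be taken as awk or sed syntax.
        tmp=$(mktemp)
        tk="$tk" awk '/^token_helper/ { print ENVIRON["tk"]; next } { print }' \
            "$vault_rc" > "$tmp"
        cat "$tmp" > "$vault_rc"   # rewrite in place to keep the file's mode
        rm -f -- "$tmp"
    else
        printf '%s\n' "$tk" >> "$vault_rc"
    fi
else
    printf '%s\n' "$tk" > "$vault_rc"
fi

# =========================================================================== USAGE
set +x
cat <<EOF

===========================================================================
Usage :
$ export VAULT_SKIP_VERIFY=true
$ ./bin/vault auth \$(cat root.token)
===========================================================================

EOF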