This repository has been archived by the owner on Dec 5, 2021. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding vault.sh and secret2env to vault dir
- Loading branch information
1 parent
6ef5d62
commit f557b70
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,168 @@ | ||
| #!/bin/bash | ||
This comment has been minimized.
Sorry, something went wrong. |
||
|
|
||
| # Vault running in the container must listen on a different port. | ||
|
|
||
| VAULT_CREDENTIALS="/vault/config/unseal.json" | ||
|
|
||
| CONFIG_DIR="/vault/config" | ||
|
|
||
| CA_CERT="$CONFIG_DIR/ca.crt" | ||
| CA_KEY="$CONFIG_DIR/ca.key" | ||
| TLS_KEY="$CONFIG_DIR/my-service.key" | ||
| TLS_CERT="$CONFIG_DIR/my-service.crt" | ||
| CONFIG="$CONFIG_DIR/openssl.cnf" | ||
| CSR="$CONFIG_DIR/my-service.csr" | ||
|
|
||
| export VAULT_ADDR="$VAULT_ADDR" | ||
| export VAULT_CACERT="$CA_CERT" | ||
|
|
||
| function create_config { | ||
| cat > "$CONFIG" << EOF | ||
| [req] | ||
| default_bits = 2048 | ||
| encrypt_key = no | ||
| default_md = sha256 | ||
| prompt = no | ||
| utf8 = yes | ||
| # Speify the DN here so we aren't prompted (along with prompt = no above). | ||
| distinguished_name = req_distinguished_name | ||
| # Extensions for SAN IP and SAN DNS | ||
| req_extensions = v3_req | ||
| # Be sure to update the subject to match your organization. | ||
| [req_distinguished_name] | ||
| C = TH | ||
| ST = Bangkok | ||
| L = Vault | ||
| O = omiseGO | ||
| CN = localhost | ||
| # Allow client and server auth. You may want to only allow server auth. | ||
| # Link to SAN names. | ||
| [v3_req] | ||
| basicConstraints = CA:FALSE | ||
| subjectKeyIdentifier = hash | ||
| keyUsage = digitalSignature, keyEncipherment | ||
| extendedKeyUsage = clientAuth, serverAuth | ||
| subjectAltName = @alt_names | ||
| # Alternative names are specified as IP.# and DNS.# for IPs and | ||
| # DNS accordingly. | ||
| [alt_names] | ||
| IP.1 = 127.0.0.1 | ||
| IP.2 = 192.168.64.1 | ||
| IP.3 = 192.168.122.1 | ||
| DNS.1 = localhost | ||
| EOF | ||
| } | ||
|
|
||
| function gencerts { | ||
| create_config | ||
| openssl req \ | ||
| -new \ | ||
| -sha256 \ | ||
| -newkey rsa:2048 \ | ||
| -days 120 \ | ||
| -nodes \ | ||
| -x509 \ | ||
| -subj "/C=US/ST=Maryland/L=Vault/O=My Company CA" \ | ||
| -keyout "$CA_KEY" \ | ||
| -out "$CA_CERT" | ||
|
|
||
| # Generate the private key for the service. Again, you may want to increase | ||
| # the bits to 2048. | ||
| openssl genrsa -out "$TLS_KEY" 2048 | ||
|
|
||
| # Generate a CSR using the configuration and the key just generated. We will | ||
| # give this CSR to our CA to sign. | ||
| openssl req \ | ||
| -new -key "$TLS_KEY" \ | ||
| -out "$CSR" \ | ||
| -config "$CONFIG" | ||
|
|
||
| # Sign the CSR with our CA. This will generate a new certificate that is signed | ||
| # by our CA. | ||
| openssl x509 \ | ||
| -req \ | ||
| -days 120 \ | ||
| -in "$CSR" \ | ||
| -CA "$CA_CERT" \ | ||
| -CAkey "$CA_KEY" \ | ||
| -CAcreateserial \ | ||
| -sha256 \ | ||
| -extensions v3_req \ | ||
| -extfile "$CONFIG" \ | ||
| -out "$TLS_CERT" | ||
|
|
||
| openssl x509 -in "$TLS_CERT" -noout -text | ||
|
|
||
| rm openssl.cnf | ||
|
|
||
| chown -R nobody:nobody $CONFIG_DIR && chmod -R 777 $CONFIG_DIR | ||
| } | ||
|
|
||
| gencerts | ||
|
|
||
| nohup vault server -log-level=debug -config /vault/vault.hcl & | ||
| VAULT_PID=$! | ||
|
|
||
| function unseal() { | ||
| VAULT_INIT=$(cat $VAULT_CREDENTIALS) | ||
| UNSEAL_KEY=$(echo $VAULT_INIT | jq -r '.unseal_keys_hex[0]') | ||
| ROOT_TOKEN=$(echo $VAULT_INIT | jq -r .root_token) | ||
| vault operator unseal $UNSEAL_KEY | ||
| export VAULT_TOKEN=$ROOT_TOKEN | ||
| } | ||
|
|
||
| function configure_plugin { | ||
| plugin_file="immutability-eth-plugin" | ||
|
|
||
| echo "ADDING TO CATALOG: sys/plugins/catalog/secret/${plugin_file}" | ||
|
|
||
| # just testing for now | ||
| plugin_file="${plugin_file}" | ||
| sha256sum=`cat /vault/plugins/SHA256SUMS | awk '{print $1}'` | ||
| vault write sys/plugins/catalog/secret/${plugin_file} \ | ||
| sha_256="$sha256sum" \ | ||
| command="$plugin_file --ca-cert=$CA_CERT --client-cert=$TLS_CERT --client-key=$TLS_KEY" | ||
|
|
||
| if [[ $? -eq 2 ]] ; then | ||
| echo "Vault Catalog update failed!" | ||
| exit 2 | ||
| fi | ||
|
|
||
| echo "MOUNTING: ${plugin_file}" | ||
| vault secrets enable -path=${plugin_file} -plugin-name=${plugin_file} plugin | ||
| if [[ $? -eq 2 ]] ; then | ||
| echo "Failed to mount ${plugin_file} plugin for test!" | ||
| exit 2 | ||
| fi | ||
| } | ||
|
|
||
| if [ -f "$VAULT_CREDENTIALS" ]; then | ||
| sleep 10 | ||
| unseal | ||
| vault status | ||
| vault secrets list | ||
| else | ||
| sleep 10 | ||
| echo "Generating vault credentials" | ||
| VAULT_INIT=$(vault operator init -key-shares=1 -key-threshold=1 -format=json | jq .) | ||
| echo $VAULT_INIT > $VAULT_CREDENTIALS | ||
| echo $(cat $VAULT_CREDENTIALS) | ||
| unseal | ||
| configure_plugin | ||
| vault audit enable file file_path=stdout | ||
| vault status | ||
| vault secrets list | ||
| fi | ||
|
|
||
| if [ "$TEST" == "true" ]; then | ||
| echo "Dying." | ||
| else | ||
| echo "Don't exit until vault dies." | ||
| wait $VAULT_PID | ||
| fi | ||
IMO this should be adapted to whatever is suitable for production deploy. for example, this is generating certificates, logs vault with debug level, ... @petardenev