mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-23 07:31:09 +02:00
Code Issues Projects Releases Wiki Activity
vault/enos/modules/vault_proxy/scripts/set-up-approle-and-proxy.sh
Ryan Cragun b5d32b7bec
enos: add shfmt formatting to enos module scripts (#28142) 
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-08-23 13:45:30 -06:00

87 lines
2.2 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
binpath=${VAULT_INSTALL_DIR}/vault
fail() {
echo "$1" 1>&2
return 1
}
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
# If approle was already enabled, disable it as we're about to re-enable it (the || true is so we don't fail if it doesn't already exist)
$binpath auth disable approle || true
$binpath auth enable approle
$binpath write auth/approle/role/proxy-role secret_id_ttl=700h token_num_uses=1000 token_ttl=600h token_max_ttl=700h secret_id_num_uses=1000
ROLEID=$($binpath read --format=json auth/approle/role/proxy-role/role-id | jq -r '.data.role_id')
if [[ "$ROLEID" == '' ]]; then
fail "expected ROLEID to be nonempty, but it is empty"
fi
SECRETID=$($binpath write -f --format=json auth/approle/role/proxy-role/secret-id | jq -r '.data.secret_id')
if [[ "$SECRETID" == '' ]]; then
fail "vault write -f --format=json auth/approle/role/proxy-role/secret-id did not return a .data.secret_id"
fi
echo "$ROLEID" > /tmp/role-id
echo "$SECRETID" > /tmp/secret-id
# Write the Vault Proxy's configuration to /tmp/vault-proxy.hcl
# The Proxy references the Vault server address passed in as $VAULT_ADDR
# The Proxy itself listens at the address passed in as $VAULT_PROXY_ADDRESS
cat > /tmp/vault-proxy.hcl <<- EOM
pid_file = "${VAULT_PROXY_PIDFILE}"
vault {
address = "${VAULT_ADDR}"
tls_skip_verify = true
retry {
num_retries = 10
}
}
api_proxy {
enforce_consistency = "always"
use_auto_auth_token = true
}
listener "tcp" {
address = "${VAULT_PROXY_ADDRESS}"
tls_disable = true
}
auto_auth {
method {
type = "approle"
config = {
role_id_file_path = "/tmp/role-id"
secret_id_file_path = "/tmp/secret-id"
}
}
sink {
type = "file"
config = {
path = "/tmp/token"
}
}
}
EOM
# If Proxy is still running from a previous run, kill it
pkill -F "${VAULT_PROXY_PIDFILE}" || true
# Run proxy in the background
$binpath proxy -config=/tmp/vault-proxy.hcl > /tmp/proxy-logs.txt 2>&1 &
Reference in New Issue View Git Blame Copy Permalink