mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-31 19:41:12 +02:00
174da88b9d
* VAULT-28146: Add IPV6 support to enos scenarios Add support for testing all raft storage scenarios and variants when running Vault with IPV6 networking. We retain our previous support for IPV4 and create a new variant `ip_version` which can be used to configure the IP version that we wish to test with. It's important to note that the VPC in IPV6 mode is technically mixed and that target machines still associate public IPV6 addresses. That allows us to execute our resources against them from IPV4 networks like developer machines and CI runners. Despite that, we've taken care to ensure that only IPV6 addresses are used in IPV6 mode. Because we previously had assumed the IP Version, Vault address, and listener ports in so many places, this PR is essentially a rewrite and removal of those assumptions. There are also a few places where improvements to scenarios have been included as I encountered them while working on the IPV6 changes. Signed-off-by: Ryan Cragun <me@ryan.ec>
88 lines
2.2 KiB
Bash
88 lines
2.2 KiB
Bash
#!/usr/bin/env bash
|
|
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
|
|
set -e
|
|
|
|
binpath=${VAULT_INSTALL_DIR}/vault
|
|
|
|
fail() {
|
|
echo "$1" 1>&2
|
|
return 1
|
|
}
|
|
|
|
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
|
|
|
|
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
|
|
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
|
|
|
|
# If approle was already enabled, disable it as we're about to re-enable it (the || true is so we don't fail if it doesn't already exist)
|
|
$binpath auth disable approle || true
|
|
|
|
$binpath auth enable approle
|
|
|
|
$binpath write auth/approle/role/proxy-role secret_id_ttl=700h token_num_uses=1000 token_ttl=600h token_max_ttl=700h secret_id_num_uses=1000
|
|
|
|
ROLEID=$($binpath read --format=json auth/approle/role/proxy-role/role-id | jq -r '.data.role_id')
|
|
|
|
if [[ "$ROLEID" == '' ]]; then
|
|
fail "expected ROLEID to be nonempty, but it is empty"
|
|
fi
|
|
|
|
SECRETID=$($binpath write -f --format=json auth/approle/role/proxy-role/secret-id | jq -r '.data.secret_id')
|
|
|
|
if [[ "$SECRETID" == '' ]]; then
|
|
fail "vault write -f --format=json auth/approle/role/proxy-role/secret-id did not return a .data.secret_id"
|
|
fi
|
|
|
|
echo "$ROLEID" > /tmp/role-id
|
|
echo "$SECRETID" > /tmp/secret-id
|
|
|
|
# Write the Vault Proxy's configuration to /tmp/vault-proxy.hcl
|
|
# The Proxy references the Vault server address passed in as $VAULT_ADDR
|
|
# The Proxy itself listens at the address passed in as $VAULT_PROXY_ADDRESS
|
|
cat > /tmp/vault-proxy.hcl <<- EOM
|
|
pid_file = "${VAULT_PROXY_PIDFILE}"
|
|
|
|
vault {
|
|
address = "${VAULT_ADDR}"
|
|
tls_skip_verify = true
|
|
retry {
|
|
num_retries = 10
|
|
}
|
|
}
|
|
|
|
api_proxy {
|
|
enforce_consistency = "always"
|
|
use_auto_auth_token = true
|
|
}
|
|
|
|
listener "tcp" {
|
|
address = "${VAULT_PROXY_ADDRESS}"
|
|
tls_disable = true
|
|
}
|
|
|
|
auto_auth {
|
|
method {
|
|
type = "approle"
|
|
config = {
|
|
role_id_file_path = "/tmp/role-id"
|
|
secret_id_file_path = "/tmp/secret-id"
|
|
}
|
|
}
|
|
sink {
|
|
type = "file"
|
|
config = {
|
|
path = "/tmp/token"
|
|
}
|
|
}
|
|
}
|
|
EOM
|
|
|
|
# If Proxy is still running from a previous run, kill it
|
|
pkill -F "${VAULT_PROXY_PIDFILE}" || true
|
|
|
|
# Run proxy in the background
|
|
$binpath proxy -config=/tmp/vault-proxy.hcl > /tmp/proxy-logs.txt 2>&1 &
|