#!/bin/sh
# =======================================================================
# ‼️ PLEASE DO NOT USE VAULTRON IN PRODUCTION ‼️
#
# blazing_sword
#
# Automatically starts and pre-populates Vault cluster for use in development
# or other evaluation style use cases:
#
# - Initialize Vault
# - Save key material to temporary file
# - Unseal Vault with key material from temporary file
# - Enable a range of auth methods and secrets engines (with a "vaultron"
#   prefix) using the blazing_sword Terraform configuration
#   (see examples/terraform for the configuration used)
#
# shellcheck disable=SC1091,SC2039,SC2059,SC2086,SC2154
# =======================================================================
# Pull in the shared helpers (presumably msg, check_cli_cap, check_flavor,
# check_vault and friends live in ./skydome) and tag every message emitted
# from this script with its name.
. ./skydome
MSGSRC="[blazing_sword]"
export MSGSRC
# Wall-clock start; the runtime summary at the end of the script uses it.
begin=$(date +%s)
# Check for the existence of a temporary key material file.
# Globals:   TF_VAR_vault_flavor (read)
# Outputs:   an info message when a vault_*.tmp file is found
# Exits:     0 when a file is found (the caller is expected to re-run and pass
#            that file as the first argument)
# NOTE(review): this globs "$TF_VAR_vault_flavor/vault/", while VAULT_DAT
# further down is written under "$PWD/flavors/$TF_VAR_vault_flavor/vault/";
# confirm the intended working directory before relying on this check.
check_vault_file() {
  local candidate
  for candidate in "$TF_VAR_vault_flavor"/vault/vault_*.tmp; do
    # An unmatched glob leaves the literal pattern behind; -e filters it out.
    [ -e "$candidate" ] || continue
    msg info "Existing Vault file detected- pass filename as first argument and it will be used for unsealing."
    exit 0
  done
}
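# Authenticate with the initial root token taken from the key material file.
# Arguments: $1 - path to the key material file written by initialize_vault
# Globals:   VAULT_CLI_CAP (via check_cli_cap), INITIAL_ROOT_TOKEN (set by
#            get_initial_root_token), VAULTRON_LIFECYCLE_LOG (appended; note
#            the login output, token included, lands in this log)
# Exits:     1 when the login fails
auth_root() {
  local login_rv
  check_cli_cap
  get_initial_root_token "$1"
  msg info "Authenticate with initial root token ..."
  if [ "$VAULT_CLI_CAP" -eq "1" ]; then
    # Hand the token over on stdin ("-") instead of argv so it does not show
    # up in `ps` output or shell history; printf '%s' adds no trailing newline.
    printf '%s' "$INITIAL_ROOT_TOKEN" | vault login - >> "$VAULTRON_LIFECYCLE_LOG" 2>&1
  else
    # Older CLI: `vault auth` only takes the token on the command line.
    vault auth "$INITIAL_ROOT_TOKEN" >> "$VAULTRON_LIFECYCLE_LOG" 2>&1
  fi
  # Status of whichever branch ran (for the pipeline: vault's own status).
  login_rv=$?
  if [ "$login_rv" -ne 0 ]; then
    msg alert "Could not authenticate with initial root token!"
    exit 1
  fi
  msg success "Authenticated with initial root token!"
}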
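# Enable all the things: audit device, auth methods, secrets engines and
# policies, via the Terraform configuration in examples/terraform.
# Globals:   VAULTRON_LIFECYCLE_LOG (appended)
# Side effects: changes the working directory to examples/terraform and stays
#            there; removes any previous Terraform plugin dir, state and plan.
# Exits:     1 when the directory is missing or any Terraform step fails
#            (previously a failed plan/apply still reported success)
enable_all() {
  msg info "Enable audit device, auth methods, secrets engines, and policies ..."
  cd examples/terraform || exit 1
  # Start from a clean slate so a stale state/plan from an earlier cluster is
  # never applied to this one.
  {
    rm -rf .terraform
    rm -f terraform.tfstate
    rm -f vault.plan
  } >> "$VAULTRON_LIFECYCLE_LOG" 2>&1
  if terraform init >> "$VAULTRON_LIFECYCLE_LOG" 2>&1 \
    && terraform plan -out vault.plan >> "$VAULTRON_LIFECYCLE_LOG" 2>&1 \
    && terraform apply "vault.plan" >> "$VAULTRON_LIFECYCLE_LOG" 2>&1; then
    msg success "Audit device, auth methods, secrets engines, and policies enabled!"
  else
    msg alert "Cannot enable Vault resources with Terraform (see $VAULTRON_LIFECYCLE_LOG)!"
    exit 1
  fi
}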
# List enabled auth methods and secrets engines on stdout.
# Globals:   VAULT_CLI_CAP (via check_cli_cap)
# Side effects: leaves the terminal foreground set to colour 0 via tput
#            (the `tput sgr0` at the end of the script resets it)
enabled() {
  local list_auth list_secrets
  echo
  msg info "Enabled Auth Methods:"
  echo
  check_cli_cap
  # A single capability check selects both listing commands.
  if [ "$VAULT_CLI_CAP" -eq "1" ]; then
    list_auth="vault auth list"
    list_secrets="vault secrets list"
  else
    list_auth="vault auth -methods"
    list_secrets="vault mounts"
  fi
  $list_auth
  echo
  msg info "Enabled Secrets Engines:"
  echo
  $list_secrets
  echo
  tput setaf 0
}
# Get unseal key.
# Arguments: $1 - key material file written by initialize_vault
# Globals:   k0 (written) - the single unseal key share, i.e. the last
#            whitespace-separated field of the "Unseal Key 1" line
get_unseal_key() {
  msg info "Get unseal key ..."
  k0=$(awk '/Unseal Key 1/ {print $NF}' "$1")
}
# Get initial root token.
# Arguments: $1 - key material file written by initialize_vault
# Globals:   INITIAL_ROOT_TOKEN (written) - last field of the
#            "Initial Root Token" line
get_initial_root_token() {
  INITIAL_ROOT_TOKEN=$(awk '/Initial Root Token/ {print $NF}' "$1")
}
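# Initialize Vault and save temporary unseal keys and root token.
# Arguments: $1 - unused (callers pass 0); kept for call-site compatibility
# Globals:   VAULT_CLI_CAP (via check_cli_cap), VAULT_DAT (path written),
#            output (written with the raw init output)
# Exits:     1 when initialization fails or the key material cannot be saved
initialize_vault() {
  local init_cmd
  check_cli_cap
  if [ "$VAULT_CLI_CAP" -eq "1" ]; then
    init_cmd="vault operator init -key-shares=1 -key-threshold=1"
  else
    init_cmd="vault init -key-shares=1 -key-threshold=1"
  fi
  msg info "Initialize Vault ..."
  # $init_cmd is deliberately unquoted so it word-splits into a command line.
  if output="$($init_cmd)"; then
    # The file holds the unseal key and root token in clear text: create it
    # owner-only (umask in a subshell so the script's own umask is untouched),
    # stripping ANSI colour codes from the CLI output before writing.
    if ! (
      umask 077
      printf '%s\n' "$output" | awk '{gsub(/\033\[[0-9]+m/,""); print}' > "${VAULT_DAT}"
    ); then
      # Without the file the cluster could never be unsealed again.
      msg alert "Cannot write key material to ${VAULT_DAT}!"
      exit 1
    fi
  else
    msg alert "Cannot initialize Vault!"
    msg alert "$output"
    exit 1
  fi
  msg complete "Vault initialized!"
}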
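# Initialize Vault Raft standby and save temporary unseal keys and root token.
# Arguments: $1 - member number N; the CLI talks to https://127.0.0.1:82N0
#            $2 - path of the key material file to write
# Globals:   output (written with the raw init output)
# Exits:     1 when initialization fails or the key material cannot be saved
initialize_vault_raft_standby() {
  local VAULT_ADDR="https://127.0.0.1:82${1}0"
  local INIT_CMD="vault operator init -key-shares 1 -key-threshold 1"
  msg info "Initialize Vault ..."
  # $INIT_CMD is deliberately unquoted so it word-splits into a command line.
  if output="$($INIT_CMD)"; then
    # Unseal key and root token in clear text: create the file owner-only
    # (umask in a subshell leaves the script's umask alone) after stripping
    # ANSI colour codes from the CLI output.
    if ! (
      umask 077
      printf '%s\n' "$output" | awk '{gsub(/\033\[[0-9]+m/,""); print}' > "$2"
    ); then
      msg alert "Cannot write key material to ${2}!"
      exit 1
    fi
  else
    msg alert "Cannot initialize Vault!"
    msg alert "$output"
    exit 1
  fi
  msg complete "Vault initialized!"
}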
# Get Vault status: print a blank line, the `vault status` output, newline.
status() {
  local current
  msg info "Vault status:"
  current=$(vault status)
  printf '\n%s\n' "$current"
}
# Note about statsd server for Telemetry: look up the vaultron-vstatsd
# container's IP address via docker inspect and report it.
# Globals:   VSTATSD_ADDR (written), VAULTRON_LIFECYCLE_LOG (appended)
telemetry_info() {
  local fmt='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
  if VSTATSD_ADDR=$(docker inspect --format="$fmt" vaultron-vstatsd) >> "$VAULTRON_LIFECYCLE_LOG" 2>&1; then
    msg info "Telemetry: statsd address: $VSTATSD_ADDR"
  else
    msg alert "Cannot determine statsd address!"
  fi
}
# Consul leader container info: look up the vaultron-consuls0 container's IP
# address via docker inspect and report it.
# Globals:   CONSUL_LEADER_ADDR (written), VAULTRON_LIFECYCLE_LOG (appended)
consul_leader_info() {
  local fmt='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
  if CONSUL_LEADER_ADDR=$(docker inspect --format="$fmt" vaultron-consuls0) >> "$VAULTRON_LIFECYCLE_LOG" 2>&1; then
    msg info "Consul leader address: $CONSUL_LEADER_ADDR"
  else
    msg alert "Cannot determine Consul leader address!"
  fi
}
# Initial Vault active container info: look up the vaultron-vault0
# container's IP address via docker inspect and report it.
# Globals:   VAULT_ACTIVE_ADDR (written), VAULTRON_LIFECYCLE_LOG (appended)
vault_active_info() {
  local fmt='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
  if VAULT_ACTIVE_ADDR=$(docker inspect --format="$fmt" vaultron-vault0) >> "$VAULTRON_LIFECYCLE_LOG" 2>&1; then
    msg info "Active Vault address: $VAULT_ACTIVE_ADDR"
  else
    msg alert "Cannot determine active Vault address!"
  fi
}
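# Unseal Vault (with Consul storage): unseal all three members with the
# single key share from the key material file.
# Globals:   VAULT_CLI_CAP (via check_cli_cap), VAULT_DAT (read), k0 (via
#            get_unseal_key), VAULTRON_LIFECYCLE_LOG (appended),
#            errors (accumulated exit statuses)
# Exits:     with the accumulated status when a member cannot be unsealed
#            (previously $? was read after msg, so the script exited 0)
unseal_vault_consul() {
  local unseal_cmd member port rv
  check_cli_cap
  if [ "$VAULT_CLI_CAP" -eq "1" ]; then
    unseal_cmd="vault operator unseal"
  else
    unseal_cmd="vault unseal"
  fi
  msg info "Unseal Vault ..."
  get_unseal_key "$VAULT_DAT"
  member=1
  # Members 1-3 listen on loopback ports 8200, 8210 and 8220.
  for port in 8200 8210 8220; do
    VAULT_ADDR="https://localhost:${port}" \
      $unseal_cmd "$k0" >> "$VAULTRON_LIFECYCLE_LOG" 2>&1
    # Capture the CLI status before msg overwrites $?.
    rv=$?
    if [ "$rv" -ne 0 ]; then
      msg alert "Cannot unseal Vault ${member}!"
      errors=$((${errors:-0} + rv))
      exit "$errors"
    fi
    member=$((member + 1))
  done
  msg complete "Vault unsealed!"
}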
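# Join Raft primary: ask member $1 to join the Raft primary.
# Arguments: $1 - member number N; the CLI talks to https://127.0.0.1:82N0
# Globals:   VAULT_DAT (read), INITIAL_ROOT_TOKEN (via get_initial_root_token,
#            passed to the CLI through the environment, not argv),
#            VAULT_RAFT_PRIMARY_ADDR (read), errors (accumulated statuses)
# Exits:     with the accumulated status when the join fails
#            (previously $? was read after msg, so the script exited 0)
join_raft_primary() {
  local rv
  msg info "Raft flavored storage: Join ${1} to primary ..."
  get_initial_root_token "$VAULT_DAT"
  VAULT_ADDR="https://127.0.0.1:82${1}0" VAULT_TOKEN="$INITIAL_ROOT_TOKEN" \
    vault operator raft join "$VAULT_RAFT_PRIMARY_ADDR"
  # Capture the CLI status before msg overwrites $?.
  rv=$?
  if [ "$rv" -ne 0 ]; then
    msg alert "Cannot join Vault ${1}!"
    errors=$((${errors:-0} + rv))
    exit "$errors"
  fi
  msg complete "Raft flavored storage: Joined ${1} to primary!"
}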
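# Unseal Vault (with raft storage): unseal member $1 with the single key
# share from the key material file.
# Arguments: $1 - member number N; the CLI talks to https://localhost:82N0
# Globals:   VAULT_DAT (read), k0 (via get_unseal_key),
#            VAULTRON_LIFECYCLE_LOG (appended), errors (accumulated statuses)
# Exits:     with the accumulated status when the unseal fails
#            (previously $? was read after msg, so the script exited 0)
unseal_vault_raft() {
  local rv
  msg info "Unseal Vault ${1} ..."
  get_unseal_key "$VAULT_DAT"
  VAULT_ADDR="https://localhost:82${1}0" \
    vault operator unseal "$k0" >> "$VAULTRON_LIFECYCLE_LOG" 2>&1
  # Capture the CLI status before msg overwrites $?.
  rv=$?
  if [ "$rv" -ne 0 ]; then
    msg alert "Cannot unseal Vault!"
    errors=$((${errors:-0} + rv))
    exit "$errors"
  fi
  msg complete "Vault unsealed!"
}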
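msg greeting "Blazing Sword!"
# Give the freshly started containers time to come up (a fixed wait, not a
# readiness check).
sleep 30
check_flavor
# Key material file: holds the single unseal key share AND the initial root
# token in clear text. It is intentionally left on disk so a later run can
# reuse it for unsealing (see check_vault_file) — development only, as the
# name says.
VAULT_DAT="$PWD/flavors/$TF_VAR_vault_flavor/vault/vault_DEV_ONLY-$(date +%s).tmp"
VAULT_RAFT_PRIMARY_ADDR=https://10.10.42.200:8200
check_vault
# Ain't nobody got time for your stale token!
unset VAULT_TOKEN
# -----------------------------------------------------------------------
# Consul storage flavor
# -----------------------------------------------------------------------
if [ "$TF_VAR_vault_flavor" = "consul" ]; then
  initialize_vault 0
  unseal_vault_consul
  auth_root "${VAULT_DAT}"
  enable_all
  status
  enabled
  vault_active_info
  consul_leader_info
fi
# -----------------------------------------------------------------------
# Raft storage flavor
# -----------------------------------------------------------------------
if [ "$TF_VAR_vault_flavor" = "raft" ]; then
  initialize_vault 0
  unseal_vault_raft 0
  msg info "Await Vault post unseal setup (10 seconds) ..."
  # Plain integer: the "10s" suffix is a GNU sleep extension, not POSIX.
  sleep 10
  # Members 1-4 join the primary (VAULT_RAFT_PRIMARY_ADDR) one at a time and
  # are unsealed with the same key share.
  for member in 1 2 3 4; do
    join_raft_primary "$member"
    msg info "Raft flavored storage: Unseal Vault ${member} ..."
    unseal_vault_raft "$member"
    # Capture the status before msg overwrites $? (previously the script
    # exited 0 on this path).
    rv=$?
    if [ "$rv" -ne 0 ]; then
      msg alert "Cannot unseal Vault ${member}!"
      errors=$((${errors:-0} + rv))
      exit "$errors"
    fi
  done
  auth_root "${VAULT_DAT}"
  enable_all
  status
  enabled
  vault_active_info
  msg info "Current cluster status:"
  echo
  vault operator raft list-peers
fi
if [ "$TF_VAR_vaultron_telemetry_count" = "1" ]; then
  telemetry_info
fi
end=$(date +%s)
runtime=$((end - begin))
echo
msg success "Blazing sword complete in ${runtime}s."
# -----------------------------------------------------------------------
# Fin
# -----------------------------------------------------------------------
# Defensive: make sure no token lingers in the environment, and restore the
# terminal attributes that enabled() changed with tput setaf.
unset VAULT_TOKEN
tput sgr0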