diff --git a/gcp/k8s-vault-gcp-ingress-start.sh b/gcp/k8s-vault-gcp-ingress-start.sh
index b3f1a64d9..03d0b6908 100755
--- a/gcp/k8s-vault-gcp-ingress-start.sh
+++ b/gcp/k8s-vault-gcp-ingress-start.sh
@@ -33,82 +33,9 @@ else kubectl apply -f ../k8s/challenge33.yml fi -helm list | grep 'consul' &>/dev/null -if [ $? == 0 ]; then - echo "Consul is already installed" -else - helm repo add hashicorp https://helm.releases.hashicorp.com - helm install consul hashicorp/consul --values ../k8s/helm-consul-values.yml -fi - -while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True True True" ]]; do echo "waiting for Consul" && sleep 2; done - -helm list | grep 'vault' &>/dev/null -if [ $? == 0 ]; then - echo "Vault is already installed" -else - helm repo add hashicorp https://helm.releases.hashicorp.com - helm install vault hashicorp/vault --values ../k8s/helm-vault-values.yml -fi +source ../scripts/install-consul.sh -isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running) -while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault0" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done -while [[ $isvaultrunning != *"vault-1"* ]]; do echo "waiting for Vaul1" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done -while [[ $isvaultrunning != *"vault-2"* ]]; do echo "waiting for Vaul2" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done - -echo "Setting up port forwarding" -kubectl port-forward vault-0 -n vault 8200:8200 & -echo "Unsealing Vault" -kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json -cat cluster-keys.json | jq -r ".unseal_keys_b64[]" -VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]") -kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY -kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY -kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY - -echo "Obtaining root token" -jq .root_token cluster-keys.json >commentedroottoken - -sed 
"s/^\([\"']\)\(.*\)\1\$/\2/g" commentedroottoken >root_token -ROOTTOKEN=$(cat root_token) - -echo "Logging in" -kubectl exec vault-0 -- vault login $ROOTTOKEN - -echo "Enabling kv-v2 kubernetes" -kubectl exec vault-0 -- vault secrets enable -path=secret kv-v2 - -echo "Putting a secret in" -kubectl exec vault-0 -- vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)" - -echo "Enable k8s auth" -kubectl exec vault-0 -- vault auth enable kubernetes - -echo "Writing k8s auth config" - -kubectl exec vault-0 -- /bin/sh -c 'vault write auth/kubernetes/config \ - token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ - kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \ - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' - -echo "Writing policy for secret-challenge" -kubectl exec vault-0 -- /bin/sh -c 'vault policy write secret-challenge - <