-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathbootstrap.sh
executable file
·102 lines (83 loc) · 3.76 KB
/
bootstrap.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#!/bin/sh
OUTPUT=/tmp/output.txt
export VAULT_ADDR=https://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true
vault operator init -n 1 -t 1 >> ${OUTPUT?}
unseal=$(cat ${OUTPUT?} | grep "Unseal Key 1:" | sed -e "s/Unseal Key 1: //g")
root=$(cat ${OUTPUT?} | grep "Initial Root Token:" | sed -e "s/Initial Root Token: //g")
vault operator unseal ${unseal?}
vault login -no-print ${root?}
vault namespace create demo
# Add 'app' policy for each demo
vault policy write app /vault/userconfig/demo-vault/app-policy.hcl
vault policy write -namespace=demo app /vault/userconfig/demo-vault/app-policy.hcl
# Setup Kube Auth Method
vault auth enable kubernetes
vault auth enable -namespace=demo kubernetes
vault write auth/kubernetes/config \
disable_iss_validation="true" \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write -namespace=demo auth/kubernetes/config \
disable_iss_validation="true" \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/app \
bound_service_account_names=app \
bound_service_account_namespaces=app \
policies=app \
token_max_ttl=20m \
ttl=10m
vault write -namespace=demo auth/kubernetes/role/app \
bound_service_account_names=app \
bound_service_account_namespaces=app \
policies=app \
token_max_ttl=20m \
ttl=10m
# Demo 1: Static Secrets
vault secrets enable -path=secret/ kv
vault secrets enable -namespace=demo -path=secret/ kv
vault kv put secret/hashiconf hashiconf=rocks
vault kv put -namespace=demo secret/hashiconf hashiconf=rocks
# Demo 2: Dynamic Secrets
vault secrets enable database
vault secrets enable -namespace=demo database
vault write database/config/postgresql \
plugin_name=postgresql-database-plugin \
allowed_roles="db-app" \
connection_url="postgresql://{{username}}:{{password}}@postgres.postgres.svc.cluster.local:5432/wizard?sslmode=disable" \
username="vault" \
password="vault"
vault write -namespace=demo database/config/postgresql \
plugin_name=postgresql-database-plugin \
allowed_roles="db-app" \
connection_url="postgresql://{{username}}:{{password}}@postgres.postgres.svc.cluster.local:5432/wizard?sslmode=disable" \
username="vault" \
password="vault"
vault write database/roles/db-app \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE wizard TO \"{{name}}\"; \
GRANT USAGE ON SCHEMA app TO \"{{name}}\"; \
GRANT CREATE ON SCHEMA app TO \"{{name}}\"; \
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA app TO \"{{name}}\";" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="1m" \
max_ttl="1h"
vault write -namespace=demo database/roles/db-app \
db_name=postgresql \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT CONNECT ON DATABASE wizard TO \"{{name}}\"; \
GRANT USAGE ON SCHEMA app TO \"{{name}}\"; \
GRANT CREATE ON SCHEMA app TO \"{{name}}\"; \
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA app TO \"{{name}}\";" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="1m" \
max_ttl="1h"
# Demo 3: Transit
vault secrets enable transit
vault secrets enable -namespace=demo transit
vault write -f transit/keys/app
vault write -namespace=demo -f transit/keys/app