Implement JSON credential storage
- Add JSON format for storing Vault credentials - Update save_credentials function to support both formats - Save both .json and .txt files for compatibility - Update test_docker.sh to use jq for reliable JSON parsing - Improve key extraction for unseal operations - Update .gitignore to exclude JSON credentials 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
parent
98384791c3
commit
9b3ac63c3e
3 changed files with 150 additions and 159 deletions
|
@ -99,22 +99,28 @@ wait_for_vault_init() {
|
|||
# Wait for vault-init to complete
|
||||
wait_for_vault_init
|
||||
|
||||
# Check if vault-credentials.txt was created
|
||||
if [ -f "vault-credentials.txt" ]; then
|
||||
log "INFO" "Credentials file was created successfully"
|
||||
# Check if vault-credentials.json was created
|
||||
if [ -f "vault-credentials.json" ]; then
|
||||
log "INFO" "JSON credentials file was created successfully"
|
||||
else
|
||||
log "ERROR" "Credentials file was not created"
|
||||
log "ERROR" "JSON credentials file was not created"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify the content of vault-credentials.txt
|
||||
if grep -q "Unseal Keys:" vault-credentials.txt && grep -q "Root Token:" vault-credentials.txt; then
|
||||
log "INFO" "Credentials file contains expected content"
|
||||
# Verify the content of vault-credentials.json
|
||||
if jq -e '.keys_base64 | length' vault-credentials.json >/dev/null && \
|
||||
jq -e '.root_token' vault-credentials.json >/dev/null; then
|
||||
log "INFO" "JSON credentials file contains expected content"
|
||||
else
|
||||
log "ERROR" "Credentials file doesn't contain expected content"
|
||||
log "ERROR" "JSON credentials file doesn't contain expected content"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Also check for backward compatibility
|
||||
if [ -f "vault-credentials.txt" ]; then
|
||||
log "INFO" "Text credentials file was also created (for backward compatibility)"
|
||||
fi
|
||||
|
||||
# Verify Vault is unsealed after initial setup
|
||||
vault_status=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault status -format=json 2>/dev/null || echo '{"sealed": true}')
|
||||
|
||||
|
@ -157,28 +163,35 @@ else
|
|||
echo $vault_status
|
||||
fi
|
||||
|
||||
# Extract keys from credentials file and root token
|
||||
log "INFO" "Extracting unseal keys and root token from credentials file..."
|
||||
unseal_keys=$(grep "Base64 Unseal Keys:" -A 3 vault-credentials.txt | grep "Key" | awk '{print $3}')
|
||||
root_token=$(grep "Root Token:" vault-credentials.txt | awk '{print $3}')
|
||||
# Extract keys from JSON credentials file
|
||||
log "INFO" "Extracting unseal keys and root token from JSON credentials file..."
|
||||
# Using jq to extract the first 3 unseal keys (as that's the threshold)
|
||||
unseal_keys=$(jq -r '.keys_base64[0:3][]' vault-credentials.json)
|
||||
root_token=$(jq -r '.root_token' vault-credentials.json)
|
||||
|
||||
# First, try running 'vault operator unseal' directly for a more robust test
|
||||
log "INFO" "Attempting to unseal Vault directly with unseal keys..."
|
||||
key1=$(echo "$unseal_keys" | head -n 1)
|
||||
key2=$(echo "$unseal_keys" | head -n 2 | tail -n 1)
|
||||
key3=$(echo "$unseal_keys" | head -n 3 | tail -n 1)
|
||||
# Using an array to capture the keys
|
||||
readarray -t key_array <<< "$unseal_keys"
|
||||
|
||||
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key1"
|
||||
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key2"
|
||||
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key3"
|
||||
for key in "${key_array[@]}"; do
|
||||
log "INFO" "Applying unseal key: ${key:0:8}..." # Show only first 8 chars for security
|
||||
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key"
|
||||
done
|
||||
|
||||
# As a fallback, also try running vault-init with environment variables
|
||||
log "INFO" "Starting vault-init with environment variables..."
|
||||
docker-compose run -e VAULT_ADDR=http://vault:8200 \
|
||||
-e VAULT_UNSEAL_KEY_1=$(echo "$unseal_keys" | head -n 1) \
|
||||
-e VAULT_UNSEAL_KEY_2=$(echo "$unseal_keys" | head -n 2 | tail -n 1) \
|
||||
-e VAULT_UNSEAL_KEY_3=$(echo "$unseal_keys" | head -n 3 | tail -n 1) \
|
||||
--rm vault-init
|
||||
# Check how many keys we have
|
||||
key_count=${#key_array[@]}
|
||||
env_vars="-e VAULT_ADDR=http://vault:8200"
|
||||
|
||||
# Add each key to environment variables
|
||||
for i in $(seq 0 $((key_count-1))); do
|
||||
env_vars="$env_vars -e VAULT_UNSEAL_KEY_$((i+1))=${key_array[$i]}"
|
||||
done
|
||||
|
||||
# Run the command with all environment variables
|
||||
docker-compose run $env_vars --rm vault-init
|
||||
|
||||
# Verify Vault is unsealed now
|
||||
vault_status=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault status -format=json 2>/dev/null || echo '{"sealed": true}')
|
||||
|
@ -197,9 +210,16 @@ fi
|
|||
# Test some basic Vault operations
|
||||
log "INFO" "Testing basic Vault operations..."
|
||||
|
||||
# Write a secret
|
||||
# Write a secret using the root token from JSON credentials
|
||||
token_result=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault login "$root_token" 2>&1)
|
||||
log "INFO" "Login result: $(echo "$token_result" | grep "Success")"
|
||||
login_success=$(echo "$token_result" | grep -c "Success" || echo "0")
|
||||
if [ "$login_success" -gt 0 ]; then
|
||||
log "INFO" "Successfully logged in with root token"
|
||||
else
|
||||
log "ERROR" "Failed to log in with root token"
|
||||
echo "$token_result"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Enable KV secrets engine
|
||||
enable_result=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault secrets enable -path=kv kv 2>&1 || echo "KV already enabled")
|
||||
|
|
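Review bot: In the second hunk the unseal keys are handed to `docker-compose run` through a string-built argument list (`env_vars="$env_vars -e VAULT_UNSEAL_KEY_$((i+1))=${key_array[$i]}"` followed by an unquoted `$env_vars` in the run command), which depends on word-splitting and will mis-tokenize any value containing whitespace or glob characters; an array keeps each `-e KEY=VALUE` as a single argument and also replaces the `seq` loop with index iteration. The same hunk never checks that `unseal_keys` is non-empty before `readarray`, so an empty jq result yields one empty element that is then passed as `vault operator unseal ""`; a guard such as `[[ -n "$unseal_keys" ]] || { log "ERROR" "No unseal keys found in vault-credentials.json"; exit 1; }` placed before the `readarray` line would fail fast with a clear message. Passing the keys as `-e` arguments also leaves them visible in host process listings and in any `set -x` trace of this script, which is worth a one-line comment at the run command if that is an accepted trade-off for the test stack; a compose `env_file:` entry backed by a `mktemp` file would keep them off argv otherwise. The enclosing `else` branch named in the hunk header opens outside the hunk.
```shell
env_args=(-e VAULT_ADDR=http://vault:8200)
# Add each key as its own -e argument; array indices are 0-based, variable names 1-based
for i in "${!key_array[@]}"; do
  env_args+=(-e "VAULT_UNSEAL_KEY_$((i+1))=${key_array[i]}")
done
# … unchanged: "Run the command with all environment variables" comment …
docker-compose run "${env_args[@]}" --rm vault-init
```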