Implement JSON credential storage

- Add JSON format for storing Vault credentials
- Update save_credentials function to support both formats
- Save both .json and .txt files for compatibility
- Update test_docker.sh to use jq for reliable JSON parsing
- Improve key extraction for unseal operations
- Update .gitignore to exclude JSON credentials

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Harald Hoyer 2025-03-20 13:16:39 +01:00
parent 98384791c3
commit 9b3ac63c3e
3 changed files with 150 additions and 159 deletions


@ -99,22 +99,28 @@ wait_for_vault_init() {
# Wait for vault-init to complete
wait_for_vault_init
# Check if vault-credentials.txt was created
if [ -f "vault-credentials.txt" ]; then
log "INFO" "Credentials file was created successfully"
# Check if vault-credentials.json was created
if [ -f "vault-credentials.json" ]; then
log "INFO" "JSON credentials file was created successfully"
else
log "ERROR" "Credentials file was not created"
log "ERROR" "JSON credentials file was not created"
exit 1
fi
# Verify the content of vault-credentials.txt
if grep -q "Unseal Keys:" vault-credentials.txt && grep -q "Root Token:" vault-credentials.txt; then
log "INFO" "Credentials file contains expected content"
# Verify the content of vault-credentials.json
if jq -e '.keys_base64 | length' vault-credentials.json >/dev/null && \
jq -e '.root_token' vault-credentials.json >/dev/null; then
log "INFO" "JSON credentials file contains expected content"
else
log "ERROR" "Credentials file doesn't contain expected content"
log "ERROR" "JSON credentials file doesn't contain expected content"
exit 1
fi
# Also check for backward compatibility
if [ -f "vault-credentials.txt" ]; then
log "INFO" "Text credentials file was also created (for backward compatibility)"
fi
# Verify Vault is unsealed after initial setup
vault_status=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault status -format=json 2>/dev/null || echo '{"sealed": true}')
@ -157,28 +163,35 @@ else
echo $vault_status
fi
# Extract keys from credentials file and root token
log "INFO" "Extracting unseal keys and root token from credentials file..."
unseal_keys=$(grep "Base64 Unseal Keys:" -A 3 vault-credentials.txt | grep "Key" | awk '{print $3}')
root_token=$(grep "Root Token:" vault-credentials.txt | awk '{print $3}')
# Extract keys from JSON credentials file
log "INFO" "Extracting unseal keys and root token from JSON credentials file..."
# Using jq to extract the first 3 unseal keys (as that's the threshold)
unseal_keys=$(jq -r '.keys_base64[0:3][]' vault-credentials.json)
root_token=$(jq -r '.root_token' vault-credentials.json)
# First, try running 'vault operator unseal' directly for a more robust test
log "INFO" "Attempting to unseal Vault directly with unseal keys..."
key1=$(echo "$unseal_keys" | head -n 1)
key2=$(echo "$unseal_keys" | head -n 2 | tail -n 1)
key3=$(echo "$unseal_keys" | head -n 3 | tail -n 1)
# Using an array to capture the keys
readarray -t key_array <<< "$unseal_keys"
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key1"
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key2"
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key3"
for key in "${key_array[@]}"; do
log "INFO" "Applying unseal key: ${key:0:8}..." # Show only first 8 chars for security
docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault operator unseal "$key"
done
# As a fallback, also try running vault-init with environment variables
log "INFO" "Starting vault-init with environment variables..."
docker-compose run -e VAULT_ADDR=http://vault:8200 \
-e VAULT_UNSEAL_KEY_1=$(echo "$unseal_keys" | head -n 1) \
-e VAULT_UNSEAL_KEY_2=$(echo "$unseal_keys" | head -n 2 | tail -n 1) \
-e VAULT_UNSEAL_KEY_3=$(echo "$unseal_keys" | head -n 3 | tail -n 1) \
--rm vault-init
# Check how many keys we have
key_count=${#key_array[@]}
env_vars="-e VAULT_ADDR=http://vault:8200"
# Add each key to environment variables
for i in $(seq 0 $((key_count-1))); do
env_vars="$env_vars -e VAULT_UNSEAL_KEY_$((i+1))=${key_array[$i]}"
done
# Run the command with all environment variables
docker-compose run $env_vars --rm vault-init
# Verify Vault is unsealed now
vault_status=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault status -format=json 2>/dev/null || echo '{"sealed": true}')
@ -197,9 +210,16 @@ fi
# Test some basic Vault operations
log "INFO" "Testing basic Vault operations..."
# Write a secret
# Write a secret using the root token from JSON credentials
token_result=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault login "$root_token" 2>&1)
log "INFO" "Login result: $(echo "$token_result" | grep "Success")"
login_success=$(echo "$token_result" | grep -c "Success" || echo "0")
if [ "$login_success" -gt 0 ]; then
log "INFO" "Successfully logged in with root token"
else
log "ERROR" "Failed to log in with root token"
echo "$token_result"
exit 1
fi
# Enable KV secrets engine
enable_result=$(docker-compose exec -T vault env VAULT_ADDR=http://127.0.0.1:8200 vault secrets enable -path=kv kv 2>&1 || echo "KV already enabled")
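Review bot: In the second hunk, where `env_vars` is assembled and then passed as `docker-compose run $env_vars --rm vault-init`, the command line is built by string concatenation and expanded unquoted, so every unseal key goes through word splitting and glob expansion before docker-compose sees it; an array (`run_args+=(-e "VAULT_UNSEAL_KEY_$((i+1))=${key_array[$i]}")`, invoked as `"${run_args[@]}"`) passes each `-e` value as a single argument whatever it contains. Related, `readarray -t key_array <<< "$unseal_keys"` produces a one-element array holding an empty string when jq prints nothing (file missing, key absent), so `for key in "${key_array[@]}"` runs `vault operator unseal ""` and `key_count` is 1 rather than 0 — checking for that before the loop gives a clearer failure than whatever Vault reports. The slice `.keys_base64[0:3][]` also hard-codes a threshold of 3; if the saved JSON keeps the init response's `unseal_threshold` field (the writer side is not in this section), reading it would keep the test in step with the actual Vault configuration. The rewrite below replaces only the vault-init invocation; the direct unseal loop above it is left as is.
```bash
# … unchanged: readarray into key_array and the direct `vault operator unseal` loop …
key_count=${#key_array[@]}
if (( key_count == 0 )) || [[ -z "${key_array[0]}" ]]; then
  log "ERROR" "No unseal keys extracted from vault-credentials.json"
  exit 1
fi
run_args=(-e VAULT_ADDR=http://vault:8200)
for (( i = 0; i < key_count; i++ )); do
  run_args+=(-e "VAULT_UNSEAL_KEY_$((i+1))=${key_array[$i]}")
done
docker-compose run "${run_args[@]}" --rm vault-init
```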