vault-migration.go

package main

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"

	"github.com/hashicorp/consul/api"
	"github.com/hashicorp/go-cleanhttp"
)

var consulClient *api.Client
var consulClientErr error

var rootDir = "/tmp/vault-storage"

func main() {
	// Setup Consul Config and ACL Token
	config := api.DefaultConfig()
	config.Scheme = "https"
	config.Address = "my-consul:8500"
	config.Token = "ABC-123"

	httpClient := cleanhttp.DefaultClient()
	transport := cleanhttp.DefaultPooledTransport()
	httpClient.Transport = transport

        // This is important if Consul is using your own CA
	tlsConfig, err := api.SetupTLSConfig(&api.TLSConfig{
		CAFile:             "/Users/kallan/ca/ca.pem",
		InsecureSkipVerify: false,
	})
	if err != nil {
		panic(err)
	}
	transport.TLSClientConfig = tlsConfig
	config.HttpClient = httpClient

	consulClient, consulClientErr = api.NewClient(config)
	if consulClientErr != nil {
		panic(consulClientErr)
	}

	// Walk the root directory tree calling vaultWalk on each entry
	filepath.Walk(rootDir, vaultWalk)
}

// vaultWalk is executed for each file under rootDir
func vaultWalk(path string, info os.FileInfo, err error) error {
	// When we see a directory, skip it and move to the next entry
	if info.IsDir() {
		return nil
	}

	// For a file, read it and unmarshal into a Consul api.KVPair
	var kv api.KVPair
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return err
	}
	err = json.Unmarshal(data, &kv)
	if err != nil {
		return err
	}

	// Modify the key so its prefaced with Vault
	kv.Key = fmt.Sprintf("vault/%s", kv.Key)

	// Send the data into Consul
	_, err = consulClient.KV().Put(&kv, nil)
	if err != nil {
		return err
	}
	fmt.Printf("Wrote key %s to Consul\n", kv.Key)
	return nil
}

Used this to great success last night with minor modification around some of the CAFile and vaultWalk sections. Thanks!