Created
December 4, 2020 16:14
-
-
Save asyd/e627947f6c38bae0bcc6da2a0e52c299 to your computer and use it in GitHub Desktop.
A script to init vault cluster and unsealed it at start
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
export VAULT_ADDR=http://localhost:8200 | |
VAULT=/opt/vault/bin/vault | |
VAULT_DATA=/var/lib/vault | |
VAULT_POLICIES=/opt/vault/etc/policies | |
# Ensure policies directory exists | |
mkdir -p $VAULT_POLICIES | |
# Ensure vault is started | |
sleep 1 | |
# Check if vault is initialized | |
if [ ! -d "$VAULT_DATA"/sys ] ; then | |
$VAULT operator init -key-shares=1 -key-threshold=1 > /tmp/.vault-init | |
# Extract unseal key and root token | |
grep 'Unseal' /tmp/.vault-init | awk '{ print $NF }' > /etc/.vault-unseal-key | |
grep 'Root Token' /tmp/.vault-init | awk '{ print $NF }' > /etc/.vault-root-token | |
cp /etc/.vault-root-token /root/.vault-token | |
chmod 600 /root/.vault-token /etc/.vault-unseal-key /etc/.vault-root-token | |
fi | |
# Unseal vault | |
$VAULT operator unseal $(< /etc/.vault-unseal-key) | |
# Apply policies | |
for policy in ${VAULT_POLICIES}/*.hcl ; do | |
policy=$(basename $policy) | |
policy=${policy%.*} | |
$VAULT policy read $policy | |
if [ $? -gt 0 ] ; then | |
$VAULT policy write $policy ${VAULT_POLICIES}/$policy.hcl | |
fi | |
done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ui = true | |
listener "tcp" { | |
address = "0.0.0.0:8200" | |
tls_disable = true | |
} | |
storage "file" { | |
path = "/var/lib/vault" | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Unit] | |
Description=Vault server | |
[Service] | |
ExecStart=/opt/vault/bin/vault server -config=/etc/vault | |
ExecStartPost=/opt/vault/bin/post-start | |
Type=exec | |
User=root | |
Group=root | |
[Install] | |
WantedBy=default.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment