
@blairdrummond
Last active February 9, 2022 01:47
Re-Authenticate with MinIO Instances via Vault
#!/bin/sh
# Re-Authenticate all vault tokens.
# Dependencies: jq, curl
# Example:
#
# $ bash vault-renew.sh
# {
# "minio_gateway_premium": {
# "accessKeyId": "profile-blair-drummond-XXXXXXXXXXXXXXXX",
# "secretAccessKey": "XXXXXXXXXXXXXXXXX"
# },
# "fdi_gateway_unclassified": {
# "accessKeyId": "profile-blair-drummond-XXXXXXXXXXXXXXXX",
# "secretAccessKey": "XXXXXXXXXXXXXXX"
# },
# "minio_gateway_standard": {
# "accessKeyId": "profile-blair-drummond-XXXXXXXXXXXXXXXX",
# "secretAccessKey": "XXXXXXXXXXXXXXXX"
# }
# }
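# Global settings
# AAW_CLUSTER is used as the Vault auth mount in the login URL; an exported
# value overrides the default.
AAW_CLUSTER=${AAW_CLUSTER:-aaw-prod-cc-00}
# The Vault role is "profile-" plus the third "/"-separated field of
# NB_PREFIX (presumably /notebook/<namespace>/<name> -- confirm against the
# notebook environment). printf with a quoted expansion keeps the value from
# being word-split, globbed, or read as an echo option.
PROFILE="profile-$(printf '%s\n' "${NB_PREFIX:-}" | awk -F / '{print $3}')"
# NOTE(security): this is plain HTTP, so the service-account JWT, the Vault
# token and the MinIO secret keys returned below cross the network
# unencrypted. Prefer an https:// listener where the cluster offers one.
VAULT_ADDR=http://vault.vault-system:8200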
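# MinIO Instances/Vault Mounts
#
# Lists one name per line: every *.json entry found under the secrets
# directory, with the directory part and the .json suffix removed and "-"
# turned into "_".
# Arguments: $1 - directory to scan (optional, defaults to /vault/secrets)
# Outputs:   names on stdout
options () {
  # The path is stripped with sed rather than "xargs basename", which ran one
  # process per file and mis-parsed names containing quotes or backslashes.
  find "${1:-/vault/secrets}" -name '*.json' \
    | sed -e 's~^.*/~~' -e 's~\.json$~~' \
    | tr '-' '_'
}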
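# Grab options in a file, delete on exit
# Stop early if the temp file cannot be created; otherwise the redirect below
# would have no target and the loop at the end would read from nothing.
INSTANCES=$(mktemp -t "minio-instances.XXXXX") || {
  echo "vault-renew: cannot create temporary file" >&2
  exit 1
}
# Installed only once INSTANCES holds a real path.
trap 'rm -f -- "$INSTANCES"' EXIT
options > "$INSTANCES"
# First listed name containing "gateway". Nothing else visible in this script
# reads INSTANCE at top level.
INSTANCE=$(grep gateway "$INSTANCES" | sed 1q)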
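# Get a Vault token from the service account JWT
#
# Globals: PROFILE, VAULT_ADDR, AAW_CLUSTER (read)
# Outputs: the value of .auth.client_token from the login response on stdout.
#          jq -r prints the literal string "null" when that field is missing,
#          e.g. when the login was rejected, so callers receive "null" rather
#          than an empty string in that case.
token () {
  # jq builds the request body, so PROFILE and the JWT are JSON-escaped
  # instead of being spliced into a hand-written string. The JWT is read from
  # the file as raw input and the body reaches curl on stdin (--data @-), so
  # the JWT does not appear in any process's argument list.
  # NOTE(security): -k turns off TLS certificate verification. It has no
  # effect while VAULT_ADDR is http://; if the address moves to https://,
  # drop -k and pass the issuing CA with --cacert instead.
  jq -Rnc --arg role "$PROFILE" '{jwt: input, role: $role}' \
      < /var/run/secrets/kubernetes.io/serviceaccount/token \
    | curl --request POST \
        --data @- \
        -s -k "$VAULT_ADDR/v1/auth/$AAW_CLUSTER/login" \
    | jq -r '.auth.client_token'
}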
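# Get MinIO credentials from Vault
#
# Globals:   VAULT_ADDR, PROFILE (read)
# Arguments: $1 - Vault mount name, as listed by options
# Outputs:   the raw response body of GET <VAULT_ADDR>/v1/<mount>/keys/<PROFILE>
#            on stdout
minio_creds () {
  # $1 is used directly so the script-level INSTANCE variable is left alone.
  # Every call performs a fresh login through token.
  # The token header is handed to curl on stdin (-H @-, needs curl 7.55.0 or
  # newer) so the Vault token is not exposed in curl's argument list.
  printf 'X-Vault-Token: %s\n' "$(token)" \
    | curl -s \
        -H "X-Vault-Request: true" \
        -H @- \
        "$VAULT_ADDR/v1/$1/keys/$PROFILE"
}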
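# Get all non-null results
#
# For each name in the instances file, fetch its credentials and wrap the
# response's .data as {"key": <name>, "value": <data>}. Entries whose value
# is null are dropped, accountStatus and policy are removed, and the rest is
# folded into a single object keyed by instance name.
# NOTE(security): the object printed here contains live secretAccessKey
# values; keep it out of logs, shell traces and shared terminals.
while IFS= read -r instance; do
  minio_creds "$instance" \
    | jq --arg KEY "$instance" '{"key" : $KEY, "value": .data }'
done < "$INSTANCES" \
  | jq --slurp 'map(select(.value != null)
                    | del(.value.accountStatus, .value.policy))
                | from_entries'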