Vault Dgraph Part 1
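# Vault + Dgraph, part 1: bring up a single-node Vault, enable AppRole and
# KV-v2, and provision an "admin" role plus a least-privileged "dgraph" role
# whose credentials are dropped into ./dgraph for the alpha to read.
# Assumes docker compose v2, a local `vault` CLI and `jq` on PATH.
# NOTE(review): ./dgraph/alpha.yaml is bind-mounted by compose.yml but is not
# written by this part — presumably it arrives in a later part; confirm.

# Create every bind-mount source up front so docker does not create them as
# root-owned directories on first start.
mkdir -p ./vault/data ./dgraph/backups ./dgraph/export

# Quoted 'EOF' keeps ${DGRAPH_VERSION}/${VAULT_VERSION} literal; compose
# expands them from .env at run time.  Port mappings are quoted so YAML does
# not read them as base-60 numbers.  Vault's listener is published on the
# loopback interface only because TLS is disabled and the root token travels
# over it.
cat << 'EOF' > compose.yml
services:
  zero1:
    image: dgraph/dgraph:${DGRAPH_VERSION}
    command: dgraph zero --my=zero1:5080 --replicas 1 --raft idx=1
    ports:
      - "6080:6080"
    container_name: zero1
  alpha1:
    image: dgraph/dgraph:${DGRAPH_VERSION}
    ports:
      - "8080:8080"
      - "9080:9080"
    environment:
      DGRAPH_ALPHA_CONFIG: /dgraph/config/config.yaml
    volumes:
      - ./dgraph/alpha.yaml:/dgraph/config/config.yaml
      - ./dgraph/vault_secret_id:/dgraph/vault/secret_id
      - ./dgraph/vault_role_id:/dgraph/vault/role_id
      - ./dgraph/backups:/dgraph/backups
      - ./dgraph/export:/dgraph/export
    command: dgraph alpha --my=alpha1:7080 --zero=zero1:5080
    container_name: alpha1
  vault:
    image: hashicorp/vault:${VAULT_VERSION}
    container_name: vault
    ports:
      - "127.0.0.1:8200:8200"
    volumes:
      - ./vault/config.hcl:/vault/config/config.hcl
      - ./vault/data:/vault/data
    environment:
      VAULT_ADDR: http://127.0.0.1:8200
    entrypoint: vault server -config=/vault/config/config.hcl
    cap_add:
      - IPC_LOCK
EOF

cat << 'EOF' > .env
DGRAPH_VERSION=v23.1.1
VAULT_VERSION=1.16
EOF

# Single-node raft storage.  tls_disable is acceptable only for this local
# lab; a network-reachable listener must terminate TLS.
cat << 'EOF' > ./vault/config.hcl
storage "raft" {
  path    = "/vault/data"
  node_id = "vault1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

api_addr      = "http://127.0.0.1:8200"
cluster_addr  = "http://127.0.0.1:8201"
ui            = true
disable_mlock = true
EOF

# Policies are written under ./vault so the paths match the `vault policy
# write` calls below (the original wrote admin.hcl/dgraph.hcl into the
# working directory and then loaded ./vault/policy_*.hcl, which did not exist).

# Admin policy: full control of the KV secrets under secret/dgraph/*, the
# AppRole mount and its roles, and ACL policies.  `sudo` on sys/auth/approle/
# is required to enable the auth method.
cat << 'EOF' > ./vault/policy_admin.hcl
# kv2 secret/dgraph/*
path "secret/metadata/dgraph/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
path "secret/data/dgraph/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Mount the AppRole auth method
path "sys/auth/approle/" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}
# Configure the AppRole auth method
path "sys/auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}
# Create and manage roles
path "auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF

# Dgraph policy: least privilege — the alpha only needs read/update on its
# own secrets under secret/dgraph/*.
cat << 'EOF' > ./vault/policy_dgraph.hcl
path "secret/data/dgraph/*" {
  capabilities = [ "read", "update" ]
}
EOF

docker compose up --detach vault
docker compose ls

# Init and unseal run inside the container (VAULT_ADDR is set there);
# everything afterwards uses the host CLI so local policy files can be
# passed by path.  VAULT_CMD already ends in `vault`, so subcommands follow
# it directly (the original ran `vault vault operator init`).
VAULT_CMD="docker compose exec vault vault"

# unseal.creds holds the unseal keys and the initial root token in plain
# text: make it readable only by the current user and keep it out of VCS.
touch unseal.creds
chmod 600 unseal.creds
$VAULT_CMD operator init | tee -a unseal.creds
# Key threshold is the default 3 of 5.  grep -P requires GNU grep.
for NUM in 1 2 3; do
  $VAULT_CMD operator unseal "$(grep -oP "(?<=Unseal Key $NUM: ).*" unseal.creds)"
done

# The host CLI reads VAULT_ADDR and VAULT_TOKEN; the original exported
# VAULT_ADDRESS/VAULT_ROOT_TOKEN, which `vault` does not consult.
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="$(grep -oP "(?<=Initial Root Token: ).*" unseal.creds)"

vault auth enable approle
vault secrets enable -path=secret kv-v2

# Admin Policy
vault policy write admin ./vault/policy_admin.hcl
vault policy read admin
# Dgraph Policy
vault policy write dgraph ./vault/policy_dgraph.hcl
vault policy read dgraph

# Admin role with short-lived tokens.  The rest of the setup runs with the
# admin token rather than the root token.
vault write auth/approle/role/admin \
  policies="admin" \
  token_ttl="1h" \
  token_max_ttl="4h"
ROLE_ID=$(vault read -format=json auth/approle/role/admin/role-id \
  | jq -r .data.role_id)
SECRET_ID=$(vault write -f -format=json auth/approle/role/admin/secret-id \
  | jq -r .data.secret_id)
ADMIN_TOKEN=$(vault write -format=json auth/approle/login \
  role_id="$ROLE_ID" \
  secret_id="$SECRET_ID" \
  | jq -r .auth.client_token)

# Export the admin token instead of `vault login`: VAULT_TOKEN takes
# precedence over the token helper's cached token, so a login here would
# have left the commands below running as root.
export VAULT_TOKEN="$ADMIN_TOKEN"

# Write secrets for Dgraph.  These are placeholder example values only;
# generate random secrets before any non-lab use.
vault kv put secret/dgraph/alpha \
  enc_key="12345678901234567890123456789012" \
  hmac_secret_file="12345678901234567890123456789012"

# Dgraph role bound to the read/update-only policy.
vault write auth/approle/role/dgraph \
  policies="dgraph" \
  token_ttl="1h" \
  token_max_ttl="4h"
ROLE_ID=$(vault read -format=json auth/approle/role/dgraph/role-id \
  | jq -r .data.role_id)
SECRET_ID=$(vault write -f -format=json auth/approle/role/dgraph/secret-id \
  | jq -r .data.secret_id)

# Credential files consumed by alpha through the compose bind mounts.
# vault_secret_id is a secret: keep it out of VCS.
echo "$ROLE_ID" > ./dgraph/vault_role_id
echo "$SECRET_ID" > ./dgraph/vault_secret_id

# Verify that the dgraph role can read its secret with its own token.
DGRAPH_TOKEN=$(vault write -format=json auth/approle/login \
  role_id="$ROLE_ID" \
  secret_id="$SECRET_ID" \
  | jq -r .auth.client_token)
VAULT_TOKEN="$DGRAPH_TOKEN" vault kv get secret/dgraph/alpha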