Vault Dgraph Part 1
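# Vault + Dgraph, part 1: bring up a single-node Vault in Docker Compose,
# initialise and unseal it, and provision AppRole credentials that the Dgraph
# alpha can use to read its encryption key / HMAC secret from the KV v2 store.
#
# Files written relative to the current directory:
#   compose.yml, .env, vault/config.hcl,
#   vault/policy_admin.hcl, vault/policy_dgraph.hcl,
#   unseal.creds            (unseal keys + initial root token),
#   dgraph/vault_role_id, dgraph/vault_secret_id (mounted into alpha1).
# Needs: docker compose, the vault CLI, jq, GNU grep (for -P).
# Note: ./dgraph/alpha.yaml is mounted into alpha1 but not created here.
mkdir -p ./{vault,dgraph}

# Compose file. The delimiter is quoted so ${DGRAPH_VERSION}/${VAULT_VERSION}
# stay literal and are resolved by compose from .env at run time.
cat << 'EOF' > compose.yml
services:
  zero1:
    image: dgraph/dgraph:${DGRAPH_VERSION}
    command: dgraph zero --my=zero1:5080 --replicas 1 --raft idx=1
    ports:
      - 6080:6080
    container_name: zero1
  alpha1:
    image: dgraph/dgraph:${DGRAPH_VERSION}
    ports:
      - 8080:8080
      - 9080:9080
    environment:
      DGRAPH_ALPHA_CONFIG: /dgraph/config/config.yaml
    volumes:
      - ./dgraph/alpha.yaml:/dgraph/config/config.yaml
      - ./dgraph/vault_secret_id:/dgraph/vault/secret_id
      - ./dgraph/vault_role_id:/dgraph/vault/role_id
      - ./dgraph/backups:/dgraph/backups
      - ./dgraph/export:/dgraph/export
    command: dgraph alpha --my=alpha1:7080 --zero=zero1:5080
    container_name: alpha1
  vault:
    image: hashicorp/vault:${VAULT_VERSION}
    container_name: vault
    ports:
      # The listener below has TLS disabled; publish it on loopback only so the
      # plaintext API is not reachable from other hosts.
      - 127.0.0.1:8200:8200
    volumes:
      - ./vault/config.hcl:/vault/config/config.hcl
      - ./vault/data:/vault/data
    environment:
      VAULT_ADDR: http://127.0.0.1:8200
    entrypoint: vault server -config=/vault/config/config.hcl
    cap_add:
      - IPC_LOCK
EOF

# Image versions consumed by compose.yml.
cat << 'EOF' > .env
DGRAPH_VERSION=v23.1.1
VAULT_VERSION=1.16
EOF

# Single-node raft storage with TLS and mlock disabled: a lab configuration,
# not a hardened one.
cat << 'EOF' > ./vault/config.hcl
storage "raft" {
  path    = "/vault/data"
  node_id = "vault1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

api_addr     = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui           = true
disable_mlock = true
EOF

# Admin policy: manage secret/dgraph/* (KV v2 data + metadata), the AppRole
# auth mount and its roles, and ACL policies. Written under ./vault/ so the
# same path is used when the policy is loaded below.
cat << 'EOF' > ./vault/policy_admin.hcl
# kv2 secret/dgraph/*
path "secret/metadata/dgraph/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

path "secret/data/dgraph/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Mount the AppRole auth method
path "sys/auth/approle/" {
  capabilities = [ "create", "read", "update", "delete", "sudo" ]
}

# Configure the AppRole auth method
path "sys/auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete" ]
}

# Create and manage roles
path "auth/approle/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}

# Write ACL policies
path "sys/policies/acl/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
EOF

# Dgraph policy: read/update only on the KV v2 data path it needs.
cat << 'EOF' > ./vault/policy_dgraph.hcl
path "secret/data/dgraph/*" {
  capabilities = [ "read", "update" ]
}
EOF

docker compose up --detach vault
docker compose ls

# Init/unseal run the vault CLI inside the container, whose VAULT_ADDR already
# points at the local listener. An array so the command is not re-split.
VAULT_CMD=(docker compose exec vault vault)

# unseal.creds will hold the unseal keys and the initial root token: make it
# owner-only before anything is appended to it. ("vault vault" in the original
# ran the subcommand twice; VAULT_CMD already ends in "vault".)
touch unseal.creds && chmod 600 unseal.creds
"${VAULT_CMD[@]}" operator init | tee -a unseal.creds

# Default init threshold is 3 of 5 keys; unseal with the first three.
for num in {1..3}; do
  "${VAULT_CMD[@]}" operator unseal "$(grep -oP "(?<=Unseal Key $num: ).*" unseal.creds)"
done

# Everything below uses the host vault CLI against the published port. The CLI
# reads VAULT_ADDR (with scheme) and VAULT_TOKEN; setting VAULT_TOKEN per step
# avoids persisting the root token to ~/.vault-token via `vault login`.
export VAULT_ROOT_TOKEN="$(grep -oP "(?<=Initial Root Token: ).*" unseal.creds)"
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="$VAULT_ROOT_TOKEN"

vault auth enable approle
vault secrets enable -path=secret kv-v2

# Admin Policy
vault policy write admin ./vault/policy_admin.hcl
vault policy read admin

# Dgraph Policy
vault policy write dgraph ./vault/policy_dgraph.hcl
vault policy read dgraph

# Admin AppRole: short-lived tokens bounded by token_max_ttl.
vault write auth/approle/role/admin \
  policies="admin" \
  token_ttl="1h" \
  token_max_ttl="4h"

ROLE_ID=$(vault read -format=json auth/approle/role/admin/role-id \
  | jq -r .data.role_id)
SECRET_ID=$(vault write -f -format=json auth/approle/role/admin/secret-id \
  | jq -r .data.secret_id)
ADMIN_TOKEN=$(vault write -format=json auth/approle/login \
  role_id="$ROLE_ID" \
  secret_id="$SECRET_ID" \
  | jq -r .auth.client_token)

# Continue as the admin role rather than root.
export VAULT_TOKEN="$ADMIN_TOKEN"

# Secrets for Dgraph. These 32-character values are demonstration placeholders
# from the walkthrough; generate real random keys for any non-lab deployment.
vault kv put secret/dgraph/alpha \
  enc_key="12345678901234567890123456789012" \
  hmac_secret_file="12345678901234567890123456789012"

# Dgraph AppRole, restricted by the dgraph policy.
vault write auth/approle/role/dgraph \
  policies="dgraph" \
  token_ttl="1h" \
  token_max_ttl="4h"

ROLE_ID=$(vault read -format=json auth/approle/role/dgraph/role-id \
  | jq -r .data.role_id)
SECRET_ID=$(vault write -f -format=json auth/approle/role/dgraph/secret-id \
  | jq -r .data.secret_id)
DGRAPH_TOKEN=$(vault write -format=json auth/approle/login \
  role_id="$ROLE_ID" \
  secret_id="$SECRET_ID" \
  | jq -r .auth.client_token)

# Switch to the dgraph token and verify it can read the secret it needs.
export VAULT_TOKEN="$DGRAPH_TOKEN"

# Credential files mounted into alpha1; the secret_id is a credential, so keep
# both owner-only. printf avoids echo's option/escape handling.
printf '%s\n' "$ROLE_ID" > ./dgraph/vault_role_id
printf '%s\n' "$SECRET_ID" > ./dgraph/vault_secret_id
chmod 600 ./dgraph/vault_role_id ./dgraph/vault_secret_id

vault kv get secret/dgraph/alpha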