vault scriptbash
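#!/bin/bash
# VaultSealManager: unseal the local Vault instance with unseal key shares
# read from an already-unsealed cluster member that Consul DNS points at.
# The shares live in that Vault's own KV store (secret/vault/keys/N), so
# this only works while at least one other member is already unsealed.
#
# Reads:  /root/.vault-token (token used for the `vault read` calls)
# Uses:   vault, hostname, dig, getent, awk, sed
#
# The command/flag variables below are deliberately plain strings: the
# functions expand them unquoted ($vault_status, $vault_read, ...) so that
# they word-split into a command line. Keep their values free of whitespace.
export vault=/usr/local/bin/vault
# Builtin redirect instead of $(cat ...). Exported because the vault CLI
# reads VAULT_TOKEN from its environment (every child process inherits it).
export VAULT_TOKEN=$(</root/.vault-token)
# TODO: point this at the CA bundle that signs the Vault listener certs.
vault_cacert='-ca-cert=/path/to/your/ca.pem'
local_vault="-address=https://$(hostname -f):8200"

# Resolve one already-unsealed member via Consul DNS. Checking the dig
# result first keeps an empty answer from reaching `getent hosts` with no
# argument (which would dump every /etc/hosts entry), and leaves
# unsealed_vault empty rather than "-address=https://:8200" when nothing
# was found, so the -z check in main can actually fire.
unsealed_ip=$(dig +short vault.service.consul | tail -n 1)
unsealed_host=""
if [[ -n "$unsealed_ip" ]]; then
  unsealed_host=$(getent hosts "$unsealed_ip" | awk '{ print $2 }')
fi
unsealed_vault=""
if [[ -n "$unsealed_host" ]]; then
  unsealed_vault="-address=https://${unsealed_host}:8200"
fi

# Ask that member who the current leader is (the "Leader" line of
# `vault status`, scheme stripped). Skipped when no member was found.
leader_host=""
if [[ -n "$unsealed_vault" ]]; then
  leader_host=$($vault status $vault_cacert $unsealed_vault 2> /dev/null \
    | grep Leader | awk '{ print $2 }' | sed 's/^http\(\|s\):\/\///g')
fi
leader_vault="-address=https://${leader_host}:8200"
vault_read="$vault read $vault_cacert $leader_vault"
vault_unseal="$vault unseal $vault_cacert $local_vault"
vault_status="$vault status $vault_cacert $local_vault"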
#######################################
# Verify that the local instance now reports an unsealed status.
# Globals:   vault_status (read) - status command line, expanded unquoted
# Outputs:   one [ERROR] line on stdout when the instance is still sealed
# Returns:   0 when unsealed; exits the script with 1 otherwise
#######################################
check_unsealed() {
  if ! $vault_status &> /dev/null; then
    echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Local Vault instance was unsuccessfully unsealed (the instance is still sealed)."
    exit 1
  fi
}
#######################################
# Fetch the five unseal key shares from the leader's KV store into the
# globals vault_key_1 .. vault_key_5 (all five are read before checking).
# Globals:   vault_read (read), vault_key_1..vault_key_5 (written)
# Outputs:   one [ERROR] line on stdout if any share came back empty
# Returns:   0 on success; exits the script with 1 if a share is missing
#######################################
get_keys() {
  local idx name missing=0
  for idx in 1 2 3 4 5; do
    # Read errors are silenced; an empty value is what signals failure below.
    printf -v "vault_key_${idx}" '%s' \
      "$($vault_read -field=value "secret/vault/keys/${idx}" 2> /dev/null)"
  done
  for idx in 1 2 3 4 5; do
    name="vault_key_${idx}"
    if [[ -z "${!name}" ]]; then
      missing=1
    fi
  done
  if (( missing )); then
    echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error retrieving unseal keys from Vault secret store!"
    exit 1
  fi
}
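#######################################
# Submit three key shares to the local instance. Three is the threshold
# used here; shares 4 and 5 are fetched by get_keys but not submitted.
# Globals:   vault_unseal (read), vault_key_1..vault_key_3 (read)
# Outputs:   one [ERROR] line on stdout when any submission returns non-zero
# Returns:   0 on success; exits the script with 1 otherwise
#######################################
unseal_vault() {
  local share failed=0
  # NOTE(review): each share is handed to the CLI as a process argument, so
  # it is briefly visible to anyone able to list processes on this host;
  # confirm whether this vault version can take the share on stdin instead.
  for share in "$vault_key_1" "$vault_key_2" "$vault_key_3"; do
    # Quoted so a share is never word-split. All three submissions are
    # attempted even if an earlier one fails; the error is reported once.
    if ! $vault_unseal "$share" &> /dev/null; then
      failed=1
    fi
  done
  if (( failed )); then
    echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Error unsealing local Vault instance!"
    exit 1
  fi
}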
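#######################################
# Entry point: exit early if the local instance is already unsealed,
# otherwise fetch the key shares from the leader, unseal, and verify.
# Globals:   vault_status, unsealed_vault (read)
# Outputs:   progress lines on stdout
# Returns:   exits 0 when unsealed (or already unsealed), 1 on any failure
#######################################
main() {
  if $vault_status &> /dev/null; then
    # Level tag corrected from "[IFNO]" so filters on "[INFO]" see this line.
    echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is already unsealed!"
    exit 0
  fi
  if [[ -z "$unsealed_vault" ]]; then
    echo "VaultSealManager-[$(date +'%X %x')]-[ERROR]: Consul service returned no unsealed Vault instances!"
    exit 1
  fi
  echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Consul service returned unsealed Vault instance..."
  echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to get secured keys from Vault secret store..."
  # Each helper below exits the script itself on failure.
  get_keys
  echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Got unseal keys successfull..."
  echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Attempting to unseal local Vault instance with acquired unseal keys..."
  unseal_vault
  echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Checking local seal status..."
  check_unsealed
  echo "VaultSealManager-[$(date +'%X %x')]-[INFO]: Local Vault instance is now unsealed!"
}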
# Run the workflow. main exits with its own status on every path except a
# successful unseal, which returns here and falls through to exit 0.
main "$@"
exit 0