#!/bin/bash
# Dev-only harness: brings up two Vault clusters on a local Consul agent,
# initialises them, seeds a userpass user plus an identity entity on the
# first, enables replication from the first to the second, regenerates the
# secondary's root token and then checks token usability on the secondary's
# active and standby nodes. Run from the directory that contains dev/config/.
#
# `-a` exports every variable assigned from here on (including the unseal
# keys and root tokens captured below) into the environment of every child
# process; `-x` prints each command, secrets included, to stderr. Both are
# acceptable only for throwaway dev clusters.
set -aex
cd dev
# SIGKILL any leftover vault process; `|| true` keeps `set -e` from aborting
# when none is running.
pkill -9 vault || true
sleep 5s
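#######################################
# Runs the vault CLI against the first cluster's node on port 8211 (the
# cluster that is later enabled as replication primary).
# Arguments: all arguments are passed through to `vault` unchanged; quoted
#            so that an argument containing spaces stays one argument
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault11() {
  VAULT_ADDR=http://127.0.0.1:8211 vault "$@"
}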
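#######################################
# Runs the vault CLI against a node on port 8212. NOTE(review): this script
# starts no server on 8212 (there is no consul12.hcl), so the helper is unused
# here — confirm it is still wanted.
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault12() {
  VAULT_ADDR=http://127.0.0.1:8212 vault "$@"
}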
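#######################################
# Runs the vault CLI against the second cluster's first node on port 8221
# (referred to below as the secondary's active node).
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault21() {
  VAULT_ADDR=http://127.0.0.1:8221 vault "$@"
}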
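#######################################
# Runs the vault CLI against the second cluster's second node on port 8224
# (referred to below as the secondary's standby node). Note the port is 8224,
# not 8222, matching the listener in consul22.hcl.
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault22() {
  VAULT_ADDR=http://127.0.0.1:8224 vault "$@"
}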
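#######################################
# Identical to vault11 (port 8211). NOTE(review): the `n` suffix presumably
# marks a variant that was never differentiated — confirm before relying on
# any difference between the two.
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault11n() {
  VAULT_ADDR=http://127.0.0.1:8211 vault "$@"
}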
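#######################################
# Identical to vault12 (port 8212); like vault12 it has no server in this
# script. NOTE(review): the `n` suffix presumably marks a variant that was
# never differentiated — confirm.
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault12n() {
  VAULT_ADDR=http://127.0.0.1:8212 vault "$@"
}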
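#######################################
# Identical to vault21 (port 8221). NOTE(review): the `n` suffix presumably
# marks a variant that was never differentiated — confirm.
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault21n() {
  VAULT_ADDR=http://127.0.0.1:8221 vault "$@"
}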
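#######################################
# Identical to vault22 (port 8224). NOTE(review): the `n` suffix presumably
# marks a variant that was never differentiated — confirm.
# Arguments: all arguments are passed through to `vault` unchanged (quoted)
# Outputs:   whatever `vault` prints
# Returns:   the exit status of `vault`
#######################################
vault22n() {
  VAULT_ADDR=http://127.0.0.1:8224 vault "$@"
}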
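#######################################
# Writes a dev-only Vault server config backed by the local Consul agent.
# The three configs below differed only in the Consul KV path and the
# listener port, so they are generated from one template to keep them in step.
# Arguments: $1 - output file path
#            $2 - Consul KV path prefix ("vault1" / "vault2")
#            $3 - TCP port the node listens on; also used for api_addr
# Outputs:   nothing on stdout; writes the HCL file
# Returns:   the exit status of the file write
#######################################
write_vault_consul_config() {
  local out=$1 kv_path=$2 port=$3
  # Dev-only settings: a plaintext Consul ACL token, TLS disabled on the
  # listener, mlock disabled, and a user-specific absolute plugin directory.
  # The heredoc body is unindented on purpose: it is written verbatim.
  cat > "$out" <<EOF
storage "consul" {
path = "$kv_path"
address = "127.0.0.1:8500"
scheme = "http"
token = "test"
}
listener "tcp" {
address = "127.0.0.1:$port"
tls_disable = true
}
plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir"
disable_mlock = "true"
api_addr = "http://127.0.0.1:$port"
default_lease_ttl = "300h"
max_lease_ttl = "500h"
EOF
}

# First cluster's node (8211) and the second cluster's two nodes (8221, 8224);
# the two second-cluster nodes share the "vault2" KV path.
write_vault_consul_config config/consul11.hcl vault1 8211
write_vault_consul_config config/consul21.hcl vault2 8221
write_vault_consul_config config/consul22.hcl vault2 8224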
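# Start from empty logs. These are plain files, so `-r` is not needed;
# `-f` keeps a missing file from tripping `set -e`.
rm -f -- /tmp/consul11.log /tmp/consul12.log /tmp/consul21.log
# Start the first cluster's node (8211) and the second cluster's first node
# (8221) in the background. NOTE(review): the 8211 node logs to
# /tmp/consul12.log although its config is consul11.hcl — confirm which
# filename is intended. Trace-level logs are very verbose and may contain
# sensitive request data; keep them to dev environments.
vault11 server -config config/consul11.hcl -log-level trace > /tmp/consul12.log 2>&1 &
vault21 server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 &
# Fixed wait for the listeners to come up; there is no readiness probe.
sleep 5s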
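# --- Cluster 1: initialise with a single key share, unseal, log in ---
initResult=$(vault11 operator init -format json -key-shares 1 -key-threshold 1)
# Feed the JSON to jq via a here-string; the original echo of an unquoted
# variable would word-split and glob the JSON before jq saw it.
unsealKey1=$(jq -r '.unseal_keys_b64[0]' <<<"$initResult")
rootToken1=$(jq -r '.root_token' <<<"$initResult")
# The unseal key and root token are persisted as plaintext files in the
# working directory so the restart and the replication steps below can
# reuse them; with `set -ax` in effect they are also exported to every child
# process and traced to stderr. Dev-only handling.
printf '%s' "$unsealKey1" > unsealKey1
printf '%s' "$rootToken1" > rootToken1
vault11 operator unseal "$(cat unsealKey1)"
sleep 5s
# `vault login` stores the token via the CLI token helper for later commands.
vault11 login "$(cat rootToken1)"

# --- Cluster 2: initialise and unseal with its own key; no login yet ---
initResult=$(vault21 operator init -format json -key-shares 1 -key-threshold 1)
unsealKey2=$(jq -r '.unseal_keys_b64[0]' <<<"$initResult")
rootToken2=$(jq -r '.root_token' <<<"$initResult")
printf '%s' "$unsealKey2" > unsealKey2
printf '%s' "$rootToken2" > rootToken2
vault21 operator unseal "$(cat unsealKey2)"

# --- Seed auth and identity data on cluster 1 (presumably so the
# replication step below has something to ship to cluster 2) ---
vault11 auth enable userpass
# Without pipefail, a failing `vault auth list` is masked by jq's status.
accessor=$(vault11 auth list -format json | jq -r '.["userpass/"].accessor')
vault11 write auth/userpass/users/vishal password=nayak
vault11 write auth/userpass/login/vishal password=nayak
# The login above creates an entity; this takes the first listed entity ID,
# which assumes it is the only one — TODO confirm on a non-empty cluster.
entityID=$(vault11 list -format json identity/entity/id | jq -r '.[0]')
vault11 write identity/entity-alias canonical_id="$entityID" mount_accessor="$accessor" name=Vishal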
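sleep 5s
# Restart both servers with SIGTERM (unlike the SIGKILL at the top). No
# `|| true` here: under `set -e` the script aborts if no vault is running,
# which would mean the earlier start failed.
pkill vault
sleep 5s
# NOTE(review): the 8211 node writes to /tmp/consul12.log (see below), so
# removing consul11.log here does not clear its previous log; the `>`
# redirection truncates it anyway — confirm which filename is intended.
rm -f -- /tmp/consul11.log /tmp/consul21.log
vault11 server -config config/consul11.hcl -log-level trace > /tmp/consul12.log 2>&1 &
vault21 server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 &
sleep 5s
# Each cluster is still unsealed with its own key at this point; the
# replication step below changes that for cluster 2.
vault11 operator unseal "$(cat unsealKey1)"
vault21 operator unseal "$(cat unsealKey2)"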
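# --- Replication: cluster 1 becomes primary, cluster 2 joins as secondary ---
vault11 write -f sys/replication/primary/enable
# The activation token is a response-wrapping token (`-field wrapping_token`).
# It is passed as a command-line argument below, so it is visible in `ps`
# output and in the `set -x` trace for as long as it is valid.
secondaryToken=$(vault11 write -field wrapping_token sys/replication/primary/secondary-token id=asdf)
# Cluster 2's own root token authorises the join; rootToken2 still holds the
# token from cluster 2's init at this point.
VAULT_TOKEN=$(cat rootToken2) vault21 write sys/replication/secondary/enable token="$secondaryToken"
# Fixed wait for the secondary to bootstrap from the primary; no status poll.
sleep 10s

# --- Regenerate the secondary's root token ---
# The generate-root flow is driven with unsealKey1 (the primary's key), not
# unsealKey2; the standby node of the secondary is likewise unsealed with
# unsealKey1 below. Presumably the secondary now shares the primary's
# barrier key after joining — confirm against the replication docs.
grResult=$(vault21 operator generate-root -format json -init)
grNonce=$(jq -r '.nonce' <<<"$grResult")
grOTP=$(jq -r '.otp' <<<"$grResult")
grResult=$(vault21 operator generate-root -nonce "$grNonce" -format json "$unsealKey1")
eToken=$(jq -r '.encoded_token' <<<"$grResult")
# NOTE(review): this assumes `-decode` prints the bare token even with
# `-format json`; if it prints a JSON object, the login that follows will
# fail — confirm against the CLI version in use.
rootToken2=$(vault21 operator generate-root -format json -decode "$eToken" -otp "$grOTP")
# Overwrites the init-time root token saved earlier with the regenerated one.
printf '%s' "$rootToken2" > rootToken2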
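# Check if the root token can be used by the secondary's active node
vault21 login "$(cat rootToken2)"
# Bring up a second node for the secondary cluster (port 8224, same "vault2"
# Consul path as the 8221 node). It is unsealed with the primary's key,
# consistent with the generate-root step above.
vault22 server -config config/consul22.hcl -log-level trace > /tmp/consul22.log 2>&1 &
sleep 5s
vault22 operator unseal "$(cat unsealKey1)"
sleep 5s
# `vault status` exits non-zero while sealed, so under `set -e` this also
# acts as an unseal check for the new node.
vault22 status
# Check if the root token can be used by the secondary's standby node
vault22 login "$(cat rootToken2)"
# The userpass mount and user were created on the primary; logging in against
# the secondary's nodes exercises the replicated auth data. Without pipefail a
# failed `vault write` is masked by jq's status, so a bad login surfaces as an
# empty token on the next line.
# Create a token from the standby and use it on both active and standby
token=$(vault22 write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token')
vault22 login "$token"
vault21 login "$token"
# Create a token from the leader and use it on both active and standby
token=$(vault21 write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token')
vault22 login "$token"
vault21 login "$token"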