Last active
June 27, 2019 18:59
-
-
Save vishalnayak/c39b7919bb647c596b850ae3329b559e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -aex | |
| cd dev | |
| pkill -9 vault || true | |
| pkill -9 v103 || true | |
| pkill -9 v0113 || true | |
| sleep 5s | |
| # Active of perf primary running Vault 0.11.3 | |
| vault11() { | |
| VAULT_ADDR=http://127.0.0.1:8211 ./v0113 $@ | |
| } | |
| # Active of perf secondary running Vault 0.11.3 | |
| vault21() { | |
| VAULT_ADDR=http://127.0.0.1:8221 ./v0113 $@ | |
| } | |
| # Standby of perf secondary running Vault 0.11.3 | |
| vault22() { | |
| VAULT_ADDR=http://127.0.0.1:8224 ./v0113 $@ | |
| } | |
| # Active of perf primary after upgrade from 0.11.3 to 1.0.3 | |
| vault11n() { | |
| VAULT_ADDR=http://127.0.0.1:8211 ./v12beta $@ | |
| } | |
| # Active of perf secondary after upgrade from 0.11.3 to 1.0.3 | |
| vault21n() { | |
| VAULT_ADDR=http://127.0.0.1:8221 ./v12beta $@ | |
| } | |
| # Standby of perf secondary after upgrade from 0.11.3 to 1.0.3 | |
| vault22n() { | |
| VAULT_ADDR=http://127.0.0.1:8224 ./v12beta $@ | |
| } | |
| cat > config/consul11.hcl -<<EOF | |
| storage "consul" { | |
| path = "vault1" | |
| address = "127.0.0.1:8500" | |
| scheme = "http" | |
| token = "test" | |
| } | |
| listener "tcp" { | |
| address = "127.0.0.1:8211" | |
| tls_disable = true | |
| } | |
| plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir" | |
| disable_mlock = "true" | |
| api_addr = "http://127.0.0.1:8211" | |
| default_lease_ttl = "300h" | |
| max_lease_ttl = "500h" | |
| EOF | |
| cat > config/consul21.hcl -<<EOF | |
| storage "consul" { | |
| path = "vault2" | |
| address = "127.0.0.1:8500" | |
| scheme = "http" | |
| token = "test" | |
| } | |
| listener "tcp" { | |
| address = "127.0.0.1:8221" | |
| tls_disable = true | |
| } | |
| plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir" | |
| disable_mlock = "true" | |
| api_addr = "http://127.0.0.1:8221" | |
| default_lease_ttl = "300h" | |
| max_lease_ttl = "500h" | |
| EOF | |
| cat > config/consul22.hcl -<<EOF | |
| storage "consul" { | |
| path = "vault2" | |
| address = "127.0.0.1:8500" | |
| scheme = "http" | |
| token = "test" | |
| } | |
| listener "tcp" { | |
| address = "127.0.0.1:8224" | |
| tls_disable = true | |
| } | |
| plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir" | |
| disable_mlock = "true" | |
| api_addr = "http://127.0.0.1:8224" | |
| default_lease_ttl = "300h" | |
| max_lease_ttl = "500h" | |
| EOF | |
| rm -rf /tmp/consul11.log | |
| rm -rf /tmp/consul12.log | |
| rm -rf /tmp/consul21.log | |
| # Start and initialize servers | |
| vault11 server -config config/consul11.hcl -log-level trace > /tmp/consul12.log 2>&1 & | |
| vault21 server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 & | |
| sleep 5s | |
| initResult=$(vault11 operator init -format json -key-shares 1 -key-threshold 1) | |
| unsealKey1=$(echo -n $initResult | jq -r '.unseal_keys_b64[0]') | |
| rootToken1=$(echo -n $initResult | jq -r '.root_token') | |
| echo -n $unsealKey1 > unsealKey1 | |
| echo -n $rootToken1 > rootToken1 | |
| vault11 operator unseal `cat unsealKey1` | |
| sleep 5s | |
| vault11 login `cat rootToken1` | |
| initResult=$(vault21 operator init -format json -key-shares 1 -key-threshold 1) | |
| unsealKey2=$(echo -n $initResult | jq -r '.unseal_keys_b64[0]') | |
| rootToken2=$(echo -n $initResult | jq -r '.root_token') | |
| echo -n $unsealKey2 > unsealKey2 | |
| echo -n $rootToken2 > rootToken2 | |
| vault21 operator unseal `cat unsealKey2` | |
| vault11 auth enable userpass | |
| accessor=$(vault11 auth list -format json | jq -r '.["userpass/"].accessor') | |
| vault11 write auth/userpass/users/vishal password=nayak | |
| vault11 write auth/userpass/login/vishal password=nayak | |
| entityID=$(vault11 list -format json identity/entity/id | jq -r '.[0]') | |
| # Create a duplicate alias with different cases for alias names | |
| vault11 write identity/entity-alias canonical_id=$entityID mount_accessor=$accessor name=Vishal | |
| vault11 list identity/entity-alias/id | |
| # Exercise a bug that creates exact duplicate aliases in an entity | |
| aliasCreationResult=$(vault11 write -format json identity/entity-alias name=alias1 mount_accessor=$accessor) | |
| aliasID1=$(echo -n $aliasCreationResult | jq -r '.data.id') | |
| entityID1=$(echo -n $aliasCreationResult | jq -r '.data.canonical_id') | |
| entityID2=$(vault11 write -format json identity/entity name=entity1 | jq -r '.data.id') | |
| vault11 write -format json identity/entity-alias/id/$aliasID1 canonical_id=$entityID2 name=alias1 mount_accessor=$accessor | |
| vault11 read -format json identity/entity/id/$entityID2 | jq -r '.data.aliases' | |
| sleep 5s | |
| pkill -9 v0113 || true | |
| exit 0 | |
| sleep 10s | |
| rm -rf /tmp/consul11.log | |
| rm -rf /tmp/consul21.log | |
| vault11n server -config config/consul11.hcl -log-level trace > /tmp/consul11.log 2>&1 & | |
| vault21n server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 & | |
| sleep 5s | |
| vault11n operator unseal $(cat unsealKey1) | |
| vault21n operator unseal $(cat unsealKey2) | |
| sleep 5s | |
| vault11n write -f sys/replication/primary/enable | |
| secondaryToken=$(vault11n write -field wrapping_token sys/replication/primary/secondary-token id=asdf) | |
| VAULT_TOKEN=$(cat rootToken2) vault21n write sys/replication/secondary/enable token=$secondaryToken | |
| sleep 10s | |
| grResult=$(vault21n operator generate-root -format json -init) | |
| grNonce=$(echo -n $grResult | jq -r '.nonce') | |
| grOTP=$(echo -n $grResult | jq -r '.otp') | |
| grResult=$(vault21n operator generate-root -nonce $grNonce -format json $unsealKey1) | |
| eToken=$(echo -n $grResult | jq -r '.encoded_token') | |
| rootToken2=$(vault21n operator generate-root -format json -decode $eToken -otp $grOTP) | |
| echo -n $rootToken2 > rootToken2 | |
| # Check if the root token can be used by the secondary's active node | |
| vault21n login $(cat rootToken2) | |
| vault22n server -config config/consul22.hcl -log-level trace > /tmp/consul22.log 2>&1 & | |
| sleep 5s | |
| vault22n operator unseal $(cat unsealKey1) | |
| sleep 5s | |
| vault22n status | |
| # Check if the root token can be used by the secondary's standby node | |
| vault22n login $(cat rootToken2) | |
| # Create a token from the standby and use it on both active and standby | |
| token=$(vault22n write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token') | |
| vault22n login $token | |
| vault21n login $token | |
| # Create a token from the leader and use it on both active and standby | |
| token=$(vault21n write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token') | |
| vault22n login $token | |
| vault21n login $token | |
| ========= | |
| Store the following in a different script file | |
| #!/bin/bash | |
| set -aex | |
| reset | |
| cd dev | |
| # Active of perf primary running Vault 0.11.3 | |
| vault11() { | |
| VAULT_ADDR=http://127.0.0.1:8211 ./v0113 $@ | |
| } | |
| # Active of perf secondary running Vault 0.11.3 | |
| vault21() { | |
| VAULT_ADDR=http://127.0.0.1:8221 ./v0113 $@ | |
| } | |
| # Standby of perf secondary running Vault 0.11.3 | |
| vault22() { | |
| VAULT_ADDR=http://127.0.0.1:8224 ./v0113 $@ | |
| } | |
| # Active of perf primary after upgrade from 0.11.3 to 1.0.3 | |
| vault11n() { | |
| VAULT_ADDR=http://127.0.0.1:8211 ./v12beta $@ | |
| } | |
| # Active of perf secondary after upgrade from 0.11.3 to 1.0.3 | |
| vault21n() { | |
| VAULT_ADDR=http://127.0.0.1:8221 ./v12beta $@ | |
| } | |
| # Standby of perf secondary after upgrade from 0.11.3 to 1.0.3 | |
| vault22n() { | |
| VAULT_ADDR=http://127.0.0.1:8224 ./v12beta $@ | |
| } | |
| cat > config/consul11.hcl -<<EOF | |
| storage "consul" { | |
| path = "vault1" | |
| address = "127.0.0.1:8500" | |
| scheme = "http" | |
| token = "test" | |
| } | |
| listener "tcp" { | |
| address = "127.0.0.1:8211" | |
| tls_disable = true | |
| } | |
| plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir" | |
| disable_mlock = "true" | |
| api_addr = "http://127.0.0.1:8211" | |
| default_lease_ttl = "300h" | |
| max_lease_ttl = "500h" | |
| EOF | |
| cat > config/consul21.hcl -<<EOF | |
| storage "consul" { | |
| path = "vault2" | |
| address = "127.0.0.1:8500" | |
| scheme = "http" | |
| token = "test" | |
| } | |
| listener "tcp" { | |
| address = "127.0.0.1:8221" | |
| tls_disable = true | |
| } | |
| plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir" | |
| disable_mlock = "true" | |
| api_addr = "http://127.0.0.1:8221" | |
| default_lease_ttl = "300h" | |
| max_lease_ttl = "500h" | |
| EOF | |
| cat > config/consul22.hcl -<<EOF | |
| storage "consul" { | |
| path = "vault2" | |
| address = "127.0.0.1:8500" | |
| scheme = "http" | |
| token = "test" | |
| } | |
| listener "tcp" { | |
| address = "127.0.0.1:8224" | |
| tls_disable = true | |
| } | |
| plugin_directory = "/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir" | |
| disable_mlock = "true" | |
| api_addr = "http://127.0.0.1:8224" | |
| default_lease_ttl = "300h" | |
| max_lease_ttl = "500h" | |
| EOF | |
| rm -rf /tmp/consul11.log | |
| rm -rf /tmp/consul21.log | |
| vault11n server -config config/consul11.hcl -log-level trace > /tmp/consul11.log 2>&1 & | |
| vault21n server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 & | |
| sleep 20s | |
| vault11n operator unseal $(cat unsealKey1) | |
| vault21n operator unseal $(cat unsealKey2) | |
| sleep 20s | |
| vault11n write -f sys/replication/primary/enable | |
| secondaryToken=$(vault11n write -field wrapping_token sys/replication/primary/secondary-token id=asdf) | |
| VAULT_TOKEN=$(cat rootToken2) vault21n write sys/replication/secondary/enable token=$secondaryToken | |
| sleep 10s | |
| grResult=$(vault21n operator generate-root -format json -init) | |
| grNonce=$(echo -n $grResult | jq -r '.nonce') | |
| grOTP=$(echo -n $grResult | jq -r '.otp') | |
| unsealKey1=$(cat unsealKey1) | |
| grResult=$(vault21n operator generate-root -nonce $grNonce -format json $unsealKey1) | |
| eToken=$(echo -n $grResult | jq -r '.encoded_token') | |
| rootToken2=$(vault21n operator generate-root -format json -decode $eToken -otp $grOTP) | |
| echo -n $rootToken2 > rootToken2 | |
| # Check if the root token can be used by the secondary's active node | |
| vault21n login $(cat rootToken2) | |
| vault22n server -config config/consul22.hcl -log-level trace > /tmp/consul22.log 2>&1 & | |
| sleep 5s | |
| vault22n operator unseal $(cat unsealKey1) | |
| sleep 5s | |
| vault22n status | |
| # Check if the root token can be used by the secondary's standby node | |
| vault22n login $(cat rootToken2) | |
| # Create a token from the standby and use it on both active and standby | |
| token=$(vault22n write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token') | |
| vault22n login $token | |
| vault21n login $token | |
| pkill -9 v0113 || true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment