
#!/usr/bin/env bash
# Bootstrap one app's Vault wiring: a policy, a PKI role and an AppRole, then
# drop the AppRole's role_id/secret_id into the target unix user's agent dir.
# Usage: VAULT_ADMIN_TOKEN=... ./bootstrap-proxytest-approle.sh [app] [user] [cn]
set -Eeuo pipefail

# --- Config (tweak if needed) ---
# Vault address and PKI mount come from the environment when set; otherwise
# these defaults apply (note the default address is plain HTTP on loopback).
: "${VAULT_ADDR:=http://127.0.0.1:22300}"
: "${PKI_MOUNT:=pki-test}"

# Positional overrides, all optional.
# NOTE: USER shadows the login shell's USER variable; if that variable is
# exported in the caller's environment, every child process started below
# (vault, sudo) inherits the target user's name here, not the caller's.
APP="${1:-proxytest}"
USER="${2:-proxytest}"
# CN is only echoed in the startup log; nothing in this script issues with it.
CN="${3:-apptest.int.privsec.ch}"

# One PKI role, one AppRole and one policy per app, named after ${APP}.
PKI_ROLE="nginx-${APP}"
ROLE_NAME="${APP}-pki-issue"
POLICY_NAME="pki-issue-${APP}"

# Where the agent credentials land. Assumes the home directory is
# /home/<user>; it is created further down if missing.
HOME_DIR="/home/${USER}"
AGENT_DIR="${HOME_DIR}/.vault-agent-${APP}"
ROLE_ID_FILE="${AGENT_DIR}/role_id"
SECRET_ID_FILE="${AGENT_DIR}/secret_id"
ts() {
  # Timestamp prefix for log lines, e.g. "[2025-09-22 10:27:22]".
  date '+[%Y-%m-%d %H:%M:%S]'
}
log() {
  # Informational line on stdout: "<ts> [INFO] <all arguments joined>".
  printf '%s [INFO] %s\n' "$(ts)" "$*"
}
err() {
  # Error line on stderr: "<ts> [ERROR] <all arguments joined>".
  # Returns 0, so callers decide whether to abort.
  printf '%s [ERROR] %s\n' "$(ts)" "$*" >&2
}
# --- Admin token required ---
# The admin token is read from the environment only, so it never appears in
# this script's argv. A missing token is a usage error (exit 2).
if [[ -n "${VAULT_ADMIN_TOKEN:-}" ]]; then
  # Make both the address and the token visible to every `vault` call below.
  export VAULT_ADDR VAULT_TOKEN="${VAULT_ADMIN_TOKEN}"
else
  err "VAULT_ADMIN_TOKEN is not set. Run: VAULT_ADMIN_TOKEN='hvs.XXX' $0 [app] [user] [cn]"
  exit 2
fi
log "Bootstrap for APP=${APP}, USER=${USER}, CN=${CN}"
log "VAULT_ADDR=${VAULT_ADDR}, PKI_MOUNT=${PKI_MOUNT}, PKI_ROLE=${PKI_ROLE}"
# --- sanity: user/home exists ---
# Refuse to continue for an unknown account (exit 3) so credential files are
# never created for a user that cannot own them.
id -u "${USER}" >/dev/null 2>&1 || { err "User ${USER} does not exist"; exit 3; }
# Home may not exist yet for a service account; the agent dir holds the
# SecretID and is therefore private to the user (0700).
sudo install -d -m 0755 -o "${USER}" -g "${USER}" "${HOME_DIR}"
sudo install -d -m 0700 -o "${USER}" -g "${USER}" "${AGENT_DIR}"
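# 1) Policy: allow issuing on our PKI role + approle ops
log "Upserting policy: ${POLICY_NAME}"
# The policy text is streamed to `vault policy write <name> -` on stdin rather
# than through a mktemp file, so a failed write (which aborts under set -e)
# leaves nothing behind on disk.
# NOTE(review): the role-id/secret-id grants mean a token obtained via this
# AppRole can read its own RoleID and mint additional SecretIDs for itself;
# this script never revokes SecretIDs, so rotation needs a separate step.
vault policy write "${POLICY_NAME}" - >/dev/null <<EOF
path "${PKI_MOUNT}/issue/${PKI_ROLE}" { capabilities = ["create","update"] }
path "auth/approle/role/${ROLE_NAME}/role-id" { capabilities = ["read"] }
path "auth/approle/role/${ROLE_NAME}/secret-id" { capabilities = ["create","update"] }
path "auth/token/renew-self" { capabilities = ["update"] }
EOF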
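# 2) PKI Role: light constraints (we only need ca_chain for proxytrust)
log "Upserting PKI role: ${PKI_ROLE}"
# Best effort by design (the agent only needs the CA chain), but a failure is
# now reported on stderr instead of being silently swallowed by `|| true`;
# the script still continues either way.
# NOTE(review): allow_subdomains=false together with
# allowed_domains=int.privsec.ch means a request for the default CN
# apptest.int.privsec.ch (a subdomain) would be refused by this role. That is
# harmless if nothing issues leaf certificates through it -- confirm.
if ! vault write "${PKI_MOUNT}/roles/${PKI_ROLE}" \
  allowed_domains="int.privsec.ch" \
  allow_bare_domains=true \
  allow_subdomains=false \
  allow_wildcard_certificates=false \
  max_ttl="720h" >/dev/null; then
  err "PKI role ${PKI_ROLE} could not be written; continuing (issuing on it will fail until it exists)"
fi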
# 3) AppRole with unlimited secret-id usage/ttl (for agent)
log "Upserting AppRole: ${ROLE_NAME}"
# secret_id_ttl=0 / secret_id_num_uses=0: the SecretID written to disk never
# expires and may be used any number of times, so the 0600 file is what bounds
# access. Re-running this script mints an additional SecretID; nothing here
# revokes earlier ones.
approle_args=(
  policies="${POLICY_NAME}"
  secret_id_ttl=0
  secret_id_num_uses=0
  token_ttl=24h
  token_max_ttl=0
  bind_secret_id=true
)
vault write "auth/approle/role/${ROLE_NAME}" "${approle_args[@]}" >/dev/null
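# 4) Fetch RoleID + SecretID and write to user's agent dir
ROLE_ID="$(vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id")"
SECRET_ID="$(vault write -f -field=secret_id "auth/approle/role/${ROLE_NAME}/secret-id")"
log "RoleID: ${ROLE_ID}"
log "SecretID: ${SECRET_ID:0:6}******** (masked)"

#######################################
# Store one credential in a 0600 file owned by ${USER}.
# The value is fed to sudo over stdin and the path/owner are passed as
# arguments, so neither the secret nor the path is spliced into a shell
# command string: nothing shows up in process listings or sudo's command
# logging, and a path or user name containing quotes cannot alter the command.
# Globals:   USER (read)
# Arguments: $1 - value to store, $2 - destination file
# Returns:   non-zero if the write, chown or chmod fails (aborts under set -e)
#######################################
_write_cred_file() {
  local value=$1 dest=$2
  printf '%s\n' "${value}" \
    | sudo bash -c 'umask 077; cat >"$1" && chown -- "$2:$2" "$1" && chmod 600 -- "$1"' _ "${dest}" "${USER}"
}
_write_cred_file "${ROLE_ID}" "${ROLE_ID_FILE}"
_write_cred_file "${SECRET_ID}" "${SECRET_ID_FILE}"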
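# 5) Quick verify on disk
log "Wrote: ${ROLE_ID_FILE} and ${SECRET_ID_FILE}"
# Listing as the target user shows that the 0700 directory is readable by
# them. The path is passed as an argument instead of being interpolated into a
# `bash -c` string; a failed listing is reported but does not abort.
sudo -u "${USER}" ls -l -- "${AGENT_DIR}" | sed 's/^/ /' \
  || err "Could not list ${AGENT_DIR} as ${USER}"
cat <<EOF
$(ts) [INFO] Done.
Next steps (manual debug run of the agent as ${USER}):
# a) check the files:
sudo -u ${USER} bash -lc 'ls -l ${AGENT_DIR}'
# b) run agent in foreground (debug) to render CA chain and reload nginx:
sudo -u ${USER} bash -lc '
export VAULT_ADDR="${VAULT_ADDR}"
${VAULT_BIN:-/usr/bin/vault} agent -log-level=debug -config="${AGENT_DIR}/vault-agent.hcl"
'
# c) or start the user systemd unit (if you already created it):
APP_UID=\$(id -u ${USER})
sudo loginctl enable-linger ${USER}
sudo systemctl start "user@\${APP_UID}.service" || true
sudo -u ${USER} XDG_RUNTIME_DIR=/run/user/\${APP_UID} systemctl --user daemon-reload
sudo -u ${USER} XDG_RUNTIME_DIR=/run/user/\${APP_UID} systemctl --user enable --now "vault-agent-${APP}.service"
# d) live logs (user journal):
sudo -u ${USER} XDG_RUNTIME_DIR=/run/user/\${APP_UID} journalctl --user -u "vault-agent-${APP}.service" -f -o cat
EOF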