
#!/usr/bin/env bash
# bootstrap_secret_agent.sh — provisions a read-only Vault AppRole for one
# local service account and installs its role_id/secret_id into that
# account's home directory.
#
# Usage:  sudo -E ./bootstrap_secret_agent.sh <APPUSER>
# Env:    VAULT_ADDR       (required) Vault API address
#         VAULT_TOKEN      (required) token allowed to manage policies/AppRoles
#         VAULT_NAMESPACE  (optional) Enterprise/HCP namespace, default empty
#
# Security notes: VAULT_TOKEN is read from the environment on purpose (never
# from argv, which `ps` would expose) and is exported to every child process
# below, so do not trace this script with `set -x` or run it under anything
# that logs the environment. APPUSER flows into Vault paths and into the
# policy HCL; it is expected to be a plain local account name.
set -euo pipefail

# ============
# Usage & ENV
# ============
# Exactly one positional argument: the service account to provision.
if (( $# != 1 )); then
  printf '%s\n' "Usage: sudo -E $0 <APPUSER>" >&2
  printf '%s\n' "Erfordert: VAULT_ADDR und VAULT_TOKEN im Environment." >&2
  exit 1
fi
APPUSER=$1

# Abort with a hint when the mandatory Vault settings are missing.
: "${VAULT_ADDR:?Setze VAULT_ADDR, z.B. https://vault.example.com:8200}"
: "${VAULT_TOKEN:?Setze VAULT_TOKEN (Admin- oder Approver-Token)}"
: "${VAULT_NAMESPACE:=}"  # optional (HCP/Enterprise)

# Names derived from APPUSER
ROLE="secret-agent-${APPUSER}"
POLICY="${ROLE}-policy"
KV_PATH="kv"                 # KV v2 mount (adjust if needed)
SECRET_SUBPATH="${APPUSER}"  # effective secret path: kv/${APPUSER}

# Credential target: the account's home from the passwd database, with a
# fallback to /home/<APPUSER> when getent yields nothing (the `|| true`
# keeps pipefail from aborting the script on an unknown account).
HOMEDIR=$(getent passwd "${APPUSER}" | cut -d: -f6 || true)
if [[ -z "${HOMEDIR}" ]]; then
  HOMEDIR="/home/${APPUSER}"
fi
CREDS_DIR="${HOMEDIR}/vault/creds"

# Hand the Vault settings to the vault CLI invoked below.
export VAULT_ADDR VAULT_TOKEN VAULT_NAMESPACE
#######################################
# Abort the script when a required tool is not on PATH.
# Arguments: $1 - command name to look for
# Outputs:   "Fehlt: <name>" on stderr when missing
# Returns:   0 when the tool exists; exits the shell with 1 otherwise
#######################################
need() {
  local tool=$1
  if ! command -v "${tool}" >/dev/null 2>&1; then
    printf '%s\n' "Fehlt: ${tool}" >&2
    exit 1
  fi
}
# Hard requirements before touching Vault or the filesystem.
need vault
need getent
need sudo
need install

# Print the effective configuration so a run can be audited from its log
# (no secret values are echoed here).
printf '%s\n' "==> Vault: ${VAULT_ADDR}"
if [[ -n "${VAULT_NAMESPACE}" ]]; then
  printf '%s\n' "==> Namespace: ${VAULT_NAMESPACE}"
fi
printf '%s\n' "==> APPUSER: ${APPUSER}"
printf '%s\n' "==> ROLE: ${ROLE}"
printf '%s\n' "==> POLICY: ${POLICY}"
printf '%s\n' "==> KV mount: ${KV_PATH}"
printf '%s\n' "==> Secret subpath: ${SECRET_SUBPATH} (effektiv: ${KV_PATH}/${SECRET_SUBPATH})"
printf '%s\n' "==> Creds-Dir: ${CREDS_DIR}"
printf '\n'
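# ==============================
# 1) Backend/Policy/AppRole (idempotent)
# ==============================
echo "==> Enable KV v2 (idempotent)…"
# "path is already in use" is the expected failure on re-runs. NOTE: the
# `|| true` also masks auth/connectivity errors; those are not silenced on
# the policy write right below, so they still abort the script there.
vault secrets enable -path="${KV_PATH}" kv-v2 >/dev/null 2>&1 || true

echo "==> Write policy ${POLICY} (read-only auf ${KV_PATH}/data/${SECRET_SUBPATH})…"
# The policy is fed to vault on stdin ("-") instead of through a mktemp file:
# a failing `vault policy write` under `set -e` no longer leaves a stray
# temp file behind. Least privilege: only "read" on this one secret's data
# path (no list/metadata, no other subpaths).
vault policy write "${POLICY}" - >/dev/null <<EOF
path "${KV_PATH}/data/${SECRET_SUBPATH}" {
capabilities = ["read"]
}
EOF

echo "==> Enable AppRole auth (idempotent)…"
vault auth enable approle >/dev/null 2>&1 || true  # same trade-off as the KV enable above

echo "==> Create/Update AppRole ${ROLE}"
# secret_id_ttl=0 / secret_id_num_uses=0 make the installed secret_id
# non-expiring and reusable; that is deliberate because it lives on disk as
# a long-lived credential, but it also means a leaked file stays valid until
# revoked. Hardening option when the consumer's network is known:
# secret_id_bound_cidrs / token_bound_cidrs. Tokens themselves stay short
# (15m, renewable up to 30m).
vault write "auth/approle/role/${ROLE}" \
  policies="${POLICY}" \
  secret_id_ttl=0 \
  secret_id_num_uses=0 \
  token_ttl=15m \
  token_max_ttl=30m >/dev/null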
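# ==============================
# 2) ROLE_ID & SECRET_ID holen
# ==============================
echo "==> Fetch role_id & secret_id…"
# role_id is stable per role; every `secret-id` call mints a NEW secret_id.
# Because the role above uses secret_id_ttl=0 / secret_id_num_uses=0, the
# secret_ids from earlier runs remain valid — this script does not revoke
# them, so a rotation also needs the old ones destroyed via the AppRole
# secret-id endpoints.
ROLE_ID="$(vault read -field=role_id "auth/approle/role/${ROLE}/role-id")"
SECRET_ID="$(vault write -field=secret_id -f "auth/approle/role/${ROLE}/secret-id")"
# `set -e` already aborts on a failed vault call; this guards against an
# empty field being installed silently. Diagnostics belong on stderr.
if [[ -z "${ROLE_ID}" || -z "${SECRET_ID}" ]]; then
  echo "✖ ROLE_ID/SECRET_ID leer Abbruch" >&2
  exit 1
fi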
# ==============================
# 3) Dateien beim APPUSER installieren
# ==============================
echo "==> Install creds to ${CREDS_DIR}"
# Both files and the directory belong to the service account only.
cred_owner=(-o "${APPUSER}" -g "${APPUSER}")
sudo install -d "${cred_owner[@]}" -m 0700 "${CREDS_DIR}"
# The values reach install(1) on stdin through the printf builtin, so neither
# secret ever shows up in a process argument list; 0400 keeps each file
# read-only for its owner.
printf '%s' "${ROLE_ID}" \
  | sudo install "${cred_owner[@]}" -m 0400 /dev/stdin "${CREDS_DIR}/role_id"
printf '%s' "${SECRET_ID}" \
  | sudo install "${cred_owner[@]}" -m 0400 /dev/stdin "${CREDS_DIR}/secret_id"
# Show the resulting ownership/permissions for the operator's log.
sudo ls -l "${CREDS_DIR}"
# ==============================
# 4) (optional) Seed-Secrets anlegen, falls nicht vorhanden
# ==============================
# Seed placeholders only when nothing is stored yet, so a re-run never
# clobbers real values.
# NOTE(review): the probe cannot tell "absent" from "unreadable" — a token
# lacking read but holding create on this path would overwrite existing data;
# confirm the token's policy before running against a populated mount.
if vault kv get "${KV_PATH}/${SECRET_SUBPATH}" >/dev/null 2>&1; then
  echo " - Secrets existieren bereits übersprungen."
else
  echo "==> Seed secrets at ${KV_PATH}/${SECRET_SUBPATH}"
  # Placeholder values, meant to be replaced before any consumer uses them.
  vault kv put "${KV_PATH}/${SECRET_SUBPATH}" \
    mariadb_root_password='CHANGE_ME_ROOT' \
    mysql_password='CHANGE_ME_APP' >/dev/null
  echo " - Beispiel-Secrets gesetzt (bitte später ändern)."
fi

# Summary for the operator (paths and names only, no secret values).
echo
echo "✔ Fertig. ROLE_ID/SECRET_ID installiert unter: ${CREDS_DIR}"
echo " Rolle: ${ROLE}"
echo " Policy: ${POLICY}"
echo " Secret: ${KV_PATH}/${SECRET_SUBPATH}"