#!/usr/bin/env sh
# set-vault-env-auto.sh
# Auto-detect & export: VAULT_ADDR, VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY, VAULT_TOKEN (+VAULT_ADMIN_TOKEN)
# Supports sudo reads from /home/vault/tls-<env>/… and an optional copy into your $HOME.
# Usage: source ./set-vault-env-auto.sh [--env test|prod] [--addr URL] [--cacert PATH] [--client-cert PATH] [--client-key PATH] [--token-file PATH] [--token STRING] [--sudo-copy-ca] [-q]
# ---------- helpers ----------
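#######################################
# Print the option summary to stdout (so `--help | less` works).
# Lists every option the argument parser accepts, including -h/--help,
# which the previous text left out.
#######################################
usage() {
  cat <<'EOF'
Usage: source ./set-vault-env-auto.sh [options]

Options:
  --env NAME          test|prod (default: test) → prefers /home/vault/tls-<env>/*
  --addr URL          e.g. https://127.0.0.1:22300 (default: https://127.0.0.1:22300)
  --cacert PATH       explicit CA file
  --client-cert PATH  admin/agent client cert
  --client-key PATH   admin/agent client key
  --token-file PATH   file with token (JSON or "Key Value" table or plaintext)
  --token STRING      token string directly (prefer --token-file: a literal token
                      ends up in shell history and in the process list)
  --sudo-copy-ca      copy /home/vault/tls-<env>/ca_chain.pem → $HOME/vault/ca/ca.pem (via sudo)
  -q, --quiet         less output
  -h, --help          show this help

Tip: must be *sourced* so exports persist in your shell.
EOF
}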
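# Informational line; suppressed by -q/--quiet. ${QUIET:-} keeps the test
# valid when the sourcing shell runs with `set -u` and QUIET was never set.
msg() { [ -n "${QUIET:-}" ] || printf '🟩 %s\n' "$*"; }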
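# Warning line on stderr. Note it is silenced by -q/--quiet as well (author's
# choice). ${QUIET:-} keeps this safe under a sourcing shell's `set -u`.
warn() { [ -n "${QUIET:-}" ] || printf '🟨 %s\n' "$*" >&2; }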
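#######################################
# Print a value with its middle hidden: first 6 and last 5 characters around
# an ellipsis. Values of 10 characters or fewer are printed unchanged (the
# original behaviour) — so for short values this is display hygiene, not
# redaction; for lengths 11–16 most of the value is still visible.
# Works on "$1" directly: the script is meant to be sourced, so helper
# variables (the old s/n) would otherwise leak into the caller's shell.
# Arguments: $1 - value to display
# Outputs:   masked value on stdout, no trailing newline
#######################################
mask() {
  if [ "${#1}" -le 10 ]; then
    printf '%s' "$1"
  else
    printf '%s…%s' "$(printf '%s' "$1" | cut -c1-6)" "$(printf '%s' "$1" | tail -c 5)"
  fi
}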
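#######################################
# Print the first argument that is a non-empty path readable by the current
# user; print nothing if there is none. Always returns 0 — callers use
# $(...) and test the result for emptiness.
# Walks "$@" with shift instead of a `for f` loop so that no loop variable
# is left behind in the shell that sources this script.
# Arguments: candidate paths (empty strings are skipped)
#######################################
pick_first_readable() {
  while [ $# -gt 0 ]; do
    if [ -n "$1" ] && [ -r "$1" ]; then
      printf '%s' "$1"
      return 0
    fi
    shift
  done
  return 0
}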
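#######################################
# Like pick_first_readable, but readability is tested as root via `sudo test`.
# Prints nothing when sudo is unavailable or no candidate is readable;
# always returns 0. The sudo lookup is done once, not per candidate, and
# empty candidates are skipped before sudo is invoked — each `sudo test`
# is a separate sudo call and may prompt for a password.
# Arguments: candidate paths (empty strings are skipped)
#######################################
pick_first_readable_sudo() {
  command -v sudo >/dev/null 2>&1 || return 0
  while [ $# -gt 0 ]; do
    if [ -n "$1" ] && sudo test -r "$1" 2>/dev/null; then
      printf '%s' "$1"
      return 0
    fi
    shift
  done
  return 0
}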
# Extract the value of the "token" row from a `vault` "Key Value" style table
# ($1 = file). Fields are split on runs of blanks/tabs; prints the first match.
token_from_table() {
  awk -F '[ \t]+' '$1 == "token" { print $2; exit }' "$1"
}
# Extract a token from a JSON file ($1) using jq, trying the usual key
# locations in order; prints nothing when none is present.
# Returns 1 (printing nothing) when jq is not installed.
token_from_json() {
  if ! command -v jq >/dev/null 2>&1; then
    return 1
  fi
  jq -r '(.auth.client_token // .root_token // .data.token // .token // empty)' "$1"
}
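# ---------- parse args ----------
ENV_NAME="test"; ADDR_OPT=""; CACERT_OPT=""; CCERT_OPT=""; CKEY_OPT=""; TOKEN_FILE_OPT=""; TOKEN_OPT=""
SUDO_COPY_CA=""
# Keep an inherited QUIET=… but make sure the name exists: msg/warn test it,
# and an unset name trips a sourcing shell that runs with `set -u`.
QUIET=${QUIET:-}
while [ $# -gt 0 ]; do
  # Every option in this group takes a value. `shift 2` with only one
  # argument left is a fatal error in POSIX sh, so refuse a missing value
  # up front instead of letting the shell abort mid-parse.
  case "$1" in
    --env|--addr|--cacert|--client-cert|--client-key|--token-file|--token)
      if [ $# -lt 2 ]; then
        warn "Option $1 requires a value"; usage; return 2 2>/dev/null || exit 2
      fi
      ;;
  esac
  case "$1" in
    --env) ENV_NAME=$2; shift 2;;
    --addr) ADDR_OPT=$2; shift 2;;
    --cacert) CACERT_OPT=$2; shift 2;;
    --client-cert) CCERT_OPT=$2; shift 2;;
    --client-key) CKEY_OPT=$2; shift 2;;
    --token-file) TOKEN_FILE_OPT=$2; shift 2;;
    --token) TOKEN_OPT=$2; shift 2;;
    --sudo-copy-ca) SUDO_COPY_CA=1; shift;;
    -q|--quiet) QUIET=1; shift;;
    # `return` works when sourced; when executed it fails (stderr hidden) and exit takes over.
    -h|--help) usage; return 0 2>/dev/null || exit 0;;
    *) warn "Unknown arg: $1"; usage; return 2 2>/dev/null || exit 2;;
  esac
done
# ENV_NAME only feeds path names; a typo silently points at a directory that
# does not exist, so say so early.
case "$ENV_NAME" in
  test|prod) ;;
  *) warn "--env '$ENV_NAME' is not test|prod; paths under tls-$ENV_NAME may not exist" ;;
esac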
# ---------- derive common paths ----------
# All candidate locations are keyed on ENV_NAME (test|prod). Assignment
# right-hand sides are not field-split in sh, so no quotes are needed.
TLS_DIR_VAULT=/home/vault/tls-$ENV_NAME          # vault's own TLS dir; read via sudo when not directly readable
TLS_DIR_USER=$HOME/vault/tls-$ENV_NAME           # per-user copy of the same material
USER_CA_DIR=$HOME/vault/ca                       # where --sudo-copy-ca drops the chain
USER_CA=$USER_CA_DIR/ca.pem
OFFLINE_ROOT=$HOME/vault/offline-root/$ENV_NAME  # last-resort root CA
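# ---------- 1) VAULT_ADDR ----------
# default https; override with --addr if needed
VAULT_ADDR=${ADDR_OPT:-https://127.0.0.1:22300}
# A non-https address sends VAULT_TOKEN in cleartext on every request.
# Allowed (local dev setups exist), but say so instead of failing silently later.
case "$VAULT_ADDR" in
  https://*) ;;
  *) warn "VAULT_ADDR is not https:// — the token will travel unencrypted: $VAULT_ADDR" ;;
esac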
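# ---------- 2) VAULT_CACERT (prefer CHAIN) ----------
if [ -n "$CACERT_OPT" ]; then
  VAULT_CACERT=$CACERT_OPT
else
  # The previous line here was `VAULT_CATCERT=$("…/root_ca.pem")`: a typo in
  # the variable name and a command substitution that tries to *execute* the
  # PEM file, so VAULT_CACERT was never set. Restore the candidate search
  # that the commented-out lines described.
  # Order: the user's own copy, the per-user TLS dir (chain before root), the
  # infra root (literal path kept from the original line — TODO make it
  # $HOME-relative), then the offline root as last resort.
  VAULT_CACERT=$(pick_first_readable \
    "$USER_CA" \
    "$TLS_DIR_USER/ca_chain.pem" \
    "$TLS_DIR_USER/root_ca.pem" \
    "/home/blade34242/vault/infra/root_ca.pem" \
    "$OFFLINE_ROOT/root-ca.pem")
  # Nothing readable as this user: try the vault service's own dir via sudo.
  if [ -z "$VAULT_CACERT" ]; then
    VAULT_CACERT=$(pick_first_readable_sudo \
      "$TLS_DIR_VAULT/ca_chain.pem" \
      "$TLS_DIR_VAULT/root_ca.pem")
  fi
  # Optionally copy into user's $HOME (so future runs don't need sudo)
  if [ -n "$VAULT_CACERT" ] && [ -n "$SUDO_COPY_CA" ]; then
    if command -v sudo >/dev/null 2>&1; then
      # choose chain if available; otherwise whatever we found
      SRC=$(pick_first_readable_sudo "$TLS_DIR_VAULT/ca_chain.pem")
      [ -n "$SRC" ] || SRC=$VAULT_CACERT
      # $USER is not guaranteed to be set in POSIX sh; fall back to id -un.
      _owner=${USER:-$(id -un)}
      sudo install -d -m 0755 -o "$_owner" -g "$_owner" "$USER_CA_DIR" 2>/dev/null || true
      # 0644 is appropriate: a CA chain is public material (never do this for a key).
      sudo install -m 0644 -o "$_owner" -g "$_owner" "$SRC" "$USER_CA" 2>/dev/null && VAULT_CACERT=$USER_CA
      unset _owner
    fi
  fi
fi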
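# ---------- 3) VAULT_CLIENT_CERT/KEY ----------
# Explicit options win; otherwise the admin material is preferred over the agent material.
if [ -n "$CCERT_OPT" ]; then
  VAULT_CLIENT_CERT=$CCERT_OPT
elif [ -r "$HOME/vault/tls-admin/admin.crt" ]; then
  VAULT_CLIENT_CERT=$HOME/vault/tls-admin/admin.crt
elif [ -r "$HOME/vault/mtls/agent.crt" ]; then
  VAULT_CLIENT_CERT=$HOME/vault/mtls/agent.crt
else
  VAULT_CLIENT_CERT=""
fi
if [ -n "$CKEY_OPT" ]; then
  VAULT_CLIENT_KEY=$CKEY_OPT
elif [ -r "$HOME/vault/tls-admin/admin.key" ]; then
  VAULT_CLIENT_KEY=$HOME/vault/tls-admin/admin.key
elif [ -r "$HOME/vault/mtls/agent.key" ]; then
  VAULT_CLIENT_KEY=$HOME/vault/mtls/agent.key
else
  VAULT_CLIENT_KEY=""
fi
# Cert and key are detected independently, so admin.crt can end up paired
# with agent.key (e.g. when admin.key is missing or unreadable). Such a pair
# cannot complete a TLS handshake; flag it here rather than letting the first
# vault/curl call fail with an opaque error.
if [ -z "$CCERT_OPT" ] && [ -z "$CKEY_OPT" ] && [ -n "$VAULT_CLIENT_CERT" ] && [ -n "$VAULT_CLIENT_KEY" ]; then
  if [ "${VAULT_CLIENT_CERT%/*}" != "${VAULT_CLIENT_KEY%/*}" ]; then
    warn "client cert ($VAULT_CLIENT_CERT) and key ($VAULT_CLIENT_KEY) come from different directories — probably not a matching pair."
  fi
fi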
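# ---------- 4) VAULT_TOKEN (+VAULT_ADMIN_TOKEN) ----------
if [ -n "$TOKEN_OPT" ]; then
  VAULT_TOKEN=$TOKEN_OPT
else
  TOKEN_FILE_CAND=$TOKEN_FILE_OPT
  if [ -z "$TOKEN_FILE_CAND" ]; then
    # Default candidates, first readable wins (helper avoids a stray loop
    # variable in the sourcing shell).
    TOKEN_FILE_CAND=$(pick_first_readable \
      "$HOME/vault/secrets/new-admin-token2.txt" \
      "$HOME/vault/secrets/vault-init.json" \
      "$HOME/.vault-token")
  fi
  if [ -n "$TOKEN_FILE_CAND" ] && [ -r "$TOKEN_FILE_CAND" ]; then
    # A token file readable by others is a credential leak; warn, don't fail.
    if [ -n "$(find "$TOKEN_FILE_CAND" -prune -perm -o+r 2>/dev/null)" ]; then
      warn "token file $TOKEN_FILE_CAND is world-readable; consider chmod 600."
    fi
    case "$TOKEN_FILE_CAND" in
      *.json)
        VAULT_TOKEN=$(token_from_json "$TOKEN_FILE_CAND")
        # No jq, or none of the known keys present: crude regex fallback on the raw JSON.
        [ -n "$VAULT_TOKEN" ] || VAULT_TOKEN=$(grep -Eo '"(root_token|token)"[[:space:]]*:[[:space:]]*"[^"]+"' "$TOKEN_FILE_CAND" | head -n1 | sed -E 's/.*"([^"]+)".*/\1/')
        ;;
      *)
        VAULT_TOKEN=$(token_from_table "$TOKEN_FILE_CAND")
        # Plaintext fallback: first line that looks like a bare token.
        # The '-' must be the last item in the bracket expression: the original
        # '[[:alnum:]\.\-=_/]' parsed as a reversed range ('\' to '='), which
        # makes grep reject the pattern, so this fallback never matched anything.
        # `head -n1` replaces the non-POSIX `-m1`.
        [ -n "$VAULT_TOKEN" ] || VAULT_TOKEN=$(grep -E '^[[:alnum:]][[:alnum:]._=/-]*$' "$TOKEN_FILE_CAND" 2>/dev/null | head -n1)
        ;;
    esac
  else
    # Nothing found: keep whatever the environment already had (may be empty).
    VAULT_TOKEN=${VAULT_TOKEN:-}
  fi
fi
# VAULT_ADMIN_TOKEN is an alias of the same secret; both are exported below
# and therefore visible to every child process of this shell.
[ -n "$VAULT_TOKEN" ] && VAULT_ADMIN_TOKEN=$VAULT_TOKEN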
# ---------- export ----------
# Everything exported here is inherited by every child process of the
# sourcing shell, including the two token copies.
export VAULT_ADDR VAULT_CACERT VAULT_CLIENT_CERT VAULT_CLIENT_KEY
export VAULT_TOKEN VAULT_ADMIN_TOKEN
# ---------- output ----------
# Summary of what was exported. The paths are printed in full, the two token
# values only through mask(). The summary itself is not affected by -q; only
# msg/warn are.
msg "env gesetzt:"
printf ' VAULT_ADDR = %s\n VAULT_CACERT = %s\n VAULT_CLIENT_CERT = %s\n VAULT_CLIENT_KEY = %s\n' \
  "$VAULT_ADDR" \
  "${VAULT_CACERT:-<unset>}" \
  "${VAULT_CLIENT_CERT:-<unset>}" \
  "${VAULT_CLIENT_KEY:-<unset>}"
printf ' VAULT_TOKEN = %s\n VAULT_ADMIN_TOKEN = %s\n' \
  "$(mask "${VAULT_TOKEN:-}")" \
  "$(mask "${VAULT_ADMIN_TOKEN:-}")"

# Readability checks: a path that is set but unreadable by this user will
# fail later, so point it out now.
if [ -n "${VAULT_CACERT:-}" ] && [ ! -r "$VAULT_CACERT" ]; then
  warn "VAULT_CACERT not readable (maybe sudo-only path; consider --sudo-copy-ca)."
fi
if [ -n "${VAULT_CLIENT_CERT:-}" ] && [ ! -r "$VAULT_CLIENT_CERT" ]; then
  warn "VAULT_CLIENT_CERT not readable."
fi
if [ -n "${VAULT_CLIENT_KEY:-}" ] && [ ! -r "$VAULT_CLIENT_KEY" ]; then
  warn "VAULT_CLIENT_KEY not readable."
fi
if [ -z "${VAULT_TOKEN:-}" ]; then
  warn "No token found. Use --token-file or --token."
fi
# ---------- tests ----------
# Suggested smoke-test commands (printed, not executed); skipped under -q.
if [ -z "$QUIET" ]; then
  printf '\nTests:\n'
  case "$VAULT_CACERT" in
    '')
      printf ' (no CA set) vault status -ca-path <path-to-ca> # or set --sudo-copy-ca to pull from /home/vault\n'
      ;;
    *)
      printf ' vault status\n'
      printf ' curl -sS --cert "$VAULT_CLIENT_CERT" --key "$VAULT_CLIENT_KEY" --cacert "$VAULT_CACERT" "$VAULT_ADDR/v1/sys/health" | jq .\n'
      ;;
  esac
fi