#!/usr/bin/env sh
# set-vault-env-auto.sh
# Auto-detect & export: VAULT_ADDR, VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY, VAULT_TOKEN (+VAULT_ADMIN_TOKEN)
# Options override auto-detection. Must be *sourced* (`. ./set-vault-env-auto.sh`), not executed,
# so that the exports land in the calling shell.

# -------- helpers (POSIX) --------
usage() {
  # Help text for the option parser, written to stdout. The $HOME in the
  # examples is deliberately printed literally (single-quoted arguments).
  # NOTE: --token puts the secret into argv, where shell history and process
  # listings can expose it; --token-file is the safer way to hand it over.
  printf '%s\n' \
    'Usage: source ./set-vault-env-auto.sh [options]' \
    'Options (override auto-detection):' \
    '--addr URL e.g. https://127.0.0.1:22300' \
    '--cacert PATH e.g. $HOME/vault/offline-root/test/root-ca.pem' \
    '--client-cert PATH e.g. $HOME/vault/tls-admin/admin.crt' \
    '--client-key PATH e.g. $HOME/vault/tls-admin/admin.key' \
    '--token-file PATH file with token (JSON, "Key Value" table, or plaintext)' \
    '--token STRING token string directly' \
    '-q, --quiet less output' \
    'Tip: must be *sourced* (not executed) so exports persist in your shell.'
}

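# Status line on stdout; silenced by -q. QUIET is defaulted with ${QUIET:-}
# because this file is sourced and the calling shell may run with `set -u`.
msg() { [ -n "${QUIET:-}" ] || printf '🟩 %s\n' "$*"; }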
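# Warning line on stderr. NOTE: -q silences warnings too, not only msg().
# ${QUIET:-} keeps this safe when the sourcing shell runs with `set -u`.
warn() { [ -n "${QUIET:-}" ] || printf '🟨 %s\n' "$*" >&2; }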
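# Print a redacted form of a secret for the summary output.
# Body runs in a subshell so its variables do not leak into the sourcing shell.
#   ''            -> ''            (keeps "unset" distinguishable)
#   1..10 chars   -> '****'        (too short to show any part without revealing most of it)
#   longer        -> first 6 chars + '…' + last 5 chars
mask() (
  s=$1
  n=${#s}
  if [ "$n" -eq 0 ]; then
    printf ''
  elif [ "$n" -le 10 ]; then
    printf '****'
  else
    printf '%s…%s' "$(printf '%s' "$s" | cut -c1-6)" "$(printf '%s' "$s" | tail -c 5)"
  fi
)
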
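# Print the first non-empty, readable path among the arguments (nothing if none).
# Always returns 0 so that `VAR=$(pick_first_readable ...)` never trips a
# caller's `set -e`; callers test the result for emptiness.
# Body runs in a subshell so the loop variable does not leak into the sourcing shell.
pick_first_readable() (
  for candidate in "$@"; do
    if [ -n "$candidate" ] && [ -r "$candidate" ]; then
      printf '%s' "$candidate"
      exit 0
    fi
  done
  exit 0
)
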
# Extract the token from a "Key Value" table (e.g. `vault login` output):
# prints the second field of the first line whose first field is exactly "token".
token_from_table() {
  awk 'BEGIN { FS = "[ \t]+" } $1 == "token" { print $2; exit }' "$1"
}
# Extract a token from a JSON file with jq, trying the usual locations in order
# (login response, init output, KV data, bare "token"). Returns 1 and prints
# nothing when jq is not installed so the caller can fall back.
token_from_json() {
  if ! command -v jq >/dev/null 2>&1; then
    return 1
  fi
  jq -r '(.auth.client_token // .root_token // .data.token // .token // empty)' "$1"
}

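# -------- parse args (override detection) --------
# Each option fills an *_OPT variable; the detection section below prefers a
# non-empty *_OPT over its auto-detected candidate.
ADDR_OPT=""; CACERT_OPT=""; CCERT_OPT=""; CKEY_OPT=""; TOKEN_FILE_OPT=""; TOKEN_OPT=""
# Reset QUIET on every run: this file is sourced, so a -q from an earlier
# invocation would otherwise stay in effect for all later ones.
QUIET=""
while [ $# -gt 0 ]; do
  case "$1" in
    --addr|--cacert|--client-cert|--client-key|--token-file|--token)
      # These take exactly one value. Without this check, `shift 2` on a
      # missing value fails – and under a caller's `set -e` that aborts the
      # sourcing shell instead of printing usage.
      if [ $# -lt 2 ]; then
        warn "Option $1 requires a value"; usage; return 2 2>/dev/null || exit 2
      fi
      case "$1" in
        --addr) ADDR_OPT=$2;;
        --cacert) CACERT_OPT=$2;;
        --client-cert) CCERT_OPT=$2;;
        --client-key) CKEY_OPT=$2;;
        --token-file) TOKEN_FILE_OPT=$2;;
        --token) TOKEN_OPT=$2;;
      esac
      shift 2;;
    -q|--quiet) QUIET=1; shift;;
    # `return` works when sourced; when executed it fails and `exit` takes over.
    -h|--help) usage; return 0 2>/dev/null || exit 0;;
    *) warn "Unknown arg: $1"; usage; return 2 2>/dev/null || exit 2;;
  esac
done
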
# -------- detect values (options > auto) --------
# 1) VAULT_ADDR – no auto-detection: the option, else the fixed default.
VAULT_ADDR=${ADDR_OPT:-https://127.0.0.1:22300}

# 2) VAULT_CACERT (server trust). The ${..:-} form only runs the lookup when
# no --cacert was given. The first readable candidate wins, otherwise empty.
# NOTE(review): the original comment called this default "OFFLINE ROOT" while
# the candidates are tls-test/ca_chain.pem – confirm which CA is intended.
VAULT_CACERT=${CACERT_OPT:-$(pick_first_readable \
  "$HOME/vault/tls-test/ca_chain.pem" \
  "/home/vault/tls-test/ca_chain.pem")}

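# 3) Client cert/key for mTLS (prefer admin, fallback agent)
# Cert and key use the same candidate order via the shared helper instead of
# two hand-written if/elif chains; an explicit option still wins.
if [ -n "$CCERT_OPT" ]; then
  VAULT_CLIENT_CERT=$CCERT_OPT
else
  VAULT_CLIENT_CERT=$(pick_first_readable \
    "$HOME/vault/tls-admin/admin.crt" \
    "/vault/mtls/agent.crt")
fi

if [ -n "$CKEY_OPT" ]; then
  VAULT_CLIENT_KEY=$CKEY_OPT
else
  VAULT_CLIENT_KEY=$(pick_first_readable \
    "$HOME/vault/tls-admin/admin.key" \
    "/vault/mtls/agent.key")
fi

# Cert and key are detected independently, so a readable admin.crt next to a
# missing admin.key silently pairs with agent.key and only fails later in the
# TLS handshake. Flag a cross-directory pair when both were auto-detected.
if [ -z "$CCERT_OPT" ] && [ -z "$CKEY_OPT" ] \
  && [ -n "$VAULT_CLIENT_CERT" ] && [ -n "$VAULT_CLIENT_KEY" ] \
  && [ "${VAULT_CLIENT_CERT%/*}" != "${VAULT_CLIENT_KEY%/*}" ]; then
  warn "VAULT_CLIENT_CERT and VAULT_CLIENT_KEY come from different directories – check they are a matching pair."
fi
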
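# 4) Token (options > files > existing env)
if [ -n "$TOKEN_OPT" ]; then
  VAULT_TOKEN=$TOKEN_OPT
else
  # Candidate file: the explicit option, else the first readable well-known file.
  # NOTE: vault-init.json holds the *initial root token*; picking it up makes
  # every later command run as root – a scoped admin token is preferable.
  TOKEN_FILE_CAND=$TOKEN_FILE_OPT
  if [ -z "$TOKEN_FILE_CAND" ]; then
    TOKEN_FILE_CAND=$(pick_first_readable \
      "$HOME/vault/secrets/new-admin-token2.txt" \
      "$HOME/vault/secrets/vault-init.json" \
      "$HOME/.vault-token")
  elif [ ! -r "$TOKEN_FILE_CAND" ]; then
    # An explicitly named file that cannot be read used to fall through to the
    # environment without a word; say so, then fall back as before.
    warn "Token file not readable: $TOKEN_FILE_CAND"
  fi
  if [ -n "$TOKEN_FILE_CAND" ] && [ -r "$TOKEN_FILE_CAND" ]; then
    case "$TOKEN_FILE_CAND" in
      *.json)
        VAULT_TOKEN=$(token_from_json "$TOKEN_FILE_CAND")
        # No jq (or no matching key): crude textual fallback on the first
        # "root_token"/"token" key in the file.
        [ -n "$VAULT_TOKEN" ] || VAULT_TOKEN=$(grep -Eo '"(root_token|token)"[[:space:]]*:[[:space:]]*"[^"]+"' "$TOKEN_FILE_CAND" | head -n1 | sed -E 's/.*"([^"]+)".*/\1/')
        ;;
      *)
        # "Key Value" table first, then the first line that looks like a bare
        # token (plaintext files such as ~/.vault-token).
        VAULT_TOKEN=$(token_from_table "$TOKEN_FILE_CAND")
        # Bracket expression with '-' last: a backslash is literal inside POSIX
        # bracket expressions, so the former '\.\-=' spelled a reversed (hence
        # invalid) range from '\' to '=' and the plaintext fallback never matched.
        [ -n "$VAULT_TOKEN" ] || VAULT_TOKEN=$(grep -E -m1 '^[[:alnum:]][[:alnum:]._/=-]*$' "$TOKEN_FILE_CAND" 2>/dev/null || printf '')
        ;;
    esac
  else
    # fall back to existing env only if nothing else found
    VAULT_TOKEN=${VAULT_TOKEN:-}
  fi
fi
# VAULT_ADMIN_TOKEN mirrors VAULT_TOKEN. Assigning unconditionally also clears
# a stale admin token left over from an earlier sourcing when no token is found.
VAULT_ADMIN_TOKEN=${VAULT_TOKEN:-}
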
# -------- export --------
export VAULT_ADDR VAULT_CACERT VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_TOKEN VAULT_ADMIN_TOKEN

# -------- output --------
# The summary always goes to stdout; only the headline honours -q. Tokens go
# through mask() rather than being printed in full.
msg "env gesetzt:"
printf ' VAULT_ADDR = %s\n VAULT_CACERT = %s\n VAULT_CLIENT_CERT = %s\n VAULT_CLIENT_KEY = %s\n' \
  "${VAULT_ADDR}" \
  "${VAULT_CACERT:-<unset>}" \
  "${VAULT_CLIENT_CERT:-<unset>}" \
  "${VAULT_CLIENT_KEY:-<unset>}"
printf ' VAULT_TOKEN = %s\n VAULT_ADMIN_TOKEN = %s\n' \
  "$(mask "${VAULT_TOKEN:-}")" \
  "$(mask "${VAULT_ADMIN_TOKEN:-}")"

# Sanity checks: a configured path that is not readable, or no token at all.
# (warn() is silenced by -q as well.)
if [ -n "${VAULT_CACERT:-}" ] && [ ! -r "$VAULT_CACERT" ]; then
  warn "VAULT_CACERT not readable."
fi
if [ -n "${VAULT_CLIENT_CERT:-}" ] && [ ! -r "$VAULT_CLIENT_CERT" ]; then
  warn "VAULT_CLIENT_CERT not readable."
fi
if [ -n "${VAULT_CLIENT_KEY:-}" ] && [ ! -r "$VAULT_CLIENT_KEY" ]; then
  warn "VAULT_CLIENT_KEY not readable."
fi
if [ -z "${VAULT_TOKEN:-}" ]; then
  warn "No token found. Use --token-file or --token to provide one."
fi

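# (print test hints)
# ${QUIET:-} keeps this safe under a caller's `set -u` (this file is sourced).
if [ -z "${QUIET:-}" ]; then
  printf '\nTests:\n'
  printf ' vault status\n'
  # No -k/--insecure in the hint: it would skip certificate verification
  # entirely and so hide exactly the CA/mTLS misconfigurations this check
  # is meant to surface. The variable names are printed literally on purpose.
  printf ' curl -sS --cert "$VAULT_CLIENT_CERT" --key "$VAULT_CLIENT_KEY" '
  printf '--cacert "$VAULT_CACERT" "$VAULT_ADDR/v1/sys/health" | jq .\n'
fi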