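#!/usr/bin/env bash
set -Eeuo pipefail

# 04_enable_https_in_compose.sh
#
# Purpose:
#   Replace Vault container config with HTTPS (using files in /home/vault/tls-<env>).
# Writes:
#   - /home/vault/config/config.hcl (HTTPS listener)
#   - /home/vault/docker-compose.tls.yml
#
# Usage:
#   ./04_enable_https_in_compose.sh --env test --cn vault.int.privsec.ch --port 22300 [--rootless]
#
# After:
#   cd /home/vault
#   podman-compose down
#   podman-compose -f docker-compose.tls.yml up -d
#   curl --cacert tls-test/ca_chain.pem https://127.0.0.1:22300/v1/sys/health

# Bold/colour escapes only when stdout is a terminal; empty otherwise so captured
# output and logs contain no control characters. Y (yellow) is kept for callers
# that source this file even though nothing here uses it.
# shellcheck disable=SC2034
if [[ -t 1 ]]; then B=$'\e[1m'; R=$'\e[0m'; G=$'\e[32m'; Y=$'\e[33m'; E=$'\e[31m'; else B= R= G= Y= E=; fi

# ok MSG...  -- green status line on stdout.
# die MSG... -- red status line on stderr, then exit 1.
# printf '%s' instead of `echo -e`: message text containing backslashes or a
# leading "-n"/"-e" is printed verbatim rather than being interpreted by echo.
ok(){ printf '🟩 %s%s%s%s\n' "$G" "$B" "$*" "$R"; }
die(){ printf '🟥 %s%s%s%s\n' "$E" "$B" "$*" "$R" >&2; exit 1; }
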
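# ---- Argument parsing ---------------------------------------------------------
ENV_NAME="test"
CN="vault.int.local"
PORT="22300"
ROOTLESS=""

# need_arg OPT [VALUE ...]: die with a readable message when an option that takes
# a value is the last word on the command line (otherwise `set -u` aborts with an
# unhelpful "$2: unbound variable").
need_arg(){ [[ $# -ge 2 ]] || die "Option $1 requires a value"; }

while [[ $# -gt 0 ]]; do
  case "$1" in
    --env)      need_arg "$@"; ENV_NAME="$2"; shift 2;;
    --cn)       need_arg "$@"; CN="$2"; shift 2;;
    --port)     need_arg "$@"; PORT="$2"; shift 2;;
    --rootless) ROOTLESS=1; shift 1;;
    -h|--help)  sed -n '1,200p' "$0"; exit 0;;
    *)          die "Unknown arg: $1";;
  esac
done

# ENV_NAME and CN are spliced into filesystem paths and into the generated HCL/YAML
# (unquoted heredocs), so restrict them to hostname-safe characters: no '/', '..',
# quotes or whitespace can reach the rendered files or escape ${SERVER_DIR}.
[[ "$ENV_NAME" =~ ^[A-Za-z0-9_-]+$ ]] || die "--env must match [A-Za-z0-9_-]+ (got: ${ENV_NAME})"
[[ "$CN" =~ ^[A-Za-z0-9.-]+$ ]]       || die "--cn must be a hostname (got: ${CN})"
# No leading zeros: bash would otherwise try to parse e.g. "08" as octal below.
if ! [[ "$PORT" =~ ^[1-9][0-9]{0,4}$ && "$PORT" -le 65535 ]]; then
  die "--port must be an integer in 1..65535 (got: ${PORT})"
fi

# ---- Preconditions -------------------------------------------------------------
SERVER_DIR="/home/vault"
TLS_DIR="${SERVER_DIR}/tls-${ENV_NAME}"
for f in server.key server.crt fullchain.crt ca_chain.pem; do
  [[ -s "${TLS_DIR}/${f}" ]] || die "Missing ${TLS_DIR}/${f} (run script #03 first)"
done

# One scratch file is used to render both outputs; the trap removes it on every
# exit path (success, die, or a failing `sudo install` under set -e), so a rendered
# config never lingers in the temp directory.
TMP="$(mktemp)"
trap 'rm -f -- "$TMP"' EXIT

# ---- config.hcl (HTTPS listener) ------------------------------------------------
# disable_mlock is a bare HCL boolean. Rootless podman cannot grant IPC_LOCK, so
# mlock is turned off in that mode. (Rendering it as
# `${ROOTLESS:+true}${ROOTLESS:-false}` would produce the literal "true1" when
# ROOTLESS=1, which Vault rejects.)
if [[ -n "$ROOTLESS" ]]; then DISABLE_MLOCK=true; else DISABLE_MLOCK=false; fi

CFG="${SERVER_DIR}/config/config.hcl"
sudo install -d -m 0755 -o vault -g vault "$(dirname "$CFG")"
# NOTE(review): tls_cert_file points at the leaf server.crt; clients that do not
# trust the intermediate via ca_chain.pem would need fullchain.crt here -- confirm
# against how script #03 builds ca_chain.pem.
cat >"$TMP" <<HCL
ui = true
disable_mlock = ${DISABLE_MLOCK}

api_addr = "https://${CN}:${PORT}"
cluster_addr = "https://${CN}:8201"

storage "file" {
  path = "/vault/file"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_min_version = "tls12"
  tls_cert_file = "/vault/tls/server.crt"
  tls_key_file = "/vault/tls/server.key"
  # We are NOT enabling client cert auth here (no tls_require_and_verify_client_cert)
}
HCL
sudo install -m 0644 -o vault -g vault "$TMP" "$CFG"
ok "Wrote ${CFG}"

# ---- docker-compose.tls.yml ------------------------------------------------------
DC="${SERVER_DIR}/docker-compose.tls.yml"

# Only the mlock-related keys differ between rootless and rootful; render that
# fragment once (pre-indented to the service level) instead of duplicating the
# whole compose file.
if [[ -n "$ROOTLESS" ]]; then
  MLOCK_YML='    environment:
      VAULT_DISABLE_MLOCK: "true"'
else
  MLOCK_YML='    environment:
      VAULT_DISABLE_MLOCK: "false"
    cap_add:
      - IPC_LOCK
    ulimits:
      memlock:
        soft: -1
        hard: -1'
fi

# The image is pinned by tag only; pinning by digest
# (docker.io/hashicorp/vault:1.17.6@sha256:<digest-placeholder>) is the stricter
# supply-chain choice if the deployment wants immutability.
# The API port is bound to 127.0.0.1 only; TLS termination happens inside the
# container, and the key material is mounted read-only.
cat >"$TMP" <<YML
services:
  vault:
    image: docker.io/hashicorp/vault:1.17.6
    container_name: vault
    command: ["server","-config=/vault/config"]
    ports:
      - "127.0.0.1:${PORT}:8200"
${MLOCK_YML}
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,nodev,size=32m
    volumes:
      - ./config:/vault/config:ro
      - ./tls-${ENV_NAME}:/vault/tls:ro
      - ./file:/vault/file:rw
    restart: unless-stopped
YML
sudo install -m 0644 -o vault -g vault "$TMP" "$DC"

ok "Wrote ${DC}

Next:
cd /home/vault
podman-compose down
podman-compose -f docker-compose.tls.yml up -d
curl --cacert tls-${ENV_NAME}/ca_chain.pem https://127.0.0.1:${PORT}/v1/sys/health
"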