vault-ops/infra/versions/cleanup-vault-leftovers-v1.0.sh

#!/usr/bin/env bash
set -Eeuo pipefail
# -e: abort on an unchecked failing command; -u: unset variables are errors
# (VAULT_ADDR/VAULT_TOKEN are asserted explicitly further down);
# -o pipefail: a pipeline fails when any stage fails (the listing pipelines
# opt out per call with `|| true`); -E: an ERR trap would be inherited by
# functions (no trap is installed in this script).
# ============ Vault Cleanup (Leftovers) ============
# Zweck:
# - Entfernt alte/ungenutzte PKI-Rollen, Cert-Auth-Mappings und AppRole-Rollen,
# die bei dir als "Schrott" übrig sind. Proxy-bezogene Einträge werden ausgespart.
#
# Sicherheit:
# - Default ist DRY-RUN. Erst mit --apply wird wirklich gelöscht.
# - Vor/nach dem Cleanup werden Bestandslisten ausgegeben.
#
# Voraussetzungen:
# - VAULT_ADDR + VAULT_TOKEN (Admin) gesetzt
# - vault CLI + jq vorhanden
#
# Was wir NICHT löschen:
# - *proxy*-Dinge (z.B. agent-mtls-proxytest-vault, pki-ca-read-proxytest)
# - aktive nginx-* Rollen (Server-Zertausstellung)
# - vault-server Rolle
#
# Optional: „Normierung“ der Policies für aktive mTLS-Agenten:
# - agent-apptest -> pki-issue-apptest,debug-policy
# - agent-nctest -> pki-issue-nctest,secret-agent-nctest-policy,debug-policy
# Falls du das NICHT willst: --no-normalize angeben.
# ===================================================
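# Runtime switches. Both default to the safe side: nothing is deleted or
# written unless --apply is given, policy normalisation is on unless
# --no-normalize is given.
APPLY=0
NORMALIZE=1

# Print the usage line.
# Outputs: one line on stdout.
usage() {
  printf '%s\n' "Usage: $0 [--apply] [--dry-run] [--no-normalize]"
}

# Parse the command line into the APPLY and NORMALIZE globals.
# Arguments: the script's "$@".
# Outputs:   usage text on stdout for -h/--help, diagnostics on stderr
#            for an unknown flag.
# Returns:   exits 0 after --help, exits 2 on an unknown flag. A misspelled
#            flag (e.g. --no-normalise next to --apply) used to be ignored
#            silently, which could run the write step in APPLY mode
#            unintentionally; unknown flags now stop the script.
parse_args() {
  local arg
  for arg in "$@"; do
    case "$arg" in
      --apply) APPLY=1 ;;
      --dry-run) APPLY=0 ;;
      --no-normalize) NORMALIZE=0 ;;
      -h|--help)
        usage
        exit 0
        ;;
      *)
        printf 'unknown argument: %s\n' "$arg" >&2
        usage >&2
        exit 2
        ;;
    esac
  done
}
parse_args "$@"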
# Timestamp used as the log-line prefix, e.g. "2026-01-01 13:45:00".
# Outputs: the current local time on stdout.
ts() {
  date '+%Y-%m-%d %H:%M:%S'
}
# Enable ANSI styling only when stdout is a terminal, so output that is piped
# into a file or another tool stays free of escape sequences.
# Globals written: B (bold), R (reset), BL (blue), G (green), Y (yellow), E (red).
if [[ -t 1 ]]; then
  B=$'\e[1m'
  R=$'\e[0m'
  BL=$'\e[34m'
  G=$'\e[32m'
  Y=$'\e[33m'
  E=$'\e[31m'
else
  B=''
  R=''
  BL=''
  G=''
  Y=''
  E=''
fi
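# Timestamped, colour-coded log line.
# Arguments: $1 - marker (emoji), $2 - colour code, rest - message words
#            (joined with a single space, like "$*").
# Outputs:   one line on stdout.
# printf '%s\n' prints the message verbatim: a message containing
# backslashes or starting with "-n" is neither reinterpreted as escape
# sequences nor as echo options, which `echo -e` would do.
_log() {
  local mark=$1 colour=$2
  shift 2
  printf '%s %s%s[%s]%s %s\n' "$mark" "$colour" "$B" "$(ts)" "$R" "$*"
}
# Log levels; colours come from the B/R/BL/G/Y/E globals (empty when stdout
# is not a terminal), the emoji marker is always printed.
info(){ _log "🟦" "$BL" "$@"; }
ok(){ _log "🟩" "$G" "$@"; }
warn(){ _log "🟨" "$Y" "$@"; }
# err() is the only level that writes to stderr.
err(){ _log "🟥" "$E" "$@" >&2; }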
# Abort with status 2 when a required external command is not on PATH.
# Arguments: $1 - command name.
# Outputs:   "missing: <name>" on stderr via err().
need() {
  local tool=$1
  if command -v "$tool" >/dev/null; then
    return 0
  fi
  err "missing: $tool"
  exit 2
}
# Preconditions: vault CLI and jq on PATH, server address and an admin token
# in the environment. The token is only asserted here and never printed; the
# start line below echoes VAULT_ADDR alone.
need vault
need jq
: "${VAULT_ADDR:?VAULT_ADDR not set}"
: "${VAULT_TOKEN:?VAULT_TOKEN not set}"

# Mode label for the log lines; --apply is the only way to leave DRY-RUN.
if (( APPLY )); then
  MODE="APPLY"
else
  MODE="DRY-RUN"
fi
info "Start Cleanup (mode=${MODE}) VAULT_ADDR=${VAULT_ADDR}"
# ---------- Candidate lists ----------
# PKI roles considered leftovers: no nginx-* issuing role, no vault-server,
# nothing proxy-related. The deletion loop further down re-checks exactly
# those three patterns, so list and guards protect each other.
declare -a PKI_ROLES_REMOVE=(
  admin-client
  agent-mtls-apptest
  agent-mtls-nctest
  agent-mtls-nctest-pki
  agent-mtls-nctest-sidecar
  agent-mtls-nctest-vault
  agent-mtls-nctest-vault-sidecar
  client-apptest
  client-nctest
  client-proxytest   # listed, but the *proxy* guard in the loop skips it
)
# Cert-auth mappings left over from old tests. The proxy mapping is kept on
# purpose (and would be skipped by the *proxy* guard in the loop anyway).
declare -a CERT_CERTS_REMOVE=(
  apptest-test
  nctest-test
  nctest-test-pki
  nctest-test-sidecar
  # proxytest-test-vault   # intentionally kept
)
# AppRole roles: authentication moved to cert auth, so these are obsolete.
# Proxy-related roles stay.
declare -a APPROLE_ROLES_REMOVE=(
  appbar-pki-issue
  appfoo-pki-issue
  apptest-pki-issue
  nctest
  nctest-pki-ca
  nctest-pki-client
  nctest-pki-issue
  secret-agent-nctest
  test-pki-issue
  # proxytest-pki-ca      # kept
  # proxytest-pki-issue   # kept
)
# ---------- Inventory (before) ----------
# Print what exists before anything is touched, so the DRY-RUN output and
# the "after" listing can be compared. The three list pipelines carry
# `|| true` because a failing `vault list` (e.g. no entries under the path)
# must not abort the run; the auth-method listing has no such guard, so a
# wrong address or token stops the script right here.
info "Inventar VOR Cleanup:"
vault auth list -detailed | sed 's/^/ 📋 /'
echo
for listing in \
  "Cert-Auth Mappings:|auth/cert/certs|🔑" \
  "AppRole Rollen:|auth/approle/role|🧩" \
  "PKI Rollen:|pki-test/roles|📜"; do
  IFS='|' read -r heading list_path marker <<<"$listing"
  info "$heading"
  vault list -format=json "$list_path" | jq -r '.[]' | sed "s/^/ $marker /" || true
  echo
done
# ---------- Hilfsfunktionen ----------
# Check whether a Vault path holds something: readable as a single entry, or
# listable as a prefix. All CLI output is discarded; only the status counts.
# Arguments: $1 - API path.
# Returns:   0 if `vault read` or `vault list` succeeds, non-zero otherwise.
exists_path() {
  local path=$1
  if vault read -format=json "$path" >/dev/null 2>&1; then
    return 0
  fi
  vault list -format=json "$path" >/dev/null 2>&1
}
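# Delete one Vault path, honouring DRY-RUN.
# Arguments: $1 - API path (e.g. pki-test/roles/<name>).
# Outputs:   one log line describing what happened (or would happen).
# Returns:   0 in every case; a failed delete is reported via err() but does
#            not abort the run, so the remaining candidates are still handled.
# The CLI's stdout/stderr are captured instead of dropped, so the err() line
# carries Vault's own reason (permission denied, connection refused, ...);
# without it a failed delete is indistinguishable from a policy problem.
del_if_exists() {
  local path=$1
  local output
  if ! exists_path "$path"; then
    info "skip (not found): $path"
    return 0
  fi
  if ! (( APPLY )); then
    warn "DRY-RUN would delete: $path"
    return 0
  fi
  if output=$(vault delete "$path" 2>&1); then
    ok "deleted: $path"
  else
    # Collapse multi-line CLI errors into one log line.
    output=${output//$'\n'/ }
    err "delete failed: $path${output:+ ($output)}"
  fi
}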
# ---------- Delete: PKI roles ----------
# Three guards protect production entries even if the candidate list is
# edited carelessly: the server's own role, the active nginx-* issuing roles
# and anything proxy-related are never passed to del_if_exists.
info "PKI-Rollen bereinigen…"
for pki_role in "${PKI_ROLES_REMOVE[@]}"; do
  case "$pki_role" in
    vault-server|nginx-*|*proxy*) continue ;;
  esac
  del_if_exists "pki-test/roles/$pki_role"
done
echo
# ---------- Delete: cert-auth mappings ----------
info "Cert-Auth Mappings bereinigen…"
for cert_name in "${CERT_CERTS_REMOVE[@]}"; do
  # The proxy mapping is never a candidate, whatever the list above says.
  if [[ "$cert_name" != *proxy* ]]; then
    del_if_exists "auth/cert/certs/$cert_name"
  fi
done
echo
# ---------- Delete: AppRole roles ----------
info "AppRole-Rollen bereinigen…"
for approle_name in "${APPROLE_ROLES_REMOVE[@]}"; do
  case "$approle_name" in
    *proxy*) ;;   # proxy roles stay
    *) del_if_exists "auth/approle/role/$approle_name" ;;
  esac
done
echo
# ---------- Optional: normalise policies for the active agents ----------
if (( NORMALIZE )); then
  info "Policies normalisieren (agent-apptest / agent-nctest)…"
  # Overwrite the policy list bound to one cert-auth mapping.
  # Arguments: $1 - mapping name under auth/cert/certs,
  #            $2 - comma-separated policy names.
  # Outputs:   one log line; in DRY-RUN only the intended write is shown.
  # NOTE(review): only policies= is written. Whether the mapping's other
  # fields (certificate, bound constraints) survive such a partial update
  # depends on the Vault version in use - confirm before running --apply.
  norm() {
    local cert=$1 policies=$2
    local path="auth/cert/certs/$cert"
    if ! exists_path "$path"; then
      info "skip normalize (not found): $path"
      return 0
    fi
    if ! (( APPLY )); then
      warn "DRY-RUN would write: $path policies=[$policies]"
      return 0
    fi
    if vault write "$path" policies="$policies" >/dev/null; then
      ok "normalized: $path → policies=[$policies]"
    else
      err "normalize failed: $path"
    fi
  }
  norm "agent-apptest" "pki-issue-apptest,debug-policy"
  norm "agent-nctest" "pki-issue-nctest,secret-agent-nctest-policy,debug-policy"
  echo
else
  info "Policy-Normalisierung übersprungen (--no-normalize)"
fi
# ---------- Inventory (after) ----------
# The same three listings as before the cleanup, so both outputs can be
# diffed; in DRY-RUN mode they are expected to be identical.
# Arguments: $1 - heading, $2 - list path, $3 - per-line marker.
show_list() {
  info "$1"
  # A failing list (e.g. nothing left under the path) must not abort the run.
  vault list -format=json "$2" | jq -r '.[]' | sed "s/^/ $3 /" || true
  echo
}
info "Inventar NACH Cleanup:"
show_list "Cert-Auth Mappings:" auth/cert/certs "🔑"
show_list "AppRole Rollen:" auth/approle/role "🧩"
show_list "PKI Rollen:" pki-test/roles "📜"
ok "Cleanup abgeschlossen (mode=${MODE})"