darkn3rd revised this gist
Apr 25, 2024 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ mkdir ./{vault,dgraph} cat << 'EOF' > compose.yml services: zero1: image: dgraph/dgraph:${DGRAPH_VERSION} @@ -26,7 +26,7 @@ services: container_name: alpha1 vault: image: hashicorp/vault:${VAULT_VERSION} container_name: vault ports: - 8200:8200 @@ -42,7 +42,7 @@ EOF cat << EOF > .env DGRAPH_VERSION=v23.1.1 VAULT_VERSION=1.16 EOF cat << EOF > ./vault/config.hcl -
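Review bot: `VAULT_VERSION=1.16` in the `.env` heredoc (hunk `@@ -42,7 +42,7 @@`) is a floating minor tag, so `hashicorp/vault:${VAULT_VERSION}` resolves to whichever patch release is current when the stack is started; the value shown in the previous revision, `1.13.3`, was a full pin. Pin a specific patch release (or an image digest) so the lab is reproducible and an image change is a deliberate, reviewable step, e.g. `VAULT_VERSION=<pinned patch release>`. Quoting the compose heredoc as `cat << 'EOF' > compose.yml` correctly defers `${DGRAPH_VERSION}` and `${VAULT_VERSION}` expansion to Compose; the `.env` heredoc stays unquoted, which is harmless here because it contains no `$`. Only one side of each changed line survives on this rendered page, so which lines are old and new is inferred from the surrounding revisions.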
darkn3rd revised this gist
Apr 25, 2024 . 1 changed file with 19 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,5 @@ mkdir ./{vault,dgraph} cat << EOF > compose.yml services: zero1: @@ -43,6 +45,23 @@ DGRAPH_VERSION=v23.1.1 VAULT_VERSION=1.13.3 EOF cat << EOF > ./vault/config.hcl storage "raft" { path = "/vault/data" node_id = "vault1" } listener "tcp" { address = "0.0.0.0:8200" tls_disable = "true" } api_addr = "http://127.0.0.1:8200" cluster_addr = "http://127.0.0.1:8201" ui = true disable_mlock = true EOF cat << EOF > admin.hcl # kv2 secret/dgraph/* path "secret/metadata/dgraph/*" { -
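Review bot: The `listener "tcp"` block in the new `./vault/config.hcl` heredoc (hunk `@@ -43,6 +45,23 @@`) binds `0.0.0.0:8200` with `tls_disable = "true"`, and the compose service from the first revision publishes `8200:8200`, so the root token, AppRole secret_ids and the kv secrets written later in the script all travel in plaintext over the Docker bridge and any host interface. For a local lab, publish the port as `127.0.0.1:8200:8200` in compose.yml (outside this hunk) or enable TLS on the listener, and mark the decision in the config: `# lab-only: TLS disabled; keep 8200 bound to loopback on the host`. `disable_mlock = true` is the usual setting for raft integrated storage, which seems to make the `cap_add: IPC_LOCK` in the compose file redundant; worth confirming before removing it.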
darkn3rd created this gist
Apr 24, 2024 .There are no files selected for viewing
@@ -0,0 +1,161 @@ cat << EOF > compose.yml services: zero1: image: dgraph/dgraph:${DGRAPH_VERSION} command: dgraph zero --my=zero1:5080 --replicas 1 --raft idx=1 ports: - 6080:6080 container_name: zero1 alpha1: image: dgraph/dgraph:${DGRAPH_VERSION} ports: - 8080:8080 - 9080:9080 environment: DGRAPH_ALPHA_CONFIG: /dgraph/config/config.yaml volumes: - ./dgraph/alpha.yaml:/dgraph/config/config.yaml - ./dgraph/vault_secret_id:/dgraph/vault/secret_id - ./dgraph/vault_role_id:/dgraph/vault/role_id - ./dgraph/backups:/dgraph/backups - ./dgraph/export:/dgraph/export command: dgraph alpha --my=alpha1:7080 --zero=zero1:5080 container_name: alpha1 vault: image: vault:${VAULT_VERSION} container_name: vault ports: - 8200:8200 volumes: - ./vault/config.hcl:/vault/config/config.hcl - ./vault/data:/vault/data environment: VAULT_ADDR: http://127.0.0.1:8200 entrypoint: vault server -config=/vault/config/config.hcl cap_add: - IPC_LOCK EOF cat << EOF > .env DGRAPH_VERSION=v23.1.1 VAULT_VERSION=1.13.3 EOF cat << EOF > admin.hcl # kv2 secret/dgraph/* path "secret/metadata/dgraph/*" { capabilities = [ "create", "read", "update", "delete", "list" ] } path "secret/data/dgraph/*" { capabilities = [ "create", "read", "update", "delete", "list" ] } # Mount the AppRole auth method path "sys/auth/approle/" { capabilities = [ "create", "read", "update", "delete", "sudo" ] } # Configure the AppRole auth method path "sys/auth/approle/*" { capabilities = [ "create", "read", "update", "delete" ] } # Create and manage roles path "auth/approle/*" { capabilities = [ "create", "read", "update", "delete", "list" ] } # Write ACL policies path "sys/policies/acl/*" { capabilities = [ "create", "read", "update", "delete", "list" ] } EOF cat << EOF > dgraph.hcl path "secret/data/dgraph/*" { capabilities = [ "read", "update" ] } EOF docker compose up --detach "vault" docker compose ls VAULT_CMD="docker compose exec vault vault" $VAULT_CMD vault operator init | tee -a unseal.creds for NUM in {1..3}; do 
$VAULT_CMD operator unseal $(grep -oP "(?<=Unseal Key $NUM: ).*" unseal.creds) done export VAULT_ROOT_TOKEN="$(grep -oP "(?<=Initial Root Token: ).*" unseal.creds)" export VAULT_ADDRESS="127.0.0.1:8200" vault auth enable approle vault secrets enable -path=secret kv-v2 # Admin Policy vault policy write admin ./vault/policy_admin.hcl vault policy read admin # Dgraph Policy vault policy write dgraph ./vault/policy_dgraph.hcl vault policy read dgraph vault policy write admin policy_admin.hcl vault policy write dgraph policy_dgraph.hcl vault write auth/approle/role/admin \ policies="admin" \ token_ttl="1h" \ token_max_ttl="4h" ROLE_ID=$(vault read auth/approle/role/admin/role-id -format=json \ | jq -r .data.role_id ) SECRET_ID=$(vault write -f auth/approle/role/admin/secret-id -format=json \ | jq -r .data.secret_id) ADMIN_TOKEN=$(vault write auth/approle/login \ role_id="$ROLE_ID" \ secret_id="$SECRET_ID" \ --format=json \ | jq -r .auth.client_token ) # login using admin token vault login $ADMIN_TOKEN # write secrets for Dgraph vault kv put secret/dgraph/alpha \ enc_key="12345678901234567890123456789012" \ hmac_secret_file="12345678901234567890123456789012" vault write auth/approle/role/dgraph \ policies="dgraph" \ token_ttl="1h" \ token_max_ttl="4h" ROLE_ID=$(vault read auth/approle/role/dgraph/role-id -format=json \ | jq -r .data.role_id ) SECRET_ID=$(vault write -f auth/approle/role/dgraph/secret-id -format=json \ | jq -r .data.secret_id) DGRAPH_TOKEN=$(vault write auth/approle/login \ role_id="$ROLE_ID" \ secret_id="$SECRET_ID" \ --format=json \ | jq -r .auth.client_token ) vault login $DGRAPH_TOKEN echo $ROLE_ID > ./dgraph/vault_role_id echo $SECRET_ID > ./dgraph/vault_secret_id vault kv get secret/dgraph/alpha
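Review bot: The Vault CLI commands after initialization cannot reach or authenticate to the server: the script exports `VAULT_ADDRESS`, but the CLI reads `VAULT_ADDR` and needs a scheme (`http://127.0.0.1:8200`), and the root token is only stored in `VAULT_ROOT_TOKEN` rather than in `VAULT_TOKEN` or passed to `vault login` before `vault auth enable approle`; additionally `$VAULT_CMD vault operator init` expands to `vault vault operator init` because `VAULT_CMD` already ends in `vault`. The `vault policy write` lines reference `./vault/policy_admin.hcl`, `policy_admin.hcl` and their dgraph counterparts, but the heredocs above generate `admin.hcl` and `dgraph.hcl` in the working directory, so none of those paths exist. `unseal.creds` collects every unseal key and the initial root token in plaintext in the working directory; set `umask 077` before writing it and keep it out of version control, and note that `enc_key`/`hmac_secret_file` are fixed placeholder strings that should be generated per environment. The rewritten stretch is below; the AppRole role, login and secret-write commands are unchanged.
```shell
umask 077                                  # unseal.creds holds the unseal keys and the root token
$VAULT_CMD operator init | tee -a unseal.creds
# … unchanged: unseal loop over Unseal Key 1..3 …
export VAULT_ROOT_TOKEN="$(grep -oP "(?<=Initial Root Token: ).*" unseal.creds)"
export VAULT_ADDR="http://127.0.0.1:8200"  # the CLI reads VAULT_ADDR, scheme included
export VAULT_TOKEN="$VAULT_ROOT_TOKEN"     # root session used only for this bootstrap
vault auth enable approle
vault secrets enable -path=secret kv-v2
vault policy write admin ./admin.hcl       # the files the heredocs above actually create
vault policy write dgraph ./dgraph.hcl
# … unchanged: AppRole roles, logins, kv put/get …
```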