@mastier
Last active May 3, 2024 15:10
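export VAULT_ADDR="http://<IP of vault unit>:8200"
export VAULT_KEYS_PATH="vault-keys.txt"
# The keys file holds the unseal keys and the initial root token: create it owner-only.
umask 077
# Initialize Vault with 5 key shares, any 3 of which unseal it.
vault operator init -key-shares=5 -key-threshold=3 > "${VAULT_KEYS_PATH}"
# Unseal with the first 3 keys (4th field of the "Unseal Key N: <key>" lines).
for key in $(cut -f4 -d' ' "${VAULT_KEYS_PATH}" | head -3); do vault operator unseal "$key"; done
export VAULT_TOKEN=$(grep 'Initial Root Token' "${VAULT_KEYS_PATH}" | cut -f4 -d' ')
# 10-minute token passed to the charm's authorize-charm action.
export CHARM_AUTH_TOKEN=$(vault token create -ttl=10m | head -3 | grep token | awk '{print $2}')
juju run-action --wait vault/leader authorize-charm token="$CHARM_AUTH_TOKEN"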

ggouzi commented May 3, 2024

Hi @mastier, this script is useful but would need some refactoring. Mostly replacing run-unit by exec and run-action by run commands to be compatible with juju 3.x. Not tested

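if ! type vault >/dev/null 2>&1; then echo "Please install vault. $ snap install vault"; exit 1; fi

export VAULT_KEYS_PATH="generated/vault-keys.txt"
# The keys file holds the unseal keys and the initial root token: keep it owner-only.
umask 077
mkdir -p "$(dirname "$VAULT_KEYS_PATH")"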

vault_init() {
  # juju 3.x: `juju exec` runs a command on a unit
  VAULT_UNIT_IP=$(juju exec --unit vault/leader "network-get access --ingress-address=true")
  export VAULT_ADDR="http://$VAULT_UNIT_IP:8200"
  echo "=== Initializing Vault by $VAULT_UNIT_IP ==="
  vault operator init -key-shares=5 -key-threshold=3 > "${VAULT_KEYS_PATH}"
}

vault_unseal() {
  # First 3 keys: 4th field of the "Unseal Key N: <key>" lines
  for key in $(cut -f4 -d' ' "${VAULT_KEYS_PATH}" | head -3); do vault operator unseal "$key"; done
}

vault_unseal_all() {
  for i in 0 1 2; do
    VAULT_UNIT_IP=$(juju exec --unit vault/$i "network-get access --ingress-address=true")
    export VAULT_ADDR="http://$VAULT_UNIT_IP:8200"
    echo "== Unsealing vault/$i : $VAULT_UNIT_IP =="
    vault_unseal
  done
}

vault_authorize_charm() {
  VAULT_UNIT_IP=$(juju exec --unit vault/leader "network-get access --ingress-address=true")
  export VAULT_ADDR="http://$VAULT_UNIT_IP:8200"
  export VAULT_TOKEN=$(grep 'Initial Root Token' "${VAULT_KEYS_PATH}" | cut -f4 -d' ')
  echo "=== Create token by $VAULT_UNIT_IP  ==="
  export CHARM_AUTH_TOKEN=$(vault token create -ttl=10m | head -3 | grep token | awk '{print $2}')
  echo "=== Authorizing charm ==="
  # juju 3.x: `juju run` waits for the action result by default
  juju run vault/leader authorize-charm token="$CHARM_AUTH_TOKEN"
}

### Init vault
vault_init

### Unseal all vault instances
vault_unseal_all

echo "=== Waiting 30s ==="
sleep 30

### Authorize charm
vault_authorize_charm
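
Both scripts above redirect `vault operator init` straight into the keys file, so a rerun against an already initialized Vault truncates the only copy of the unseal keys before the command fails. The following is an added example, not part of the gist or the comment, of a guard for that file; the function names and the sample key material are constructed for illustration.

```shell
# Print the first $2 unseal keys in file $1, matched by label, not by position.
unseal_keys() {
  awk -v n="$2" '/^Unseal Key [0-9]+:/ { print $NF; if (++c == n) exit }' "$1"
}

# Print the initial root token stored in file $1.
root_token() {
  awk '/^Initial Root Token:/ { print $NF; exit }' "$1"
}

# Succeed only if file $1 holds at least $2 unseal keys and a root token.
keys_file_complete() {
  [ "$(unseal_keys "$1" "$2" | grep -c .)" -eq "$2" ] && [ -n "$(root_token "$1")" ]
}

# Succeed only if file $1 grants nothing to group or others.
keys_file_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Store init output read from stdin at $1 (threshold $2). An existing file is
# never overwritten, and incomplete output (failed init) leaves nothing behind.
save_init_output() {
  dest=$1; threshold=$2
  if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 1; fi
  tmp=$(mktemp "$dest.XXXXXX") || return 1   # mktemp creates the file mode 0600
  cat > "$tmp"
  if keys_file_complete "$tmp" "$threshold"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"; echo "init output incomplete, nothing saved" >&2; return 1
  fi
}

# Constructed stand-in for the output of
# `vault operator init -key-shares=5 -key-threshold=3` (not real key material).
sample_init_output() {
  for i in 1 2 3 4 5; do echo "Unseal Key $i: CONSTRUCTED-KEY-$i"; done
  echo
  echo "Initial Root Token: CONSTRUCTED-ROOT-TOKEN"
}

# Intended use in the scripts above (assumes a reachable Vault):
#   vault operator init -key-shares=5 -key-threshold=3 | save_init_output "$VAULT_KEYS_PATH" 3
```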
