Attempted to fix an issue where the vault tries to re-initialize even though it is already initialized (because of PV-backed storage) + uncommented some of the CI/CD automation (as I become more comfortable with it)
This commit is contained in:
parent
42343bbad7
commit
b2054f85ec
5 changed files with 313 additions and 118 deletions
@ -2,6 +2,46 @@ import os, json
|
|||
from CommandRunner import CommandRunner
|
||||
|
||||
class Initializer:
|
||||
def check_if_initialized(self) -> bool:
|
||||
"""Check if the vault is already initialized
|
||||
|
||||
Returns:
|
||||
bool: If the vault is initialized or not
|
||||
"""
|
||||
|
||||
# Get the status of the vault
|
||||
# Note, because it returns a non-zero exit code when the vault is uninitialized, we set check to False
|
||||
# Which is also why we need to check the return code manually
|
||||
init_status_returncode, init_status_raw, init_status_err = CommandRunner.run_command('vault status -format=json', False)
|
||||
|
||||
# Verify the return code
|
||||
# Note, because there can be other meanings for return (ex. 2 for Sealed), we don't use a hard check here.
|
||||
if init_status_returncode != 0 and init_status_returncode != 2:
|
||||
print(f'[WARNING] Status Return Code (for Init Check): {init_status_returncode}')
|
||||
#raise RuntimeError('Failed to get the initialization status of the vault')
|
||||
|
||||
# Print the raw status
|
||||
#print(init_status_raw)
|
||||
|
||||
# Parse the initialized stat from the status
|
||||
init_status = json.loads(init_status_raw)['initialized']
|
||||
|
||||
print(f'Is Initialized: {init_status}')
|
||||
|
||||
return init_status
|
||||
|
||||
def check_root_token_and_unseal_keys_files_exist(self) -> bool:
|
||||
"""Check if the root token and unseal keys files exist
|
||||
|
||||
Returns:
|
||||
bool: If both files exist
|
||||
"""
|
||||
|
||||
root_token_exists = os.path.exists('/vault/creds/root-token')
|
||||
unseal_keys_exists = os.path.exists('/vault/creds/unseal-keys')
|
||||
|
||||
return root_token_exists and unseal_keys_exists
|
||||
|
||||
def create_unseal_keys_file(self, file = '/vault/creds/unseal-keys'):
|
||||
"""Write the vault's unseal keys to a file
|
||||
|
||||
|
@ -46,11 +86,11 @@ class Initializer:
|
|||
self.create_unseal_keys_file()
|
||||
self.create_root_token_file()
|
||||
|
||||
def is_vault_unsealed(self) -> bool:
|
||||
def is_vault_sealed(self) -> bool:
|
||||
"""Check if the vault is sealed or not
|
||||
|
||||
Returns:
|
||||
bool: If the vault is unsealed or not
|
||||
bool: If the vault is sealed or not
|
||||
"""
|
||||
|
||||
# Get the status of the vault
|
||||
|
@ -63,7 +103,7 @@ class Initializer:
|
|||
raise RuntimeError('Failed to get the status of the vault')
|
||||
|
||||
# Print the raw status
|
||||
print(seal_status_raw)
|
||||
#print(seal_status_raw)
|
||||
|
||||
# Parse the seal stat from the status
|
||||
seal_status = json.loads(seal_status_raw)['sealed']
|
||||
|
@ -128,17 +168,35 @@ class Initializer:
|
|||
|
||||
def main():
|
||||
initializer = Initializer()
|
||||
# Check if the root-token file and unseal keys files exist
|
||||
#if os.path.exists('/vault/creds/root-token') and os.path.exists('/vault/creds/unseal-keys'):
|
||||
if not initializer.is_vault_unsealed():
|
||||
print('Vault already setup. Skipping...')
|
||||
# QUESTION: Should there be code here to get the Role ID and Secret ID in case the originally created .env file doesn't exist for some reason
|
||||
else:
|
||||
|
||||
# We only want to initialize the vault if it isn't initialized already
|
||||
# Because we use Persistent Volumes (PVs) for vault data on restarts the vault is already initialized
|
||||
if not initializer.check_if_initialized():
|
||||
initializer.init_vault()
|
||||
initializer.unseal_vault()
|
||||
|
||||
# This is just a safety check/measure to ensure the script can continue
|
||||
# The only time this would likely be triggered is if there was some kind of PV desyncronization but it shouldn't really happen.
|
||||
if not initializer.check_root_token_and_unseal_keys_files_exist():
|
||||
raise RuntimeError('Vault is in an inconsistent state for this script to continue. Please ensure the vault can be initialized OR both the root token and unseal keys files exist alongside and initialized vault.')
|
||||
|
||||
# Check if the vault is sealed (as we need to unseal it to set it up)
|
||||
if initializer.is_vault_sealed():
|
||||
initializer.unseal_vault()
|
||||
else:
|
||||
print('Vault is already unsealed. Proceeding to setup...')
|
||||
|
||||
# QUESTION: If the vault data is already setup (PV on restart) do we need to re-setup this stuff?
|
||||
initializer.setup_secrets_engine()
|
||||
initializer.setup_audit_device()
|
||||
initializer.setup_app_role_access()
|
||||
else:
|
||||
print('Vault is already initialized. Skipping initialization and setup...')
|
||||
|
||||
# Check if the vault is already unsealed (we assume it's already setup properly if it is)
|
||||
if initializer.is_vault_sealed():
|
||||
initializer.unseal_vault()
|
||||
|
||||
# Code goes here to get the Role ID and Secret ID (app role access) in the case that the originally created .env file doesn't exist anymore for some reason
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
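Review bot: The "already initialized" branch of `main()` unseals and then skips `setup_secrets_engine()`, `setup_audit_device()` and `setup_app_role_access()` entirely, so a first boot that crashes after `init_vault()` but before setup leaves a vault that every later restart treats as fully configured — with no audit device enabled and no AppRole — and nothing in the script would ever detect it. Rather than keying setup on the initialized flag, each `setup_*` step should check its own target first and only act when it is missing (for example parse `vault audit list -format=json` before enabling the audit device), which also answers the QUESTION comment left above the setup calls and makes the script safe to re-run. The error message in the `RuntimeError` should read `alongside an initialized vault` rather than `and initialized vault`. In the first hunk, `check_if_initialized` now only prints a warning for a return code other than 0 or 2 and then still calls `json.loads` on stdout, so an unreachable server (exit 1, typically empty output) surfaces as a JSON decode error instead of the intended message; restoring the commented-out `raise RuntimeError('Failed to get the initialization status of the vault')` for those codes keeps the failure explicit. `main()` begins and ends within this hunk.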