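#!/bin/bash
# |*******************************************************************|
# | Setup script                                                      |
# |                                                                   |
# | Author: Alan Bridgeman                                            |
# | Created: 2024-03-30                                               |
# |                                                                   |
# | COPYRIGHT © 2024 Bridgeman Accessible/Alan Bridgeman.             |
# |                                                                   |
# | This work is presented AS IS, with no warranty of any kind.       |
# | Any modification or use of this script is at the user's own risk. |
# |*******************************************************************|

# The `entrypoint.sh` script is responsible for setting up the Vault server.
# It enables the AppRole auth method, creates a policy, and a role.
# It then retrieves the role_id and secret_id and stores them in a file (`/role_vars/.env`).
#
# Flow:
#   1. start the Vault server in the background and poll `vault status` until it answers
#   2. run /setup-scripts/prod-setup.py (AppRole / policy / role setup)
#   3. start the snapshot HTTP server in the background
#   4. follow the audit log so the container stays up

# How many times `vault status` is polled before giving up, and the pause between polls.
readonly MAX_STATUS_RETRIES=10
readonly STATUS_POLL_SECONDS=5

#######################################
# Start the Vault server in the background and wait until it answers.
# `vault status` exits 0 when the server is up and unsealed and 2 when it is
# up but sealed; both mean "started". Exit code 1 (error) and anything else
# (e.g. 127 when the binary is missing) mean it is not reachable yet.
# Globals:   MAX_STATUS_RETRIES, STATUS_POLL_SECONDS (read)
# Arguments: none
# Outputs:   progress banners on stdout; failure message on stderr
# Returns:   0 once Vault answers; exits the script with 1 if it never does
#######################################
start_and_wait_for_vault() {
  local retries=0
  local started=false
  local status_rc

  echo "+----------------+"
  echo "| Starting Vault |"
  echo "+----------------+"

  # Start the vault server (in the background)
  vault server -config=/vault/config/vault-config.hcl & #-dev &

  echo "+------------------------------+"
  echo "| Wait for Vault to be Started |"
  echo "+------------------------------+"

  while [ "$started" = false ] && [ "$retries" -lt "$MAX_STATUS_RETRIES" ]; do
    # Sleep first so there is no extra delay once the status comes back
    sleep "$STATUS_POLL_SECONDS"
    echo "Attempt $((retries + 1)) to check if vault has started"

    # Capture the exit code directly rather than re-reading $? inside a subshell
    vault status
    status_rc=$?
    if [ "$status_rc" -eq 0 ] || [ "$status_rc" -eq 2 ]; then
      started=true
    fi

    retries=$((retries + 1))
  done

  if [ "$started" = false ]; then
    echo "Failed to start vault server" >&2
    exit 1
  fi
}

# Function to initialize vault (including creating the root token and unseal keys)
#init_vault() {
#  echo "*----------------------*"
#  echo "| Initialization Vault |"
#  echo "*----------------------*"
#
#  # Initialize the vault
#  init_output=$(vault operator init -format=json)
#
#  # Parse the unseal keys and root token from the initialization response
#  unseal_keys=$(echo $init_output | jq -r '.unseal_keys_b64[]')
#  root_token=$(echo $init_output | jq -r '.root_token')
#
#  mkdir /vault/creds
#  touch /vault/creds/unseal-keys && echo "$unseal_keys" > /vault/creds/unseal-keys
#  touch /vault/creds/root-token && echo "$root_token" > /vault/creds/root-token
#}

# Function to check if the vault is unsealed
#is_vault_unsealed() {
#  seal_status=$(vault status -format=json | jq -r '.sealed')
#  if [[ $seal_status == "false" ]]; then
#    return 0
#  else
#    return 1
#  fi
#}

# Function to unseal the vault
#unseal_vault() {
#  echo "*-----------------*"
#  echo "| Unsealing Vault |"
#  echo "*-----------------*"
#
#  # Use each key to unseal the vault
#  for key in $unseal_keys; do
#    vault operator unseal $key
#
#    # If the vault is now unsealed break/escape from the loop
#    if is_vault_unsealed; then
#      echo "Vault is unsealed"
#      break
#    fi
#  done
#}

# Function to setup the secrets engine
#setup_secrets_engine() {
#  echo "*---------------------------*"
#  echo "| Setting up secrets engine |"
#  echo "*---------------------------*"
#
#  vault login $root_token
#  vault secrets enable -path secret kv
#}

#setup_app_role_access() {
#  echo "*----------------------------*"
#  echo "| Setting up App Role access |"
#  echo "*----------------------------*"
#
#  # Run the custom entrypoint Python script
#  python3 /entrypoint.py $root_token
#}

start_and_wait_for_vault

# Configure AppRole auth, policy and role, and write the role credentials for the app.
# Kept non-fatal to match the previous behaviour (a re-run against an already
# configured Vault may legitimately fail), but the failure is no longer silent:
# a container that continues past this point without the AppRole setup is
# running with an unconfigured Vault and the operator should see that in the logs.
if ! python3 /setup-scripts/prod-setup.py; then
  echo "prod-setup.py failed: Vault is running but the AppRole setup did not complete" >&2
fi
#init_vault
#unseal_vault
#setup_secrets_engine
#setup_app_role_access

# Start the snapshot server in the background
# This is a custom server that is used to manually trigger and then return the snapshot over HTTP
python3 /snapshot-server/server.py > /var/log/snapshot-server.log 2>&1 &

# Keep the container running
# By "following" the log file
# NOTE(review): `tail -f` exits at once if the audit log does not exist yet, which
# would stop the container; confirm the audit device writing this file is enabled
# (by the config or by prod-setup.py) before this point.
tail -f /vault/logs/vault-audit.log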