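#!/bin/bash
# Bootstrap a freshly deployed Vault for the Nomad e2e cluster: initialize it,
# persist the root token, install the nomad-server policy and the nomad-cluster
# token role, then mint a nomad-server token into a Nomad `vault {}` stanza.
#
# Outputs (written under ${DIR}/../keys/):
#   vault_root_token  - the Initial Root Token printed by `vault operator init`
#   nomad_vault.hcl   - Nomad `vault {}` stanza carrying the nomad-server token
#
# Requires: the `vault` CLI, with VAULT_ADDR pointing at the new cluster.

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# Unseal vault and get a root operator token; the vault is configured to
# autounseal with AWS KMS. `set -e` is deliberately deferred until after this
# loop: `vault operator init` fails until the server is reachable, and the
# loop relies on retrying that failure every 5s instead of aborting.
while true; do
  ROOT_TOKEN=$(vault operator init -recovery-shares=1 -recovery-threshold=1 | awk '/Initial Root Token/{print $4}')
  if [[ -n "$ROOT_TOKEN" ]]; then
    break
  fi
  sleep 5
done
set -e

export VAULT_TOKEN="$ROOT_TOKEN"

# Both files written below hold long-lived secrets (the root token and the
# nomad-server token), so create them readable by the invoking user only
# rather than with the default umask.
umask 077
# The keys dir is resolved relative to this script, not the caller's cwd, so
# that it matches the ${DIR}/../keys/ paths written below.
mkdir -p "${DIR}/../keys"
printf '%s\n' "$VAULT_TOKEN" > "${DIR}/../keys/vault_root_token"

# Write policies for Nomad to Vault, and then configure Nomad to use the
# token from those policies.

vault policy write nomad-server "${DIR}/vault-nomad-server-policy.hcl"
vault write /auth/token/roles/nomad-cluster "@${DIR}/vault-nomad-cluster-role.json"

# Token handed to the Nomad servers. NOTE(review): -orphan and -period 72h look
# intended to keep this token independent of the root token's lifetime and
# renewable by Nomad within its period — confirm against the Vault version in use.
NOMAD_VAULT_TOKEN=$(vault token create -policy nomad-server -period 72h -orphan | awk '/token /{print $2}')

cat <<EOF > "${DIR}/../keys/nomad_vault.hcl"
vault {
  enabled = true
  address = "http://active.vault.service.consul:8200"
  task_token_ttl = "1h"
  create_from_role = "nomad-cluster"
  token = "$NOMAD_VAULT_TOKEN"
}

EOF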