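#!/bin/bash
#
# CI test harness: builds pachyderm, brings up a kops cluster, deploys a
# dev-mode Vault pod, configures Vault's AWS secrets engine against a fresh
# S3 bucket, mints a scoped Vault token and deploys pachd with it.
#
# Required environment: ~/.aws/credentials (access key + secret key), kubectl,
# vault, aws, jq, pachctl, make and git on PATH.

SCRIPT_DIR="$(dirname "${0}")"

# -x is kept for CI debugging; tracing is switched off around any command
# whose arguments carry a credential so it never reaches the build log.
set -euo pipefail
set -x

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Build pachyderm and push the relevant images
make install || die "make install failed"
VERSION=$(pachctl version --client-only) || die "pachctl version failed"
git tag -f -am "Travis test v${VERSION}" "v${VERSION}" || die "git tag failed"
make docker-build || die "make docker-build failed"
make docker-push || die "make docker-push failed"

# Start kops cluster
"${SCRIPT_DIR}/../deploy/aws.sh" --create --no-pachyderm

# Deploy vault (dev mode: in-memory storage, fixed root token, test-only)
# NOTE(review): `image: vault` has no tag, so the test is not reproducible
# across image releases — consider pinning a version.
kubectl create -f - <<EOF
kind: Pod
apiVersion: v1
metadata:
  name: vault
  labels:
    app: vault
spec:
  containers:
  - name: vault
    image: vault
    command:
    - vault
    - server
    args:
    - -dev
    - -dev-root-token-id=root
    - -dev-listen-address=0.0.0.0:8200
    - -log-level=debug
---
# service (so pachd can talk to vault)
kind: Service
apiVersion: v1
metadata:
  name: vault-svc
spec:
  selector:
    app: vault
  type: NodePort
  ports:
  - name: main
    port: 8200
EOF

# Wait for vault pod to come up, but do not spin forever if it never schedules.
readonly POD_WAIT_SECS=300
waited=0
while [[ "$(kubectl get po/vault -o json | jq -r ".status.phase")" != "Running" ]]; do
  (( waited < POD_WAIT_SECS )) || die "vault pod not Running after ${POD_WAIT_SECS}s"
  sleep 1
  waited=$((waited + 1))
done

# port-forward to vault and connect vault client.
# The forward is a background job; kill it on exit so it does not outlive the
# script. NOTE(review): assumes no later CI step relies on this forward — confirm.
kubectl port-forward vault 8200 &
pf_pid=$!
cleanup() {
  kill "${pf_pid}" 2>/dev/null || true
}
trap cleanup EXIT

export VAULT_ADDR='http://127.0.0.1:8200'

# Poll the forwarded endpoint instead of a fixed sleep.
readonly VAULT_WAIT_SECS=60
waited=0
until vault status >/dev/null 2>&1; do
  (( waited < VAULT_WAIT_SECS )) || die "vault not reachable at ${VAULT_ADDR} after ${VAULT_WAIT_SECS}s"
  sleep 1
  waited=$((waited + 1))
done

# "root" is the fixed dev-mode token set above; it is not a real secret.
echo root | vault login -

# Activate and configure the vault s3 secret engine
vault secrets enable aws

# Expects the default `key = value` layout of ~/.aws/credentials.
AWS_ID=$(grep aws_access_key_id < ~/.aws/credentials | cut -d " " -f 3)
AWS_SECRET=$(grep aws_secret_access_key < ~/.aws/credentials | cut -d " " -f 3)
[[ -n "${AWS_ID}" && -n "${AWS_SECRET}" ]] || die "could not read AWS credentials from ~/.aws/credentials"
AWS_REGION=us-west-1 # default region in aws.sh

# Secret key on the command line: suppress tracing so it is not logged.
{ set +x; } 2>/dev/null
vault write aws/config/root \
  access_key="${AWS_ID}" \
  secret_key="${AWS_SECRET}" \
  region="${AWS_REGION}"
set -x

# Create S3 bucket
export STORAGE_SIZE=100
export BUCKET="${RANDOM}-pachyderm-store"
aws s3api create-bucket \
  --bucket "${BUCKET}" \
  --region "${AWS_REGION}" \
  --create-bucket-configuration "LocationConstraint=${AWS_REGION}"
echo "BUCKET is ${BUCKET}"

# Create AWS IAM policy in vault, that allows anyone with access
# to this vault path to access Pachyderm's s3 bucket (object CRUD on the
# bucket's keys plus ListBucket on the bucket itself — nothing else).
VAULT_ROLE=pachd-object-store-role
vault write "aws/roles/${VAULT_ROLE}" policy=- <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:PutObject"
                , "s3:GetObject"
                , "s3:DeleteObject"
                ],
      "Resource": "arn:aws:s3:::${BUCKET}/*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": "arn:aws:s3:::${BUCKET}"
    }
  ]
}
EOF

# Create vault policy for accessing the above s3 path.
# -f makes curl fail on HTTP 4xx/5xx so a rejected policy aborts the run
# instead of silently continuing to token creation.
curl -fsS -X POST -H "X-Vault-Token: root" --data '
{
  "policy": "{\"path\": {\"aws/creds/'"${VAULT_ROLE}"'\": { \"capabilities\": [\"read\"]}}}"
}' "${VAULT_ADDR}/v1/sys/policy/pachd-s3-policy"

# Get vault token for Pachd. Tracing is off: the response body and the
# resulting token must not appear in the CI log. pipefail makes a curl
# failure fail the assignment rather than leaving jq to emit "null".
{ set +x; } 2>/dev/null
VAULT_TOKEN="$(
  curl -fsS -X POST -H "X-Vault-Token: root" --data '
  {
    "policies": ["pachd-s3-policy"]
  }' "${VAULT_ADDR}/v1/auth/token/create" \
  | jq --raw-output ".auth.client_token"
)"
[[ -n "${VAULT_TOKEN}" && "${VAULT_TOKEN}" != "null" ]] || die "failed to obtain a vault token for pachd"

# Deploy. The token is passed via argv (pachctl's --vault flag format), so
# keep tracing off for this command as well.
pachctl deploy amazon "${BUCKET}" "${AWS_REGION}" "${STORAGE_SIZE}" \
  --dynamic-etcd-nodes=1 \
  --no-dashboard \
  --vault="http://vault-svc.default.svc.cluster.local:8200,${VAULT_ROLE},${VAULT_TOKEN}"
set -x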