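#!/usr/bin/env bash
#
# One-shot initialisation of a freshly started Vault for the end-to-end tests:
# init + unseal, enable the kv (v2) secrets engine and approle auth, load the
# dbcreds policy and the two credential secrets, and create the "vitess"
# approle. The resulting ROLE_ID / SECRET_ID are printed on stdout so the
# controlling process can read them from the log.
#
# We expect environment variables like the following to be set
#export VAULT_ADDR=https://test:9123
#export VAULT=/path/to/vitess/test/bin/vault-1.6.1
#export VAULT_CACERT=./vault-cert.pem

# Fail fast: a half-configured Vault only produces confusing failures later,
# and pipefail makes a non-matching grep in the extraction pipelines fatal.
set -euo pipefail

# For debugging purposes. Note that the trace also shows the unseal key and
# the root token; this is only acceptable for a throwaway test instance.
set -x

: "${VAULT:?path to the vault binary must be set}"

# Initialise with a single key share so one unseal call suffices. The init
# output is reduced to the values on its "<label>: <value>" lines; as the
# original head/tail logic relied on, the first of those is the unseal key and
# the last is the root token. Both are kept in memory rather than in a
# predictably named file under /tmp.
init_values=$("$VAULT" operator init -key-shares=1 -key-threshold=1 | grep ": " | awk '{ print $NF }')
mapfile -t init_lines <<<"$init_values"
UNSEAL=${init_lines[0]}
VAULT_TOKEN=${init_lines[-1]}
export UNSEAL VAULT_TOKEN

# Unseal Vault
"$VAULT" operator unseal "$UNSEAL"

# Enable secrets engine (v2); prefix will be /kv
"$VAULT" secrets enable -version=2 kv

# Enable approles
"$VAULT" auth enable approle

# Write a custom policy to allow credential access
"$VAULT" policy write dbcreds dbcreds_policy.hcl

# Load up the db credentials (vttablet -> MySQL) secret
"$VAULT" kv put kv/prod/dbcreds @dbcreds_secret.json

# Load up the vtgate credentials (app -> vttablet) secret
"$VAULT" kv put kv/prod/vtgatecreds @vtgatecreds_secret.json

# Configure approle
# Keep the ttl low, so we can test a refresh
"$VAULT" write auth/approle/role/vitess \
  secret_id_ttl=10m \
  token_num_uses=0 \
  token_ttl=30s \
  token_max_ttl=0 \
  secret_id_num_uses=4 \
  policies=dbcreds
"$VAULT" read auth/approle/role/vitess

# Read the role-id of the approle, we need to extract it
ROLE_ID=$("$VAULT" read auth/approle/role/vitess/role-id | grep '^role_id' | awk '{ print $NF }')
export ROLE_ID

# Get a secret_id for the approle. More than one output line may start with
# "secret_id", so only the first match is taken (-m1 rather than "| head -1",
# which could trip pipefail with a SIGPIPE'd grep).
SECRET_ID=$("$VAULT" write auth/approle/role/vitess/secret-id k=v | grep -m1 '^secret_id' | awk '{ print $NF }')
export SECRET_ID

# Echo it back, so the controlling process can read it from the log
printf 'ROLE_ID=%s\n' "$ROLE_ID"
printf 'SECRET_ID=%s\n' "$SECRET_ID"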