Created
May 13, 2020 16:50
-
-
Save brianshumate/0eca338cf5a5c9e28454f4350f841d76 to your computer and use it in GitHub Desktop.
microVault - a tiny filesystem storage based Vault for quick use cases
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # | |
| # microvault | |
| # A tiny file storage based Vault server with TLS support running | |
| # at 127.0.0.1:8200 that is fully ready to use when executed | |
| # | |
| # shellcheck disable=SC1090,SC2009 | |
| set -e | |
| # --------------------------------------------------------------------------- | |
| # Variables | |
| # --------------------------------------------------------------------------- | |
| this="microvault.sh" | |
| begin="$(date +%s)" | |
| microvault_home="$PWD" | |
| microvault_vault_addr="https://127.0.0.1:8200" | |
| microvault_audit_log="$microvault_home/vault_audit.log" | |
| microvault_config="$microvault_home/vault_server.hcl" | |
| microvault_data="$microvault_home/data" | |
| microvault_pidfile="vault.pid" | |
| microvault_server_log="$microvault_home/vault_operational.log" | |
| microvault_ca="vault_ca.pem" | |
| microvault_cert="vault_cert.pem" | |
| microvault_key="vault_key.pem" | |
| microvault_root_token="$microvault_home/.root_token.txt" | |
| microvault_unseal_key="$microvault_home/.unseal_key.txt" | |
| microvault_unseal_json="$microvault_home/.unseal.json" | |
| OS="$(uname -s | awk '{print tolower($0)}')" | |
| VAULT_ADDR="$microvault_vault_addr" | |
| VAULT_CACERT="$microvault_ca" | |
| export VAULT_ADDR VAULT_CACERT | |
| # Colors because the world is a colorful place 🌎 | |
| txtblu="$(tput setaf 4)" | |
| txtcya="$(tput setaf 6)" | |
| txtgrn="$(tput setaf 2)" | |
| txtmgt="$(tput setaf 5)" | |
| txtred="$(tput setaf 1)" | |
| txtylw="$(tput setaf 3)" | |
| txtwht="$(tput setaf 7)" | |
| txtrst="$(tput sgr0)" | |
| # =========================================================================== | |
| # Functions | |
| # =========================================================================== | |
| # ----------------------------------------------------------------------- | |
| # Message function | |
| # ----------------------------------------------------------------------- | |
| msg() { | |
| MSGSRC="[μvault]" | |
| MSGTYPE="$1" | |
| MSGTXT="$2" | |
| case "${MSGTYPE}" in | |
| greeting) | |
| printf "%s%s [@] %s %s\\n" "$txtmgt" "$MSGSRC" "$MSGTXT" "$txtrst" | |
| ;; | |
| info) | |
| printf "%s%s [i] %s %s\\n" "$txtwht" "$MSGSRC" "$MSGTXT" "$txtrst" | |
| ;; | |
| success) | |
| printf "%s%s [+] %s %s\\n" "$txtgrn" "$MSGSRC" "$MSGTXT" "$txtrst" | |
| ;; | |
| complete) | |
| printf "%s%s [=] %s %s\\n" "$txtblu" "$MSGSRC" "$MSGTXT" "$txtrst" | |
| ;; | |
| boom) | |
| printf "%s%s [*] %s %s\\n" "$txtred" "$MSGSRC" "$MSGTXT" "$txtrst" >&2 | |
| ;; | |
| notice) | |
| printf "%s%s [^] %s %s\\n" "$txtylw" "$MSGSRC" "$MSGTXT" "$txtrst" | |
| ;; | |
| error) | |
| printf "%s%s [!] %s %s\\n" "$txtred" "$MSGSRC" "$MSGTXT" "$txtrst" >&2 | |
| ;; | |
| *) | |
| printf "%s%s [_] %s %s\\n" "$txtcya" "$MSGSRC" "$MSGTXT" "$txtrst" | |
| ;; | |
| esac | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Cleanup function | |
| # ----------------------------------------------------------------------- | |
| cleanup() { | |
| msg info "Cleanup ..." | |
| rm -f vault && \ | |
| rm -f "$microvault_config" && \ | |
| rm -f "$microvault_root_token" && \ | |
| rm -f "$microvault_unseal_key" && \ | |
| rm -f "$microvault_unseal_json" && \ | |
| rm -f "$microvault_ca" && \ | |
| rm -f "$microvault_cert" && \ | |
| rm -f "$microvault_pidfile" && \ | |
| rm -f "$microvault_key" && \ | |
| rm -f "$microvault_audit_log" && \ | |
| rm -f "$microvault_server_log" && \ | |
| rm -rf "${microvault_data}" && \ | |
| rm -f "$this" # Hello, JS! 🤣 | |
| msg success "Cleanup complete" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Preflight function | |
| # ----------------------------------------------------------------------- | |
| preflight() { | |
| msg info "Preflight ... " | |
| check_existing_vault="$(ps auxww | grep vault | grep -c server)" | |
| if [ "$check_existing_vault" != "0" ]; then | |
| detected_vault_pid="$(pgrep vault)" | |
| msg notice "Detected another Vault with process ID: $detected_vault_pid" | |
| if curl --fail --include --location --silent --show-error --cacert="$microvault_ca" https://127.0.0.1:8200/v1/sys/health; then | |
| msg error "Found existing Vault process; please examine PID $detected_vault_pid and try again." | |
| exit 1 | |
| fi | |
| fi | |
| if [ "$local_binary" = "true" ]; then | |
| vault_found="$(command -v vault >/dev/null 2>&1; echo $?)" | |
| if [ "$vault_found" != 0 ]; then | |
| msg alert "Local vault binary flag used but binary not found on PATH" | |
| msg info "You must have a vault binary installed to use --local-binary" | |
| #cleanup | |
| exit 1 | |
| fi | |
| fi | |
| msg success "Preflight complete" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Get Vault function | |
| # ----------------------------------------------------------------------- | |
| get_vault() { | |
| latest_vault_version="$(curl --fail --location --silent --show-error https://releases.hashicorp.com/vault/index.json | jq -r '.versions[].version' | grep -Ev 'beta|rc|ent|hsm' | tail -n 1)" | |
| urlbase="https://releases.hashicorp.com/vault/${latest_vault_version}" | |
| vault_zip="vault_${latest_vault_version}_${OS}_amd64.zip" | |
| msg info "Downloading Vault OSS version $latest_vault_version ..." | |
| curl \ | |
| --fail \ | |
| --location \ | |
| --silent \ | |
| --show-error \ | |
| --output "${vault_zip}" \ | |
| "${urlbase}"/"${vault_zip}" && \ | |
| msg complete "Downloaded Vault" | |
| unzip -qq "${vault_zip}" && \ | |
| rm -f "${vault_zip}" && \ | |
| chmod +x vault && \ | |
| msg success "Unzipped Vault" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Write TLS Files function | |
| # ----------------------------------------------------------------------- | |
| write_tls_files() { | |
| msg info "Write TLS files ..." | |
| cat << EOF >> "$microvault_ca" | |
| -----BEGIN CERTIFICATE----- | |
| MIIEGjCCAwKgAwIBAgIUF1eBP18IQwB5l7UMsw5ezUmliCEwDQYJKoZIhvcNAQEL | |
| BQAwfzEhMB8GA1UEBhMYVW5pdGVkIFN0YXRlcyBvZiBBbWVyaWNhMRQwEgYDVQQI | |
| EwtPdXRlciBCYW5rczESMBAGA1UEBxMJS2l0dHloYXdrMRUwEwYDVQQKEwxWYXVs | |
| dHJvbiBMYWIxGTAXBgNVBAMTEG5vZGUuYXJ1cy5jb25zdWwwHhcNMTkwNzExMTg0 | |
| ODEzWhcNMjQwNDI1MTg0ODQzWjAbMRkwFwYDVQQDExBub2RlLmFydXMuY29uc3Vs | |
| MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9PSC7oYLSha0lfXCIR3 | |
| CIBFOMfCGS6B3vG0+GApkoOH/CZPG+YLqWILOb8vp3ghERd4aUY6rLJI0u+WJ1lQ | |
| MHZ4tBcxKy4q2dN1WPfQkmbpwyqtyo80bDiDFMLLqk+Ljvo/XLPtxlqP64WxtIxI | |
| xSvng86vVXPQTR6bE6fYDTZ++sNKCGlU4SQ3XHOrLSmCu8k9kDbaIaztc8cKpuHl | |
| d1jvlOpvI39iOsdYX3Rlg2F9De7lM+32qTnl3/2gPVc20kkkBloZqIVWueP5384i | |
| dqPpKWf4D1rR9rTvFQByWUKeNB14waPVetwuSlVicUqhuneeaGZrwxKRvaMCMoIM | |
| VwIDAQABo4HxMIHuMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G | |
| A1UdDgQWBBRoV+dMM/N9Bg0RKOW5Q7zKKomIBTAfBgNVHSMEGDAWgBR5mwLrQgA+ | |
| Xl7AJcizTmSdaNrbJTA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAKGH2h0dHA6 | |
| Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2kvY2EwGwYDVR0RBBQwEoIQbm9kZS5hcnVz | |
| LmNvbnN1bDAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vMTI3LjAuMC4xOjgyMDAv | |
| djEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEA4L3zlRLO5yQXStSrz97zATch | |
| hjXU5wBIpTI5nbFmfcihJvXpL6RUNQnM/6xzvEadVV2M3/j6WokJjY5bj9zErvQ0 | |
| ifZdZI3+kLVSukVnztnU/avmm8zMkc0iXiFVfG0DqG4fXyw2UP5dTySdJnqcMZ/2 | |
| gD9qPGrTB1CRNWmVp0bxAk8PDE7rv8A8HYCOG94lDc4NEg/31Sl1uzKuCy1k+FsJ | |
| j1i5/fQH+D0o6W89/QyTu5mf8hOWUuQcgRRLdcAtJGYQnqb3VvUzRUCPYqqXZ3kl | |
| 29w7Ff0rVjsnipl9EWs+LJL80kzg/mgmbsKf4BLmabFzQZzTVjHvMTKx95iDTg== | |
| -----END CERTIFICATE----- | |
| -----BEGIN CERTIFICATE----- | |
| MIIEDTCCAvWgAwIBAgIUN9mEJ2kIO8i7AjJjP2NjWA3e3TEwDQYJKoZIhvcNAQEL | |
| BQAwfzEhMB8GA1UEBhMYVW5pdGVkIFN0YXRlcyBvZiBBbWVyaWNhMRQwEgYDVQQI | |
| EwtPdXRlciBCYW5rczESMBAGA1UEBxMJS2l0dHloYXdrMRUwEwYDVQQKEwxWYXVs | |
| dHJvbiBMYWIxGTAXBgNVBAMTEG5vZGUuYXJ1cy5jb25zdWwwHhcNMTkwNzExMTg0 | |
| NzAxWhcNMjUwMzI1MDI0NzMwWjB/MSEwHwYDVQQGExhVbml0ZWQgU3RhdGVzIG9m | |
| IEFtZXJpY2ExFDASBgNVBAgTC091dGVyIEJhbmtzMRIwEAYDVQQHEwlLaXR0eWhh | |
| d2sxFTATBgNVBAoTDFZhdWx0cm9uIExhYjEZMBcGA1UEAxMQbm9kZS5hcnVzLmNv | |
| bnN1bDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOf37uQPWhir4pg2 | |
| xUSXV6gTutvJZI9TM5NK7BrFaUexdInpUl0CMGYDJJYKJ2gpiSjqOaU+Iya9YC2w | |
| +Wz88tI1p1FfT4nrUKzQCDqcqAgm3lFChgFqkALhWlWuXwaRUh2xIehV4KGVdkWG | |
| ZwH2kl/uE8fkgmfV5mOJvyfvz1z2ngVoKmODBfvN722AnQL9IGp9JA0IYji013Qv | |
| hElysRkosCMfVIwefiBGNpoV5HN7tdBhAl9bWbzBjmJ1bGwAmQGXEKhACaNJafBJ | |
| JCfrfaHfuWMJDMURkz5Blxu+wG7CWjaeuXPddW/Vd7iPomfh4CU+Qrlb8bQ9y/hh | |
| CWgC5I0CAwEAAaOBgDB+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ | |
| MB0GA1UdDgQWBBR5mwLrQgA+Xl7AJcizTmSdaNrbJTAfBgNVHSMEGDAWgBR5mwLr | |
| QgA+Xl7AJcizTmSdaNrbJTAbBgNVHREEFDASghBub2RlLmFydXMuY29uc3VsMA0G | |
| CSqGSIb3DQEBCwUAA4IBAQCbxtx8w0xHZR7cEpz1LDgP2wegqeQehzyDITEiqsOc | |
| lNuCfPTh4mDHHn2rr+czuLPpdJd/xcxqxf8PlTD3kHI+QstT4N9fWiMi3kWK5F7j | |
| HYDqenUoLixHQqGLAFqUP8IuqfjudQhmdCFYIkcmv1Y0f/yn7shbQy929G3HRVBT | |
| YykNjTBzixgKsbiGC+BwIpZInMoJUB4L/ujBKdPghN8tCTjS62+UH5U8Mt6hb/Mh | |
| +hhd1uRqQdoCNJU2whZ5gyeNXe7W/hUhN1bgC7puKHP0bSGowbr28KPUJkxKs5DB | |
| iiW+ZS/YMoshe8270u8uwe0WQ7TF1oCxcl5OLrhMexA8 | |
| -----END CERTIFICATE----- | |
| EOF | |
| cat << EOF >> "$microvault_cert" | |
| -----BEGIN CERTIFICATE----- | |
| MIIEhjCCA26gAwIBAgIUH2jZbUEeVAvPdBqE0ypjn9inIAwwDQYJKoZIhvcNAQEL | |
| BQAwGzEZMBcGA1UEAxMQbm9kZS5hcnVzLmNvbnN1bDAeFw0yMDA1MDcxNzI0NTVa | |
| Fw0yMjA4MTAxNzI1MjVaMIGKMSEwHwYDVQQGExhVbml0ZWQgU3RhdGVzIG9mIEFt | |
| ZXJpY2ExFDASBgNVBAgTC091dGVyIEJhbmtzMRIwEAYDVQQHEwlLaXR0eWhhd2sx | |
| FTATBgNVBAoTDFZhdWx0cm9uIExhYjEkMCIGA1UEAxMbbWljcm92YXVsdC5ub2Rl | |
| LmFydXMuY29uc3VsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvglH | |
| +AW5TZOgnrPF3OK3mtTxa9Lp+w4krMwmoxEfPgouVJjd7o2VtSIDfLga6W8BAYqj | |
| Wq1WBPZJaliv3LiYXxP6Ip18P734/62viICN7ODMTfoVXdZGKn3l9Oryg9J6YoxV | |
| iDJdDNgUdiRQPHGAUnZXq5NnrdNFvQN3MpIkmF4TwvGJAO5AfS/Dqqe4pGq0y0wW | |
| w1wKksF9TA6tUoA6Q4uotKKBVWibxU1fQSbr5p17dp0UzcUmb54UWtrhJJ70U/aL | |
| I5GsZwg9/68alI2oxOw8qpVfgcjih4p/tB4KggBwcUHUPU+GdiR0T+AG2wLDwTIr | |
| 2j3V8ai9SSu76/0/bQIDAQABo4IBUDCCAUwwDgYDVR0PAQH/BAQDAgOoMB0GA1Ud | |
| JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUfbZ8A7gyavd3tAnu | |
| qAQtYcQCP6MwHwYDVR0jBBgwFoAUaFfnTDPzfQYNESjluUO8yiqJiAUwPwYIKwYB | |
| BQUHAQEEMzAxMC8GCCsGAQUFBzAChiNodHRwOi8vMTI3LjAuMC4xOjgyMDAvdjEv | |
| cGtpX2ludC9jYTBjBgNVHREEXDBagglsb2NhbGhvc3SCG21pY3JvdmF1bHQubm9k | |
| ZS5hcnVzLmNvbnN1bIIWbWljcm92YXVsdC5ub2RlLmNvbnN1bIISc2VydmVyLmFy | |
| dXMuY29uc3VshwR/AAABMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly8xMjcuMC4w | |
| LjE6ODIwMC92MS9wa2lfaW50L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAHVQ8r0v6 | |
| XUgcJy0UdnWG5mtSK8ls+eRXSdVodNDkO5duI2baUl64M1SwnH/JzRrQdJEAlfNu | |
| E2Ylz/n0sNXEF1zmu7yaBHA/EdOYSCGKOIQM2tMfbJSJraatnnb8XC2DqBKNWfIC | |
| 5iprPixHeJcrDZKYQP1vAblvIup1nGjVVt0xgbGNW1SWDCBUdET6+CMynHbjeUrk | |
| 1fsbGRNxcZeAdXKO0I86GoY9dPGgrQmigUGfeJYZpdcX09t8rXTXrqy60Jjl/XWo | |
| qzHMdYqCEQYTx16S7qE1sGDtBk4MXTUuOrxOvn/RkwV4pZJJoefIh10yKTaw0krq | |
| /fU7HhPp+3Zwig== | |
| -----END CERTIFICATE----- | |
| EOF | |
| cat << EOF >> "$microvault_key" | |
| -----BEGIN RSA PRIVATE KEY----- | |
| MIIEpAIBAAKCAQEAvglH+AW5TZOgnrPF3OK3mtTxa9Lp+w4krMwmoxEfPgouVJjd | |
| 7o2VtSIDfLga6W8BAYqjWq1WBPZJaliv3LiYXxP6Ip18P734/62viICN7ODMTfoV | |
| XdZGKn3l9Oryg9J6YoxViDJdDNgUdiRQPHGAUnZXq5NnrdNFvQN3MpIkmF4TwvGJ | |
| AO5AfS/Dqqe4pGq0y0wWw1wKksF9TA6tUoA6Q4uotKKBVWibxU1fQSbr5p17dp0U | |
| zcUmb54UWtrhJJ70U/aLI5GsZwg9/68alI2oxOw8qpVfgcjih4p/tB4KggBwcUHU | |
| PU+GdiR0T+AG2wLDwTIr2j3V8ai9SSu76/0/bQIDAQABAoIBAQCrVtDlxbtiP5WV | |
| IX9nfZ6PYildzyeZbRISHmtDoT9q/2Dwc3e+CzgMvWMpgxD4oVXl3usT6a7iAHEH | |
| CnldZ64yI1/m79lD23PyitX2G/patgBe2fmDxpsy2pqILYGE6zPfQKoph0cwOm6Q | |
| aoNRTACn2P2Iu/nB1vhMyCAjn3KRUMj5KTIHKkN1tIUIG6yVWaO9Yk7A1wRCbGIM | |
| L1cQ8hZWYUywE1MO/1PtWqaz2DxLGyoF436UqKYDD/DNOwvK4CAF8WSKlgqG0XS+ | |
| RRReVMS1GfkD6aJGMN/IZB8Hdm3PxWb5V9E5Je9zI69oTBKr9vKmjnzgV7QrN09n | |
| quXU82IhAoGBAMUHuiopM95hsSwA5VNFAZ3MMbiLOkwpbmOZu6P3Oa7hNVJAkQBy | |
| JY2Gqit5HrYPqtdBRuFErVBHvIhrrMsK3p4iRE3hQ7em6IC9uEeC/g1H1T9s+Xn5 | |
| HiCV4TGkk2fmKHrQWMTW9eoiIPBI3EPCOYScka0HRLz3mknAvKk2wvLFAoGBAPbp | |
| r3X1hWLSiCak6IXaWxHT6aG6ETcPPLv3SEGe7RLo5EOZ7fj0r3Qs8PgunJiWb4lj | |
| 6IX7OMcO9yCLkJEtVrL1z7TdbxcSn13ObnmqsNQTRoY6k+k+Qa/re9NNd7JmULXS | |
| RVfZ+mGAezx5B5Z48koi+uGijjAYVpNAOl3fSUSJAoGAUJn6pGi6mUypp/Ct38Sp | |
| Bp6T8IS0UpfYWtJ3Gnp2lH34zC8xolcP2bevQZ2I3L3IC8rebiUkKWVPUReLVnyZ | |
| 2WL3QkzW4PhcwN3b1xVVTKWILSwtWqJ4mqf1udMzohtbj/JPfibZ7vALPYDw6p83 | |
| 3HIYfgotKoi4C1fXVfnbAmkCgYEAzc0vu3E+kYULiLJRQSgkWjK4fF2bdboUlFNj | |
| fZaa4fUONa56pNRF3d6Lp0EqsyBIrUqCCBLCW2CE6TKK+AbDSf0K+CTNMH0MKmMi | |
| v/Re2RWL5duzZ2jF1XzAw/nA+AjB4xr1Q2ljgZtWnKwAgBIlWVfYpvMX8syGdMvH | |
| GnE/H4kCgYA8mH3hr38S1/ZlxGj8yvl75S6c33LwFnDijX65EdaDXecamiO+Oi8x | |
| fkDcyGqB11mKPyqI+6vDQfSQ316mSPFR7fRK1A/rYGkBfFJK6jQZhoIAynlT3dwl | |
| DNNavJBR4UvjHRmXKZPaWw3pdmDPv54+05BBc8MYi/RHek2T7rgNFQ== | |
| -----END RSA PRIVATE KEY----- | |
| EOF | |
| msg success "TLS files written" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Configure Vault function | |
| # ----------------------------------------------------------------------- | |
| configure_vault() { | |
| msg info "Configure Vault ... " | |
| cat << EOF >> "$microvault_config" | |
| api_addr = "$microvault_vault_addr" | |
| disable_mlock = true | |
| log_level = "trace" | |
| plugin_directory = "$PWD" | |
| ui = true | |
| listener "tcp" { | |
| address = "127.0.0.1:8200" | |
| tls_cert_file = "$microvault_cert" | |
| tls_key_file = "$microvault_key" | |
| } | |
| storage "file" { | |
| path = "$microvault_data" | |
| } | |
| telemetry { | |
| dogstatsd_addr = "localhost:8125" | |
| enable_hostname_label = true | |
| cluster_name = "microvault" | |
| enable_high_cardinality_labels = "" | |
| prometheus_retention_time = "0h" | |
| } | |
| EOF | |
| msg success "Vault configured" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Start Vault server function | |
| # ----------------------------------------------------------------------- | |
| start_vault() { | |
| msg info "Start Vault ... " | |
| "$1" server \ | |
| -config="$microvault_config" \ | |
| -log-level="trace" \ | |
| > "$microvault_server_log" 2>&1 & | |
| export MICROVAULT_SERVER_PID=$! | |
| echo "$MICROVAULT_SERVER_PID" > "$microvault_pidfile" | |
| # <wait 2> 🤣 | |
| sleep 2 | |
| msg success "Vault server started with VAULT_ADDR: $VAULT_ADDR" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Stop Vault server function | |
| # ----------------------------------------------------------------------- | |
| stop_vault() { | |
| msg notice "Stopping Vault server ..." | |
| if ! pkill vault; then | |
| if ! kill "$MICROVAULT_SERVER_PID" > /dev/null 2>&1; then | |
| VAULT_PID="$(cat $microvault_pidfile)" | |
| kill "$VAULT_PID" > /dev/null 2>&1 | |
| fi | |
| fi | |
| msg success "Vault server stopped" | |
| rm -f $MICROVAULT_SERVER_PID | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Initialize Vault function | |
| # ----------------------------------------------------------------------- | |
| intialize_vault() { | |
| msg info "Initialize Vault ... " | |
| curl \ | |
| --fail \ | |
| --location \ | |
| --silent \ | |
| --show-error \ | |
| --cacert "$microvault_ca" \ | |
| --request PUT \ | |
| --data '{"secret_shares":1,"secret_threshold":1}' \ | |
| $microvault_vault_addr/v1/sys/init \ | |
| | jq -r '.root_token, .keys_base64[]' \ | |
| | awk 'NR==1 {print > ".root_token.txt"; next} {print > ".unseal_key.txt"}' | |
| msg success "Vault initialized" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Unseal Vault function | |
| # ----------------------------------------------------------------------- | |
| unseal_vault() { | |
| msg info "Unseal Vault ... " | |
| cat << EOF >> "$microvault_unseal_json" | |
| { | |
| "key": "$(cat "$microvault_unseal_key")" | |
| } | |
| EOF | |
| curl \ | |
| --silent \ | |
| --cacert "$microvault_ca" \ | |
| --request PUT \ | |
| --data @.unseal.json \ | |
| $microvault_vault_addr/v1/sys/unseal \ | |
| | jq | |
| msg success "Vault unsealed" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Enable Audit Device function | |
| # ----------------------------------------------------------------------- | |
| enable_audit_device() { | |
| msg info "Enable file audit device at file/ ... " | |
| VAULT_ADDR="$microvault_vault_addr" | |
| VAULT_CACERT="$microvault_ca" | |
| VAULT_TOKEN="$(cat "$microvault_root_token")" | |
| export VAULT_ADDR VAULT_CACERT VAULT_TOKEN | |
| RESULT="$(vault audit enable file file_path="$microvault_audit_log")" | |
| msg success "$RESULT" | |
| } | |
| # ----------------------------------------------------------------------- | |
| # Main function | |
| # ----------------------------------------------------------------------- | |
| main() { | |
| case "$1" in | |
| -l|--local-binary) | |
| local_binary="true" | |
| ;; | |
| "") | |
| local_binary="false" | |
| ;; | |
| *) | |
| echo 2>&1 "Usage: microvault [-l|--local-binary]" | |
| exit 1 | |
| ;; | |
| esac | |
| msg greeting "Hello from μVault!" | |
| preflight && \ | |
| cleanup && \ | |
| if [ "$local_binary" = "false" ]; then | |
| get_vault | |
| fi | |
| write_tls_files | |
| configure_vault | |
| if [ "$local_binary" = "true" ]; then | |
| start_vault "vault" | |
| else | |
| start_vault "./vault" | |
| fi | |
| intialize_vault | |
| unseal_vault | |
| enable_audit_device | |
| unseal_key=$(cat "$microvault_unseal_key") | |
| initial_root_token=$(cat "$microvault_root_token") | |
| msg complete "Vault server is ready." | |
| msg info "Use these commands in another terminal session to get started:" | |
| echo "export VAULT_ADDR=https://127.0.0.1:8200 | |
| vault operator unseal $unseal_key | |
| vault login $initial_root_token" | |
| msg complete "Stop the Vault server and clean up by pressing ENTER ..." | |
| read -r | |
| stop_vault | |
| cleanup | |
| } | |
| main "$1" | |
| end="$(date +%s)" | |
| runtime=$((end-begin)) | |
| msg complete "μVault complete after $runtime seconds." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment