From 4af46e7a6be4f72bc45e8c23c1eb3cf23494d9d0 Mon Sep 17 00:00:00 2001
From: ebrahimmfadae
Date: Mon, 9 May 2022 00:07:43 +0430
Subject: [PATCH 1/2] Fix vault secrets resetting on restart
---
 docker-compose.yml | 3 +-
 docker-images/vault/vault.json | 2 +-
 docker-images/vault/workflow-vault.sh | 193 +++++++++++++-------------
 3 files changed, 103 insertions(+), 95 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index a33338584..182f046ea 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -95,6 +95,7 @@ services:
 vault:
 image: ghcr.io/opexdev/vault-opex
 build: docker-images/vault
+ tty: true
 volumes:
 - vault-data:/vault/file
 environment:
@@ -541,4 +542,4 @@ volumes:
 admin-data:
 networks:
 default:
- driver: bridge
\ No newline at end of file
+ driver: bridge
diff --git a/docker-images/vault/vault.json b/docker-images/vault/vault.json
index 105035688..fbe384e20 100644
--- a/docker-images/vault/vault.json
+++ b/docker-images/vault/vault.json
@@ -13,4 +13,4 @@
 "default_lease_ttl": "168h",
 "max_lease_ttl": "0h",
 "api_addr": "http://0.0.0.0:8200"
-}
\ No newline at end of file
+}
diff --git a/docker-images/vault/workflow-vault.sh b/docker-images/vault/workflow-vault.sh
index 51d8d14e2..71789e280 100755
--- a/docker-images/vault/workflow-vault.sh
+++ b/docker-images/vault/workflow-vault.sh
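Review bot: The new `tty: true` on the vault service says nothing about why this container needs a terminal, and nothing in the compose file ties it to the entrypoint that depends on it. Presumably it is there because workflow-vault.sh, rewritten in the same patch, now runs under `set -em` and parks on `fg %1`, which needs job control and, in the busybox/ash shells typical of these images, a controlling terminal — worth confirming against the base image. I would annotate the line so nobody "cleans it up" later: `tty: true  # workflow-vault.sh keeps the server in the foreground via job control (set -m / fg %1); needs a terminal`. The rest of the vault service definition (its environment block) continues outside the hunk.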
@@ -1,98 +1,105 @@
 #!/bin/sh
-vault server -config /vault/config/vault.json &
+set -em
-## Export values
+## Export environment variables
 export VAULT_ADDR='http://0.0.0.0:8200'
 export VAULT_SKIP_VERIFY='true'
-#
-sleep 10
-
-if [ ! -f /vault/file/generated_keys.txt ]; then
- echo "Vault init"
- vault operator init > /vault/file/generated_keys.txt
-fi
-echo "Generated Keys:"
-cat /vault/file/generated_keys.txt
-## Parse unsealed keys
-(grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt
-
-echo "Keys:"
-cat /vault/file/keys.txt
-
-while IFS= read -r line; do
- echo "Key read from file: $line"
- vault operator unseal $line
-done < /vault/file/keys.txt
-#
-## Get root token
-(grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
-while IFS= read -r line; do
- echo "Root token read from file: $line"
- export VAULT_TOKEN=${line}
-done < /vault/file/tokens.txt
-## Enable kv
-echo 'enable kv'
-vault secrets enable -path=secret -version=1 kv
-## Enable userpass and add default user
-echo 'enable userpass and add default user'
-vault auth enable userpass
-echo 'enable panel policies'
-vault policy write panel-policy /vault/config/panel-policy.hcl
-echo 'set password '
-echo ${PANEL_PASS}
-vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy
-echo 'check login user/pass'
-vault login -method=userpass username=admin password=${PANEL_PASS}
-
-echo 'enable appid and add default user-id'
-vault auth enable app-id
-echo 'enable backend policies'
-vault policy write backend-policy /vault/config/backend-policy.hcl
-echo 'enable backend apps'
-vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
-vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
-vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
-vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
-vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
-vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
-vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
-vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
-vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
-vault write auth/app-id/map/app-id/chain-scan-gateway value=backend-policy display_name=chain-scan-gateway
-vault write auth/app-id/map/app-id/opex-referral value=backend-policy display_name=opex-referral
-echo 'enable user-id'
-vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,chain-scan-gateway,opex-referral
-echo 'check login appid'
-vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
-vault write auth/app-id/login/chain-scan-gateway user_id=${BACKEND_USER}
-vault write auth/app-id/login/opex-referral user_id=${BACKEND_USER}
-
-#
-## Add secret values
-echo 'put key/value'
-vault kv put secret/opex smtppass=${SMTP_PASS}
-vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD}
-vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
-vault kv put secret/opex-admin keycloak_client_secret=${OPEX_ADMIN_KEYCLOAK_CLIENT_SECRET}
-vault kv put secret/chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
-vault kv put secret/opex-referral dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
-
-# Keep alive
-while pidof vault >/dev/null; do
- sleep 10
-done
+vault server -config /vault/config/vault.json &
+
+# Wait for server to initialize
+sleep 3
+
+unseal() {
+ ## Generate keys
+ if [ ! -f /vault/file/generated_keys.txt ]; then
+ vault operator init > /vault/file/generated_keys.txt
+ else
+ exec wait -n
+ fi
+
+ ## Parse unsealed keys
+ (grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt
+
+ while IFS= read -r line; do
+ vault operator unseal $line
+ done < /vault/file/keys.txt
+ }
+
+ init_secrets() {
+ ## Get root token
+ (grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
+ while IFS= read -r line; do
+ export VAULT_TOKEN=${line}
+ done < /vault/file/tokens.txt
+
+ ## Enable kv
+ vault secrets enable -path=secret -version=1 kv
+
+ ## Enable user/pass and add default user
+ vault auth enable userpass
+
+ ## Enable panel policies
+ vault policy write panel-policy /vault/config/panel-policy.hcl
+
+ ## Set password
+ vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy
+
+ ## Check login user/pass
+ vault login -method=userpass username=admin password=${PANEL_PASS}
+
+ ## Enable app-id and add default user-id
+ vault auth enable app-id
+
+ ## Enable backend policies
+ vault policy write backend-policy /vault/config/backend-policy.hcl
+
+ ## Enable backend apps
+ vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
+ vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
+ vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
+ vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
+ vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
+ vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
+ vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
+ vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
+ vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
+ vault write auth/app-id/map/app-id/chain-scan-gateway value=backend-policy display_name=chain-scan-gateway
+ vault write auth/app-id/map/app-id/opex-referral value=backend-policy display_name=opex-referral
+
+ ## Enable user-id
+ vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,chain-scan-gateway,opex-referral
+
+ ## Check login app-id
+ vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
+ vault write auth/app-id/login/chain-scan-gateway user_id=${BACKEND_USER}
+ vault write auth/app-id/login/opex-referral user_id=${BACKEND_USER}
+
+ ## Add secret values
+ vault kv put secret/opex smtppass=${SMTP_PASS}
+ vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+ vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+ vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+ vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+ vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD}
+ vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+ vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+ vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
+ vault kv put secret/opex-admin keycloak_client_secret=${OPEX_ADMIN_KEYCLOAK_CLIENT_SECRET}
+ vault kv put secret/chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
+ vault kv put secret/opex-referral dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
+}
+
+unseal
+init_secrets
+
+## Keep alive
+fg %1
From 79d2cef9e440a3a3969f4ec56dec6efc6cb997f8 Mon Sep 17 00:00:00 2001
From: ebrahimmfadae
Date: Mon, 9 May 2022 00:14:07 +0430
Subject: [PATCH 2/2] Improve workflow-vault.sh script
---
 docker-images/vault/workflow-vault.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-images/vault/workflow-vault.sh b/docker-images/vault/workflow-vault.sh
index 71789e280..afa7a9c39 100755
--- a/docker-images/vault/workflow-vault.sh
+++ b/docker-images/vault/workflow-vault.sh
@@ -8,14 +8,14 @@ export VAULT_SKIP_VERIFY='true'
 vault server -config /vault/config/vault.json &
 # Wait for server to initialize
-sleep 3
+sleep 10
 unseal() {
 ## Generate keys
 if [ ! -f /vault/file/generated_keys.txt ]; then
 vault operator init > /vault/file/generated_keys.txt
 else
- exec wait -n
+ exec
 fi
 ## Parse unsealed keys
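Review bot: `vault operator init > /vault/file/generated_keys.txt` in `unseal` leaves every unseal key and the initial root token in plaintext on the same volume Vault keeps its storage in (`vault-data:/vault/file` in this patch's docker-compose hunk), and `init_secrets` then copies the token into `/vault/file/tokens.txt` and drives all provisioning with that root token without ever revoking it, so anyone who obtains the volume or a shell in the container holds the seal and a root token in one go. At minimum set `umask 077` before `vault operator init` so the files are not world-readable, remove the derived copies once they are consumed with `rm -f /vault/file/keys.txt /vault/file/tokens.txt`, and after the one-time provisioning run `vault token revoke -self` so the persisted root token is dead; longer term this wants auto-unseal or operator-held key shares rather than a file beside the data. Separately, `vault operator unseal $line` in the read loop is unquoted — `vault operator unseal "$line"` avoids word-splitting should a key ever contain whitespace. Dropping the old `cat`/`echo` of the keys and of `${PANEL_PASS}` from the new side is a genuine improvement and should be kept.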
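Review bot: A bare `exec` with no command is a no-op in POSIX sh, so on a volume that already holds generated_keys.txt the `else` branch no longer stops the script and `unseal` falls through to parsing and unsealing (the intended effect), but `init_secrets`, which the script calls unconditionally right after `unseal` (outside this hunk), then re-runs `vault secrets enable -path=secret ...` and `vault auth enable userpass`/`app-id` against mounts that already exist. As far as I recall Vault rejects enabling a path that is already in use with a non-zero exit, and with `set -em` at the top of the file that ends the entrypoint, and the background `vault server` with it, on every restart — the opposite of what the series title aims for. The robust version records whether `vault operator init` actually ran and only provisions on that first boot, as sketched below; the fixed `sleep 10` is also a guess at startup time, and polling `vault status` until the server answers would make the wait deterministic, but that is secondary.
```shell
first_init=0

unseal() {
  ## Generate keys (first boot only; later boots just unseal)
  if [ ! -f /vault/file/generated_keys.txt ]; then
    vault operator init > /vault/file/generated_keys.txt
    first_init=1
  fi
  # … unchanged: parse keys and unseal …
}

# … unchanged: init_secrets …

unseal
if [ "$first_init" -eq 1 ]; then
  init_secrets
fi
```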