Skip to content

258 fix vault resetting secrets issue #261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ebrahimmfadae merged 2 commits into from
May 9, 2022
Merged

258 fix vault resetting secrets issue #261

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4af46e7
Fix vault secrets resetting on restart
ebrahimmfadae May 8, 2022
79d2cef
Improve workflow-vault.sh script
ebrahimmfadae May 8, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ services:
vault:
image: ghcr.io/opexdev/vault-opex
build: docker-images/vault
tty: true
volumes:
- vault-data:/vault/file
environment:
Expand Down Expand Up @@ -541,4 +542,4 @@ volumes:
admin-data:
networks:
default:
driver: bridge
driver: bridge
2 changes: 1 addition & 1 deletion docker-images/vault/vault.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,4 @@
"default_lease_ttl": "168h",
"max_lease_ttl": "0h",
"api_addr": "http://0.0.0.0:8200"
}
}
189 changes: 98 additions & 91 deletions docker-images/vault/workflow-vault.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,98 +1,105 @@
#!/bin/sh
vault server -config /vault/config/vault.json &
set -em

## Export values
## Export environment variables
export VAULT_ADDR='http://0.0.0.0:8200'
export VAULT_SKIP_VERIFY='true'

#
vault server -config /vault/config/vault.json &

# Wait for server to initialize
sleep 10

if [ ! -f /vault/file/generated_keys.txt ]; then
echo "Vault init"
vault operator init > /vault/file/generated_keys.txt
fi
echo "Generated Keys:"
cat /vault/file/generated_keys.txt
## Parse unsealed keys
(grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt

echo "Keys:"
cat /vault/file/keys.txt

while IFS= read -r line; do
echo "Key read from file: $line"
vault operator unseal $line
done < /vault/file/keys.txt
#
## Get root token
(grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
while IFS= read -r line; do
echo "Root token read from file: $line"
export VAULT_TOKEN=${line}
done < /vault/file/tokens.txt
## Enable kv
echo 'enable kv'
vault secrets enable -path=secret -version=1 kv
## Enable userpass and add default user
echo 'enable userpass and add default user'
vault auth enable userpass
echo 'enable panel policies'
vault policy write panel-policy /vault/config/panel-policy.hcl
echo 'set password '
echo ${PANEL_PASS}
vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy
echo 'check login user/pass'
vault login -method=userpass username=admin password=${PANEL_PASS}

echo 'enable appid and add default user-id'
vault auth enable app-id
echo 'enable backend policies'
vault policy write backend-policy /vault/config/backend-policy.hcl
echo 'enable backend apps'
vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
vault write auth/app-id/map/app-id/chain-scan-gateway value=backend-policy display_name=chain-scan-gateway
vault write auth/app-id/map/app-id/opex-referral value=backend-policy display_name=opex-referral
echo 'enable user-id'
vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,chain-scan-gateway,opex-referral
echo 'check login appid'
vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
vault write auth/app-id/login/chain-scan-gateway user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-referral user_id=${BACKEND_USER}

#
## Add secret values
echo 'put key/value'
vault kv put secret/opex smtppass=${SMTP_PASS}
vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD}
vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
vault kv put secret/opex-admin keycloak_client_secret=${OPEX_ADMIN_KEYCLOAK_CLIENT_SECRET}
vault kv put secret/chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-referral dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}

# Keep alive
while pidof vault >/dev/null; do
sleep 10
done
unseal() {
## Generate keys
if [ ! -f /vault/file/generated_keys.txt ]; then
vault operator init > /vault/file/generated_keys.txt
else
exec
fi

## Parse unsealed keys
(grep "Unseal Key " < /vault/file/generated_keys.txt | cut -c15-) > /vault/file/keys.txt

while IFS= read -r line; do
vault operator unseal $line
done < /vault/file/keys.txt
}

init_secrets() {
## Get root token
(grep "Initial Root Token: " < /vault/file/generated_keys.txt | cut -c21-) > /vault/file/tokens.txt
while IFS= read -r line; do
export VAULT_TOKEN=${line}
done < /vault/file/tokens.txt

## Enable kv
vault secrets enable -path=secret -version=1 kv

## Enable user/pass and add default user
vault auth enable userpass

## Enable panel policies
vault policy write panel-policy /vault/config/panel-policy.hcl

## Set password
vault write auth/userpass/users/admin password=${PANEL_PASS} policies=panel-policy

## Check login user/pass
vault login -method=userpass username=admin password=${PANEL_PASS}

## Enable app-id and add default user-id
vault auth enable app-id

## Enable backend policies
vault policy write backend-policy /vault/config/backend-policy.hcl

## Enable backend apps
vault write auth/app-id/map/app-id/opex-accountant value=backend-policy display_name=opex-accountant
vault write auth/app-id/map/app-id/opex-api value=backend-policy display_name=opex-api
vault write auth/app-id/map/app-id/opex-bc-gateway value=backend-policy display_name=opex-bc-gateway
vault write auth/app-id/map/app-id/opex-eventlog value=backend-policy display_name=opex-eventlog
vault write auth/app-id/map/app-id/opex-auth value=backend-policy display_name=opex-auth
vault write auth/app-id/map/app-id/opex-wallet value=backend-policy display_name=opex-wallet
vault write auth/app-id/map/app-id/opex-websocket value=backend-policy display_name=opex-websocket
vault write auth/app-id/map/app-id/opex-payment value=backend-policy display_name=opex-payment
vault write auth/app-id/map/app-id/opex-admin value=backend-policy display_name=opex-admin
vault write auth/app-id/map/app-id/chain-scan-gateway value=backend-policy display_name=chain-scan-gateway
vault write auth/app-id/map/app-id/opex-referral value=backend-policy display_name=opex-referral

## Enable user-id
vault write auth/app-id/map/user-id/${BACKEND_USER} value=opex-wallet,opex-websocket,opex-eventlog,opex-auth,opex-accountant,opex-api,opex-bc-gateway,opex-payment,opex-admin,chain-scan-gateway,opex-referral

## Check login app-id
vault write auth/app-id/login/opex-accountant user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-api user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-bc-gateway user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-eventlog user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-auth user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-wallet user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-websocket user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-payment user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-admin user_id=${BACKEND_USER}
vault write auth/app-id/login/chain-scan-gateway user_id=${BACKEND_USER}
vault write auth/app-id/login/opex-referral user_id=${BACKEND_USER}

## Add secret values
vault kv put secret/opex smtppass=${SMTP_PASS}
vault kv put secret/opex-accountant dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-api dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-bc-gateway dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-eventlog dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-auth dbusername=${DB_USER} dbpassword=${DB_PASS} admin_username=${KEYCLOAK_ADMIN_USERNAME} admin_password=${KEYCLOAK_ADMIN_PASSWORD}
vault kv put secret/opex-wallet dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-websocket dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
vault kv put secret/opex-payment dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS} vandar_api_key=${VANDAR_API_KEY}
vault kv put secret/opex-admin keycloak_client_secret=${OPEX_ADMIN_KEYCLOAK_CLIENT_SECRET}
vault kv put secret/chain-scan-gateway dbusername=${DB_USER} dbpassword=${DB_PASS}
vault kv put secret/opex-referral dbusername=${DB_USER} dbpassword=${DB_PASS} db_backup_username=${DB_BACKUP_USER} db_backup_pass=${DB_BACKUP_PASS}
}

unseal
init_secrets

## Keep alive
fg %1