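#!/bin/bash
# vault-init.sh — bootstrap a freshly deployed Vault server in the current
# kubectl context: wait for the pod, run `vault operator init` exactly once,
# store the init output (unseal keys + root token) in .secrets/vault.json,
# unseal the server and log in with the root token.
#
# Requires: kubectl (pointed at the right cluster/namespace) and jq on PATH.
# Writes:   .secrets/vault.json, mode 0600 in a 0700 directory. That file is
#           the master secret for the whole Vault — whoever can read it owns
#           every secret Vault will ever hold. Keep it out of version control,
#           and once bootstrapping is done move the unseal keys into proper
#           custody (separate key holders, or migrate to auto-unseal) and
#           consider revoking the root token (`vault token revoke <token>`)
#           in favour of a less privileged auth method.
#
# This script deliberately never prints unseal keys or the root token: it is
# typically run in a terminal or CI job whose output is captured and logged.
set -euo pipefail

SECRETS_DIR=".secrets"
SECRETS_FILE="${SECRETS_DIR}/vault.json"
POD_SELECTOR="app.kubernetes.io/name=vault"

# Diagnostics go to stderr so stdout stays free of anything a caller might
# capture and persist.
log() { printf '%s\n' "$*" >&2; }
die() { log "ERROR: $*"; exit 1; }

command -v kubectl >/dev/null || die "kubectl not found in PATH"
command -v jq >/dev/null || die "jq not found in PATH"

# Wait for the Vault server pod to reach Running. The pod name is hard-coded
# to the StatefulSet's first replica, matching the deployment this script
# was written for.
until [[ "$(kubectl get pod vault-server-0 -o 'jsonpath={..status.phase}')" == "Running" ]]; do
  log "Waiting for Vault pod to be running..."
  sleep 5
done

# Resolve the pod name from the label selector. Take only the first
# vault-server match so a multi-replica StatefulSet cannot produce a
# multi-line pod name that breaks every kubectl exec below.
VAULT_POD_NAME=$(kubectl get pods -l "$POD_SELECTOR" -o name | grep 'vault-server' | head -n 1 | sed 's#^pod/##')
[[ -n "$VAULT_POD_NAME" ]] || die "no pod matching '$POD_SELECTOR' with a vault-server name"

#######################################
# Print `vault status` JSON for the server pod.
# The command's exit code is intentionally discarded: vault exits 2 while
# sealed, which set -e would otherwise treat as a fatal error. Callers must
# check for empty output, which means kubectl itself failed.
# Globals:   VAULT_POD_NAME (read)
# Outputs:   vault status JSON on stdout (empty on transport failure)
#######################################
vault_status() {
  kubectl exec -i "$VAULT_POD_NAME" -- vault status -format=json || true
}

# Decide whether to initialize by asking Vault, not by assuming that any
# failure of `vault operator init` means "already initialized" — a transport
# or RBAC error would otherwise be misreported and the script would go on to
# read a secrets file that does not exist.
status_json=$(vault_status)
[[ -n "$status_json" ]] || die "could not query vault status in pod $VAULT_POD_NAME"
initialized=$(jq -r '.initialized' <<<"$status_json")

if [[ "$initialized" == "true" ]]; then
  # The original init output must already be on disk; without it the unseal
  # keys are gone and nothing here can recover them. Do not cat the file —
  # that would dump the root token into the log.
  [[ -f "$SECRETS_FILE" ]] || die "Vault is already initialized but $SECRETS_FILE is missing; recover the unseal keys out of band"
  log "Vault has already been initialized. Unseal keys and root token can be found in $SECRETS_FILE."
else
  # Create the directory owner-only and write the file under umask 077 so the
  # secrets are never, even briefly, world-readable.
  mkdir -p "$SECRETS_DIR"
  chmod 700 "$SECRETS_DIR"
  init_json=$(kubectl exec -i "$VAULT_POD_NAME" -- vault operator init -format=json) \
    || die "vault operator init failed"
  ( umask 077; jq '.' <<<"$init_json" > "$SECRETS_FILE" ) || die "could not write $SECRETS_FILE"
  unset init_json
  log "Vault initialized. Unseal keys and root token written to $SECRETS_FILE (not printed)."
fi

# Unseal: submit keys one at a time over stdin rather than as an argument, so
# they do not show up in `ps` inside the pod or in kubectl exec audit logs.
# Stop as soon as the threshold is reached instead of pushing every key.
while IFS= read -r unseal_key; do
  [[ -n "$unseal_key" ]] || continue
  sealed=$(vault_status | jq -r '.sealed')
  [[ "$sealed" == "true" ]] || break
  log "Unsealing Vault..."
  printf '%s\n' "$unseal_key" | kubectl exec -i "$VAULT_POD_NAME" -- vault operator unseal >/dev/null \
    || die "unseal attempt failed"
done < <(jq -r '.unseal_keys_b64[]' "$SECRETS_FILE")
unset unseal_key

# Confirm the server reports unsealed before trying to log in.
until [[ "$(vault_status | jq -r '.sealed')" == "false" ]]; do
  log "Waiting for vault to be fully unsealed..."
  sleep 5
done

# Log in with the root token read from stdin (`vault login -`), never via
# argv. The login output echoes the token back, so it is discarded. Note that
# `vault login` also persists the token in ~/.vault-token inside the pod.
root_token=$(jq -r '.root_token' "$SECRETS_FILE")
[[ -n "$root_token" && "$root_token" != "null" ]] || die "no root_token in $SECRETS_FILE"
printf '%s\n' "$root_token" | kubectl exec -i "$VAULT_POD_NAME" -- vault login - >/dev/null \
  || die "vault login failed"
unset root_token

log "Vault has been initialized and unsealed. Unseal keys and root token can be found in $SECRETS_FILE."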