Tips-Of-Mine/vault
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update readme
Some checks failed
Deployment Verification / deploy-and-test (push) Failing after 5m11s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-01-03 20:10:31 +01:00
parent 4e2a668d80
commit 5f9f0cdc19
5 changed files with 112 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
README.md
View File

@ -37,12 +37,47 @@ Modification des labels pour traefik
docker compose logs -f
~~~
On se connecte sur le docker
~~~bash
docker exec -it vault-app /bin/sh
~~~
Nous ajoutons les paquets manquant
~~~bash
vault operator init
apk add jq curl
~~~
Nous lancons initialitation
~~~bash
vault operator init -key-shares=5 -key-threshold=3 -format=json > /vault/file/unseal.json
~~~
~~~bash
vault operator unseal $(jq -r '.unseal_keys_b64[0]' /vault/file/unseal.json)
~~~
~~~bash
export VAULT_TOKEN=$(jq -r '.root_token' /vault/file/unseal.json)
~~~
~~~bash
vault secrets enable -version=2 -path=secret kv
~~~
~~~bash
vault policy write readwrite /vault/policy/secrets-readwrite.hcl
~~~
~~~bash
vault policy write readonly /vault/policy/secrets-read.hcl
~~~
~~~bash
vault policy write terraform /vault/policy/secrets-terraform.hcl
~~~
~~~bash
vault write auth/approle/role/terraform secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 token_policies=terraform
~~~
# Buy me a coffe

50
file/vault-unseal.sh Normal file
View File

@ -0,0 +1,50 @@
#!/usr/bin/env sh
#Define a timestamp function
timestamp() {
date "+%b %d %Y %T %Z"
}
URL=https://vault.tips-of-mine.com
KEYS_FILE=/vault/file/unseal.json
LOG=info
SKIP_TLS_VERIFY=true
if [ true = "$SKIP_TLS_VERIFY" ]
then
CURL_PARAMS="-sk"
else
CURL_PARAMS="-s"
fi
# Add timestamp
echo "$(timestamp): Vault-useal started" | tee -a $LOG
echo "-------------------------------------------------------------------------------" | tee -a $LOG
initialized=$(curl $CURL_PARAMS $URL/v1/sys/health | jq '.initialized')
if [ true = "$initialized" ]
then
echo "$(timestamp): Vault already initialized" | tee -a $LOG
while true
do
status=$(curl $CURL_PARAMS $URL/v1/sys/health | jq '.sealed')
if [ true = "$status" ]
then
echo "$(timestamp): Vault Sealed. Trying to unseal" | tee -a $LOG
# Get keys from json file
for i in `jq -r '.keys[]' $KEYS_FILE`
do curl $CURL_PARAMS --request PUT --data "{\"key\": \"$i\"}" $URL/v1/sys/unseal
done
sleep 10
else
echo "$(timestamp): Vault unsealed" | tee -a $LOG
break
fi
done
else
echo "$(timestamp): Vault not initialized yet"
fi

3
policy/secrets-read.hcl Normal file
View File

@ -0,0 +1,3 @@
path "secret/*" {
capabilities = [ "read" ]
}

3
policy/secrets-readwrite.hcl Normal file
View File

@ -0,0 +1,3 @@
path "secret/*" {
capabilities = [ "create", "read", "update", "delete", "list", "patch" ]
}

20
policy/secrets-terraform.hcl Normal file
View File

@ -0,0 +1,20 @@
path "*" {
capabilities = ["list", "read"]
}
path "secrets/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/token/create" {
capabilities = ["create", "read", "update", "list"]
}