727277793b
Provisions Vault with the policies described in the Nomad Vault integration guide, and drops a Nomad `vault` stanza configuration file containing the server token. The Vault root token is exposed to the E2E runner so that tests can write additional policies to Vault.
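#!/bin/bash
# Provision Vault for the Nomad E2E cluster:
#   1. initialize Vault (the server is configured to auto-unseal with AWS KMS)
#      and capture the initial root token,
#   2. publish the root token under ../keys so the E2E runner can write
#      additional policies,
#   3. write the nomad-server policy and the nomad-cluster token role, mint a
#      periodic orphan token for the Nomad servers, and drop a Nomad `vault {}`
#      stanza that references it.
#
# Both files written under ../keys contain live Vault tokens; they are created
# with owner-only permissions (umask 077) rather than the default umask.

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
# resolved relative to this script so that mkdir and the writes below agree on
# the location regardless of the caller's working directory
KEYS_DIR="${DIR}/../keys"

# unseal vault and get a root operator token; the vault is configured to
# autounseal with AWS KMS. `vault operator init` is retried until it prints a
# token because the server may not be reachable yet. An init that can never
# succeed (e.g. Vault already initialized) produces no token, so every retry is
# logged to stderr to make a stuck loop visible in the provisioning output.
while true; do
  ROOT_TOKEN=$(vault operator init -recovery-shares=1 -recovery-threshold=1 \
    | awk '/Initial Root Token/{print $4}')
  if [[ -n "$ROOT_TOKEN" ]]; then
    break
  fi
  printf 'vault operator init did not return a root token; retrying in 5s\n' >&2
  sleep 5
done
# strict mode only from here on: the init loop above relies on tolerating
# failures; pipefail makes the `vault | awk` pipelines below fail on a failed
# vault call instead of silently yielding an empty token
set -eo pipefail

export VAULT_TOKEN="$ROOT_TOKEN"

# token files are secrets: create the directory and files owner-only
umask 077
mkdir -p -- "$KEYS_DIR"
printf '%s\n' "$VAULT_TOKEN" > "${KEYS_DIR}/vault_root_token"

# write policies for Nomad to Vault, and then configure Nomad to use the
# token from those policies
vault policy write nomad-server "${DIR}/vault-nomad-server-policy.hcl"
vault write /auth/token/roles/nomad-cluster "@${DIR}/vault-nomad-cluster-role.json"

# periodic orphan token: the Nomad servers' token is not tied to the root
# token's lifetime. Fail loudly if no token came back rather than writing an
# empty `token = ""` into the Nomad configuration.
NOMAD_VAULT_TOKEN=$(vault token create -policy nomad-server -period 72h -orphan \
  | awk '/token /{print $2}')
if [[ -z "$NOMAD_VAULT_TOKEN" ]]; then
  printf 'failed to create the nomad-server vault token\n' >&2
  exit 1
fi

# Nomad server `vault {}` stanza; the heredoc is unquoted on purpose so that
# $NOMAD_VAULT_TOKEN is expanded into the file
cat <<EOF > "${KEYS_DIR}/nomad_vault.hcl"
vault {
  enabled = true
  address = "http://active.vault.service.consul:8200"
  task_token_ttl = "1h"
  create_from_role = "nomad-cluster"
  token = "$NOMAD_VAULT_TOKEN"
}
EOF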