fix certs compose & vault script

Signed-off-by: Arvindh <[email protected]>
absmach · Feb 19, 2024 · 5650ae7 · 5650ae7
1 parent 3c777c4
commit 5650ae7
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 35 deletions.
diff --git a/docker/addons/certs/docker-compose.yml b/docker/addons/certs/docker-compose.yml
@@ -47,8 +47,8 @@ services:
       MG_CERTS_VAULT_NAMESPACE: ${MG_CERTS_VAULT_NAMESPACE}
       MG_CERTS_VAULT_APPROLE_ROLEID: ${MG_CERTS_VAULT_APPROLE_ROLEID}
       MG_CERTS_VAULT_APPROLE_SECRET: ${MG_CERTS_VAULT_APPROLE_SECRET}
-      MG_CERTS_VAULT_PKI_INT_PATH: ${MG_CERTS_VAULT_PKI_INT_PATH}
-      MG_CERTS_VAULT_PKI_INT_ROLE_NAME: ${MG_CERTS_VAULT_PKI_INT_ROLE_NAME}
+      MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH: ${MG_CERTS_VAULT_THINGS_CERTS_PKI_PATH}
+      MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME: ${MG_CERTS_VAULT_THINGS_CERTS_PKI_ROLE_NAME}
       MG_CERTS_HTTP_HOST: ${MG_CERTS_HTTP_HOST}
       MG_CERTS_HTTP_PORT: ${MG_CERTS_HTTP_PORT}
       MG_CERTS_HTTP_SERVER_CERT: ${MG_CERTS_HTTP_SERVER_CERT}

diff --git a/docker/addons/vault/README.md b/docker/addons/vault/README.md
@@ -6,8 +6,9 @@ When the Vault service is started, some initialization steps need to be done to
 
 ## Configuration
 
+
 | Variable                                | Description                                                                   | Default                               |
-| :-------------------------------------- | ----------------------------------------------------------------------------- | ------------------------------------- |
+| :---------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- |
 | MG_VAULT_HOST                           | Vault service address                                                         | vault                                 |
 | MG_VAULT_PORT                           | Vault service port                                                            | 8200                                  |
 | MG_VAULT_ADDR                           | Vault Address                                                                 | http://vault:8200                     |
@@ -49,13 +50,9 @@ When the Vault service is started, some initialization steps need to be done to
 
 The following scripts are provided, which work on the running Vault service in Docker.
 
-1. `vault-init.sh`
-
-Calls `vault operator init` to perform the initial vault initialization and generates
-a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys and root tokens.
+### 1. `vault-init.sh`
 
-After this step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`,
-`MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file.
+Calls `vault operator init` to perform the initial vault initialization and generates a `docker/addons/vault/data/secrets` file which contains the Vault unseal keys and root tokens.
 
 Example contents for `data/secrets`:
 
@@ -83,37 +80,41 @@ bash-4.4
 Use 3 out of five keys presented and put it into .env file and than start the composition again Vault should be in unsealed state ( take a note that this is not recommended in terms of security, this is deployment for development) A real production deployment can use Vault auto unseal mode where vault gets unseal keys from some 3rd party KMS ( on AWS for example)
 ```
 
-2. `vault-unseal.sh`
+### 2. `vault-env-copy.sh`
 
-This can be run after the initialization to unseal Vault, which is necessary for it to be used to store and/or get secrets.
-This can be used if you don't want to restart the service.
+After first step, the corresponding Vault environment variables (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`) should be updated in `.env` file.
 
-The unseal environment variables need to be set in `.env` for the script to work (`MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`,
-`MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`).
+`vault-env-copy.sh` scripts copies values from `docker/addons/vault/data/secrets` file and update environmental variables `MG_VAULT_TOKEN`, `MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3` present in `.env` file.
 
-This script should not be necessary to run after the initial setup, since the Vault service unseals itself when
-starting the container.
+### 3. `vault-unseal.sh`
 
-3. `vault-set-pki.sh`
+This can be run after the initialization to unseal Vault, which is necessary for it to be used to store and/or get secrets.
+
+This can be used if you don't want to restart the service.
 
-This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate.
+The unseal environment variables need to be set in `.env` for the script to work (`MG_VAULT_TOKEN`,`MG_VAULT_UNSEAL_KEY_1`, `MG_VAULT_UNSEAL_KEY_2`, `MG_VAULT_UNSEAL_KEY_3`).
 
-All generate certificates, keys and CSR by `vault-set-pki.sh` will be present at `docker/addons/vault/data`
+This script should not be necessary to run after the initial setup, since the Vault service unseals itself when starting the container.
 
-The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`.
+### 4. `vault-set-pki.sh`
 
-Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generate root CA. 
+This script is used to generate the root certificate, intermediate certificate and HTTPS server certificate.  
+All generate certificates, keys and CSR by `vault-set-pki.sh` will be present at `docker/addons/vault/data`.  
 
-Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA
+The parameters required for generating certificate are obtained from the environment variables which are loaded from `docker/.env`.  
 
+Environmental variables starting with `MG_VAULT_PKI` in `docker/.env` file are used by `vault-set-pki.sh` to generate root CA.  
+Environmental variables starting with`MG_VAULT_PKI_INT` in `docker/.env` file are used by `vault-set-pki.sh` to generate intermediate CA.  
 
-4. `vault-create-approle.sh`
+### 5. `vault-create-approle.sh`  
 
-This script is used to enable app role authorization in Vault. Certs service used the approle credentials to issue , revoke things certificate from vault intermedate CA.
+This script is used to enable app role authorization in Vault. Certs service used the approle credentials to issue, revoke things certificate from vault intermedate CA.  
 
-`vault-create-approle` script by default tries to enable auth approle. If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step, `vault-create-approle.sh skip_enable_app_role`
+`vault-create-approle` script by default tries to enable auth approle.  
+If approle is already enabled in vault, then use args `skip_enable_app_role` to skip enable auth approle step.  
+To skip enable auth approle step use the following  `vault-create-approle.sh   skip_enable_app_role`
 
-5. `vault-certs-copy.sh`
+### 6. `vault-certs-copy.sh`
 
 This scripts copies the necessary certificates and keys from `docker/addons/vault/data` to the `docker/ssl/certs` folder.
 

diff --git a/docker/addons/vault/vault-create-approle.sh b/docker/addons/vault/vault-create-approle.sh
@@ -36,7 +36,7 @@ vaultCreatePolicy() {
 vaultEnableAppRole() {
    if [ "$SKIP_ENABLE_APP_ROLE" == "skip_enable_app_role" ]; then
         echo "Skipping Enable AppRole"
-    elif
+    else
         echo "Enabling AppRole"
         vault auth enable -namespace=${MG_VAULT_NAMESPACE} -address=${MG_VAULT_ADDR} approle
     fi

diff --git a/docker/addons/vault/vault-env-copy.sh b/docker/addons/vault/vault-env-copy.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/bash
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
+export MAGISTRALA_DIR=$scriptdir/../../../
+
+cd $scriptdir
+
+write_env() {
+    sed -i "s,MG_VAULT_UNSEAL_KEY_1=.*,MG_VAULT_UNSEAL_KEY_1=$(awk -F ": " '$1 == "Unseal Key 1" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
+    sed -i "s,MG_VAULT_UNSEAL_KEY_2=.*,MG_VAULT_UNSEAL_KEY_2=$(awk -F ": " '$1 == "Unseal Key 2" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
+    sed -i "s,MG_VAULT_UNSEAL_KEY_3=.*,MG_VAULT_UNSEAL_KEY_3=$(awk -F ": " '$1 == "Unseal Key 3" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
+    sed -i "s,MG_VAULT_TOKEN=.*,MG_VAULT_TOKEN=$(awk -F ": " '$1 == "Initial Root Token" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
+}
+
+
+
+write_env
diff --git a/docker/addons/vault/vault-init.sh b/docker/addons/vault/vault-init.sh
@@ -9,18 +9,10 @@ export MAGISTRALA_DIR=$scriptdir/../../../
 
 cd $scriptdir
 
-write_env() {
-    sed -i "s,MG_VAULT_UNSEAL_KEY_1=.*,MG_VAULT_UNSEAL_KEY_1=$(awk -F ": " '$1 == "Unseal Key 1" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
-    sed -i "s,MG_VAULT_UNSEAL_KEY_2=.*,MG_VAULT_UNSEAL_KEY_2=$(awk -F ": " '$1 == "Unseal Key 2" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
-    sed -i "s,MG_VAULT_UNSEAL_KEY_3=.*,MG_VAULT_UNSEAL_KEY_3=$(awk -F ": " '$1 == "Unseal Key 3" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
-    sed -i "s,MG_VAULT_TOKEN=.*,MG_VAULT_TOKEN=$(awk -F ": " '$1 == "Initial Root Token" {print $2}' data/secrets)," $MAGISTRALA_DIR/docker/.env
-}
 vault() {
     docker exec -it magistrala-vault vault "$@"
 }
 
 mkdir -p data
 
 vault operator init 2>&1 | tee >(sed -r 's/\x1b\[[0-9;]*m//g' > data/secrets)
-
-write_env