scripts/vault/vault-init.sh

#!/bin/sh

test $VAULT_HOST || VAULT_HOST=localhost
test $VAULT_PORT || VAULT_PORT=8200
VAULT_ADDRESS="http://$VAULT_HOST:$VAULT_PORT"

test $TARGET_DIR || TARGET_DIR=/scripts
test $VAULT_KEYS_FILE || VAULT_KEYS_FILE=$TARGET_DIR/private_keys

TOKENS_LIST_FILE=$TARGET_DIR/token.list

test -d $TARGET_DIR || mkdir -p $TARGET_DIR


function show_usage() {
	echo "Usage: ${0##*/} --(init|unseal|authorise|create-policies|create-tokens|create-secrets)" 
	echo -e "\t Example: ${0##*/} --init"
	echo -e "\t Example: ${0##*/} --unseal"
	echo -e "\t Example: ${0##*/} --authorise"
	echo -e "\t Example: ${0##*/} --create-policies"
	echo -e "\t Example: ${0##*/} --create-tokens"
	echo -e "\t Example: ${0##*/} --create-secrets"
}

function show_error() {
		local message="$1"; local funcname="$2"; local log_date=`date '+%Y/%m/%d:%H:%M:%S %Z'`
		echo -e "[ERROR.$funcname $log_date] $message" >&2
		err=1
}

function show_notice() {
		local message="$1"; local funcname="$2"; local log_date=`date '+%Y/%m/%d:%H:%M:%S %Z'`
		echo -e "\n[NOTICE.$funcname $log_date] $message"
}


function vault_init() {
	local err=0;

	show_notice "Vault init and save keys to file $VAULT_KEYS_FILE started."
	vault operator init --address=$VAULT_ADDRESS | grep -E 'Initial Root Token:|Unseal Key .:' > $VAULT_KEYS_FILE

	return $err;
}

function vault_unseal() {
	local err=0;
	test -f $VAULT_KEYS_FILE || { show_error "Vault keys file: $VAULT_KEYS_FILE doesn't exist!" "$FUNCNAME"; return 1; }

	show_notice "Vault unseal started."
	list='1 2 3'
	for number in $list; do
		vault_unseal_key=`grep "Unseal Key $number" $VAULT_KEYS_FILE | awk -F':' '{print $2}' | tr '\n' ' ' | sed "s/ //g"`
		vault operator unseal -address=$VAULT_ADDRESS $vault_unseal_key
		echo
	done

	return $err;
}

function vault_authorise() {
	local err=0;
	test -f $VAULT_KEYS_FILE || { show_error "Vault keys file: $VAULT_KEYS_FILE doesn't exist!" "$FUNCNAME"; return 1; }

	show_notice "Vault authorise with root token started."
	vault_root_token=`grep 'Root Token' $VAULT_KEYS_FILE | awk -F':' '{print $2}' | tr '\n' ' ' | sed "s/ //g"`

	vault login --address=$VAULT_ADDRESS $vault_root_token
}

function vault_create_policies() {
	local err=0;
	test -d $TARGET_DIR/policies || { show_error "Dir: $TARGET_DIR/policies doesn't exist!" "$FUNCNAME"; return 1; }

	show_notice "Create Vault policies started."
	for policy in `ls -1 $TARGET_DIR/policies/ | grep '.hcl' | sed "s/\.hcl//g"`; do
		vault policy write --address=$VAULT_ADDRESS $policy $TARGET_DIR/policies/${policy}.hcl
	done

	return $err;
}

function vault_create_tokens() {
	local err=0;
	test -f $token_list || { show_error "Tokens file: $token_list doesn't exist!" "$FUNCNAME"; return 1; }

	show_notice "Create Vault tokens started."

	for token in `cat $TOKENS_LIST_FILE | awk '{print $1}'`; do
		show_notice "Create token: $token"
		token_policy=`grep $token $TOKENS_LIST_FILE | awk '{print $2}' | sed "s/\,/ -policy=/g"`
		vault token create -id=$token -policy=$token_policy --address=$VAULT_ADDRESS
		echo
	done

	return $err;
}

function vault_create_secrets() {
	local err=0;
	test -d $TARGET_DIR/secrets || { show_error "Dir: $TARGET_DIR/secrets doesn't exist!" "$FUNCNAME"; return 1; }

	show_notice "Create Vault secrets started."

	for secret in `find $TARGET_DIR/secrets/ -iname '*.json' -type f ! -size 0 -print | sed "s!$TARGET_DIR/secrets/!!g" | sed "s/\.json//g"`; do
		vault write --address=$VAULT_ADDRESS secret/$secret @$TARGET_DIR/secrets/${secret}.json
	done

	return $err;
}

function vault_check() {
	local err=0; local check=0;
	one_try_timeout=1
	seconds_timeout=60

	seconds=`date +%s`
	endTime=$(( $(date +%s) + $seconds_timeout ))
	while [  $seconds -lt $endTime ]; do
		sleep $one_try_timeout
		seconds=`date +%s`

		show_notice "Seconds until timeout: $(( $(date +%s) - $endTime ))"
		nc -vz $VAULT_HOST $VAULT_PORT >/dev/null && \
		{ seconds=$(($endTime+1)); show_notice "Vault is available."; check=1; }
	done

	test $seconds -gt $endTime -a $check -ne 1 && \
	{ show_error "Something go wrong, during $seconds_timeout seconds vault doesn't available on $VAULT_ADDRESS" "$FUNCNAME"; return 1; }

	return $err;
}

function vault_check_init() {
	local err=0;

	show_notice "Starting check that Vault is initialised."
	vault operator init --address=$VAULT_ADDRESS -status
	result=$?
	if [ "${result}" -eq "2" ] ; then
		show_notice "Vault doesn't initialised, executing init."
		vault_init
	else
		show_notice "All OK Vault aleready initialised."
	fi

	return $err;
}

function vault_check_unseal() {
	local err=0;

	show_notice "Starting check that Vault is unsealed."
	vault status --address=$VAULT_ADDRESS
	result=$?
	if [ "${result}" -eq "2" ] ; then
		show_notice "Vault sealed, executing unseal."
		vault_unseal
	else
		show_notice "All OK Vault aleready unsealed."
	fi

	return $err;
}



#Check script usage
test $# -eq 1 || { show_error "Wrong script usage!" ""; show_usage; exit 1; }
test x"$1" == x"" && show_usage


test x"$1" = x"--init" && {

		show_notice "Vault init started."
		vault_check && \
		vault_check_init && \
		vault_check_unseal && \
		sleep 5 && vault_authorise && \
		vault_create_policies && \
		vault_create_tokens && \
		vault_create_secrets

		echo "Script ended with value: $?"
}

test x"$1" = x"--unseal" && {
	vault_unseal
}

test x"$1" = x"--authorise" && {
	vault_authorise
}

test x"$1" = x"--create-policies" && {
	vault_create_policies
}

test x"$1" = x"--create-tokens" && {
	vault_create_tokens
}

test x"$1" = x"--create-secrets" && {
	vault_create_secrets
}