#!/usr/bin/env bash
# Creates a root token on every eligible cluster (or only the cluster named as $1) and prints it to stdout.
# The printed value is a live root token: treat the output as a secret and revoke the token when done.
# Shared helpers (msg, the per-cluster wrapper commands) and environment are
# expected to come from the two sibling scripts in this directory.
source ./.helper-functions.sh
source ./prepare-env.sh
# On Ctrl-C, cancel any in-progress generate-root attempt. The handler is
# defined further down; bash resolves the name when the signal arrives.
trap cleanup INT
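cleanup() {
  # SIGINT handler: cancel an in-progress generate-root attempt on $VAULT so a
  # half-fed nonce/OTP is not left live on the cluster, then stop the script.
  #
  # Globals: VAULT (read) - cluster command set by print_root_token; empty until
  #          the first cluster is processed, in which case there is nothing to cancel.
  local status started
  if [[ -n "${VAULT:-}" ]]; then
    status="$($VAULT operator generate-root -status -format=json)"
    started="$(jq -r .started <<< "$status")"
    # Quoted comparison inside [[ ]]: an unquoted $(...) that expands to nothing
    # (status call failed) turns the test into a syntax error instead of "false".
    if [[ "$started" == "true" ]]; then
      $VAULT operator generate-root -cancel
    fi
  fi
  # After a trapped SIGINT bash resumes the script where it was interrupted;
  # exiting here keeps the remaining steps from running against a cancelled
  # attempt (and from printing a bogus "success" line). 130 = 128 + SIGINT.
  exit 130
}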
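generate_root_token() {
  # Run one generate-root attempt against $VAULT: start it, feed recovery key
  # shares until Vault reports the attempt complete, then decode the token.
  #
  # Globals:  VAULT (read) - cluster command, set by print_root_token
  # Inputs:   ./keys/primary-init.json - "recovery_keys_b64" array as written by
  #           `vault operator init` for the primary
  # Outputs:  the decoded root token on stdout (the caller captures it), so all
  #           diagnostics go to stderr
  # Returns:  1 when the key file is unusable, the attempt cannot be started, or
  #           no encoded token was produced
  #
  # SECURITY: every recovery share is read from one plaintext file on this host,
  # so the Shamir threshold protects nothing beyond that file's permissions.
  # The OTP and the encoded token are passed as command-line flags, which other
  # local users can read from `ps` / /proc/<pid>/cmdline while the decode runs.
  # Acceptable for a lab; not a pattern to reuse against production clusters.
  local -a shares
  local otp nonce share step encoded_token=""
  if [[ ! -r ./keys/primary-init.json ]]; then
    printf 'generate_root_token: ./keys/primary-init.json is missing or unreadable\n' >&2
    return 1
  fi
  mapfile -t shares < <(jq -r '.recovery_keys_b64[]' < ./keys/primary-init.json)
  # Refuse to open an attempt we could never complete (nothing to feed it).
  if (( ${#shares[@]} == 0 )); then
    printf 'generate_root_token: no recovery_keys_b64 entries in ./keys/primary-init.json\n' >&2
    return 1
  fi
  # $VAULT is deliberately unquoted: it is the per-cluster wrapper command.
  otp="$($VAULT operator generate-root -format=json -init | jq -r .otp)"
  nonce="$($VAULT operator generate-root -format=json -status | jq -r .nonce)"
  if [[ -z "$otp" || "$otp" == "null" || -z "$nonce" || "$nonce" == "null" ]]; then
    printf 'generate_root_token: could not start a generate-root attempt (otp/nonce missing)\n' >&2
    return 1
  fi
  for share in "${shares[@]}"; do
    # Shares go in via a here-string, not argv, so they never appear in `ps`.
    step="$($VAULT operator generate-root -nonce="$nonce" -format=json - <<< "$share")"
    encoded_token="$(jq -r .encoded_token <<< "$step")"
    # Stop once Vault reports the attempt complete. Feeding every share
    # unconditionally only works when threshold == number of shares; a share
    # submitted after completion is presumably rejected, which would overwrite
    # encoded_token with an empty/null value.
    if [[ "$(jq -r .complete <<< "$step")" == "true" ]]; then
      break
    fi
  done
  if [[ -z "$encoded_token" || "$encoded_token" == "null" ]]; then
    printf 'generate_root_token: no encoded token after feeding %d share(s)\n' "${#shares[@]}" >&2
    return 1
  fi
  $VAULT operator generate-root -nonce="$nonce" -decode="$encoded_token" -otp="$otp"
}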
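print_root_token() {
  # Generate a root token for cluster $1 and report it via msg.
  #
  # Arguments: $1 - cluster name (north|east|west); it doubles as the command
  #            that wraps the vault CLI for that cluster
  # Globals:   VAULT (written) - the cluster command, read by generate_root_token
  #            and by the SIGINT cleanup handler
  #            ROOT_TOKEN (written) - the generated token
  # Returns:   1 when generate_root_token produced nothing
  #
  # SECURITY: the token is echoed to stdout, so it lands in terminal scrollback
  # and in any session/CI log capturing this script. Revoke it once it has
  # served its purpose.
  VAULT=$1
  msg info "Generating token for ${1^} cluster:"
  ROOT_TOKEN="$(generate_root_token)"
  # An empty token means the generate step failed; say so rather than printing
  # a "success" line with nothing after the colon.
  if [[ -z "$ROOT_TOKEN" ]]; then
    msg error "${1^} Root Token: generation failed"
    return 1
  fi
  msg success "${1^} Root Token: $ROOT_TOKEN"
}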
determine_valid_cluster() {
  # Skip a cluster whose DR replication mode is "secondary"; otherwise hand it
  # to print_root_token.
  #
  # Arguments: $1 - cluster command/name
  # Globals:   MODE (written) - replication mode reported by the cluster. Left
  #            global on purpose: the final cancel step at the bottom of the
  #            script reads it. Errors from the read and from jq are silenced,
  #            so an unreachable cluster or a missing endpoint leaves MODE empty
  #            and the cluster is treated as eligible.
  local cluster=$1
  MODE="$($cluster read -format=json sys/replication/dr/status 2> /dev/null | jq -r .data.mode 2> /dev/null)"
  case "$MODE" in
    secondary)
      msg info "${cluster^} cluster is a DR secondary, skipping..."
      ;;
    *)
      print_root_token $cluster
      ;;
  esac
}
parse_arguments() {
  # Dispatch on the optional cluster argument: with none, examine every cluster
  # in turn; with one, validate the name before examining it.
  #
  # Arguments: $1 - optional cluster name, one of north|east|west
  # Outputs:   progress lines via msg; an error line for an unknown name
  local cluster
  if [[ -n "$1" ]]; then
    case $1 in
      north|east|west)
        determine_valid_cluster $1 ;;
      *)
        msg error "Invalid cluster: $1. Specify a cluster from [north east west]" ;;
    esac
    return
  fi
  msg aloha "Determining Primary and Performance clusters..."
  for cluster in north east west; do
    determine_valid_cluster $cluster
  done
}
# Entry point: optional cluster name as the first argument.
parse_arguments $1
# Cleanup any unfinished attempts if we make it this far
# NOTE(review): this only fires when the LAST cluster examined was a DR
# secondary ($MODE is global, rewritten per cluster by determine_valid_cluster),
# while $VAULT still names the last cluster that actually generated a token -
# so the cancel goes to that cluster, not to the secondary. Confirm this pairing
# is intended.
# NOTE(review): "1>&2 > /dev/null" ends with stdout on /dev/null and stderr
# untouched; if the goal was to silence both, the order would be
# "> /dev/null 2>&1". Note also that "-a" inside [ ] is deprecated.
[ -n "$VAULT" -a "$MODE" == "secondary" ] && $VAULT operator generate-root -cancel 1>&2 > /dev/null