Merge pull request #1140 from OWASP/fix/gcp-ingress-vault

fix: move gcp ingress to consul/vault script
OWASP · Dec 13, 2023 · 3af6f8f · 3af6f8f
2 parents eaf9925 + 6a2db25
commit 3af6f8f
Showing 1 changed file with 2 additions and 75 deletions.
diff --git a/gcp/k8s-vault-gcp-ingress-start.sh b/gcp/k8s-vault-gcp-ingress-start.sh
@@ -33,82 +33,9 @@ else
   kubectl apply -f ../k8s/challenge33.yml
 fi
 
-helm list | grep 'consul' &>/dev/null
-if [ $? == 0 ]; then
-  echo "Consul is already installed"
-else
-  helm repo add hashicorp https://helm.releases.hashicorp.com
-  helm install consul hashicorp/consul --values ../k8s/helm-consul-values.yml
-fi
-
-while [[ $(kubectl get pods -l app=consul -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True True True True True True" ]]; do echo "waiting for Consul" && sleep 2; done
-
-helm list | grep 'vault' &>/dev/null
-if [ $? == 0 ]; then
-  echo "Vault is already installed"
-else
-  helm repo add hashicorp https://helm.releases.hashicorp.com
-  helm install vault hashicorp/vault --values ../k8s/helm-vault-values.yml
-fi
+source ../scripts/install-consul.sh
 
-isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running)
-while [[ $isvaultrunning != *"vault-0"* ]]; do echo "waiting for Vault0" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
-while [[ $isvaultrunning != *"vault-1"* ]]; do echo "waiting for Vaul1" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
-while [[ $isvaultrunning != *"vault-2"* ]]; do echo "waiting for Vaul2" && sleep 2 && isvaultrunning=$(kubectl get pods --field-selector=status.phase=Running); done
-
-echo "Setting up port forwarding"
-kubectl port-forward vault-0 -n vault 8200:8200 &
-echo "Unsealing Vault"
-kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json >cluster-keys.json
-cat cluster-keys.json | jq -r ".unseal_keys_b64[]"
-VAULT_UNSEAL_KEY=$(cat cluster-keys.json | jq -r ".unseal_keys_b64[]")
-kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY
-kubectl exec vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY
-
-echo "Obtaining root token"
-jq .root_token cluster-keys.json >commentedroottoken
-
-sed "s/^\([\"']\)\(.*\)\1\$/\2/g" commentedroottoken >root_token
-ROOTTOKEN=$(cat root_token)
-
-echo "Logging in"
-kubectl exec vault-0 -- vault login $ROOTTOKEN
-
-echo "Enabling kv-v2 kubernetes"
-kubectl exec vault-0 -- vault secrets enable -path=secret kv-v2
-
-echo "Putting a secret in"
-kubectl exec vault-0 -- vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
-
-echo "Enable k8s auth"
-kubectl exec vault-0 -- vault auth enable kubernetes
-
-echo "Writing k8s auth config"
-
-kubectl exec vault-0 -- /bin/sh -c 'vault write auth/kubernetes/config \
-        token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-        kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
-        kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
-
-echo "Writing policy for secret-challenge"
-kubectl exec vault-0 -- /bin/sh -c 'vault policy write secret-challenge - <<EOF
-path "secret/data/secret-challenge" {
-  capabilities = ["read"]
-}
-path "secret/data/application" {
-  capabilities = ["read"]
-}
-EOF'
-
-echo "Write secrets for secret-challenge"
-kubectl exec vault-0 -- vault write auth/kubernetes/role/secret-challenge \
-  bound_service_account_names=vault \
-  bound_service_account_namespaces=default \
-  policies=secret-challenge \
-  ttl=24h &&
-  vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)" &&
-  vault kv put secret/application vaultpassword.password="$(openssl rand -base64 16)"
+source ../scripts/install-vault.sh
 
 echo "Add secrets manager driver to repo"
 helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts