-
Notifications
You must be signed in to change notification settings - Fork 3
/
Taskfile.yml
160 lines (137 loc) · 5.18 KB
/
Taskfile.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# https://taskfile.dev
version: 3
output: prefixed
silent: false
vars:
VERSION: "0.9"
PROJECT_ROOT:
sh: pwd
ADDR_DEFAULT: "[::]"
DEV_PORT: 8200
DEV_ADDR: '{{.ADDR_DEFAULT}}:{{.DEV_PORT}}'
DEV_OPTIONS: '{"listener": [{"tcp":{"address": "{{.DEV_ADDR}}","tls_disable":"1"}}], "ui": true, "api_addr": "http://127.0.0.1:{{.DEV_PORT}}"}'
DEV_ROOT_TOKEN_ID: SP2021
VAULT_PORT: 8200
# DEV_OPTIONS: '{"listener": [{"tcp":{"address": "{{.DEV_ADDR}}","tls_disable":"1"}}], "ui": true, "api_addr": "http://127.0.0.1:{{.DEV_PORT}}"}'
# DEV_OPTIONS: '{"listener": [{"tcp":{"address": "{{.DEV_ADDR}}","tls_disable":"1"}}], "ui": true, "api_addr": "http://127.0.0.1:8101"}'
VAULT_DEV_ROOT_TOKEN_ID: SP2021
VAULT_DEV_LISTEN_ADDRESS: localhost:8100
env:
VAULT_ADDR: "http://localhost:{{.DEV_PORT}}"
MAIN_VAULT_ADDR: http://localhost:{{.VAULT_PORT}}
MAIN_VAULT_PORT: 8300
MAIN_VAULT_VOLUME_ROOT: ./volumes/vault
TRANSIT_VAULT_PORT: 8200
TRANSIT_VAULT_ADDR: http://localhost:{{.TRANSIT_VAULT_PORT}}
TRANSIT_VAULT_VOLUME_ROOT: ./volumes/transit
tasks:
dev:_stop:
desc: Stop the vaultDEV container
ignore_error: true
cmds:
- docker stop vaultDEV
dev:_rm:
desc: Delete the vaultDEV container
ignore_error: true
cmds:
- docker rm vaultDEV
dev:start:
desc: Start the vaultDEV container on {{.DEV_ADDR}}.
summary: |
This task stops the vault-dev container, deletes it and finaly starts it.
Runs on localhost entry point {{.VAULT_DEV_LISTEN_ADDRESS}}. Token is '{{.VAULT_DEV_LISTEN_ADDRESS}}'
env:
VAULT_DEV_ROOT_TOKEN_ID: "{{.VAULT_DEV_ROOT_TOKEN_ID}}"
VAULT_DEV_LISTEN_ADDRESS: "{{.VAULT_DEV_LISTEN_ADDRESS}}"
VAULT_API_ADDR: "{{.VAULT_DEV_LISTEN_ADDRESS}}"
DEV_PORT: "{{.DEV_PORT}}"
# -e 'VAULT_LOCAL_CONFIG={{.DEV_OPTIONS}}'
dir: vaultserver
cmds:
- task: dev:_stop
- task: dev:_rm
- echo starting Vault-dev on {{.VAULT_DEV_LISTEN_ADDRESS}}
- docker compose -f docker-compose.yml run vault-dev
dev:init:
env:
VAULT_TOKEN: "{{.VAULT_DEV_ROOT_TOKEN_ID}}"
VAULT_ADDR: "http://{{.VAULT_DEV_LISTEN_ADDRESS}}"
cmds:
- echo add policies, secrets and tokens for secret/DIGIT/ULYSSE using $VAULT_ADDR with token $VAULT_TOKEN
- docker run --rm --cap-add=IPC_LOCK
-e 'VAULT_DEV_ROOT_TOKEN_ID={{.DEV_ROOT_TOKEN_ID}}'
-e 'VAULT_LOCAL_CONFIG={{.DEV_OPTIONS}}'
-p {{.DEV_PORT}}:{{.DEV_PORT}}/tcp dockerfile-VaultDEV-init vaultinit
dev:brol:
cmds:
- docker run -it --rm \
--env VAULT_TOKEN:={{.VAULT_DEV_ROOT_TOKEN_ID}} \
--env VAULT_ADDR=http://localhost:.DEV_PORT \
--link vault \
--name summon summon
- task: dev:init:_policies
- task: dev:init:_secrets
- task: dev:init:_tokens
dev:init:_policies:
env:
VAULT_TOKEN: "{{.DEV_ROOT_TOKEN_ID}}"
VAULT_ADDR: "{{.VAULT_ADDR}}"
cmds:
- vault policy write ULYSSE-developer vault-DEV-config/ULYSSE-developer.hcl
- vault policy write ULYSSE-operation vault-DEV-config/ULYSSE-operation.hcl
- vault policy write ULYSSE-servers vault-DEV-config/ULYSSE-servers.hcl
- vault policy write ULYSSE-server-prod vault-DEV-config/ULYSSE-server-prod.hcl
dev:init:_secrets:
env:
VAULT_TOKEN: "{{.VAULT_DEV_ROOT_TOKEN_ID}}"
VAULT_ADDR: "{{.VAULT_ADDR}}"
cmds:
- vault kv put secret/DIGIT/ULYSSE/dev password=my-long-password-dev
- vault kv put secret/DIGIT/ULYSSE/test password=my-long-password-test
- vault kv put secret/DIGIT/ULYSSE/acc password=my-long-password-acc
- vault kv put secret/DIGIT/ULYSSE/prod password=my-long-password-prod
dev:init:_tokens:
env:
VAULT_TOKEN: "{{.VAULT_DEV_ROOT_TOKEN_ID}}"
VAULT_ADDR: "{{.VAULT_ADDR}}"
cmds:
- sudo --stdin vault token create -id dev -policy=ULYSSE-developer -display-name Developers
- sudo --stdin vault token create -id ops policy=ULYSSE-operation -display-name Operational Team
- sudo --stdin vault token create -id dc -policy=ULYSSE-servers -display-name DC
- sudo --stdin vault token create -id dcPROD -policy=ULYSSE-server-prod -display-name DC PROD
compose-run-transit:
dir: vaultserver
cmds:
- docker compose -f docker-compose.yml run transitvault
silent: false
compose-run-vault:
dir: vaultserver
cmds:
- docker compose -f docker-compose.yml run vault
compose-run:
dir: vaultserver
cmds:
- docker compose -f docker-compose.yml run transitvault vault
silent: false
default:
cmds:
- echo DEV_VAULT_ADDR "{{.VAULT_ADDR}}"
- echo DEV_ROOT_TOKEN_ID "{{.VAULT_DEV_ROOT_TOKEN_ID}}"
# VAULT_RETRIES=5
# echo "Vault is starting..."
# until vault status > /dev/null 2>&1 || [ "$VAULT_RETRIES" -eq 0 ]; do
#echo "Waiting for vault to start...: $((VAULT_RETRIES--))"
# sleep 1
# done
#
# echo "Authenticating to vault..."
# vault login token=vault-plaintext-root-token
#
# echo "Initializing vault..."
# vault secrets enable -version=2 -path=my.secrets kv
#
# echo "Adding entries..."
# vault kv put my.secrets/dev username=test_user
# vault kv put my.secrets/dev password=test_password
#
# echo "Complete..."