Adding generic get-kv scripts (#7)

* Adding generic get-kv scripts Adding a couple generic "get kv" from tool scripts that can be used by other builds/tools * Upgrading Vault version for PLAT-3047 This uses the current version of the vault client * Adding put-consul-kv script and tests
asicsdigital · Jan 23, 2019 · 25e2251 · 25e2251
1 parent 034c1d3
commit 25e2251
Show file tree

Hide file tree

Showing 7 changed files with 137 additions and 2 deletions.
diff --git a/1.X/Dockerfile b/1.X/Dockerfile
@@ -3,7 +3,7 @@ FROM asicsdigital/dudewheresmy AS dudewheresmy
 # Download and verify the integrity of the download first
 FROM sethvargo/hashicorp-installer:0.1.3 AS installer
 ARG CONSUL_VERSION='1.4.0'
-ARG VAULT_VERSION='0.11.1'
+ARG VAULT_VERSION='1.0.2'
 RUN /install-hashicorp-tool "vault" "$VAULT_VERSION"
 RUN /install-hashicorp-tool "consul" "$CONSUL_VERSION"
 

diff --git a/1.X/scripts/functions b/1.X/scripts/functions
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -e
+set -o pipefail
+
+# Get value from Vault. Takes in two parameters <path> and  <field>
+function get_vault_kv {
+  vault_path=$1
+  vault_key=${2:-value}
+  if [[ "$VAULT_ADDR" ]]; then
+    #VAULT_KV=$(curl -s -H "X-Vault-Token: $(cat ~/.vault-token )" -X GET $VAULT_ADDR/v1/${vault_path} | jq -r .data.${vault_key})
+    VAULT_KV=$(vault kv get -field ${vault_key} ${vault_path})
+  fi
+}
+
+# PUT value from Consul prefix tasks a <path> parameters
+function put_consul_kv {
+  if [[ "$CONSUL_HTTP_ADDR" ]]; then
+    consul_path=$1
+    consul_value=$2
+    consul kv put ${consul_path} ${consul_value}
+  fi
+}
+
+# Get value from Consul prefix tasks a <path> parameters
+function get_consul_kv {
+  if [[ "$CONSUL_HTTP_ADDR" ]]; then
+    consul_path=$1
+    consul kv get $consul_path
+  fi
+}
+
+# Auth to Consul and set the correct env vars for use by other scripts and fucntions
+function auth_to_consul {
+  if [[ "$VAULT_ADDR" ]]; then
+    get_vault_kv "secret/consul" "http_auth"
+    CONSUL_HTTP_AUTH=$VAULT_KV
+    get_vault_kv "secret/consul" "http_addr"
+    CONSUL_HTTP_ADDR=$VAULT_KV
+    export CONSUL_HTTP_AUTH
+    export CONSUL_HTTP_ADDR
+  else
+    echo "MISSING VAULT_ADDR"
+    exit 1
+  fi
+}
diff --git a/1.X/scripts/get-consul-kv b/1.X/scripts/get-consul-kv
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+# Script for outputing consul kv values
+set -e
+set -o pipefail
+source /opt/hermes/bin/functions
+
+if [ -e "$(which consul)" ]; then
+  if [[ "$VAULT_ADDR" ]]; then
+    auth_to_consul
+    get_consul_kv $1
+    echo -n $CONSUL_KV
+  else
+    echo "MISSING VAULT_ADDR"
+    exit 1
+  fi
+else
+  echo "can not find consul"
+  exit 1
+fi
diff --git a/1.X/scripts/get-vault-kv b/1.X/scripts/get-vault-kv
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+# Script for outputing values from the Vault KV
+set -e
+set -o pipefail
+source /opt/hermes/bin/functions
+
+if [ -e "$(which vault)" ]; then
+  if [[ "$VAULT_ADDR" ]]; then
+    get_vault_kv $1 $2
+    echo -n $VAULT_KV
+  else
+    echo "MISSING VAULT_ADDR"
+    exit 1
+  fi
+else
+  echo "can not find vault"
+  exit 1
+fi
diff --git a/1.X/scripts/put-consul-kv b/1.X/scripts/put-consul-kv
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+# Script for outputing consul kv values
+set -e
+set -o pipefail
+source /opt/hermes/bin/functions
+
+if [ -e "$(which consul)" ]; then
+  if [[ "$VAULT_ADDR" ]]; then
+    auth_to_consul
+    consul_path=$1
+    consul_value=$2
+    put_consul_kv ${consul_path} ${consul_value}
+  else
+    echo "MISSING VAULT_ADDR"
+    exit 1
+  fi
+else
+  echo "can not find consul"
+  exit 1
+fi
diff --git a/1.X/tests/goss.yaml b/1.X/tests/goss.yaml
@@ -60,6 +60,34 @@ file:
     group: root
     filetype: file
     contains: []
+  /opt/hermes/bin/functions:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /opt/hermes/bin/get-vault-kv:
+    exists: true
+    mode: "0755"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /opt/hermes/bin/get-consul-kv:
+    exists: true
+    mode: "0755"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /opt/hermes/bin/put-consul-kv:
+    exists: true
+    mode: "0755"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
   /opt/hermes/bin/vault:
     exists: true
     mode: "0755"

diff --git a/README.md b/README.md
@@ -10,7 +10,9 @@ We've bundled a number of helpers.
 * `set-vault-token` - This helper authenticated to a vault server defined by `VAULT_ADDR` and places the token in `$HOME/.vault-token`
 * `get-iam-auth` - Helper for outputting $HOME/.aws/credentials for use by the terraform aws provider. In Addition this stores the lease_id in `$HOME/.env` for use later by `lease-revoke`
 * `lease-revoke` -  Helper for revoking vault leases sourced in from .env files
-
+* `get-consul-kv` - Get a plain test value out of Consul KV requires the Consul prefix (no leading slash) as the first Argument ex: `get-consul-kv foo/bar`
+* `put-consul-kv`-  Put a plain text value into the Consul KV requires the Consul path (no leading slash) as the first Argument and required the value of the prefix. Value can either be "value" or an input file if in the formate of `@input-file-name` ex: `put-consul-kv foo/bar baz` OR `put-consul-kv foo/bar @input-file`
+* `get-vault-kv` - Get a value from the Vault KV, requires the Vault KV prefix as the first argument, and optionally takes a parameter in the second position as the key name. (defaults to "value") ex: `get-vault-kv secret/foo bar`
 #### Environment Variables
 
 * `VAULT_ADDR` - Address of the Vault server expressed as a URL and port, ex: `VAULT_ADDR="https://vault.example.com"``