ops/vault: destroy existing secrets before provisioning a new one

This commit is contained in:
Luke Granger-Brown 2022-03-20 10:20:25 +00:00
parent 132cb805b3
commit 4020f310ce
2 changed files with 10 additions and 1 deletions

View file

@ -27,6 +27,9 @@
exit $RET exit $RET
fi fi
echo "$SECRET_ID" > /var/lib/vault-agent/secret-id echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
systemctl restart vault-agent
systemctl restart secretsmgr || true
''; '';
}; };
} }

View file

@ -10,5 +10,11 @@ export VAULT_ADDR=https://vault.int.lukegb.com/
echo Checking login credentials... >&2 echo Checking login credentials... >&2
vault token lookup >/dev/null || vault login -method=oidc role=admin >&2 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2
echo Destroying existing secrets for that server... >&2
vault list -format=json "auth/approle/role/${server_name}/secret-id" | jq -r '.[]' | while read -r secret_id_accessor; do
echo -ne "\t$secret_id_accessor\n"
vault write "auth/approle/role/${server_name}/secret-id-accessor/destroy" secret_id_accessor="${secret_id_accessor}"
done
echo Creating new secret... >&2 echo Creating new secret... >&2
vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token' vault write -f -format=json -wrap-ttl=3m "auth/approle/role/${server_name}/secret-id" | jq -r '.wrap_info.token'