Skip to content

Commit

Permalink
fix: situation with nested paths/secrets (#24)
Browse files Browse the repository at this point in the history 
* fix: vault-backup validation
  • Loading branch information
@venkatamutyala
venkatamutyala authored Jan 18, 2024
1 parent 764d0ce commit 9a197f3
Showing 1 changed file with 49 additions and 5 deletions.
54 changes: 49 additions & 5 deletions vault-backup.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,22 +19,66 @@ aws s3 cp /app/vault_${date}.snap s3://${s3_destination}
unset VAULT_TOKEN
echo "Uploaded backup to s3. BUT we still need to validate the backup!!"
echo "Assuming vault-reader-role in vault"
export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=reader-role);
echo "Reading first secret available in current vault environment. if it was updated since the backup was taken then this backup may fail!"
FIRST_SECRET=$(vault list -format=json secret/metadata/ | jq -r '.[0]')
# Authenticate and set VAULT_TOKEN
export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=reader-role)

echo "Reading first secret available in current vault environment with actual data. If it was updated since the backup was taken then this backup may fail!"

# Global variable to store the first secret with data
FIRST_SECRET=""

# Function to find the first secret with data
function find_first_secret_with_data() {
# Exit if we have already found a secret
if [[ -n "$FIRST_SECRET" ]]; then
return
fi

local path=$1
local secrets=$(vault list -format=json "${path}" | jq -r '.[]' | grep -v '^\s*$')

for secret in $secrets; do
if [[ $secret == */ ]]; then
# It's a directory, go deeper
find_first_secret_with_data "${path}${secret}"
else
# Adjust the path for reading the secret
local adjusted_path="${path}${secret}"
adjusted_path=${adjusted_path/\/metadata\//\/data\/}
local secret_data=$(vault read -format=json "$adjusted_path" | jq '.data')
if [[ $secret_data != "{}" && $secret_data != "null" ]]; then
FIRST_SECRET="$adjusted_path"
return
fi
fi
done
}

# Find the first secret with actual data
find_first_secret_with_data "secret/metadata/"
echo "Found first secret with data: $FIRST_SECRET"

# Reading the data/values within the first secret
echo "Reading the data/values within the first secret"
VAULT_OUTPUT=$(vault read -format=json "secret/data/$FIRST_SECRET")
VAULT_OUTPUT=$(vault read -format=json "$FIRST_SECRET")
KEY_VALUES=$(echo $VAULT_OUTPUT | jq '.data.data')

# Rest of your script logic
echo "Getting s3 presigned url for vault backup"
BACKUP_S3_PRESIGNED_URL=$(aws s3 presign s3://${s3_destination} --expires-in 300)
echo "Getting s3 presigned url for vault access tokens"
TOKENS_S3_PRESIGNED_URL=$(aws s3 presign s3://${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-init/vault_access.json --expires-in 300)

BASE_JSON='{
"source_backup_url": "'"$BACKUP_S3_PRESIGNED_URL"'",
"source_keys_url": "'"$TOKENS_S3_PRESIGNED_URL"'",
"path_values_map":{},
"vault_version": "1.14.8"
}'
UPDATED_JSON=$(echo $BASE_JSON | jq --arg path "secret/$FIRST_SECRET" --argjson kv "$KEY_VALUES" '.path_values_map[$path] = $kv')

FIRST_SECRET_NO_PREFIX=${FIRST_SECRET#"secret/data/"}

UPDATED_JSON=$(echo $BASE_JSON | jq --arg path "secret/$FIRST_SECRET_NO_PREFIX" --argjson kv "$KEY_VALUES" '.path_values_map[$path] = $kv')

echo "Validating Backup now....."
curl glueops-backup-and-exports.glueops-core-backup.svc.cluster.local:8080/api/v1/validate --fail-with-body -X POST -d "${UPDATED_JSON}"

0 comments on commit 9a197f3

Please sign in to comment.