Merge pull request #167 from hasbro17/haseeb/add-create-cluster-script

hack/helper: add create-cluster.sh script

hack/helper/create-cluster.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script creates a vault cluster, initializes and unseals the nodes and prints out the unseal key
+
+: ${KUBE_NS:?"Need to set KUBE_NS"}
+
+RETRY_INTERVAL=5
+
+kubectl version
+
+# Setup vault cluster
+kubectl -n ${KUBE_NS} create -f example/example_vault.yaml
+# TODO: Get cluster name from CR
+VAULT_CLUSTER_NAME="example-vault"
+
+# Wait for vault CR to appear
+until kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} > /dev/null 2>&1;
+do
+    echo "Waiting for vault CR"
+    sleep ${RETRY_INTERVAL}
+done
+
+# Get size of cluster N
+NUM_NODES=$(kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} -o jsonpath='{.spec.nodes}')
+
+# Wait for N sealed nodes
+echo "Waiting for ${NUM_NODES} sealed nodes..."
+NUM_SEALED=-1
+while [ "${NUM_SEALED}" -ne "${NUM_NODES}" ]
+do
+    sleep ${RETRY_INTERVAL}
+
+    SEALED_NODES=$(kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} -o jsonpath='{.status.sealedNodes}' | sed 's/^.\(.*\).$/\1/' )
+    IFS=' ' read -r -a SEALED_ARRAY <<< "${SEALED_NODES}"
+    NUM_SEALED=${#SEALED_ARRAY[@]}
+done
+
+# Init via the first sealed node
+echo $'Initializing vault\n'
+INIT_RESPONSE=$(kubectl -n ${KUBE_NS} exec ${SEALED_ARRAY[0]} \
+                -- /bin/sh -c "VAULT_ADDR=https://localhost:8200 VAULT_SKIP_VERIFY=true vault init --key-shares=1 --key-threshold=1" | tr '\n' ' ')
+
+# Write init response to file
+mkdir -p _output
+echo ${INIT_RESPONSE} > _output/init_response.txt
+echo "Unseal key and root token written to _output/init_response.txt"
+
+# Get the unseal key from the response
+UNSEAL_KEY=$(echo "${INIT_RESPONSE}" | sed 's/Unseal Key 1: \(.*\) Initial Root Token: .*/\1/')
+echo "UNSEAL KEY: ${UNSEAL_KEY}"
+
+# Unseal all the sealed nodes
+KUBE_NS=${KUBE_NS} VAULT_CLUSTER_NAME=${VAULT_CLUSTER_NAME} UNSEAL_KEY=${UNSEAL_KEY} hack/helper/unseal.sh
+
+# Wait for active node to show up
+ACT_NODE=""
+while [ -z "${ACT_NODE}" ]
+do
+    echo "Waiting for active node to show up"
+    sleep ${RETRY_INTERVAL}
+    ACT_NODE=$(kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} -o jsonpath='{.status.activeNode}')
+done
+
+echo "Vault cluster setup complete!"

hack/helper/unseal.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# This script unseals all sealed nodes of a vault cluster
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# TODO: Use command line arguments
+: ${KUBE_NS:?"Need to set KUBE_NS"}
+: ${VAULT_CLUSTER_NAME:?"Need to set VAULT_CLUSTER_NAME"}
+: ${UNSEAL_KEY:?"Need to set UNSEAL_KEY"}
+
+# Get all sealed nodes
+SEALED_NODES=$(kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} -o jsonpath='{.status.sealedNodes}' | sed 's/^.\(.*\).$/\1/' )
+if [ "${SEALED_NODES}" == "nil" ]; then
+    echo "No sealed nodes found"
+    exit 0
+fi
+IFS=' ' read -r -a SEALED_ARRAY <<< "${SEALED_NODES}"
+
+
+# Unseal all sealed nodes
+for NODE in "${SEALED_ARRAY[@]}"
+do
+    echo "Unsealing ${NODE}"
+    kubectl -n ${KUBE_NS} exec ${NODE} -- /bin/sh -c "VAULT_ADDR=https://localhost:8200 VAULT_SKIP_VERIFY=true vault unseal ${UNSEAL_KEY} > /dev/null"
+done

hack/helper/upgrade.sh

@@ -13,6 +13,8 @@ set -o pipefail
 # TODO: Check current version and automatically alternate between the two versions: 0.8.3-0 and 0.8.3-1
 : ${UPGRADE_TO:?"Need to set the vault version to upgrade to UPGRADE_TO"}
 
+RETRY_INTERVAL=5
+
 if ! kubectl version 1> /dev/null ; then
     echo "kubectl with kubeconfig needs to be setup"
     exit 1
@@ -41,42 +43,42 @@ echo "Waiting for ${NUM_NODES} sealed nodes after upgrade..."
 NUM_SEALED=-1
 while [ "${NUM_SEALED}" -ne "${NUM_NODES}" ]
 do
+    sleep ${RETRY_INTERVAL}
+
     SEALED_NODES=$(kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} -o jsonpath='{.status.sealedNodes}' | sed 's/^.\(.*\).$/\1/' )
     IFS=' ' read -r -a SEALED_ARRAY <<< "${SEALED_NODES}"
     NUM_SEALED=${#SEALED_ARRAY[@]}
 done
 
 # Unseal all sealed nodes
-for NODE in "${SEALED_ARRAY[@]}"
-do
-    echo "Unsealing ${NODE}"
-    kubectl -n ${KUBE_NS} exec ${NODE} -- /bin/sh -c "VAULT_ADDR=https://localhost:8200 VAULT_SKIP_VERIFY=true vault unseal ${UNSEAL_KEY}"
-done
+KUBE_NS=${KUBE_NS} VAULT_CLUSTER_NAME=${VAULT_CLUSTER_NAME} UNSEAL_KEY=${UNSEAL_KEY} hack/helper/unseal.sh
 
 # Wait until new active node is of the new version
 echo "Waiting until active node is of new version ${UPGRADE_TO}"
 IS_UPGRADED="false"
 while [ "${IS_UPGRADED}" != "true" ]
 do
     # Wait before retrying
-    sleep 2
+    sleep ${RETRY_INTERVAL}
 
     # Get the active node name
     ACT_NODE=$(kubectl -n ${KUBE_NS} get vault ${VAULT_CLUSTER_NAME} -o jsonpath='{.status.activeNode}')
     if [ -z "$ACT_NODE" ]; then
-        echo "No active node in status"
+        echo "No active node found in CR status. Retrying"
         continue
     fi
 
-    # Get the image version tag of the active pod. Retry if "get pod" fails (if the pod of the active node shown has been deleted)
-    IMAGE=$(kubectl -n ${KUBE_NS} get pod ${ACT_NODE} -o jsonpath='{.spec.containers[0].image}' || echo "")
+    # Get the image version tag of the active node's pod.
+    # Retry if "kubectl get pod" fails for some reason (if the pod of the active node shown has been deleted)
+    IMAGE=$( (kubectl -n ${KUBE_NS} get pod ${ACT_NODE} -o jsonpath='{.spec.containers[0].image}' 2> /dev/null) || echo "")
     if [ -z "$IMAGE" ]; then
+        echo "Get active pod ${ACT_NODE} failed. Retrying."
         continue
     fi
     IFS=':' read -r -a IMAGE_TOK <<< "${IMAGE}"
     VERSION=${IMAGE_TOK[1]}
 
-    echo "Current active node version: ${VERSION}"
+    echo "Current active node: (${ACT_NODE}), version: (${VERSION})"
     if [ "${VERSION}" == "${UPGRADE_TO}" ]; then
         IS_UPGRADED="true"
     fi