Clean up OpenBao config rerun output
@@ -204,6 +204,9 @@ successfully with a warning after applying the other bootstrap configuration.
|
||||
Treat declarative audit configuration in the OpenBao server config/Helm values
|
||||
as mandatory before production secrets move in.
|
||||
|
||||
The helper is idempotent. Re-running it should report existing `platform/` and
|
||||
`kubernetes/` paths as already enabled instead of failing the ceremony.
|
||||
|
||||
After the helper succeeds, create a non-root admin token:
|
||||
|
||||
```bash
|
||||
|
||||
@@ -117,23 +117,47 @@ enable_file_audit() {
|
||||
fi
|
||||
|
||||
status=$?
|
||||
printf '%s\n' "$output" >&2
|
||||
case "$output" in
|
||||
*"cannot enable audit device via API"*)
|
||||
warn "OpenBao rejected API-managed audit enable. Configure audit devices declaratively in the OpenBao server config/Helm values."
|
||||
return 0
|
||||
;;
|
||||
*"path is already in use"*)
|
||||
warn "OpenBao file audit device already appears to be enabled."
|
||||
printf 'OK: OpenBao file audit device already appears to be enabled.\n'
|
||||
return 0
|
||||
;;
|
||||
*)
|
||||
printf '%s\n' "$output" >&2
|
||||
warn "OpenBao audit enable failed with exit code $status."
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
enable_optional() {
|
||||
local token="$1"
|
||||
local already_message="$2"
|
||||
shift 2
|
||||
local output status
|
||||
if output="$(remote_bao "$token" "$@" 2>&1)"; then
|
||||
printf '%s\n' "$output"
|
||||
return 0
|
||||
fi
|
||||
|
||||
status=$?
|
||||
case "$output" in
|
||||
*"path is already in use"*)
|
||||
printf 'OK: %s\n' "$already_message"
|
||||
return 0
|
||||
;;
|
||||
*)
|
||||
printf '%s\n' "$output" >&2
|
||||
warn "OpenBao command failed with exit code $status: bao $*"
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
show_audit_list() {
|
||||
local token="$1"
|
||||
local output status
|
||||
@@ -143,12 +167,12 @@ show_audit_list() {
|
||||
fi
|
||||
|
||||
status=$?
|
||||
printf '%s\n' "$output" >&2
|
||||
if printf '%s\n' "$output" | grep -qi "No audit devices are enabled"; then
|
||||
warn "No API-visible audit devices are enabled. Treat declarative audit configuration as a follow-up before production secrets."
|
||||
return 0
|
||||
fi
|
||||
|
||||
printf '%s\n' "$output" >&2
|
||||
warn "OpenBao audit list failed with exit code $status."
|
||||
return 0
|
||||
}
|
||||
@@ -162,8 +186,8 @@ fi
|
||||
remote_bao "$token" status
|
||||
|
||||
enable_file_audit "$token"
|
||||
remote_bao "$token" secrets enable -path=platform kv-v2 || true
|
||||
remote_bao "$token" auth enable kubernetes || true
|
||||
enable_optional "$token" "platform/ KV secrets engine is already enabled." secrets enable -path=platform kv-v2
|
||||
enable_optional "$token" "kubernetes/ auth method is already enabled." auth enable kubernetes
|
||||
|
||||
remote_sh "$token" 'bao write auth/kubernetes/config \
|
||||
kubernetes_host="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
|
||||
|
||||
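Review bot: `status=$?` on the line right after `fi` in enable_optional (and likewise in enable_file_audit and show_audit_list) always sees 0, because a POSIX `if` whose condition fails and has no `else` branch exits with status zero, so the fallback `warn "OpenBao command failed with exit code $status: bao $*"` will always report exit code 0. Capture the status inside an else branch instead, replacing the bare `fi` after the early `return 0` with `else`, `status=$?`, `fi`, so the warning carries the real exit code of remote_bao. The same change applies to enable_file_audit, whose body starts before this hunk, and to show_audit_list, whose body continues past it. Matching on the literal text `path is already in use` ties the idempotent rerun path to OpenBao's current error wording; if that wording ever changes, a rerun falls through to the warn branch and still returns 0, so a comment on the `case "$output" in` line such as `# idempotence relies on OpenBao's "path is already in use" wording; re-check on upgrades` would make that dependency visible.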