Platform secret setup
This commit is contained in:
105
scripts/openbao-verify.sh
Executable file
105
scripts/openbao-verify.sh
Executable file
@@ -0,0 +1,105 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
|
||||
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
|
||||
KUBECTL="${KUBECTL:-kubectl}"
|
||||
MODE="${1:-basic}"
|
||||
|
||||
ok() { printf '[OK] %s\n' "$*"; }
|
||||
warn() { printf '[WARN] %s\n' "$*"; }
|
||||
err() { printf '[ERR] %s\n' "$*" >&2; }
|
||||
step() { printf '\n==> %s\n' "$*"; }
|
||||
|
||||
usage() {
|
||||
cat <<'USAGE'
|
||||
Usage: scripts/openbao-verify.sh [basic|post-unseal]
|
||||
|
||||
Runs non-secret OpenBao deployment checks. It never initializes, unseals, or
|
||||
prints tokens.
|
||||
|
||||
Environment:
|
||||
OPENBAO_NAMESPACE Kubernetes namespace. Default: openbao
|
||||
OPENBAO_RELEASE Helm release / pod prefix. Default: openbao
|
||||
KUBECTL kubectl command, including --kubeconfig if needed.
|
||||
USAGE
|
||||
}
|
||||
|
||||
if [ "$MODE" = "-h" ] || [ "$MODE" = "--help" ]; then
|
||||
usage
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$MODE" != "basic" ] && [ "$MODE" != "post-unseal" ]; then
|
||||
err "unknown mode: $MODE"
|
||||
usage >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
pod="${OPENBAO_RELEASE}-0"
|
||||
|
||||
check_cmd() {
|
||||
if ! command -v "${KUBECTL%% *}" >/dev/null 2>&1; then
|
||||
err "kubectl command not found: $KUBECTL"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
run() {
|
||||
# shellcheck disable=SC2086
|
||||
$KUBECTL "$@"
|
||||
}
|
||||
|
||||
check_cmd
|
||||
|
||||
step "OpenBao Kubernetes objects"
|
||||
run get namespace "$OPENBAO_NAMESPACE" >/dev/null
|
||||
ok "namespace exists: $OPENBAO_NAMESPACE"
|
||||
|
||||
run get pod "$pod" -n "$OPENBAO_NAMESPACE" >/dev/null
|
||||
ok "pod exists: $OPENBAO_NAMESPACE/$pod"
|
||||
|
||||
phase="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{.status.phase}')"
|
||||
ready="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{range .status.containerStatuses[*]}{.ready}{end}')"
|
||||
printf 'Pod phase: %s\n' "$phase"
|
||||
printf 'Container ready flags: %s\n' "${ready:-none}"
|
||||
|
||||
run get svc -n "$OPENBAO_NAMESPACE" \
|
||||
"${OPENBAO_RELEASE}" \
|
||||
"${OPENBAO_RELEASE}-active" \
|
||||
"${OPENBAO_RELEASE}-internal" \
|
||||
"${OPENBAO_RELEASE}-ui" >/dev/null
|
||||
ok "expected services exist"
|
||||
|
||||
run get pvc -n "$OPENBAO_NAMESPACE" >/dev/null
|
||||
ok "PVC query succeeded"
|
||||
|
||||
step "OpenBao seal/init status"
|
||||
if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status; then
|
||||
ok "bao status command succeeded"
|
||||
else
|
||||
warn "bao status failed. Check pod logs and command availability."
|
||||
fi
|
||||
|
||||
if [ "$MODE" = "basic" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
step "Post-unseal unauthenticated checks"
|
||||
if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/audit'; then
|
||||
ok "audit directory exists"
|
||||
else
|
||||
warn "audit directory missing or inaccessible"
|
||||
fi
|
||||
|
||||
if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/data'; then
|
||||
ok "raft data directory exists"
|
||||
else
|
||||
warn "raft data directory missing or inaccessible"
|
||||
fi
|
||||
|
||||
warn "Authenticated checks are intentionally not run here."
|
||||
warn "After unseal/configuration, verify with a platform-admin token:"
|
||||
warn " bao audit list"
|
||||
warn " bao secrets list"
|
||||
warn " bao auth list"
|
||||
Reference in New Issue
Block a user