railiance-platform/scripts/openbao-verify.sh


#!/usr/bin/env bash
# openbao-verify.sh — read-only deployment checks for an OpenBao Helm release.
# Abort on any unhandled error, unset variable, or failed pipeline stage.
set -euo pipefail

# Operator-tunable settings; each keeps an existing non-empty value and only
# falls back to the default when unset or empty. All are documented in usage().
: "${OPENBAO_NAMESPACE:=openbao}"   # Kubernetes namespace holding the release
: "${OPENBAO_RELEASE:=openbao}"     # Helm release name; the inspected pod is "<release>-0"
: "${KUBECTL:=kubectl}"             # kubectl command, may include flags such as --kubeconfig
MODE="${1:-basic}"                  # basic | post-unseal | -h | --help
# ok MSG...: report a passed check on stdout as a single "[OK] ..." line.
ok() {
  local message="$*"
  printf '[OK] %s\n' "$message"
}
# warn MSG...: report a soft finding on stdout as a single "[WARN] ..." line.
# Warnings are part of the report, so they go to stdout like ok lines.
warn() {
  local message="$*"
  printf '[WARN] %s\n' "$message"
}
# err MSG...: report a hard error on stderr as a single "[ERR] ..." line.
# Only errors go to stderr so that stdout stays a clean check report.
err() {
  local message="$*"
  printf '[ERR] %s\n' "$message" >&2
}
# step TITLE...: print a blank-line-separated section header on stdout.
step() {
  local title="$*"
  printf '\n==> %s\n' "$title"
}
# usage: print the help text to stdout. Callers that report a bad argument
# redirect it to stderr themselves.
usage() {
  printf '%s\n' \
    'Usage: scripts/openbao-verify.sh [basic|post-unseal]' \
    'Runs non-secret OpenBao deployment checks. It never initializes, unseals, or' \
    'prints tokens.' \
    'Environment:' \
    'OPENBAO_NAMESPACE Kubernetes namespace. Default: openbao' \
    'OPENBAO_RELEASE Helm release / pod prefix. Default: openbao' \
    'KUBECTL kubectl command, including --kubeconfig if needed.'
}
# Validate the requested mode before touching the cluster. Help exits 0;
# an unknown mode exits 2 with the usage text on stderr.
case "$MODE" in
  -h|--help)
    usage
    exit 0
    ;;
  basic|post-unseal)
    ;;
  *)
    err "unknown mode: $MODE"
    usage >&2
    exit 2
    ;;
esac

# The release name is also the pod prefix (see usage); the first replica,
# "<release>-0", is the instance every later check inspects.
pod="${OPENBAO_RELEASE}-0"
# check_cmd: exit 1 unless the executable named by $KUBECTL can be found.
# Only the first word is resolved because KUBECTL is allowed to carry flags
# (e.g. "kubectl --kubeconfig /path"); the value is operator-supplied and
# trusted like any other local tool path.
check_cmd() {
  local kubectl_bin="${KUBECTL%% *}"
  command -v "$kubectl_bin" >/dev/null 2>&1 && return 0
  err "kubectl command not found: $KUBECTL"
  exit 1
}
# run ARGS...: invoke $KUBECTL with ARGS appended.
# $KUBECTL is expanded unquoted on purpose so that a value like
# "kubectl --kubeconfig /path" splits into the command plus its flags;
# the caller's arguments are forwarded exactly as given.
run() {
  local -a kubectl_args=("$@")
  # shellcheck disable=SC2086 -- intentional word-splitting of KUBECTL
  $KUBECTL "${kubectl_args[@]}"
}
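check_cmd

# Overall result: stays 0 while every check passes, becomes 1 on the first
# reported problem, and is the script's exit status in both modes. Without
# this the script exited 0 even when it had just reported that OpenBao was
# still sealed or the audit log was missing, so it could not gate anything.
rc=0

step "OpenBao Kubernetes objects"
# Under `set -e` a missing namespace, pod or service aborts right here with
# kubectl's own error message; the ok lines below only print on success.
run get namespace "$OPENBAO_NAMESPACE" >/dev/null
ok "namespace exists: $OPENBAO_NAMESPACE"
run get pod "$pod" -n "$OPENBAO_NAMESPACE" >/dev/null
ok "pod exists: $OPENBAO_NAMESPACE/$pod"
phase="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{.status.phase}')"
ready="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{range .status.containerStatuses[*]}{.ready}{end}')"
printf 'Pod phase: %s\n' "$phase"
printf 'Container ready flags: %s\n' "${ready:-none}"
# Informational only: a sealed server is typically still Running with
# readiness false, so a non-Running phase is reported but does not fail rc.
if [ "$phase" != "Running" ]; then
  warn "pod phase is ${phase:-unknown}; expected Running"
fi
# Service names follow the OpenBao Helm chart defaults; adjust here if the
# chart values rename them.
run get svc -n "$OPENBAO_NAMESPACE" \
  "${OPENBAO_RELEASE}" \
  "${OPENBAO_RELEASE}-active" \
  "${OPENBAO_RELEASE}-internal" \
  "${OPENBAO_RELEASE}-ui" >/dev/null
ok "expected services exist"
run get pvc -n "$OPENBAO_NAMESPACE" >/dev/null
ok "PVC query succeeded"

step "OpenBao seal/init status"
# `bao status` is expected to report only seal/init/HA state (no tokens or
# unseal keys), so echoing its raw output is safe. Exit code 2 is the
# "sealed" signal and is not an error for this script; any other non-zero
# code is. Capture the status without tripping `set -e`.
status_code=0
status_output="$(run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status 2>&1)" || status_code=$?
printf '%s\n' "$status_output"
# Pull the two fields we branch on out of the "Key Value" table.
status_initialized="$(printf '%s\n' "$status_output" | awk '$1 == "Initialized" {print $2; exit}')"
status_sealed="$(printf '%s\n' "$status_output" | awk '$1 == "Sealed" {print $2; exit}')"
if [ "$status_code" -eq 0 ]; then
  ok "bao status command succeeded"
elif [ "$status_code" -eq 2 ] && [ "$status_sealed" = "true" ]; then
  if [ "$status_initialized" = "false" ] && [ "$MODE" = "basic" ]; then
    ok "OpenBao is reachable and waiting for first init/unseal ceremony"
  elif [ "$MODE" = "basic" ]; then
    ok "OpenBao is reachable and sealed"
  else
    # post-unseal mode asserts an unsealed server; a sealed (or not yet
    # initialized) one means the remaining checks prove nothing, so fail.
    warn "OpenBao is still sealed; post-unseal verification is not complete"
    rc=1
  fi
else
  warn "bao status failed. Check pod logs and command availability."
  rc=1
fi

if [ "$MODE" = "basic" ]; then
  exit "$rc"
fi

# pod_test FLAG PATH OK_MSG FAIL_MSG
# Runs `test FLAG PATH` inside the pod's shell and prints OK_MSG or FAIL_MSG.
# FLAG and PATH are handed to sh as positional parameters instead of being
# interpolated into the -c string, so their contents can never reshape the
# command line. Returns 1 when the test fails or exec itself fails.
pod_test() {
  local flag="$1" path="$2" ok_msg="$3" fail_msg="$4"
  if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test "$1" "$2"' sh "$flag" "$path" >/dev/null 2>&1; then
    ok "$ok_msg"
    return 0
  fi
  warn "$fail_msg"
  return 1
}

step "Post-unseal unauthenticated checks"
# These are filesystem probes only: a present, non-empty audit log shows the
# file audit device has written at least once, not that it is enabled right
# now. The paths assume the chart's default volume layout — confirm against
# the deployed values if they fail unexpectedly.
pod_test -d /openbao/audit \
  "audit directory exists" \
  "audit directory missing or inaccessible" || rc=1
pod_test -s /openbao/audit/openbao-audit.log \
  "audit log file exists and is non-empty" \
  "audit log file missing or empty; declarative file audit is not verified" || rc=1
pod_test -d /openbao/data \
  "raft data directory exists" \
  "raft data directory missing or inaccessible" || rc=1

# Anything that needs a token is left to the operator on purpose: this script
# must stay runnable without ever handling credentials.
warn "Authenticated checks are intentionally not run here."
warn "After unseal/configuration, verify with a platform-admin token:"
warn " bao audit list"
warn " bao secrets list"
warn " bao auth list"
exit "$rc"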