106 lines
2.7 KiB
Bash
Executable File
106 lines
2.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
OPENBAO_NAMESPACE="${OPENBAO_NAMESPACE:-openbao}"
|
|
OPENBAO_RELEASE="${OPENBAO_RELEASE:-openbao}"
|
|
KUBECTL="${KUBECTL:-kubectl}"
|
|
MODE="${1:-basic}"
|
|
|
|
ok() { printf '[OK] %s\n' "$*"; }
|
|
warn() { printf '[WARN] %s\n' "$*"; }
|
|
err() { printf '[ERR] %s\n' "$*" >&2; }
|
|
step() { printf '\n==> %s\n' "$*"; }
|
|
|
|
usage() {
|
|
cat <<'USAGE'
|
|
Usage: scripts/openbao-verify.sh [basic|post-unseal]
|
|
|
|
Runs non-secret OpenBao deployment checks. It never initializes, unseals, or
|
|
prints tokens.
|
|
|
|
Environment:
|
|
OPENBAO_NAMESPACE Kubernetes namespace. Default: openbao
|
|
OPENBAO_RELEASE Helm release / pod prefix. Default: openbao
|
|
KUBECTL kubectl command, including --kubeconfig if needed.
|
|
USAGE
|
|
}
|
|
|
|
if [ "$MODE" = "-h" ] || [ "$MODE" = "--help" ]; then
|
|
usage
|
|
exit 0
|
|
fi
|
|
|
|
if [ "$MODE" != "basic" ] && [ "$MODE" != "post-unseal" ]; then
|
|
err "unknown mode: $MODE"
|
|
usage >&2
|
|
exit 2
|
|
fi
|
|
|
|
pod="${OPENBAO_RELEASE}-0"
|
|
|
|
check_cmd() {
|
|
if ! command -v "${KUBECTL%% *}" >/dev/null 2>&1; then
|
|
err "kubectl command not found: $KUBECTL"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
run() {
|
|
# shellcheck disable=SC2086
|
|
$KUBECTL "$@"
|
|
}
|
|
|
|
check_cmd
|
|
|
|
step "OpenBao Kubernetes objects"
|
|
run get namespace "$OPENBAO_NAMESPACE" >/dev/null
|
|
ok "namespace exists: $OPENBAO_NAMESPACE"
|
|
|
|
run get pod "$pod" -n "$OPENBAO_NAMESPACE" >/dev/null
|
|
ok "pod exists: $OPENBAO_NAMESPACE/$pod"
|
|
|
|
phase="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{.status.phase}')"
|
|
ready="$(run get pod "$pod" -n "$OPENBAO_NAMESPACE" -o jsonpath='{range .status.containerStatuses[*]}{.ready}{end}')"
|
|
printf 'Pod phase: %s\n' "$phase"
|
|
printf 'Container ready flags: %s\n' "${ready:-none}"
|
|
|
|
run get svc -n "$OPENBAO_NAMESPACE" \
|
|
"${OPENBAO_RELEASE}" \
|
|
"${OPENBAO_RELEASE}-active" \
|
|
"${OPENBAO_RELEASE}-internal" \
|
|
"${OPENBAO_RELEASE}-ui" >/dev/null
|
|
ok "expected services exist"
|
|
|
|
run get pvc -n "$OPENBAO_NAMESPACE" >/dev/null
|
|
ok "PVC query succeeded"
|
|
|
|
step "OpenBao seal/init status"
|
|
if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- bao status; then
|
|
ok "bao status command succeeded"
|
|
else
|
|
warn "bao status failed. Check pod logs and command availability."
|
|
fi
|
|
|
|
if [ "$MODE" = "basic" ]; then
|
|
exit 0
|
|
fi
|
|
|
|
step "Post-unseal unauthenticated checks"
|
|
if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/audit'; then
|
|
ok "audit directory exists"
|
|
else
|
|
warn "audit directory missing or inaccessible"
|
|
fi
|
|
|
|
if run exec -n "$OPENBAO_NAMESPACE" "$pod" -- sh -c 'test -d /openbao/data'; then
|
|
ok "raft data directory exists"
|
|
else
|
|
warn "raft data directory missing or inaccessible"
|
|
fi
|
|
|
|
warn "Authenticated checks are intentionally not run here."
|
|
warn "After unseal/configuration, verify with a platform-admin token:"
|
|
warn " bao audit list"
|
|
warn " bao secrets list"
|
|
warn " bao auth list"
|