(enos) generalize container startup script (#31483)

This commit is contained in:
Luis (LT) Carbonell 2025-08-14 10:06:05 -04:00 committed by GitHub
parent a607fb181c
commit bfa0c41c6d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 204 additions and 95 deletions


@ -46,21 +46,18 @@ module "install_packages" {
packages = var.packages
}
# Creating OpenLDAP Server
# Creating OpenLDAP Server using generic container script
resource "enos_remote_exec" "setup_openldap" {
depends_on = [module.install_packages]
environment = {
LDAP_CONTAINER_VERSION = local.ldap_server.version
LDAP_DOMAIN = local.ldap_server.domain
LDAP_ORG = local.ldap_server.org
LDAP_ADMIN_PW = local.ldap_server.admin_pw
LDAP_IP_ADDRESS = local.test_server_address
LDAP_PORT = local.ldap_server.port
LDAPS_PORT = local.ldap_server.secure_port
}
scripts = [abspath("${path.module}/scripts/start-container.sh")]
scripts = [abspath("${path.module}/scripts/set-up-openldap.sh")]
environment = {
CONTAINER_IMAGE = "docker.io/osixia/openldap:${local.ldap_server.version}"
CONTAINER_NAME = "openldap"
CONTAINER_PORTS = "${local.ldap_server.port},${local.ldap_server.secure_port}"
CONTAINER_ENVS = "LDAP_ORGANISATION=${local.ldap_server.org},LDAP_DOMAIN=${local.ldap_server.domain},LDAP_ADMIN_PASSWORD=${local.ldap_server.admin_pw}"
}
transport = {
ssh = {
@ -69,16 +66,23 @@ resource "enos_remote_exec" "setup_openldap" {
}
}
# Creating KMIP Server
# Creating KMIP Server using generic container script
resource "enos_remote_exec" "create_kmip" {
depends_on = [module.install_packages]
environment = {
VAULT_ADDR = var.ip_version == "6" ? var.hosts[0].ipv6 : var.hosts[0].public_ip
KMIP_PORT = var.ports.kmip.port
}
inline = [
"mkdir -p /tmp/kmip_temp"
]
scripts = [abspath("${path.module}/scripts/setup_kmip.sh")]
scripts = [abspath("${path.module}/scripts/start-container.sh")]
environment = {
CONTAINER_IMAGE = "docker.io/percona/percona-server:8.0"
CONTAINER_NAME = "kmip"
CONTAINER_VOLUMES = "/tmp/kmip_temp:/TEMP_DIR"
CONTAINER_ENVS = "KMIP_ADDR=${local.test_server_address},MYSQL_ROOT_PASSWORD=testpassword"
CONTAINER_ARGS = "--port ${var.ports.kmip.port}"
}
transport = {
ssh = {
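Review bot: Both new `environment` blocks pack several values into one comma-separated string, `CONTAINER_ENVS = "LDAP_ORGANISATION=${local.ldap_server.org},LDAP_DOMAIN=...,LDAP_ADMIN_PASSWORD=${local.ldap_server.admin_pw}"` and the KMIP `CONTAINER_ENVS`/`CONTAINER_VOLUMES`, so an organisation name or admin password containing a comma, whitespace or a shell-special character cannot be represented and will be silently split or mis-parsed by whatever consumes the string; nothing in these resources validates those locals. The only consumer I can see is the `start-container.sh` added in the same commit, which splits on `,` and then word-splits again, so this is a real constraint rather than a hypothetical one. A comment on the `environment` block stating the contract would save the next person a debugging session, e.g. `# CONTAINER_PORTS/CONTAINER_ENVS/CONTAINER_VOLUMES are comma-separated lists consumed by start-container.sh; entries must not contain ',' or whitespace.` The `setup_openldap` resource body begins before the first hunk and the `create_kmip` transport block continues past the last line shown.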


@ -1,36 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "${LDAP_DOMAIN}" ]] && fail "LDAP_DOMAIN env variable has not been set"
[[ -z "${LDAP_ORG}" ]] && fail "LDAP_ORG env variable has not been set"
[[ -z "${LDAP_ADMIN_PW}" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
[[ -z "${LDAP_CONTAINER_VERSION}" ]] && fail "LDAP_CONTAINER_VERSION env variable has not been set"
[[ -z "${LDAP_PORT}" ]] && fail "LDAP_PORT env variable has not been set"
[[ -z "${LDAPS_PORT}" ]] && fail "LDAPS_PORT env variable has not been set"
# Pulling image
CONTAINER_CMD="sudo podman"
LDAP_DOCKER_NAME="docker.io/osixia/openldap:${LDAP_CONTAINER_VERSION}"
echo "Pulling image: ${LDAP_DOCKER_NAME}"
${CONTAINER_CMD} pull "${LDAP_DOCKER_NAME}"
# Run OpenLDAP container
echo "Starting OpenLDAP container..."
${CONTAINER_CMD} run -d \
--name openldap \
-p "${LDAP_PORT}:${LDAP_PORT}" \
-p "${LDAPS_PORT}:${LDAPS_PORT}" \
-e LDAP_ORGANISATION="${LDAP_ORG}" \
-e LDAP_DOMAIN="${LDAP_DOMAIN}" \
-e LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PW}" \
"${LDAP_DOCKER_NAME}"
echo "OpenLDAP server is now running in Docker!"


@ -1,34 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "${VAULT_ADDR}" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "${KMIP_PORT}" ]] && fail "KMIP_PORT env variable has not been set"
# Pull KMIP Docker image
CONTAINER_CMD="sudo podman"
KMIP_DOCKER_NAME="docker.io/percona/percona-server:8.0"
${CONTAINER_CMD} pull "${KMIP_DOCKER_NAME}"
mkdir TEMP_DIR
cd TEMP_DIR
TEMP_DIR=$(pwd)
# Run KMIP container
echo "Starting KMIP container..."
${CONTAINER_CMD} run -d \
--name kmip \
--volume "${TEMP_DIR}":/TEMP_DIR \
-e KMIP_ADDR="${VAULT_ADDR}" \
-e MYSQL_ROOT_PASSWORD=testpassword \
"${KMIP_DOCKER_NAME}" \
--port "${KMIP_PORT}"
echo "KMIP server is now running in Docker!"


@ -0,0 +1,171 @@
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
show_help() {
cat << EOF
Usage: $0 --image IMAGE [OPTIONS]
Required:
--image IMAGE Docker image to run (e.g., osixia/openldap:latest)
Optional:
--name NAME Container name (default: auto-generated)
--port PORT[:HOST_PORT] Port mapping (can be used multiple times)
--env KEY=VALUE Environment variable (can be used multiple times)
--volume SRC:DEST Volume mount (can be used multiple times)
--container-cmd CMD Container command (default: sudo podman)
--args ARGS Additional arguments to pass to container run command
--help Show this help message
Examples:
# Basic LDAP setup
$0 --image osixia/openldap:latest --port 389 --port 636 --name openldap \\
--env LDAP_ORGANISATION="My Org" --env LDAP_DOMAIN="example.com"
# KMIP/Percona setup
$0 --image percona/percona-server:8.0 --name kmip \\
--volume "\$(pwd)":/TEMP_DIR --env MYSQL_ROOT_PASSWORD=testpassword \\
--args "--port 3306"
EOF
}
# Default values
CONTAINER_CMD="sudo podman"
NAME=""
DOCKER_IMAGE=""
PORTS=()
ENVS=()
VOLUMES=()
ADDITIONAL_ARGS=""
# Check for environment variable configuration (Terraform style)
if [[ -n "${CONTAINER_IMAGE}" ]]; then
DOCKER_IMAGE="${CONTAINER_IMAGE}"
fi
if [[ -n "${CONTAINER_NAME}" ]]; then
NAME="${CONTAINER_NAME}"
fi
if [[ -n "${CONTAINER_PORTS}" ]]; then
IFS=',' read -ra PORT_ARRAY <<< "${CONTAINER_PORTS}"
PORTS=("${PORT_ARRAY[@]}")
fi
if [[ -n "${CONTAINER_ENVS}" ]]; then
IFS=',' read -ra ENV_ARRAY <<< "${CONTAINER_ENVS}"
ENVS=("${ENV_ARRAY[@]}")
fi
if [[ -n "${CONTAINER_VOLUMES}" ]]; then
IFS=',' read -ra VOL_ARRAY <<< "${CONTAINER_VOLUMES}"
VOLUMES=("${VOL_ARRAY[@]}")
fi
if [[ -n "${CONTAINER_ARGS}" ]]; then
ADDITIONAL_ARGS="${CONTAINER_ARGS}"
fi
# Parse command line arguments (these will override environment variables)
while [[ $# -gt 0 ]]; do
case $1 in
--image)
DOCKER_IMAGE="$2"
shift 2
;;
--name)
NAME="$2"
shift 2
;;
--port)
PORTS+=("$2")
shift 2
;;
--env)
ENVS+=("$2")
shift 2
;;
--volume)
VOLUMES+=("$2")
shift 2
;;
--container-cmd)
CONTAINER_CMD="$2"
shift 2
;;
--args)
ADDITIONAL_ARGS="$2"
shift 2
;;
--help | -h)
show_help
exit 0
;;
*)
fail "Unknown option: $1. Use --help for usage information."
;;
esac
done
# Validate required parameters
[[ -z "${DOCKER_IMAGE}" ]] && fail "Docker image is required. Use --image to specify."
# Generate container name if not provided
if [[ -z "${NAME}" ]]; then
NAME=$(echo "${DOCKER_IMAGE}" | sed 's/.*\///' | sed 's/:.*$//')
echo "Using auto-generated container name: ${NAME}"
fi
# Pull the Docker image
echo "Pulling image: ${DOCKER_IMAGE}"
${CONTAINER_CMD} pull "${DOCKER_IMAGE}"
# Build the run command
RUN_CMD="${CONTAINER_CMD} run -d --name ${NAME}"
# Add port mappings
for port in "${PORTS[@]}"; do
if [[ "${port}" == *":"* ]]; then
# Port mapping format: host_port:container_port
RUN_CMD="${RUN_CMD} -p ${port}"
else
# Same port for host and container
RUN_CMD="${RUN_CMD} -p ${port}:${port}"
fi
done
# Add environment variables
for env in "${ENVS[@]}"; do
RUN_CMD="${RUN_CMD} -e ${env}"
done
# Add volume mounts
for volume in "${VOLUMES[@]}"; do
RUN_CMD="${RUN_CMD} --volume ${volume}"
done
# Add the image
RUN_CMD="${RUN_CMD} ${DOCKER_IMAGE}"
# Add any additional arguments
if [[ -n "${ADDITIONAL_ARGS}" ]]; then
RUN_CMD="${RUN_CMD} ${ADDITIONAL_ARGS}"
fi
# Execute the run command
echo "Starting container with command:"
echo "${RUN_CMD}"
echo ""
eval "${RUN_CMD}"
echo "${NAME} container is now running!"
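Review bot: The run command executed by `eval "${RUN_CMD}"` is assembled by string concatenation from `--name`, `--port`, `--env`, `--volume` and the `CONTAINER_*` values without any quoting, so every value is re-parsed by the shell at execution time: the script's own example `--env LDAP_ORGANISATION="My Org"` would become `-e LDAP_ORGANISATION=My` with `Org` left over as a stray argument, and a value containing `$(...)`, `;` or backticks would run on the host under `sudo podman`. Today those values come from Terraform locals (including the LDAP admin password), so this is a correctness bug now and an injection primitive if the inputs ever become less trusted. Building the command as a bash array and running `"${run_cmd[@]}"` removes the `eval` entirely; `CONTAINER_CMD` and `--args` are the only inputs whose word-splitting is part of the documented contract, and they can be split explicitly with `read -ra`. The `echo "${RUN_CMD}"` just before execution also prints every `-e KEY=VALUE`, which for the callers in this commit includes `LDAP_ADMIN_PASSWORD` and `MYSQL_ROOT_PASSWORD`, into the enos log; log only the image and container name, or redact the values. A smaller issue in the option parser is that `shift 2` on a trailing option with no value (`--name` as the last argument) fails under `set -e` with an unhelpful error rather than the `fail` message.
```shell
# … unchanged: help text, defaults, CONTAINER_* handling, option parsing, image validation, name generation …

# Split the container command once; it is the only value that legitimately
# contains whitespace ("sudo podman").
read -ra container_cmd <<< "${CONTAINER_CMD}"

echo "Pulling image: ${DOCKER_IMAGE}"
"${container_cmd[@]}" pull "${DOCKER_IMAGE}"

# Build the run command as an array so each value is passed as exactly one
# argument and is never re-parsed by the shell.
run_cmd=("${container_cmd[@]}" run -d --name "${NAME}")
for port in "${PORTS[@]}"; do
  if [[ "${port}" == *":"* ]]; then
    run_cmd+=(-p "${port}")
  else
    run_cmd+=(-p "${port}:${port}")
  fi
done
for env in "${ENVS[@]}"; do
  run_cmd+=(-e "${env}")
done
for volume in "${VOLUMES[@]}"; do
  run_cmd+=(--volume "${volume}")
done
run_cmd+=("${DOCKER_IMAGE}")
if [[ -n "${ADDITIONAL_ARGS}" ]]; then
  # --args is a free-form string; splitting on whitespace is its documented contract.
  read -ra extra_args <<< "${ADDITIONAL_ARGS}"
  run_cmd+=("${extra_args[@]}")
fi

# Do not echo the full command: -e values may carry credentials.
echo "Starting container ${NAME} from ${DOCKER_IMAGE}..."
"${run_cmd[@]}"
echo "${NAME} container is now running!"
```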

View file

@ -15,18 +15,22 @@ fail() {
[[ -z "${KMIP_PORT}" ]] && fail "KMIP_PORT env variable has not been set"
cd ~ || fail "Failed to change directory to home"
echo "${SERVER_CA}" > TEMP_DIR/vault-ca.pem
echo "${CLIENT_CA}" > TEMP_DIR/client.pem
TEMP_DIR=/tmp/kmip_temp
mkdir -p "${TEMP_DIR}" || fail "Failed to create temporary directory"
echo "${SERVER_CA}" > "${TEMP_DIR}"/vault-ca.pem
echo "${CLIENT_CA}" > "${TEMP_DIR}"/client.pem
# Extract certificate and key from client bundle
cd TEMP_DIR
cd "${TEMP_DIR}" || fail "Failed to change directory to ${TEMP_DIR}"
# Assuming CLIENT_CA contains both cert and key, split them
csplit -f client- client.pem '/-----BEGIN.*PRIVATE KEY-----/' '{*}'
mv client-00 cert.pem
mv client-01 key.pem
# Connect to the Percona Docker container
CONTAINER_CMD="sudo docker"
# Connect to the Percona KMIP Docker container and configure it
CONTAINER_CMD="sudo podman"
KMIP_DOCKER_NAME="kmip"
# Create MySQL data directory
@ -38,6 +42,6 @@ ${CONTAINER_CMD} exec -d "${KMIP_DOCKER_NAME}" mysqld \
--early-plugin-load=keyring_kmip.so \
--keyring_kmip_server_name="${VAULT_ADDR}" \
--keyring_kmip_server_port="${KMIP_PORT}" \
--keyring_kmip_client_ca=/TEMP_DIR/vault-ca.pem \
--keyring_kmip_client_key=/TEMP_DIR/key.pem \
--keyring_kmip_client_cert=/TEMP_DIR/cert.pem
--keyring_kmip_client_ca="${TEMP_DIR}/vault-ca.pem" \
--keyring_kmip_client_key="${TEMP_DIR}/key.pem" \
--keyring_kmip_client_cert="${TEMP_DIR}/cert.pem"
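Review bot: The three `--keyring_kmip_client_*` paths now expand to `/tmp/kmip_temp/...`, which is the host-side directory, but they are arguments to `mysqld` started through `${CONTAINER_CMD} exec` inside the `kmip` container; the Terraform change in this same commit mounts that directory as `CONTAINER_VOLUMES = "/tmp/kmip_temp:/TEMP_DIR"`, so the previous `/TEMP_DIR/...` values were the correct in-container paths and the new ones will only resolve if the image happens to contain the host path. Keep the mount point distinct from the host path, e.g. add `CONTAINER_TEMP_DIR=/TEMP_DIR` beside `TEMP_DIR=/tmp/kmip_temp` and pass `--keyring_kmip_client_ca="${CONTAINER_TEMP_DIR}/vault-ca.pem"`, `--keyring_kmip_client_key="${CONTAINER_TEMP_DIR}/key.pem"`, `--keyring_kmip_client_cert="${CONTAINER_TEMP_DIR}/cert.pem"`. Separately, `key.pem` is a client private key produced by `csplit` under the default umask in a fixed, predictable `/tmp/kmip_temp` path, so a `chmod 600 key.pem` after the split (or a `mktemp -d` directory if the mount path can be made configurable) would be worth adding. The script begins before the first hunk and the `mysqld` invocation this hunk ends is started earlier in the file.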