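#!/bin/bash
# Bootstrap an Ockam node on this EC2 host as ec2-user: install Ockam Command,
# enroll this host's new identity into the project with the supplied enrollment
# ticket, and expose a TCP Portal Inlet to the remote postgres on port 3000.
#
# Required input: ENROLLMENT_TICKET — a project enrollment ticket (a bearer secret).
# NOTE(review): sudo's default env_reset strips the caller's environment, so
# ENROLLMENT_TICKET must reach the inner shell by another route (sudoers env_keep,
# or textual substitution of this file before it runs) — confirm against the
# deployment that feeds this script.
set -ex
# Change into ec2-user's home directory and use sudo to run the commands as ec2-user
cd /home/ec2-user
sudo -u ec2-user bash << 'EOS'
set -ex
# pipefail: without it a failed download in the `curl | bash` install below is masked
# by bash exiting 0 on empty input, and the script only fails later at `source`.
set -o pipefail
# Install Ockam Command.
#
# Supply-chain note: this executes whatever the install URL serves at run time. Pinning
# a release and verifying its checksum/signature is the stronger option; kept as-is here
# because this script records no pinned version or digest to verify against.
curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash
source "$HOME/.ockam/env"
# Run `ockam project enroll ...`
#
# The `project enroll` command creates a new vault and generates a cryptographic identity with
# private keys stored in that vault.
#
# The enrollment ticket includes routes and identifiers for the project membership authority
# and the project’s node that offers the relay service.
#
# The enrollment ticket also includes an enrollment token. The project enroll command
# creates a secure channel with the project membership authority and presents this enrollment token.
# The authority enrolls the presented identity and returns a project membership credential.
#
# The command stores this credential for later use and exits.
#
# The ticket is a bearer secret: suspend xtrace around the check and the enroll command so
# neither line echoes the ticket into the instance's user-data / cloud-init log. (The value
# is still visible in this command's argv for the duration of the enroll call.)
set +x
# Fail fast with a clear message if the ticket did not make it into this shell.
: "${ENROLLMENT_TICKET:?ENROLLMENT_TICKET must be set to a project enrollment ticket}"
ockam project enroll "$ENROLLMENT_TICKET"
set -x
# Create an ockam node.
#
# Create an access control policy that only allows project members that possess a credential with
# attribute monitoring-api-outlet="true" to connect to TCP Portal Inlets on this node.
#
# Create a TCP Portal Inlet to postgres.
# This makes the remote postgres reachable on every interface of this host at 0.0.0.0:3000,
# not only loopback; bind to 127.0.0.1:3000 instead if only local processes need it.
ockam node create
ockam policy create --resource-type tcp-inlet --expression '(= subject.monitoring-api-outlet "true")'
ockam tcp-inlet create --from 0.0.0.0:3000 --via monitoring-api
EOS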