chore(contrib) - fixes for Vault (#7739)

update formatting on multi-line JSON in curl commands
dgraph-io · Aug 17, 2023 · 76de6cd · 76de6cd
1 parent 48b4b01
commit 76de6cd
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 25 deletions.
diff --git a/contrib/config/vault/docker/README.md b/contrib/config/vault/docker/README.md
@@ -22,7 +22,7 @@ Steps using `bind_secret_id`:
 11. [Verify secrets access using app persona](#Step-11-verify-secrets-access-using-app-persona)
 12. [Launch Dgraph](#Step-12-launch-Dgraph)
 
-Alternative Steps using `bound_cidr_list` (see [Using Hashicorp Vault CIDR List for Authentication](#Using-hashicorp-vault-cidr-list-for-authentication)):
+Alternative Steps using `bound_cidr_list` (see [Using HashiCorp Vault CIDR List for Authentication](#Using-hashicorp-vault-cidr-list-for-authentication)):
 
 1.  [Configure Dgraph and Vault Versions](#Step-1-configure-dgraph-and-vault-versions)
 2.  [Launch unsealed Vault server](#Step-2-launch-unsealed-Vault-server)
@@ -46,16 +46,16 @@ Alternative Steps using `bound_cidr_list` (see [Using Hashicorp Vault CIDR List
 
 ## Steps
 
-This configures an app role that requires log in with `role-id` and `secret-id` to login.  This is the default role setting where `bind_seccret_id` is enabled.
+This configures an app role that requires log in with `role-id` and `secret-id` to login.  This is the default role setting where `bind_secret_id` is enabled.
 
 ### Step 1: Configure Dgraph and Vault Versions
 
 ```bash
-export DGRAPH_VERSION="v21.03"  # default is 'latest'
-export VAULT_VERSION="1.7.0"    # default is 'latest'
+export DGRAPH_VERSION="v21.03.0" # default is 'latest'
+export VAULT_VERSION="1.7.0"     # default is 'latest'
 ```
 
-**NOTE**: This guide has been tested with Hashicorp Vault version `1.6.3` and `1.7.0`.
+**NOTE**: This guide has been tested with HashiCorp Vault version `1.6.3` and `1.7.0`.
 
 ### Step 2: Launch unsealed Vault server
 
@@ -78,9 +78,6 @@ Using the root token copied from `vault operator init`, we can enable these feat
 
 ```bash
 export VAULT_ROOT_TOKEN="<root-token>"
-```
-
-```bash
 export VAULT_ADDRESS="127.0.0.1:8200"
 
 curl --silent \
@@ -102,7 +99,8 @@ curl --silent \
 ## convert policies to json format
 cat <<EOF > ./vault/policy_admin.json
 {
-  "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' -e 's/"/\\"/g' vault/policy_admin.hcl)"
+  "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' \
+                   -e 's/"/\\"/g' vault/policy_admin.hcl)"
 }
 EOF
 
@@ -126,7 +124,11 @@ curl --silent \
 curl --silent \
   --header "X-Vault-Token: $VAULT_ROOT_TOKEN" \
   --request POST \
-  --data '{ "token_policies": "admin", "token_ttl": "1h", "token_max_ttl": "4h" }' \
+  --data '{
+  "token_policies": "admin",
+  "token_ttl": "1h",
+  "token_max_ttl": "4h"
+}' \
   http://$VAULT_ADDRESS/v1/auth/approle/role/admin
 
 ## verify the role
@@ -154,7 +156,10 @@ VAULT_ADMIN_SECRET_ID=$(curl --silent \
 
 export VAULT_ADMIN_TOKEN=$(curl --silent \
   --request POST \
-  --data "{ \"role_id\": \"$VAULT_ADMIN_ROLE_ID\", \"secret_id\": \"$VAULT_ADMIN_SECRET_ID\" }" \
+  --data "{
+  \"role_id\": \"$VAULT_ADMIN_ROLE_ID\",
+  \"secret_id\": \"$VAULT_ADMIN_SECRET_ID\"
+}" \
   http://$VAULT_ADDRESS/v1/auth/approle/login | jq -r '.auth.client_token'
 )
 ```
@@ -165,7 +170,8 @@ export VAULT_ADMIN_TOKEN=$(curl --silent \
 ## convert policies to json format
 cat <<EOF > ./vault/policy_dgraph.json
 {
-  "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' -e 's/"/\\"/g' vault/policy_dgraph.hcl)"
+  "policy": "$(sed -e ':a;N;$!ba;s/\n/\\n/g' \
+                   -e 's/"/\\"/g' vault/policy_dgraph.hcl)"
 }
 EOF
 
@@ -190,7 +196,11 @@ curl --silent \
 curl --silent \
  --header "X-Vault-Token: $VAULT_ADMIN_TOKEN" \
  --request POST \
- --data '{ "token_policies": "dgraph", "token_ttl": "1h", "token_max_ttl": "4h" }' \
+ --data '{
+  "token_policies": "dgraph",
+  "token_ttl": "1h",
+  "token_max_ttl": "4h"
+}' \
  http://$VAULT_ADDRESS/v1/auth/approle/role/dgraph
 
 ## verify the role
@@ -211,15 +221,15 @@ curl --silent \
   http://$VAULT_ADDRESS/v1/secret/data/dgraph/alpha | jq
 ```
 
-**NOTE**: When updating K/V Version 2 secrets, be sure to increment the `options.cas` value to increase the version.  For example, if updating the `enc_key` value to 32-bits, you would update `./vault/payload_alpha.secrests.json` to look like the following:
+**NOTE**: When updating K/V Version 2 secrets, be sure to increment the `options.cas` value to increase the version.  For example, if updating the `enc_key` value to 32-bits, you would update `./vault/payload_alpha_secrets.json` to look like the following:
 ```json
 {
   "options": {
     "cas": 1
   },
   "data": {
     "enc_key": "12345678901234567890123456789012",
-    "hmac_secret_file": "12345678901234567890123456789012"
+    "hmac_secret": "12345678901234567890123456789012"
   }
 }
 ```
@@ -240,7 +250,10 @@ VAULT_DGRAPH_SECRET_ID=$(curl --silent \
 
 export VAULT_DGRAPH_TOKEN=$(curl --silent \
   --request POST \
-  --data "{ \"role_id\": \"$VAULT_DGRAPH_ROLE_ID\", \"secret_id\": \"$VAULT_DGRAPH_SECRET_ID\" }" \
+  --data "{
+  \"role_id\": \"$VAULT_DGRAPH_ROLE_ID\",
+  \"secret_id\": \"$VAULT_DGRAPH_SECRET_ID\"
+}" \
   http://$VAULT_ADDRESS/v1/auth/approle/login | jq -r '.auth.client_token'
 )
 ```
@@ -274,9 +287,9 @@ You can verify encryption features are enabled with:
 curl localhost:8080/health | jq -r '.[].ee_features | .[]' | sed 's/^/* /'
 ```
 
-## Using Hashicorp Vault CIDR List for Authentication
+## Using HashiCorp Vault CIDR List for Authentication
 
-As an alternative, you can restrict access to a limited range of IP addresses and disable the requirement for a `secret-id`.  In this scenario, we will set `bind_seccret_id` to `false`, and supply a list of IP addresses ranges for the `bound_cidr_list` key.
+As an alternative, you can restrict access to a limited range of IP addresses and disable the requirement for a `secret-id`.  In this scenario, we will set `bind_seccret_id` to `false`, and supply a list of IP address ranges for the `bound_cidr_list` key.
 
 Only two steps will need to be changed, but otherwise the other steps are the same:
 
@@ -288,11 +301,16 @@ curl --silent \
  --header "X-Vault-Token: $VAULT_ADMIN_TOKEN" \
  --request POST \
  --data '{
-"token_policies": "dgraph",
-"token_ttl": "1h",
-"token_max_ttl": "4h",
-"bind_secret_id": false,
-"bound_cidr_list": ["10.0.0.0/8","172.0.0.0/8","192.168.0.0/16", "127.0.0.1/32"]
+  "token_policies": "dgraph",
+  "token_ttl": "1h",
+  "token_max_ttl": "4h",
+  "bind_secret_id": false,
+  "bound_cidr_list": [
+    "10.0.0.0/8",
+    "172.0.0.0/8",
+    "192.168.0.0/16",
+    "127.0.0.1/32"
+  ]
 }' \
  http://$VAULT_ADDRESS/v1/auth/approle/role/dgraph
 

diff --git a/contrib/config/vault/docker/dgraph_alpha_config.yaml b/contrib/config/vault/docker/dgraph_alpha_config.yaml
@@ -1,6 +1,6 @@
 vault:
   addr: http://vault:8200
-  acl_field: hmac_secret_file
+  acl_field: hmac_secret
   acl_format: raw
   enc_field: enc_key
   enc_format: raw

diff --git a/contrib/config/vault/docker/vault/payload_alpha_secrets.json b/contrib/config/vault/docker/vault/payload_alpha_secrets.json
@@ -4,6 +4,6 @@
   },
   "data": {
     "enc_key": "1234567890123456",
-    "hmac_secret_file": "12345678901234567890123456789012"
+    "hmac_secret": "12345678901234567890123456789012"
   }
 }