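#!/bin/sh
# Enables the Vault database secrets engine under the configured mount root,
# registers the PostgreSQL connection for this instance, hands the connection's
# root credential over to Vault by rotating it, then creates the dba role.
#
# Rendered from a template: the double-square-bracket actions are expanded at
# render time (mount root, instance name, PostgreSQL host). The double-curly
# {{username}}/{{password}} placeholders in connection_url are NOT template
# actions here; they are left in place for Vault itself to fill in.
#
# Requires an authenticated vault CLI (VAULT_ADDR/VAULT_TOKEN) with write
# access to the database mount and read access to the instance's kv secret.

# Stop at the first failing vault command so rotate-root never runs against a
# half-written connection config, and never silently expand an unset variable.
# (POSIX sh: no pipefail available, so the one pipeline below ends in the
# command whose failure matters.)
set -eu

[[- if has .pg.server "public_url" ]]

# Idempotent mount: enable only if nothing of type "database" is mounted there.
if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.root ]]database/"].type')" != "database" ]; then
  echo "Enabling database secret on [[ .vault.root ]]database"
  vault secrets enable -path [[ .vault.root ]]database database
else
  echo "Database secret already enabled at [[ .vault.root ]]database"
fi

# Idempotent connection config. "vault list" returns a JSON array of every
# connection name under config/; reduce it to a single true/false with an
# exact string comparison. The previous form emitted one boolean per element
# and used a regex, so it stopped matching as soon as a second instance shared
# the mount (and an instance name containing '.' could match other names).
# This check has to stay reliable: after rotate-root below the kv bootstrap
# password is stale, so re-running the "vault write" block against an
# already-configured instance would fail connection verification.
if [ "$(vault list -format json [[ .vault.root ]]database/config | jq -r 'any(. == "[[ .instance ]]")')" != "true" ]; then
  echo "Configuring database plugin [[ .vault.root ]]database/config/[[ .instance ]]"

  # Bootstrap password for the "vault" DB user. Read it into a shell variable
  # and hand it to "vault write" on stdin (password=-) rather than on the
  # command line, where it would be readable by anyone who can list processes.
  initial_pwd="$(vault kv get -field vault_initial_pwd [[ .vault.root ]]kv/service/[[ .instance ]])" || {
    echo "Cannot read vault_initial_pwd from [[ .vault.root ]]kv/service/[[ .instance ]]" >&2
    exit 1
  }

  # NOTE(review): connection_url sets no sslmode, so the plugin's default
  # applies; confirm TLS is actually enforced on the way to the public host
  # (e.g. append "?sslmode=verify-full" and configure the CA), otherwise the
  # vault user's credentials may travel unverified.
  # disable_escaping=true inserts username/password into the URL verbatim, so
  # the bootstrap password must not contain URL-reserved characters.
  # allowed_roles="*" lets every role in this mount use this connection;
  # narrowing it to the roles actually created would be least-privilege. Left
  # unchanged here because other roles on the mount may depend on it.
  printf '%s' "$initial_pwd" | vault write [[ .vault.root ]]database/config/[[ .instance ]] \
    plugin_name="postgresql-database-plugin" \
    connection_url="postgresql://{{username}}:{{password}}@[[ (urlParse .pg.server.public_url).Host ]]/postgres" \
    allowed_roles="*" \
    username=vault \
    password=- \
    password_authentication=scram-sha-256 \
    disable_escaping=true

  # From here on Vault holds the only valid copy of the vault user's password;
  # vault_initial_pwd in kv is intentionally left stale and must not be reused.
  echo "Rotating root password"
  vault write -force [[ .vault.root ]]database/rotate-root/[[ .instance ]]
else
  echo "Database plugin already configured for [[ .vault.root ]]database/config/[[ .instance ]]"
fi

[[- else ]]

# Without a public_url there is no host to point the plugin at; fail loudly
# instead of going on to create a role against a connection that does not exist.
echo "Required .pg.server.public_url is missing" >&2
exit 1

[[- end ]]

echo "Creating dba role in vault"
[[- template "common/vault.mkpgrole.sh.tpl" merge .pg . ]]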