vault/bin/vault-init

#!/usr/bin/env bash

set -e

REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
GPG_KEY_ID="slawek@koszewscy.waw.pl"
GPG_PUB_KEY_FILE="$REPO_ROOT/slawek.key"

if [[ ! -f "$GPG_PUB_KEY_FILE" ]]; then
    gpg --export "$GPG_KEY_ID" > "$GPG_PUB_KEY_FILE"
fi

# Initialize the Vault and store the initialization output in a JSON file
# The single unseal key and the root token will be PGP-encrypted using the provided GPG public key
VAULT_ADDR='http://127.0.0.1:8200' vault operator init \
    -key-shares=1 \
    -key-threshold=1 \
    -pgp-keys="$GPG_PUB_KEY_FILE" \
    -root-token-pgp-key="$GPG_PUB_KEY_FILE" \
    -format=json > $REPO_ROOT/config/vault-init.json