mikegreen · May 13, 2020 15:05
diff --git a/raft_migration.sh b/raft_migration.sh
 #!/bin/bash
 # this was shared by Nick on the Vault gg, all credit to him
 # https://groups.google.com/d/msg/vault-tool/hmejXvIFuOU/M3bKDKFBBwAJ

 # Test Vault migration from consul to raft.

 # Dependencies: vault, consul, nc (netcat)
 # Writes to (and blows away) ~/migrate_consul_to_raft.
 # Kills any running vault or consul processes.
 # Tested on MacOS and Linux.

 set -ex

 kill -9 `ps axuw |grep -e '(vault|consul)' |awk '{print $1}'` || true

 while nc -w 1 localhost 8200 </dev/null; do sleep 1; done
 while nc -w 1 localhost 8500 </dev/null; do sleep 1; done

 export VAULT_ADDR=http://127.0.0.1:8200

 workdir=$HOME/$(basename $0 .sh)/
 rm -rf $workdir
 mkdir -p $workdir/raft_migrated



 # Start consul

 cat > $workdir/consulconfig.json -<<EOF
 {
  "datacenter": "east-aws",
  "data_dir": "$workdir/consuldata",
  "log_level": "TRACE",
  "node_name": "node1",
  "server": true,
  "acl" : {
    "tokens": [
 	  {
        "master": "token"
 	  }
    ]
  },
  "bootstrap": true
 }
 EOF

 consul agent -ui -bind 127.0.0.1 -config-file $workdir/consulconfig.json > $workdir/consul.log 2>&1 &
 while ! nc -w 1 localhost 8500 </dev/null; do sleep 1; done
 sleep 3



 # Start Vault using consul, initialize it, then kill it

 tee $workdir/vaultconsul.hcl <<EOF
 disable_mlock = true
 storage "consul" {
 address = "127.0.0.1:8500"
 path = "vault"
 }
 listener "tcp" {
 address = "127.0.0.1:8200"
 tls_disable = true
 }
 EOF

 vault server -log-level trace -config $workdir/vaultconsul.hcl > $workdir/vaultconsul.log 2>&1 &
 while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

 initResult=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
 unsealKey=$(echo -n $initResult | jq -r '.unseal_keys_b64[0]')
 rootToken=$(echo -n $initResult | jq -r '.root_token')

 echo -n $unsealKey > $workdir/unsealKey
 echo -n $rootToken > $workdir/rootToken

 vault operator unseal `cat $workdir/unsealKey`
 vault login `cat $workdir/rootToken`
 pkill vault
 while nc -w 1 localhost 8200 </dev/null; do sleep 1; done



 # Do the migration

 tee $workdir/migrate_consul_raft.hcl <<EOF
 storage_source "consul" {
 address = "127.0.0.1:8500"
 path = "vault"
 }

 storage_destination "raft" {
 path = "$workdir/raft_migrated"
 node_id = "raft_migrated"
 }
 cluster_addr = "http://127.0.0.1:8201"
 api_addr = "http://127.0.0.1:8200"
 EOF

 vault operator migrate -config $workdir/migrate_consul_raft.hcl > $workdir/migrate_consul_raft.log

 # Now start Vault using raft

 tee $workdir/vaultraft.hcl <<EOF
 disable_mlock = true
 storage "raft" {
 path = "$workdir/raft_migrated"
 node_id = "raft_migrated"
 }
 listener "tcp" {
 address = "127.0.0.1:8200"
 tls_disable = true
 }
 cluster_addr = "http://127.0.0.1:8201"
 api_addr = "http://127.0.0.1:8200"
 EOF

 vault server -log-level trace -config $workdir/vaultraft.hcl > $workdir/vaultraft.log 2>&1 &
 while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done
 vault status || true
 vault operator unseal `cat $workdir/unsealKey`
 vault login `cat $workdir/rootToken`
 vault status

 echo "Migration completed successfully"
	#!/bin/bash
	# this was shared by Nick on the Vault gg, all credit to him
	# https://groups.google.com/d/msg/vault-tool/hmejXvIFuOU/M3bKDKFBBwAJ

	# Test Vault migration from consul to raft.

	# Dependencies: vault, consul, nc (netcat)
	# Writes to (and blows away) ~/migrate_consul_to_raft.
	# Kills any running vault or consul processes.
	# Tested on MacOS and Linux.

	set -ex

	kill -9 `ps axuw \|grep -e '(vault\|consul)' \|awk '{print $1}'` \|\| true

	while nc -w 1 localhost 8200 </dev/null; do sleep 1; done
	while nc -w 1 localhost 8500 </dev/null; do sleep 1; done

	export VAULT_ADDR=http://127.0.0.1:8200

	workdir=$HOME/$(basename $0 .sh)/
	rm -rf $workdir
	mkdir -p $workdir/raft_migrated



	# Start consul

	cat > $workdir/consulconfig.json -<<EOF
	{
	"datacenter": "east-aws",
	"data_dir": "$workdir/consuldata",
	"log_level": "TRACE",
	"node_name": "node1",
	"server": true,
	"acl" : {
	"tokens": [
	{
	"master": "token"
	}
	]
	},
	"bootstrap": true
	}
	EOF

	consul agent -ui -bind 127.0.0.1 -config-file $workdir/consulconfig.json > $workdir/consul.log 2>&1 &
	while ! nc -w 1 localhost 8500 </dev/null; do sleep 1; done
	sleep 3



	# Start Vault using consul, initialize it, then kill it

	tee $workdir/vaultconsul.hcl <<EOF
	disable_mlock = true
	storage "consul" {
	address = "127.0.0.1:8500"
	path = "vault"
	}
	listener "tcp" {
	address = "127.0.0.1:8200"
	tls_disable = true
	}
	EOF

	vault server -log-level trace -config $workdir/vaultconsul.hcl > $workdir/vaultconsul.log 2>&1 &
	while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

	initResult=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
	unsealKey=$(echo -n $initResult \| jq -r '.unseal_keys_b64[0]')
	rootToken=$(echo -n $initResult \| jq -r '.root_token')

	echo -n $unsealKey > $workdir/unsealKey
	echo -n $rootToken > $workdir/rootToken

	vault operator unseal `cat $workdir/unsealKey`
	vault login `cat $workdir/rootToken`
	pkill vault
	while nc -w 1 localhost 8200 </dev/null; do sleep 1; done



	# Do the migration

	tee $workdir/migrate_consul_raft.hcl <<EOF
	storage_source "consul" {
	address = "127.0.0.1:8500"
	path = "vault"
	}

	storage_destination "raft" {
	path = "$workdir/raft_migrated"
	node_id = "raft_migrated"
	}
	cluster_addr = "http://127.0.0.1:8201"
	api_addr = "http://127.0.0.1:8200"
	EOF

	vault operator migrate -config $workdir/migrate_consul_raft.hcl > $workdir/migrate_consul_raft.log

	# Now start Vault using raft

	tee $workdir/vaultraft.hcl <<EOF
	disable_mlock = true
	storage "raft" {
	path = "$workdir/raft_migrated"
	node_id = "raft_migrated"
	}
	listener "tcp" {
	address = "127.0.0.1:8200"
	tls_disable = true
	}
	cluster_addr = "http://127.0.0.1:8201"
	api_addr = "http://127.0.0.1:8200"
	EOF

	vault server -log-level trace -config $workdir/vaultraft.hcl > $workdir/vaultraft.log 2>&1 &
	while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done
	vault status \|\| true
	vault operator unseal `cat $workdir/unsealKey`
	vault login `cat $workdir/rootToken`
	vault status

	echo "Migration completed successfully"