chore: Common secret store init script for rhel & deb

src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+echo "Generating OpenBao TLS certificates for X-Road..."
+# Generate in temporary location first
+TEMP_DIR=$(mktemp -d)
+cd "$TEMP_DIR"
+
+# Generate certificates with proper permissions
+if ! openssl req \
+    -out tls.crt \
+    -new \
+    -keyout tls.key \
+    -newkey rsa:4096 \
+    -nodes \
+    -sha256 \
+    -x509 \
+    -subj "/O=OpenBao/CN=OpenBao" \
+    -days 7300 \
+    -addext "subjectAltName = IP:127.0.0.1" \
+    -addext "keyUsage = digitalSignature,keyEncipherment" \
+    -addext "extendedKeyUsage = serverAuth"; then
+    echo "Failed to generate certificates"
+    exit 1
+fi
+
+# Set proper permissions and ownership
+chmod 640 tls.key tls.crt
+chown openbao:openbao tls.key tls.crt
+
+# Move files to final location
+mv -f tls.key tls.crt /opt/openbao/tls/
+
+# Cleanup temp directory
+rm -rf "$TEMP_DIR"

src/packages/src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+STATUS=$(bao status -format=json) # exits with non-zero status if not initialized or sealed
+
+set -e
+
+INITIALIZED=$(jq -r '.initialized' <<< $STATUS)
+SEALED=$(jq -r '.sealed' <<< $STATUS)
+KEYS_FILE="/etc/openbao/secret-store-keys.json"
+
+if [ "$INITIALIZED" = "true" ]; then
+  echo "OpenBao already initialized"
+else
+  echo "Initializing OpenBao..."
+  bao operator init -key-shares=3 -key-threshold=2 -format=json > $KEYS_FILE
+  chmod 600 $KEYS_FILE
+fi
+
+
+if [ ! -f "$KEYS_FILE" ]; then
+  echo "Keys file not found"
+  exit 1
+fi
+
+
+if [ "$SEALED" = "false" ]; then
+  echo "OpenBao already unsealed"
+else
+  echo "Unsealing OpenBao..."
+  # Read first two keys for unsealing
+  KEY1=$(jq -r '.unseal_keys_b64[0]' "$KEYS_FILE")
+  KEY2=$(jq -r '.unseal_keys_b64[1]' "$KEYS_FILE")
+
+  # Unseal with two keys
+  bao operator unseal "$KEY1"
+  bao operator unseal "$KEY2"
+fi
+
+
+export BAO_TOKEN=$(cat $KEYS_FILE | jq -r '.root_token')
+
+XRD_PKI_CONFIGURED=$(bao secrets list -format=json | jq 'has("xrd-pki/")')
+if [ "$XRD_PKI_CONFIGURED" = "true" ]; then
+  echo "X-Road secrets engine already initialized"
+else
+  echo "Initializing X-Road secrets engine ..."
+
+  # Enable secrets engines
+  bao secrets enable -path=xrd-pki pki || exit 1
+  bao secrets enable -path=xrd-secret kv || exit 1
+  bao secrets enable -path=xrd-ds-secret -version=2 kv || exit 1
+
+  # Configure PKI
+  bao secrets tune -max-lease-ttl=87600h xrd-pki || exit 1
+  bao write xrd-pki/root/generate/internal common_name="localhost" ttl=8760h || exit 1
+  bao write xrd-pki/config/urls \
+    issuing_certificates="https://127.0.0.1:8200/v1/xrd-pki/ca" \
+    crl_distribution_points="https://127.0.0.1:8200/v1/xrd-pki/crl" || exit 1
+
+  # Configure PKI tidy settings
+  bao write xrd-pki/config/auto-tidy \
+    tidy_cert_store=true \
+    tidy_revoked_certs=true \
+    safety_buffer="72h" \
+    interval_duration="24h" || exit 1
+
+  # Configure roles
+  bao write xrd-pki/roles/xrd-rpc-internal \
+    allow_any_name=true \
+    allow_subdomains=true \
+    allow_localhost=true \
+    allow_ip_sans=true \
+    max_ttl="300h" || exit 1
+
+  # Create policy for PKI and secret access
+  bao policy write xroad-policy - <<EOF
+path "xrd-pki/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+path "xrd-secret/*" {
+  capabilities = ["read", "list"]
+}
+path "xrd-secret" {
+  capabilities = ["list"]
+}
+path "xrd-ds-secret/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+path "sys/internal/ui/mounts/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+fi
+
+CLIENT_TOKEN_FILE="/etc/xroad/secret-store-client-token"
+if [ -f $CLIENT_TOKEN_FILE ]; then
+  echo "X-Road client token already exists"
+else
+  echo "Generating X-Road client token.."
+  CLIENT_TOKEN=$(bao token create -policy=xroad-policy -format=json | jq -r '.auth.client_token')
+  echo "$CLIENT_TOKEN" > $CLIENT_TOKEN_FILE
+  chmod 640 $CLIENT_TOKEN_FILE
+  chown xroad:xroad $CLIENT_TOKEN_FILE
+fi
+
+unset BAO_TOKEN

src/packages/src/xroad/redhat/SOURCES/secret-store-local/xroad-secret-store-local.service

@@ -1,14 +1,14 @@
 [Unit]
-Description=X-Road OpenBao Auto Unseal Service
+Description=X-Road OpenBao Auto Init Service
 After=network.target openbao.service
 Requires=openbao.service
 BindsTo=openbao.service
 
 [Service]
 Type=oneshot
-User=xroad
-Group=xroad
-ExecStart=/usr/share/xroad/scripts/secret-store-unseal.sh
+User=openbao
+Group=openbao
+ExecStart=/usr/share/xroad/scripts/secret-store-init.sh
 RemainAfterExit=yes
 
 [Install]

src/packages/src/xroad/redhat/SPECS/xroad-secret-store-local.spec

@@ -14,7 +14,7 @@ Requires:           xroad-base = %version-%release
 Conflicts:          xroad-secret-store-local-remote
 
 %description
-X-Road OpenBao Auto Unseal Service
+X-Road OpenBao Auto Init Service
 
 %clean
 rm -rf %{buildroot}
@@ -30,95 +30,38 @@ mkdir -p %{buildroot}/etc/xroad/services/
 
 cp -p %{_sourcedir}/secret-store-local/xroad-secret-store-local.service %{buildroot}%{_unitdir}
 cp -p %{srcdir}/common/xroad-secret-store-local/etc/xroad/services/secret-store-local.conf %{buildroot}/etc/xroad/services/
-cp -p %{srcdir}/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-unseal.sh %{buildroot}/usr/share/xroad/scripts/
-cp -p %{srcdir}/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-setup.sh %{buildroot}/usr/share/xroad/scripts/
+cp -p %{srcdir}/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh %{buildroot}/usr/share/xroad/scripts/
+cp -p %{srcdir}/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh %{buildroot}/usr/share/xroad/scripts/
 
 %files
 %defattr(0640,xroad,xroad,0751)
 %attr(644,root,root) %{_unitdir}/xroad-secret-store-local.service
 %config /etc/xroad/services/secret-store-local.conf
-%attr(554,root,xroad)  /usr/share/xroad/scripts/secret-store-unseal.sh
-%attr(554,root,xroad) /usr/share/xroad/scripts/secret-store-setup.sh
+%attr(554,root,xroad) /usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh
+%attr(554,root,xroad) /usr/share/xroad/scripts/secret-store-init.sh
 
 %pre -p /bin/bash
 %upgrade_check
 
-set -e
 
-# Function to handle errors - only clean up on failure
-cleanup() {
-    if [ $? -ne 0 ]; then
-        echo "Installation failed, cleaning up..."
-        if [ -d "/opt/openbao/tls" ]; then
-            rm -f /opt/openbao/tls/tls.{key,crt} 2>/dev/null || true
-        fi
-        rm -f /etc/pki/ca-trust/source/anchors/openbao.crt 2>/dev/null || true
-    fi
-}
-
-trap cleanup EXIT
-
-if [ $1 -eq 1 ] || [ $1 -eq 2 ]; then  # 1 = fresh install, 2 = upgrade
-    # Ensure directory exists and has proper permissions
-    install -d -m 750 /opt/openbao/tls
-    chown openbao:openbao /opt/openbao/tls
-
-    echo "Generating OpenBao TLS certificates..."
-    # Generate in temporary location first
-    TEMP_DIR=$(mktemp -d)
-    cd "$TEMP_DIR" || exit 1
-
-    # Generate certificates with proper permissions
-    if ! openssl req \
-        -out tls.crt \
-        -new \
-        -keyout tls.key \
-        -newkey rsa:4096 \
-        -nodes \
-        -sha256 \
-        -x509 \
-        -subj "/O=OpenBao/CN=OpenBao" \
-        -days 7300 \
-        -addext "subjectAltName = IP:127.0.0.1" \
-        -addext "keyUsage = digitalSignature,keyEncipherment" \
-        -addext "extendedKeyUsage = serverAuth"; then
-        echo "Failed to generate certificates"
-        exit 1
-    fi
-
-    # Set proper permissions and ownership
-    chmod 640 tls.key tls.crt
-    chown openbao:openbao tls.key tls.crt
-
-    # Move files to final location
-    mv tls.key tls.crt /opt/openbao/tls/
-
-    # Install certificate to system
+%post
+if [ $1 -eq 1 ]; then  # $1 == 1 means fresh install, $1 == 2 means upgrade
+    /usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh
+    # Install generated certificate to system
     install -m 644 /opt/openbao/tls/tls.crt /etc/pki/ca-trust/source/anchors/openbao.crt
     update-ca-trust
 
-    # Cleanup temp directory
-    rm -rf "$TEMP_DIR"
-fi
-
-%post
-if [ $1 -eq 1 ]; then  # $1 == 1 means fresh install, $1 == 2 means upgrade
     # Enable and start service
     if ! systemctl enable openbao.service; then
         echo "Failed to enable OpenBao service"
         exit 1
     fi
 
-    if ! systemctl start openbao.service; then
-        echo "Failed to start OpenBao service"
+    if ! systemctl restart openbao.service; then
+        echo "Failed to restart OpenBao service"
         exit 1
     fi
 
-    BAO_ADDR='https://127.0.0.1:8200'
-    TMP_INIT_FILE="/tmp/bao-init.json"
-    UNSEAL_KEYS_FILE="/etc/xroad/secret-store-unseal-keys.json"
-    ROOT_TOKEN_FILE="/etc/xroad/secret-store-root-token"
-
     echo "Waiting for OpenBao to be ready..."
     for i in $(seq 1 30); do
         if curl -sf "${BAO_ADDR}/v1/sys/health" >/dev/null 2>&1; then
@@ -128,21 +71,8 @@ if [ $1 -eq 1 ]; then  # $1 == 1 means fresh install, $1 == 2 means upgrade
     done
 
     echo "Initializing OpenBao.."
-    if ! bao operator init -key-shares=3 -key-threshold=2 -format=json >${TMP_INIT_FILE}; then
-        echo "Failed to initialize OpenBao"
-        exit 1
-    fi
-
-    jq -r '.unseal_keys_b64' ${TMP_INIT_FILE} >${UNSEAL_KEYS_FILE}
-    jq -r '.root_token' ${TMP_INIT_FILE} >${ROOT_TOKEN_FILE}
-
-    rm -f ${TMP_INIT_FILE}
-
-    echo "Running unseal service.."
     systemctl enable xroad-secret-store-local.service
     systemctl start xroad-secret-store-local.service
-
-    /usr/share/xroad/scripts/secret-store-setup.sh
 else
     echo "Upgrade detected, skipping initialization"
 fi

src/packages/src/xroad/ubuntu/generic/xroad-secret-store-local.install

@@ -1,3 +1,3 @@
-../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-unseal.sh usr/share/xroad/scripts
-../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-setup.sh usr/share/xroad/scripts
+../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-generate-tls-certificate.sh usr/share/xroad/scripts
+../../../../src/xroad/common/xroad-secret-store-local/usr/share/xroad/scripts/secret-store-init.sh usr/share/xroad/scripts
 ../../../../src/xroad/common/xroad-secret-store-local/etc/xroad/services/secret-store-local.conf etc/xroad/services