Merge 3fe1873da15ffd35d19a0c3080809b0bdeb6acb6 into a2c64e79ff1b597b15d7bf7cb17aa627e7b7eb3f

deploy/vault_cli.sh

@@ -12,6 +12,10 @@
 # additionally, you need to ensure that VAULT_TOKEN is avialable or
 # `vault auth` has applied the appropriate authorization for the vault binary
 # to access the vault server
+#
+# If VAULT_ROLE_ID and VAULT_ROLE_SECRET are available, get a valid token using the
+# vault approle authentication method.
+# https://www.vaultproject.io/docs/auth/approle
 
 #returns 0 means success, otherwise error.
 
@@ -49,6 +53,16 @@ vault_cli_deploy() {
     return 1
   fi
 
+  if [ -n "$VAULT_ROLE_ID" ]; then
+    VAULT_TOKEN=$(vault write -field=token auth/approle/login \
+      role_id="$VAULT_ROLE_ID" secret_id="$VAULT_ROLE_SECRET")
+    if [ ! $? ]; then
+      _err "cannot login to vault approle ${VAULT_ROLE_ID}!"
+      return 1
+    fi
+    export VAULT_TOKEN
+  fi
+
   if [ -n "$FABIO" ]; then
     $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
   else