#!/usr/bin/env bash
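# -e: stop at the first failing command. pipefail: a failing vault/curl stage in
# front of jq/grep (used further down) fails the whole pipeline instead of
# silently handing an empty document to the next stage.
set -eo pipefail

# Resolve the script's own directory with dirname rather than ${BASH_SOURCE%/*}:
# the latter returns the bare file name unchanged when the script is invoked
# without a slash (e.g. via PATH), which would make the source line fail.
script_dir=$(dirname "${BASH_SOURCE[0]}")
# shellcheck source=functions.sh
source "${script_dir}/functions.sh"

# $1 selects where the unseal keys / root token are stored (get_keybase_path is
# provided by functions.sh). Quoted so a path with spaces survives.
keybase_path=$(get_keybase_path "$1")

# Loopback dev listener over plaintext HTTP. The root token and unseal keys are
# sent over this address, so it must never be pointed at a non-local host.
export VAULT_ADDR=http://127.0.0.1:8200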
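#######################################
# Enable a pki secrets engine at a mount path unless it is already mounted.
# Arguments:
#   $1 - mount path without trailing slash (e.g. pki, pki_int)
#   $2 - max lease TTL for the mount (e.g. 87600h)
#   $3 - human-readable mount description
# Outputs: whatever `vault secrets enable` prints on a fresh mount
#######################################
enable_pki() {
  local mount_path=$1
  local max_ttl=$2
  local description=$3
  # `vault secrets list` prints one mount per line with "<path>/" in the first
  # column. Anchoring on the line start and the trailing slash avoids the
  # substring matches an unanchored grep would allow (e.g. a nested mount
  # named "x/pki/"); "pki/" still does not match "pki_int/".
  # NOTE(review): assumes the table's first column is followed by whitespace.
  if ! vault secrets list | grep -q -- "^${mount_path}/[[:space:]]"; then
    vault secrets enable \
      -max-lease-ttl="${max_ttl}" \
      -path="${mount_path}" \
      -description="${description}" \
      pki
  fi
}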
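# Everything written below ${keybase_path} - init.txt (unseal keys AND initial
# root token, in plaintext), the intermediate CSR and certificate - is created
# owner-only. With the default umask init.txt would be world-readable.
umask 077

echo "Using '$keybase_path' for secret storage"
mkdir -p -- "${keybase_path}"

if [ ! -f "${keybase_path}/init.txt" ] ; then
  echo "Initializing"
  # 6 shares / threshold 3: any three key holders can unseal.
  vault operator init \
    -key-shares=6 -key-threshold=3 > "${keybase_path}/init.txt"
else
  echo "Your Vault cluster was already initialized."
fi
echo "See ${keybase_path}/init.txt for the keys and root token."

# The root token is needed for the policy writes and to mint the scoped token
# below. Assignment is kept separate from `export` so a failing
# get_root_token is not masked (set -e does not see through `export x=$(...)`).
export VAULT_TOKEN
VAULT_TOKEN=$(get_root_token "$keybase_path")
echo
"${BASH_SOURCE%/*}/unseal.sh" "$1"
echo

echo "Apply policies:"
vault policy write ca policies/ca-policy.hcl
vault policy write issue-cert-philips-dot-dev policies/issue-cert-philips-dot-dev-policy.hcl
echo

# Drop from root to a 5-minute token that carries only the ca policy; all of
# the PKI setup below runs under it.
echo "Use ca policy enabled token:"
VAULT_TOKEN=$(vault token create -policy=ca -format=json -ttl=5m | jq -r .auth.client_token)
echo "Token capabilities:"
printf "%-20s | Capabilities\n" Path
printf "%-20s | --------------------\n" --------------------
# Quoted: these are Vault path patterns, not shell globs, and must not expand
# against files in the current directory.
print_token_capabilities "sys/mounts"
print_token_capabilities "sys/mounts/*"
print_token_capabilities "pki*"
echo

echo "Enabling pki engine:"
enable_pki pki 87600h "Root CA"             # 10 years for root certificate
enable_pki pki_int 43800h "Intermediate CA" # 5 years for intermediate certificates

# --fail makes an HTTP error abort the script (via set -e) instead of being
# mistaken for an existing CA; an empty body means no CA on this mount yet.
ca=$(curl -sf "$VAULT_ADDR/v1/pki/ca/pem")
if [ -z "$ca" ] ; then
  echo "Generating root CA."
  # generate/internal: the root key never leaves Vault.
  ca=$(vault write -field=certificate pki/root/generate/internal \
    common_name="Vault Certificate Authority" \
    ttl=87600h)
else
  echo "Using existing root CA."
fi
# NOTE(review): these AIA/CRL URLs are embedded in every issued certificate;
# with the loopback plaintext VAULT_ADDR they are only reachable from this host.
vault write pki/config/urls \
  issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
  crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

intermediate=$(curl -sf "$VAULT_ADDR/v1/pki_int/ca/pem")
if [ -z "$intermediate" ] ; then
  echo "Generating intermediate CA."
  csr_file="${keybase_path}/pki_intermediate.csr"
  crt_file="${keybase_path}/intermediate.crt"
  # Intermediate key is generated inside Vault; only the CSR is exported.
  vault write pki_int/intermediate/generate/internal \
    common_name="Vault Intermediate Authority" \
    -format=json | jq -r '.data.csr' > "${csr_file}"
  # Sign with the root, then install the signed cert on the intermediate mount.
  vault write pki/root/sign-intermediate csr=@"${csr_file}" \
    format=pem_bundle ttl=43800h \
    -format=json | jq -r '.data.certificate' > "${crt_file}"
  vault write pki_int/intermediate/set-signed certificate=@"${crt_file}"
else
  echo "Using existing intermediate CA."
fi
vault write pki_int/config/urls \
  issuing_certificates="$VAULT_ADDR/v1/pki_int/ca" \
  crl_distribution_points="$VAULT_ADDR/v1/pki_int/crl"

# Leaf certificates for philips.dev and its subdomains only, capped at 30 days.
vault write pki_int/roles/philips-dot-dev \
  allowed_domains="philips.dev" \
  allow_subdomains=true \
  max_ttl=720h

# Seal again so the unseal keys are required before anything can be read.
# The root token is re-read for this one command only (the scoped ca token is
# presumably not allowed to seal - check policies/ca-policy.hcl).
# NOTE(review): if any step above fails, set -e exits here without sealing.
VAULT_TOKEN=$(get_root_token "$keybase_path") vault operator seal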