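#!/bin/sh
# Idempotently provision a Vault transit secrets engine and one named transit
# key.  This file is a Go template: the [[ ... ]] actions (.vault.root,
# .instance, .vault.transit.params) are rendered before the script runs.
#
# Requires `vault` (addressed/authenticated through its usual environment)
# and `jq` on PATH.

set -eu
# pipefail is not POSIX; enable it only where the shell supports it so the
# script still starts under dash/ash instead of dying on `set -o pipefail`.
(set -o pipefail 2>/dev/null) && set -o pipefail

# Scratch directory (currently unreferenced below); removed on any exit so a
# run never leaves it behind.
TMP=$(mktemp -d)
trap 'rm -rf -- "${TMP:?}"' EXIT

# Mount path of the transit engine and the key underneath it.
TRANSIT_PATH="[[ .vault.root ]]transit"
KEY_PATH="${TRANSIT_PATH}/keys/[[ .instance ]]"

# What is mounted at the path right now: "transit" when already set up, "null"
# when nothing is mounted there, anything else when the path is taken by a
# different engine.  Failing to list the mounts is reported and fatal rather
# than being mistaken for "not mounted yet".
mount_type=$(vault secrets list -format json \
  | jq -r '.["[[ .vault.root | regexp.Replace "^/" "" ]]transit/"].type') || {
  printf 'Unable to list Vault secrets engines\n' >&2
  exit 1
}

case "$mount_type" in
  transit)
    printf 'Secret engine already mounted at %s\n' "$TRANSIT_PATH"
    ;;
  null|'')
    # Enable the transit engine
    printf 'Mounting new transit secret engine at %s\n' "$TRANSIT_PATH"
    vault secrets enable -path="$TRANSIT_PATH" transit
    ;;
  *)
    printf 'Path %s is already in use by a %s secrets engine\n' \
      "$TRANSIT_PATH" "$mount_type" >&2
    exit 1
    ;;
esac

# Create the key only when it does not exist yet.
if ! vault read "$KEY_PATH" > /dev/null 2>&1; then
  printf 'Creating transit key %s\n' "$KEY_PATH"
  # Each key parameter is rendered as its own quoted continuation line, so an
  # empty .vault.transit.params yields a plain `vault write "$KEY_PATH"` and
  # values containing spaces are passed as one argument.
  vault write "$KEY_PATH"
  [[- range $k, $v := .vault.transit.params ]] \
    "[[ $k ]]=[[ $v ]]"
  [[- end ]]
else
  printf 'Transit key %s is already configured\n' "$KEY_PATH"
fi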