92 lines
3.0 KiB
Bash
92 lines
3.0 KiB
Bash
#!/bin/sh
|
|
|
|
# vim: syntax=sh
|
|
|
|
set -euo pipefail
|
|
|
|
TMP=$(mktemp -d)
|
|
|
|
INITIAL_SETUP=false
|
|
if [ "$(vault secrets list -format json | jq -r '.["[[ .vault.pki.path | regexp.Replace "^/" "" ]]/"].type')" != "pki" ]; then
|
|
INITIAL_SETUP=true
|
|
fi
|
|
|
|
if [ "${INITIAL_SETUP}" = "true" ]; then
|
|
# Enable the secret engine
|
|
echo "Mounting new PKI secret engine at [[ .vault.pki.path ]]"
|
|
vault secrets enable -path=[[ .vault.pki.path ]] pki
|
|
else
|
|
echo "Secret engine already mounted at [[ .vault.pki.path ]]"
|
|
fi
|
|
|
|
# Configure max-lease-ttl
|
|
echo "Tune PKI secret engine"
|
|
[[- if has .vault.pki "ttl" ]]
|
|
vault secrets tune -max-lease-ttl=[[ .vault.pki.ttl ]] [[ .vault.pki.path ]]
|
|
[[- end ]]
|
|
|
|
# Configure PKI URLs
|
|
echo "Configure URL endpoints"
|
|
vault write [[ .vault.pki.path ]]/config/urls \
|
|
issuing_certificates="${VAULT_ADDR}/v1/[[ .vault.pki.path | regexp.Replace "^/" "" ]]/ca" \
|
|
crl_distribution_points="${VAULT_ADDR}/v1/[[ .vault.pki.path | regexp.Replace "^/" "" ]]/crl" \
|
|
ocsp_servers="${VAULT_ADDR}/v1/[[ .vault.pki.path | regexp.Replace "^/" "" ]]/ocsp"
|
|
|
|
vault write [[ .vault.pki.path ]]/config/cluster \
|
|
path="${VAULT_ADDR}/v1[[ .vault.pki.path ]]"
|
|
|
|
vault write [[ .vault.pki.path ]]/config/crl \
|
|
auto_rebuild=true \
|
|
enable_delta=true
|
|
|
|
# Configure tidy
|
|
echo "Configure auto tidy for the PKI"
|
|
vault write [[ .vault.pki.path ]]/config/auto-tidy \
|
|
enabled=true \
|
|
tidy_cert_store=true \
|
|
tidy_expired_issuers=true \
|
|
tidy_revocation_queue=true \
|
|
tidy_revoked_cert_issuer_associations=true \
|
|
tidy_revoked_certs=true \
|
|
tidy_acme=true \
|
|
tidy_cross_cluster_revoked_certs=true \
|
|
tidy_move_legacy_ca_bundle=true \
|
|
maintain_stored_certificate_counts=true
|
|
|
|
if [ "${INITIAL_SETUP}" = "true" ]; then
|
|
# Generate an internal CA
|
|
echo "Generating an internal CA"
|
|
vault write -format=json [[ .vault.pki.path ]]/intermediate/generate/internal \
|
|
common_name="[[ if has .vault.pki "common_name" ]][[ .vault.pki.common_name ]][[ else ]][[ path.Base .vault.pki.path ]] Certificate Authority[[ end ]]" \
|
|
[[- if has .vault.pki "ttl" ]]
|
|
ttl="[[ .vault.pki.ttl ]]" \
|
|
[[- end ]]
|
|
organization="[[ .vault.pki.organization ]]" \
|
|
ou="[[ .vault.pki.ou ]]" \
|
|
locality="[[ .vault.pki.locality ]]" \
|
|
key_type=[[ .vault.pki.key_type ]] \
|
|
key_bits=[[ .vault.pki.key_bits ]] \
|
|
| jq -r '.data.csr' > ${TMP}/[[ path.Base .vault.pki.path ]].csr
|
|
|
|
[[ if has .vault.pki "issuer" ]]
|
|
|
|
# Sign this PKI with a root PKI
|
|
echo "Signing the new CA with the authority from [[ .vault.pki.issuer ]]"
|
|
vault write -format=json [[ .vault.pki.issuer ]]/root/sign-intermediate \
|
|
csr=@${TMP}/[[ path.Base .vault.pki.path ]].csr \
|
|
format=pem_bundle \
|
|
ttl="[[ .vault.pki.ttl ]]" \
|
|
| jq -r '.data.certificate' > ${TMP}/[[ path.Base .vault.pki.path ]].crt
|
|
|
|
# Update the intermediate CA with the signed one
|
|
echo "Update the new CA with the signed version"
|
|
vault write [[ .vault.pki.path ]]/intermediate/set-signed \
|
|
certificate=@${TMP}/[[ path.Base .vault.pki.path ]].crt
|
|
|
|
[[ end ]]
|
|
fi
|
|
|
|
# Remove temp files
|
|
echo "Cleaning temp files"
|
|
rm -rf ${TMP}
|