#!/bin/sh

set -e

[[- $c := merge .elasticsearch.server .elasticsearch .]]
[[ template "common/vault.mkpki.sh.tpl" $c ]]

vault write [[ $c.vault.pki.path ]]/roles/server \
  allowed_domains="[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]" \
  allow_bare_domains=true \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=720h