elasticsearch/example/init/elasticsearch-vault-pki

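#!/bin/sh
# vim: syntax=sh
#
# Bootstrap the Elasticsearch PKI secret engine in Vault.
#
# Intended to be idempotent so it can run on every start of the init
# container:
#   * mounts pki/elasticsearch if it is not mounted yet;
#   * on every run (re)applies engine tuning, URL/CRL/cluster/auto-tidy
#     configuration and the "server" role, so drift is corrected on restart;
#   * generates an intermediate CA (private key never leaves Vault) and has it
#     signed by the root PKI at pki/root, but only while the mount has no
#     issuer. Testing for an issuer rather than for the mount means a run that
#     died between generate and set-signed is repaired by the next run instead
#     of being skipped forever.
#
# Required environment:
#   VAULT_ADDR  - Vault address. It is also embedded in the issuing/CRL/OCSP
#                 URLs of every certificate, so it must be reachable by the TLS
#                 clients that validate those URLs, not only by this script.
#   Vault CLI credentials (VAULT_TOKEN or another CLI auth source) allowed to
#   manage sys/mounts, pki/elasticsearch/* and pki/root/root/sign-intermediate.
# Required tools: vault, jq.
set -eu
# pipefail is not POSIX; enable it where the shell has it. The subshell probe
# keeps shells that reject the option from aborting on the `set` itself.
# No pipeline below carries a Vault result anyway: Vault output is captured
# into a variable first so that `-e` aborts the script on a failed call.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

readonly PKI_PATH="pki/elasticsearch"
readonly ROOT_PKI_PATH="pki/root"
# 131400h = 15 years: lifetime of the intermediate CA and the engine's max
# lease TTL. The tune must be applied before the CA is generated, otherwise
# the requested CA ttl is capped by the engine's default max TTL.
readonly CA_TTL="131400h"
# Leaf certificates issued through the "server" role live at most 30 days.
readonly LEAF_MAX_TTL="720h"

die() { printf '%s\n' "$*" >&2; exit 1; }
log() { printf '%s\n' "$*"; }

for tool in vault jq; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done
: "${VAULT_ADDR:?VAULT_ADDR must be set; it is embedded in the issuing/CRL/OCSP URLs}"

# Scratch directory for the CSR and the signed certificate (both public data;
# the CA private key stays inside Vault). Removed on every exit path.
TMP=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${TMP:?}"; }
trap cleanup EXIT

# Mount the PKI engine at ${PKI_PATH} unless a pki engine is already there.
ensure_mounted() {
  mounts_json=$(vault secrets list -format=json)
  # `vault secrets list` ran as a plain assignment above on purpose: inside an
  # `if` condition `-e` is suppressed, and an unreachable/unauthenticated Vault
  # would silently be mistaken for "not mounted yet".
  mount_type=$(printf '%s' "${mounts_json}" | jq -r --arg p "${PKI_PATH}/" '.[$p].type')
  if [ "${mount_type}" != "pki" ]; then
    log "Mounting new PKI secret engine at ${PKI_PATH}"
    vault secrets enable -path="${PKI_PATH}" pki
  else
    log "Secret engine already mounted at ${PKI_PATH}"
  fi
}

# Engine-level settings that are safe to re-apply on every run.
configure_engine() {
  log "Tune PKI secret engine"
  vault secrets tune -max-lease-ttl="${CA_TTL}" "${PKI_PATH}"

  log "Configure URL endpoints"
  vault write "${PKI_PATH}/config/urls" \
    issuing_certificates="${VAULT_ADDR}/v1/${PKI_PATH}/ca" \
    crl_distribution_points="${VAULT_ADDR}/v1/${PKI_PATH}/crl" \
    ocsp_servers="${VAULT_ADDR}/v1/${PKI_PATH}/ocsp"
  vault write "${PKI_PATH}/config/cluster" \
    path="${VAULT_ADDR}/v1/${PKI_PATH}"
  # Rebuild the CRL automatically and publish delta CRLs between rebuilds so
  # revocations become visible to relying parties without a manual rotate.
  vault write "${PKI_PATH}/config/crl" \
    auto_rebuild=true \
    enable_delta=true

  log "Configure auto tidy for the PKI"
  vault write "${PKI_PATH}/config/auto-tidy" \
    enabled=true \
    tidy_cert_store=true \
    tidy_expired_issuers=true \
    tidy_revocation_queue=true \
    tidy_revoked_cert_issuer_associations=true \
    tidy_revoked_certs=true \
    tidy_acme=true \
    tidy_cross_cluster_revoked_certs=true \
    tidy_move_legacy_ca_bundle=true \
    maintain_stored_certificate_counts=true
}

# True when ${PKI_PATH} already holds at least one issuer, i.e. set-signed
# completed on an earlier run. LIST .../issuers exits non-zero while the mount
# has no issuers; jq -e then exits non-zero on the empty input, so the test is
# false even without pipefail.
ca_is_configured() {
  vault list -format=json "${PKI_PATH}/issuers" 2>/dev/null \
    | jq -e 'length > 0' >/dev/null 2>&1
}

# Generate the intermediate CA inside Vault and have the root PKI sign it.
# If this fails after generate/internal succeeded, an unused key may be left
# behind in the mount; the next run generates a fresh one and continues.
bootstrap_ca() {
  log "Generating an internal CA"
  # generate/internal keeps the private key in Vault; only the CSR is returned.
  csr_json=$(vault write -format=json "${PKI_PATH}/intermediate/generate/internal" \
    common_name="elasticsearch Certificate Authority" \
    ttl="${CA_TTL}" \
    organization="ACME Corp" \
    ou="Elasticsearch Cluster" \
    locality="FooBar Ville" \
    key_type=rsa \
    key_bits=4096)
  printf '%s' "${csr_json}" | jq -re '.data.csr' > "${TMP}/elasticsearch.csr" \
    || die "Vault returned no CSR for ${PKI_PATH}"

  log "Signing the new CA with the authority from ${ROOT_PKI_PATH}"
  # NOTE(review): the requested ttl equals CA_TTL; whether the root issuer
  # clamps or rejects a ttl beyond its own expiry depends on its
  # leaf_not_after_behavior setting - confirm against the root PKI's config.
  signed_json=$(vault write -format=json "${ROOT_PKI_PATH}/root/sign-intermediate" \
    csr=@"${TMP}/elasticsearch.csr" \
    format=pem_bundle \
    ttl="${CA_TTL}")
  printf '%s' "${signed_json}" | jq -re '.data.certificate' > "${TMP}/elasticsearch.crt" \
    || die "Vault returned no certificate from ${ROOT_PKI_PATH}"

  log "Update the new CA with the signed version"
  vault write "${PKI_PATH}/intermediate/set-signed" \
    certificate=@"${TMP}/elasticsearch.crt"
}

# Role used by Elasticsearch nodes to request their TLS certificates.
# - server_flag and client_flag are both set, presumably so one certificate
#   serves a node as TLS server and as mTLS client on the transport layer -
#   confirm this matches the cluster's TLS layout.
# - allow_ip_sans=true lets a requester put any IP address in the SAN list;
#   the only control on that is the Vault policy granting `issue` on this role.
# - allow_localhost=false and allow_wildcard_certificates=false stop a leaked
#   node token from minting a certificate valid for every host in the domain.
# - No default ttl is set, so requests without a ttl get Vault's default,
#   bounded by max_ttl.
write_server_role() {
  log "Writing role ${PKI_PATH}/roles/server"
  vault write "${PKI_PATH}/roles/server" \
    allowed_domains="elasticsearch.service.consul" \
    allow_bare_domains=true \
    allow_subdomains=true \
    allow_localhost=false \
    allow_ip_sans=true \
    server_flag=true \
    client_flag=true \
    allow_wildcard_certificates=false \
    max_ttl="${LEAF_MAX_TTL}"
}

main() {
  ensure_mounted
  configure_engine
  if ca_is_configured; then
    log "CA already configured at ${PKI_PATH}, skipping generation"
  else
    bootstrap_ca
  fi
  write_server_role
}

main "$@"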