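#!/usr/bin/env bash
# vim: syntax=sh
#
# Provision the "pki/monitoring" PKI secrets engine in Vault and the roles
# that depend on it (alertmanager, prometheus, loki, metrics exporters), plus
# client roles on the existing pki/nomad and pki/consul engines.
#
# Required environment:
#   VAULT_ADDR  base URL of the Vault server. It is embedded in the issued
#               certificates' AIA / CRL / OCSP URLs, so it must be the address
#               that certificate consumers can reach.
# Also relies on the vault CLI's normal authentication (token helper or
# VAULT_TOKEN) and on `jq` being on PATH.
#
# Re-runnable: the engine is mounted and the intermediate CA generated and
# signed only when "pki/monitoring/" is not yet a pki mount; tuning, URL
# configuration, tidy settings and roles are (re)applied on every run.
#
# bash rather than /bin/sh: `set -o pipefail` is needed so a failing `vault`
# inside the `vault ... | jq ...` pipelines aborts the script instead of
# writing an empty CSR/certificate, and many /bin/sh implementations lack it.
set -euo pipefail

: "${VAULT_ADDR:?VAULT_ADDR must be set (used in the PKI URL configuration)}"

TMP=$(mktemp -d)

# Remove the scratch directory (CSR and signed certificate) on every exit
# path, including failures. `${TMP:?}` makes an empty TMP abort instead of
# expanding to `rm -rf /`.
cleanup() {
  echo "Cleaning temp files"
  rm -rf -- "${TMP:?}"
}
trap cleanup EXIT

INITIAL_SETUP=false
if [ "$(vault secrets list -format json | jq -r '.["pki/monitoring/"].type')" != "pki" ]; then
  INITIAL_SETUP=true
fi

if [ "${INITIAL_SETUP}" = "true" ]; then
  # Enable the secret engine
  echo "Mounting new PKI secret engine at pki/monitoring"
  vault secrets enable -path=pki/monitoring pki
else
  echo "Secret engine already mounted at pki/monitoring"
fi

# Configure max-lease-ttl
echo "Tune PKI secret engine"
vault secrets tune -max-lease-ttl=131400h pki/monitoring

# Configure PKI URLs
echo "Configure URL endpoints"
vault write pki/monitoring/config/urls \
  issuing_certificates="${VAULT_ADDR}/v1/pki/monitoring/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/pki/monitoring/crl" \
  ocsp_servers="${VAULT_ADDR}/v1/pki/monitoring/ocsp"

# Cluster path must point at the same mount as the URLs above; the previous
# value was missing the slash between "v1" and "pki".
vault write pki/monitoring/config/cluster \
  path="${VAULT_ADDR}/v1/pki/monitoring"

vault write pki/monitoring/config/crl \
  auto_rebuild=true \
  enable_delta=true

# Configure tidy
echo "Configure auto tidy for the PKI"
vault write pki/monitoring/config/auto-tidy \
  enabled=true \
  tidy_cert_store=true \
  tidy_expired_issuers=true \
  tidy_revocation_queue=true \
  tidy_revoked_cert_issuer_associations=true \
  tidy_revoked_certs=true \
  tidy_acme=true \
  tidy_cross_cluster_revoked_certs=true \
  tidy_move_legacy_ca_bundle=true \
  maintain_stored_certificate_counts=true

if [ "${INITIAL_SETUP}" = "true" ]; then
  # Generate an internal CA. The private key never leaves Vault; only the
  # CSR is written to the scratch directory.
  echo "Generating an internal CA"
  vault write -format=json pki/monitoring/intermediate/generate/internal \
    common_name="monitoring Certificate Authority" \
    ttl="131400h" \
    organization="ACME Corp" \
    ou="Monitoring" \
    locality="FooBar Ville" \
    key_type=rsa \
    key_bits=4096 \
    | jq -r '.data.csr' > "${TMP}/monitoring.csr"

  # Sign this PKI with a root PKI
  echo "Signing the new CA with the authority from pki/root"
  vault write -format=json pki/root/root/sign-intermediate \
    csr=@"${TMP}/monitoring.csr" \
    format=pem_bundle \
    ttl="131400h" \
    | jq -r '.data.certificate' > "${TMP}/monitoring.crt"

  # Update the intermediate CA with the signed one
  echo "Update the new CA with the signed version"
  vault write pki/monitoring/intermediate/set-signed \
    certificate=@"${TMP}/monitoring.crt"
fi

# Create a role for alertmanager (server and client: it is scraped and also
# talks to its peers)
vault write pki/monitoring/roles/alertmanager \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="Monitoring"

# Create a role for prometheus (which will only be a client, for AlertManager)
vault write pki/monitoring/roles/prometheus \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="Monitoring"

# Create a role for loki (which will only be a client, for AlertManager)
vault write pki/monitoring/roles/loki \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="Monitoring"

# Create a role for metrics exporters (server only). Short-lived and
# no_store=true: these leaf certs are not kept in Vault's cert store.
vault write pki/monitoring/roles/metrics \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=false \
  allow_wildcard_certificates=false \
  require_cn=false \
  max_ttl=72h \
  no_store=true \
  ou="Monitoring"

# Create a role on the Nomad PKI for the cluster exporter
vault write pki/nomad/roles/cluster-exporter \
  allowed_domains='nomad.consul' \
  allow_subdomains=true \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Create a role on the Consul PKI for the cluster exporter
vault write pki/consul/roles/cluster-exporter \
  allowed_domains="consul.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Create a role on the Nomad PKI for nomad-vector-logger
vault write pki/nomad/roles/nomad-vector-logger \
  allowed_domains='nomad-vector-logger.nomad.consul' \
  allow_bare_domains=true \
  allow_subdomains=false \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Nomad Vector Logger"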