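#!/bin/sh
#
# Provision the Vault PKI roles used by the monitoring stack.
#
# This file is a template: the `[[ ... ]]` spans are expanded by the
# templating engine before the script runs. Values it consumes:
#   .monitoring        merged over the current context into $c
#   $c.vault.pki.path  mount path of the monitoring PKI
#   $c.vault.pki.ou    OU placed in the monitoring certificates
#   .instance, .consul.domain, .consul.suffix  naming of the instance
#
# Every `vault write` below declares one role and nothing else, so the
# script is idempotent: re-running it overwrites each role with the same
# definition.

set -eu
# pipefail is not accepted by every /bin/sh (older dash rejects it and a
# plain `set -o pipefail` would abort the script); enable it only when the
# running shell supports it.
if (set -o pipefail) 2>/dev/null; then
  set -o pipefail
fi

[[ $c := merge .monitoring . ]]

# Shared PKI bootstrap (mount, issuing CA, ...) for the monitoring PKI.
[[ template "common/vault.mkpki.sh" $c ]]

# Role for alertmanager: server and client certificate under the instance
# domain. IP SANs are allowed because peers may be addressed by IP.
vault write "[[ $c.vault.pki.path ]]/roles/alertmanager[[ .consul.suffix ]]" \
  allowed_domains="[[ .instance ]].[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="[[ $c.vault.pki.ou ]]"

# Role for prometheus: client-only certificate (used to reach AlertManager).
# No IP SANs and no server usage, so the cert cannot be repurposed to serve.
vault write "[[ $c.vault.pki.path ]]/roles/prometheus[[ .consul.suffix ]]" \
  allowed_domains="[[ .instance ]].[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="[[ $c.vault.pki.ou ]]"

# Role for loki: client-only certificate (used to reach AlertManager),
# same restrictions as the prometheus role.
vault write "[[ $c.vault.pki.path ]]/roles/loki[[ .consul.suffix ]]" \
  allowed_domains="[[ .instance ]].[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="[[ $c.vault.pki.ou ]]"

# Role for metrics exporters: server-only certificate.
# no_store=true keeps issued certificates out of Vault storage, so they
# cannot be revoked through Vault; the shorter max_ttl (72h) bounds how long
# a leaked exporter certificate stays usable. require_cn=false allows
# SAN-only requests from exporters that do not set a CN.
vault write "[[ $c.vault.pki.path ]]/roles/metrics[[ .consul.suffix ]]" \
  allowed_domains="[[ .instance ]].[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=false \
  allow_wildcard_certificates=false \
  require_cn=false \
  max_ttl=72h \
  no_store=true \
  ou="[[ $c.vault.pki.ou ]]"

# Role on the Nomad PKI for the cluster exporter: client-only certificate
# under the nomad domain.
vault write "pki/nomad/roles/cluster-exporter[[ .consul.suffix ]]" \
  allowed_domains='nomad.[[ .consul.domain ]]' \
  allow_subdomains=true \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Role on the Consul PKI for the cluster exporter: client-only certificate
# under the consul domain. allow_ip_sans=false is set explicitly to match
# the Nomad cluster-exporter role above (Vault's default would permit IP SANs).
vault write "pki/consul/roles/cluster-exporter[[ .consul.suffix ]]" \
  allowed_domains="consul.[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Role on the Nomad PKI for nomad-vector-logger: client-only certificate
# pinned to its exact hostname (bare domain allowed, no subdomains).
vault write "pki/nomad/roles/nomad-vector-logger[[ .consul.suffix ]]" \
  allowed_domains='nomad-vector-logger[[ .consul.suffix ]].nomad.[[ .consul.domain ]]' \
  allow_bare_domains=true \
  allow_subdomains=false \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Nomad Vector Logger"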