
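#!/usr/bin/env bash
# Vault PKI bootstrap for the monitoring stack.
#
# This file is a template: the [[ ... ]] directives are expanded by the
# templating layer before the resulting script is executed. The template
# context provides .instance and .consul.domain, plus the .monitoring block
# merged into $c, from which $c.vault.pki.path and $c.vault.pki.ou are read.
# "common/vault.mkpki.sh" is included first (presumably it sets up the PKI
# mount itself — confirm in that file).
#
# Each `vault write` below creates or updates one PKI role. Roles are kept
# narrow on purpose: every role refuses bare-domain and wildcard certificates,
# and server_flag/client_flag are set explicitly so a role can only be used
# for the side of the TLS handshake it is meant for.
#
# `set -o pipefail` is a bash option (absent from dash/ash), so this script
# must run under bash, not /bin/sh.
set -euo pipefail
[[ $c := merge .monitoring . ]]
[[ template "common/vault.mkpki.sh" $c ]]

# Alertmanager: both server (its HTTPS listener) and client (peer/cluster
# traffic), IP SANs allowed.
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-alertmanager \
  allowed_domains="[[ .instance ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="[[ $c.vault.pki.ou ]]"

# Prometheus: client only (it talks to Alertmanager), no IP SANs.
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-prometheus \
  allowed_domains="[[ .instance ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="[[ $c.vault.pki.ou ]]"

# Metrics exporters: server only, shorter TTL. require_cn=false lets exporters
# request SAN-only certificates; no_store=true keeps these short-lived,
# high-volume leaf certificates out of Vault's storage.
vault write [[ $c.vault.pki.path ]]/roles/metrics \
  allowed_domains="[[ .instance ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=false \
  allow_wildcard_certificates=false \
  require_cn=false \
  max_ttl=72h \
  no_store=true \
  ou="[[ $c.vault.pki.ou ]]"

# Cluster exporter on the Nomad PKI: client only. allow_bare_domains=false is
# Vault's default; it is spelled out here to match the other roles.
vault write pki/nomad/roles/[[ .instance ]]-cluster-exporter \
  allowed_domains="nomad.[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Cluster exporter on the Consul PKI: client only. The parameters are
# server_flag/client_flag (singular); Vault does not recognise the plural
# spelling, which would leave both flags at their defaults (both true) and
# let this role issue server certificates.
vault write pki/consul/roles/[[ .instance ]]-cluster-exporter \
  allowed_domains="consul.[[ .consul.domain ]]" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"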