70 lines
2.0 KiB
Bash
Executable File
70 lines
2.0 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
set -euo pipefail
|
|
|
|
[[ $c := merge .monitoring . ]]
|
|
[[ template "common/vault.mkpki.sh" $c ]]
|
|
|
|
# Create a role for alertmanager
|
|
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-alertmanager \
|
|
allowed_domains="[[ .instance ]]" \
|
|
allow_bare_domains=false \
|
|
allow_subdomains=true \
|
|
allow_localhost=false \
|
|
allow_ip_sans=true \
|
|
server_flag=true \
|
|
client_flag=true \
|
|
allow_wildcard_certificates=false \
|
|
max_ttl=100h \
|
|
ou="[[ $c.vault.pki.ou ]]"
|
|
|
|
# Create a role for prometheus (which will only be a client, for AlertManager)
|
|
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-prometheus \
|
|
allowed_domains="[[ .instance ]]" \
|
|
allow_bare_domains=false \
|
|
allow_subdomains=true \
|
|
allow_localhost=false \
|
|
allow_ip_sans=false \
|
|
server_flag=false \
|
|
client_flag=true \
|
|
allow_wildcard_certificates=false \
|
|
max_ttl=100h \
|
|
ou="[[ $c.vault.pki.ou ]]"
|
|
|
|
# Create a role for metrics exporters (server only)
|
|
vault write [[ $c.vault.pki.path ]]/roles/metrics \
|
|
allowed_domains="[[ .instance ]]" \
|
|
allow_bare_domains=false \
|
|
allow_subdomains=true \
|
|
allow_localhost=false \
|
|
allow_ip_sans=true \
|
|
server_flag=true \
|
|
client_flag=false \
|
|
allow_wildcard_certificates=false \
|
|
require_cn=false \
|
|
max_ttl=72h \
|
|
no_store=true \
|
|
ou="[[ $c.vault.pki.ou ]]"
|
|
|
|
# Create a role on the Nomad PKI for the cluster exporter
|
|
vault write pki/nomad/roles/[[ .instance ]]-cluster-exporter \
|
|
allowed_domains='nomad.[[ .consul.domain ]]' \
|
|
allow_subdomains=true \
|
|
allow_wildcard_certificates=false \
|
|
max_ttl=168h \
|
|
allow_ip_sans=false \
|
|
server_flag=false \
|
|
client_flag=true \
|
|
ou="Cluster metrics exporter"
|
|
|
|
# Create a role on the Consul PKI for the cluster exporter
|
|
vault write pki/consul/roles/[[ .instance ]]-cluster-exporter \
|
|
allowed_domains="consul.[[ .consul.domain ]]" \
|
|
allow_bare_domains=false \
|
|
allow_subdomains=true \
|
|
allow_wildcard_certificates=false \
|
|
max_ttl=168h \
|
|
server_flags=false \
|
|
client_flags=true \
|
|
ou="Cluster metrics exporter"
|