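#!/usr/bin/env bash
# vim: syntax=sh
#
# Provision the "pki/monitoring" PKI secrets engine in Vault:
#   - mount it and sign it as an intermediate of pki/root (first run only),
#   - tune TTLs, AIA/CRL/OCSP URLs, CRL rebuild and auto-tidy (every run),
#   - (re)define the issuing roles used by the monitoring stack (every run).
# The script is idempotent: the mount and the CA are created once, the
# configuration and roles are re-applied on each run.
#
# Required environment: VAULT_ADDR, plus a Vault token (VAULT_TOKEN or
# ~/.vault-token, resolved by the vault CLI) allowed to write to pki/monitoring,
# pki/root/root/sign-intermediate, pki/nomad/roles/* and pki/consul/roles/*.
# Requires the vault, jq and mktemp binaries.
#
# "set -o pipefail" is not supported by every /bin/sh (e.g. older dash), and
# it is what makes a failing "vault write | jq" abort the script, so bash is
# targeted explicitly.
set -euo pipefail

# Fail early with a readable message rather than an unset-variable error later.
: "${VAULT_ADDR:?VAULT_ADDR must be set}"

# Scratch directory for the CSR / signed certificate exchanged with pki/root.
# Only public material is written here (the CA private key never leaves Vault,
# see intermediate/generate/internal below), but remove it on every exit path,
# including failures aborted by set -e.
TMP=$(mktemp -d)
cleanup() { rm -rf -- "${TMP:?}"; }
trap cleanup EXIT

# Detect whether the engine is already mounted. The listing is captured first
# so that a failing "vault secrets list" (no token, unreachable server) aborts
# under set -e instead of being misread as "not mounted yet", which would
# otherwise make the script try to enable and re-sign the CA.
INITIAL_SETUP=false
MOUNTS=$(vault secrets list -format=json)
MOUNT_TYPE=$(printf '%s' "${MOUNTS}" | jq -r '.["pki/monitoring/"].type')
if [ "${MOUNT_TYPE}" != "pki" ]; then
  INITIAL_SETUP=true
fi

if [ "${INITIAL_SETUP}" = "true" ]; then
  # Enable the secret engine
  echo "Mounting new PKI secret engine at pki/monitoring"
  vault secrets enable -path=pki/monitoring pki
else
  echo "Secret engine already mounted at pki/monitoring"
fi
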
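# Configure max-lease-ttl
# 131400h (~15 years) is the ceiling for anything issued from this mount,
# including the intermediate CA certificate itself, which is signed with the
# same TTL during initial setup. Leaf certificates are capped far lower by the
# per-role max_ttl values.
echo "Tune PKI secret engine"
vault secrets tune -max-lease-ttl=131400h pki/monitoring

# Configure PKI URLs
# AIA / CRL / OCSP pointers embedded in every issued certificate. They are
# derived from VAULT_ADDR, so VAULT_ADDR must be the address that certificate
# validators can reach, not a local tunnel or a loopback address.
echo "Configure URL endpoints"
vault write pki/monitoring/config/urls \
  issuing_certificates="${VAULT_ADDR}/v1/pki/monitoring/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/pki/monitoring/crl" \
  ocsp_servers="${VAULT_ADDR}/v1/pki/monitoring/ocsp"

# Externally reachable base path of this mount (Vault uses it to build ACME
# directory and templated AIA URLs). It has to match the URLs above: note the
# "/" between "v1" and "pki", which was previously missing.
vault write pki/monitoring/config/cluster \
  path="${VAULT_ADDR}/v1/pki/monitoring"

# Rebuild the CRL periodically before it expires rather than only on
# revocation, and publish delta CRLs in between so revocations propagate
# without waiting for the next full rebuild.
vault write pki/monitoring/config/crl \
  auto_rebuild=true \
  enable_delta=true

# Configure tidy
# Periodic cleanup of expired certificates and revocation entries keeps the
# mount's storage and the CRL from growing without bound.
echo "Configure auto tidy for the PKI"
vault write pki/monitoring/config/auto-tidy \
  enabled=true \
  tidy_cert_store=true \
  tidy_expired_issuers=true \
  tidy_revocation_queue=true \
  tidy_revoked_cert_issuer_associations=true \
  tidy_revoked_certs=true \
  tidy_acme=true \
  tidy_cross_cluster_revoked_certs=true \
  tidy_move_legacy_ca_bundle=true \
  maintain_stored_certificate_counts=true
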
|
if [ "${INITIAL_SETUP}" = "true" ]; then
|
|
# Generate an internal CA
|
|
echo "Generating an internal CA"
|
|
vault write -format=json pki/monitoring/intermediate/generate/internal \
|
|
common_name="monitoring Certificate Authority" \
|
|
ttl="131400h" \
|
|
organization="ACME Corp" \
|
|
ou="Monitoring" \
|
|
locality="FooBar Ville" \
|
|
key_type=rsa \
|
|
key_bits=4096 \
|
|
| jq -r '.data.csr' > ${TMP}/monitoring.csr
|
|
|
|
|
|
|
|
# Sign this PKI with a root PKI
|
|
echo "Signing the new CA with the authority from pki/root"
|
|
vault write -format=json pki/root/root/sign-intermediate \
|
|
csr=@${TMP}/monitoring.csr \
|
|
format=pem_bundle \
|
|
ttl="131400h" \
|
|
| jq -r '.data.certificate' > ${TMP}/monitoring.crt
|
|
|
|
# Update the intermediate CA with the signed one
|
|
echo "Update the new CA with the signed version"
|
|
vault write pki/monitoring/intermediate/set-signed \
|
|
certificate=@${TMP}/monitoring.crt
|
|
|
|
|
|
fi
|
|
|
|
# Remove temp files
|
|
echo "Cleaning temp files"
|
|
rm -rf ${TMP}
|
|
|
|
|
|
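# Issuing roles. Each one pins certificates to <name>.monitoring.consul (no
# bare "monitoring.consul", no wildcards, no localhost) and caps the lifetime
# with max_ttl so a leaked key stays usable only for a few days.

# Create a role for alertmanager
# Both server and client: it serves its API and also calls back to peers.
vault write pki/monitoring/roles/alertmanager \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="Monitoring"

# Create a role for prometheus (which will only be a client, for AlertManager)
vault write pki/monitoring/roles/prometheus \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="Monitoring"

# Create a role for loki (which will only be a client, for AlertManager)
vault write pki/monitoring/roles/loki \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=100h \
  ou="Monitoring"

# Create a role for metrics exporters (server only)
# no_store=true: issued certificates are not kept in Vault, so they cannot be
# listed or revoked and never appear on the CRL/OCSP. That trade-off is only
# acceptable because max_ttl is short (72h); do not raise it without also
# dropping no_store.
vault write pki/monitoring/roles/metrics \
  allowed_domains="monitoring.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=false \
  allow_wildcard_certificates=false \
  require_cn=false \
  max_ttl=72h \
  no_store=true \
  ou="Monitoring"

# Roles on the other PKIs. Vault defaults allow_localhost and allow_ip_sans to
# true, so they are set explicitly here, as in the monitoring roles above: a
# client-only certificate has no use for localhost or IP SANs.

# Create a role on the Nomad PKI for the cluster exporter
vault write pki/nomad/roles/cluster-exporter \
  allowed_domains="nomad.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Create a role on the Consul PKI for the cluster exporter
# Mirrors the Nomad role above; allow_ip_sans was previously left at its
# default (true) here only.
vault write pki/consul/roles/cluster-exporter \
  allowed_domains="consul.consul" \
  allow_bare_domains=false \
  allow_subdomains=true \
  allow_localhost=false \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Cluster metrics exporter"

# Create a role on the Nomad PKI for nomad-vector-logger
# Single fixed name: bare domain allowed, no subdomains.
vault write pki/nomad/roles/nomad-vector-logger \
  allowed_domains="nomad-vector-logger.nomad.consul" \
  allow_bare_domains=true \
  allow_subdomains=false \
  allow_localhost=false \
  allow_wildcard_certificates=false \
  max_ttl=168h \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  ou="Nomad Vector Logger"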