102 lines
2.6 KiB
Bash
Executable File
102 lines
2.6 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
|
|
|
|
#!/bin/sh
|
|
|
|
# vim: syntax=sh
|
|
|
|
set -euo pipefail
|
|
|
|
TMP=$(mktemp -d)
|
|
|
|
INITIAL_SETUP=false
|
|
if [ "$(vault secrets list -format json | jq -r '.["pki/postgres/"].type')" != "pki" ]; then
|
|
INITIAL_SETUP=true
|
|
fi
|
|
|
|
if [ "${INITIAL_SETUP}" = "true" ]; then
|
|
# Enable the secret engine
|
|
echo "Mounting new PKI secret engine at pki/postgres"
|
|
vault secrets enable -path=pki/postgres pki
|
|
else
|
|
echo "Secret engine already mounted at pki/postgres"
|
|
fi
|
|
|
|
# Configure max-lease-ttl
|
|
echo "Tune PKI secret engine"
|
|
vault secrets tune -max-lease-ttl=131400h pki/postgres
|
|
|
|
# Configure PKI URLs
|
|
echo "Configure URL endpoints"
|
|
vault write pki/postgres/config/urls \
|
|
issuing_certificates="${VAULT_ADDR}/v1/pki/postgres/ca" \
|
|
crl_distribution_points="${VAULT_ADDR}/v1/pki/postgres/crl" \
|
|
ocsp_servers="${VAULT_ADDR}/v1/pki/postgres/ocsp"
|
|
|
|
vault write pki/postgres/config/cluster \
|
|
path="${VAULT_ADDR}/v1pki/postgres"
|
|
|
|
vault write pki/postgres/config/crl \
|
|
auto_rebuild=true \
|
|
enable_delta=true
|
|
|
|
# Configure tidy
|
|
echo "Configure auto tidy for the PKI"
|
|
vault write pki/postgres/config/auto-tidy \
|
|
enabled=true \
|
|
tidy_cert_store=true \
|
|
tidy_expired_issuers=true \
|
|
tidy_revocation_queue=true \
|
|
tidy_revoked_cert_issuer_associations=true \
|
|
tidy_revoked_certs=true \
|
|
tidy_acme=true \
|
|
tidy_cross_cluster_revoked_certs=true \
|
|
tidy_move_legacy_ca_bundle=true \
|
|
maintain_stored_certificate_counts=true
|
|
|
|
if [ "${INITIAL_SETUP}" = "true" ]; then
|
|
# Generate an internal CA
|
|
echo "Generating an internal CA"
|
|
vault write -format=json pki/postgres/intermediate/generate/internal \
|
|
common_name="postgres Certificate Authority" \
|
|
ttl="131400h" \
|
|
organization="ACME Corp" \
|
|
ou="Postgres" \
|
|
locality="FooBar Ville" \
|
|
key_type=rsa \
|
|
key_bits=4096 \
|
|
| jq -r '.data.csr' > ${TMP}/postgres.csr
|
|
|
|
|
|
|
|
# Sign this PKI with a root PKI
|
|
echo "Signing the new CA with the authority from pki/root"
|
|
vault write -format=json pki/root/root/sign-intermediate \
|
|
csr=@${TMP}/postgres.csr \
|
|
format=pem_bundle \
|
|
ttl="131400h" \
|
|
| jq -r '.data.certificate' > ${TMP}/postgres.crt
|
|
|
|
# Update the intermediate CA with the signed one
|
|
echo "Update the new CA with the signed version"
|
|
vault write pki/postgres/intermediate/set-signed \
|
|
certificate=@${TMP}/postgres.crt
|
|
|
|
|
|
fi
|
|
|
|
# Remove temp files
|
|
echo "Cleaning temp files"
|
|
rm -rf ${TMP}
|
|
|
|
|
|
vault write pki/postgres/roles/postgres-server \
|
|
allowed_domains="postgres.service.consul" \
|
|
allow_bare_domains=true \
|
|
allow_subdomains=true \
|
|
allow_localhost=false \
|
|
allow_ip_sans=true \
|
|
allow_wildcard_certificates=false \
|
|
max_ttl=72h
|