Merge pull request #20 from mhjacks/mhjacks-vault-pki
Vault PKI initialization
mhjacks authored Jan 6, 2022
2 parents 65700fd + 079f51d commit 8a9496e
Showing 3 changed files with 62 additions and 0 deletions.
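--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 values-secret.yaml
 .*-expected.yaml
 pattern-vault.init
+vault.init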
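--- a/Makefile
+++ b/Makefile
@@ -47,6 +47,7 @@ uninstall:
 
 vault-init:
 common/scripts/vault-utils.sh vault_init common/pattern-vault.init
+common/scripts/vault-utils.sh vault_pki_init common/pattern-vault.init
 
 vault-unseal:
 common/scripts/vault-utils.sh vault_unseal common/pattern-vault.init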
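Review bot: Appending `vault_pki_init` to the existing `vault-init` recipe couples PKI setup to the initialization target, and because `vault_pki_init` unconditionally runs `vault secrets enable pki`, a re-run of `make vault-init` against an already-initialized Vault now fails at that step even if `vault_init` itself copes with an existing `pattern-vault.init`. A separate `vault-pki-init:` target that `vault-init` depends on (or a guard in the script) would keep the two steps independently re-runnable; whether `vault_init` is itself idempotent is not visible here.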
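--- a/scripts/vault-utils.sh
+++ b/scripts/vault-utils.sh
@@ -78,4 +78,64 @@ vault_init()
 vault_unseal $file
 }
 
+# Retrieves the root token specified in the file $1
+vault_get_root_token()
+{
+# Argument is expected to be the text output of the vault operator init command which includes Unseal Keys
+# (5 by default) and a root token.
+if [ -n "$1" ]; then
+file=$1
+else
+file=common/vault.init
+fi
+
+token=`grep "Initial Root Token" $file | awk '{ print $4 }'`
+echo -n $token
+}
+
+# Exec a vault command wrapped with the vault root token specified in the file
+# $1
+vault_token_exec()
+{
+file="$1"
+token=`vault_get_root_token $file`
+shift
+cmd="$@"
+
+oc -n vault exec vault-0 -- bash -c "VAULT_TOKEN=$token $cmd"
+}
+
+oc_get_domain()
+{
+oc get ingresses.config/cluster -o jsonpath={.spec.domain}
+}
+
+oc_get_pki_domain()
+{
+echo -n `oc_get_domain | cut -d. -f3-`
+}
+
+oc_get_pki_role()
+{
+pkidomain=`oc_get_pki_domain`
+certrole=`echo $pkidomain | sed 's|\.|_|g'`
+echo -n $certrole
+}
+
+vault_pki_init()
+{
+file="$1"
+token=`vault_get_root_token $file`
+shift
+
+pkidomain=`oc_get_pki_role`
+pkirole=`oc_get_pki_role`
+
+vault_token_exec $file "vault secrets enable pki"
+vault_token_exec $file "vault secrets tune --max-lease=8760h pki"
+vault_token_exec $file "vault write pki/root/generate/internal common_name=$pkidomain ttl=8760h"
+vault_token_exec $file 'vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"'
+vault_token_exec $file "vault write pki/roles/$pkirole allowed_domains=$pkidomain allow_subdomains=true max_ttl=8760h"
+}
+
 $@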
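Review bot: The `pkidomain=` assignment in `vault_pki_init` calls `oc_get_pki_role` instead of `oc_get_pki_domain`, so the root CA's `common_name` and the role's `allowed_domains` receive the underscore-mangled role name (e.g. `example_com`) rather than the cluster's base domain, and the role will never match a real hostname; that line should call `oc_get_pki_domain`, leaving only `pkirole` to use `oc_get_pki_role`. In `vault_token_exec` the root token is interpolated into the `bash -c` string, which places it in the argv of the process inside the pod (readable via `ps` or `/proc`) and in the exec request the API server records; feeding it over stdin avoids both: `oc -n vault exec -i vault-0 -- bash -c "read -r VAULT_TOKEN; export VAULT_TOKEN; $cmd" <<<"$token"`. The `issuing_certificates`/`crl_distribution_points` URLs point at `127.0.0.1:8200`, which gets embedded in the AIA and CRL distribution point of every issued certificate yet is unreachable from anything outside the Vault pod — presumably the in-cluster service URL was intended. `vault secrets enable pki` fails when the mount already exists, so a second run against a configured Vault aborts at that step unless the enable is guarded by a `vault secrets list` check. Once the domain bug is fixed, `allow_subdomains=true` on the base domain (two labels stripped by `cut -d. -f3-`) lets any holder of write access on that role mint certificates for any host under the organization's domain, not just the cluster's ingress zone — worth confirming that scope is intended.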
