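#!/bin/sh
## NOTE
## tests should be run with venom (tests.yml)
## but this file is still useful for local development
#
# Brings up a throw-away Vault dev server and seeds a PKI secrets engine with
# the fixtures the metrics are checked against: two roles that share a CN but
# differ in OU, one revoked certificate (CRL metrics) and a second,
# non-default issuer (multiple CRLs).
#
# `-dev` mode runs unsealed, in-memory and without TLS, so this is only ever
# for local development, never a real deployment. Kept POSIX sh on purpose
# (no bashisms) so it runs under the alpine image's /bin/sh.

# Abort on the first failed vault command and on any unset variable instead
# of silently carrying on with half-configured PKI state.
set -eu

# Start the Vault server in the background
# vault server -config=/vault/config/config.hcl &
# Bound on 0.0.0.0 so sibling containers can presumably reach it as
# http://vault:8200 (the address used in the pki URL config below).
vault server -dev -dev-listen-address="0.0.0.0:8200" &

# Wait for Vault to start. Bounded so a server that never comes up fails the
# script instead of spinning forever (a background job's failure is not
# caught by set -e).
VAULT_READY_TIMEOUT=60   # seconds
waited=0
while ! vault status > /dev/null 2>&1; do
  if [ "$waited" -ge "$VAULT_READY_TIMEOUT" ]; then
    printf 'vault did not become ready within %ss\n' "$VAULT_READY_TIMEOUT" >&2
    exit 1
  fi
  sleep 1
  waited=$((waited + 1))
done

# https://developer.hashicorp.com/vault/docs/secrets/pki/setup
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal \
  common_name=my-website.com \
  ttl=8760h
vault write pki/config/urls \
  issuing_certificates="http://vault:8200/v1/pki/ca" \
  crl_distribution_points="http://vault:8200/v1/pki/crl"
vault write pki/config/crl expiry="400h"

# make two roles with different OUs to ensure we get metrics for the same CN with different OUs
vault write pki/roles/foo-role \
  allowed_domains=my-website.com \
  allow_subdomains=true \
  max_ttl=72h \
  ou="Foo"
vault write pki/roles/bar-role \
  allowed_domains=my-website.com \
  allow_subdomains=true \
  max_ttl=72h \
  ou="Bar"

# jq is needed to pull the serial out of the JSON response below; only
# install it when the image does not already ship it.
command -v jq > /dev/null 2>&1 || apk add jq

# Test revoking a certificate for CRL metrics
CERT_OUTPUT=$(vault write -format=json pki/issue/foo-role common_name=www.revokme.my-website.com)
# printf + quoting rather than `echo $CERT_OUTPUT`: keeps the JSON intact
# (no word splitting / globbing of the PEM blocks it contains).
CERT_SERIAL=$(printf '%s' "$CERT_OUTPUT" | jq -r '.data.serial_number')
# jq -r prints "null" for a missing key; either way we must not call
# pki/revoke with an empty serial.
if [ -z "$CERT_SERIAL" ] || [ "$CERT_SERIAL" = "null" ]; then
  printf 'could not read .data.serial_number from issued certificate\n' >&2
  exit 1
fi
vault write pki/revoke serial_number="$CERT_SERIAL"

# issue 2 certs with same CNs but different OUs - want metrics for both
vault write pki/issue/foo-role \
  common_name=www.duplicate-ou-cert.my-website.com
vault write pki/issue/bar-role \
  common_name=www.duplicate-ou-cert.my-website.com
# Rotate so the revocation above shows up in the published CRL.
vault read pki/crl/rotate

# make non-default second issuer
# help test getting multiple CRLs
vault write pki/root/generate/internal \
  common_name=mysecondwebsite.com \
  ttl=8760h \
  issuer_name=second
vault write pki/roles/second-role \
  allowed_domains=mysecondwebsite.com \
  allow_subdomains=true \
  max_ttl=72h \
  issuer_ref=second
vault write pki/issue/second-role \
  common_name=www.mysecondwebsite.com

# Keep the foreground process (and with it the backgrounded dev server) alive.
tail -f /dev/null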