updating issuing certs to include issuer

hashicorp · Dec 13, 2024 · 2fab8d2 · 2fab8d2
1 parent 1091351
commit 2fab8d2
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 9 deletions.
diff --git a/enos/modules/verify_secrets_engines/modules/create/pki.tf b/enos/modules/verify_secrets_engines/modules/create/pki.tf
@@ -3,7 +3,7 @@
 
 locals {
   // Variables
-  pki_mount                 = "pki_secret" # secret
+  pki_mount                 = "pki" # secret
   pki_issuer_name           = "issuer"
   pki_common_name           = "common"
   pki_default_ttl           = "72h"
@@ -29,7 +29,7 @@ output "pki" {
 # Enable pki secrets engine
 resource "enos_remote_exec" "secrets_enable_pki_secret" {
   environment = {
-    ENGINE            = "pki"
+    ENGINE            = local.pki_mount
     MOUNT             = local.pki_mount
     VAULT_ADDR        = var.vault_addr
     VAULT_TOKEN       = var.vault_root_token
@@ -56,6 +56,7 @@ resource "enos_remote_exec" "pki_issue_certificates" {
     VAULT_INSTALL_DIR = var.vault_install_dir
     VAULT_TOKEN       = var.vault_root_token
     COMMON_NAME       = local.pki_common_name
+    ISSUER_NAME       = local.pki_issuer_name
     TTL               = local.pki_default_ttl
     TMP_TEST_RESULTS  = local.tmp_test_results
   }

diff --git a/enos/modules/verify_secrets_engines/modules/read/pki.tf b/enos/modules/verify_secrets_engines/modules/read/pki.tf
@@ -3,7 +3,7 @@
 
 locals {
   // Variables
-  pki_mount                 = "pki_secret" # secret
+  pki_mount                 = "pki" # secret
   pki_issuer_name           = "issuer"
   pki_common_name           = "common"
   pki_default_ttl           = "72h"
@@ -36,6 +36,7 @@ resource "enos_remote_exec" "pki_verify_certificates" {
     VAULT_INSTALL_DIR = var.vault_install_dir
     VAULT_TOKEN       = var.vault_root_token
     COMMON_NAME       = local.pki_common_name
+    ISSUER_NAME       = local.pki_issuer_name
     TTL               = local.pki_default_ttl
     TMP_TEST_RESULTS  = local.tmp_test_results
   }

diff --git a/enos/modules/verify_secrets_engines/scripts/kv-pki-issue-certificates.sh b/enos/modules/verify_secrets_engines/scripts/kv-pki-issue-certificates.sh
@@ -14,6 +14,7 @@ fail() {
 [[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
 [[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
 [[ -z "$COMMON_NAME" ]] && fail "COMMON_NAME env variable has not been set"
+[[ -z "$ISSUER_NAME" ]] && fail "ISSUER_NAME env variable has not been set"
 [[ -z "$TTL" ]] && fail "TTL env variable has not been set"
 [[ -z "$TMP_TEST_RESULTS" ]] && fail "TMP_TEST_RESULTS env variable has not been set"
 
@@ -33,19 +34,20 @@ mkdir "${TMP_TEST_RESULTS}"
 "$binpath" write "${MOUNT}/config/urls" issuing_certificates="${VAULT_ADDR}/v1/pki/ca" crl_distribution_points="${VAULT_ADDR}/v1/pki/crl"
 
 # Generating CA Certificate
-"$binpath" write "${MOUNT}/root/generate/internal" common_name="${COMMON_NAME}.com" ttl="${TTL}" -format=json | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/${CA_NAME}"
+"$binpath" write -format=json "${MOUNT}/root/generate/internal" common_name="${COMMON_NAME}.com" issuer_name="${ISSUER_NAME}" ttl="${TTL}" | jq -r '.data.issuing_ca' > "${TMP_TEST_RESULTS}/${CA_NAME}"
 # Creating a role
 "$binpath" write "${MOUNT}/roles/${ROLE_NAME}" allowed_domains="${COMMON_NAME}.com" allow_subdomains=true max_ttl="${TMP_TTL}"
 # Issuing Signed Certificate
 "$binpath" write "${MOUNT}/issue/${ROLE_NAME}" common_name="test.${COMMON_NAME}.com" ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/${SIGNED_CERT_NAME}"
 
 # ------ Generate and sign intermediate ------
 INTERMEDIATE_COMMON_NAME="intermediate-${COMMON_NAME}"
+INTERMEDIATE_ISSUER_NAME="intermediate-${ISSUER_NAME}"
 INTERMEDIATE_CA_NAME="${MOUNT}-${INTERMEDIATE_COMMON_NAME}.pem"
 INTERMEDIATE_SIGNED_NAME="${MOUNT}-${INTERMEDIATE_COMMON_NAME}-signed.pem"
 
-# Generate Intermediate CA
-"$binpath" write "${MOUNT}/intermediate/generate/internal" common_name="${INTERMEDIATE_COMMON_NAME}.com" ttl="${TTL}" | jq -r '.data.csr' > "${TMP_TEST_RESULTS}/${INTERMEDIATE_CA_NAME}"
+# Generate Intermediate CSR
+"$binpath" write "${MOUNT}/intermediate/generate/internal" common_name="${INTERMEDIATE_COMMON_NAME}.com" issuer_name="${INTERMEDIATE_ISSUER_NAME}" ttl="${TTL}" | jq -r '.data.csr' > "${TMP_TEST_RESULTS}/${INTERMEDIATE_CA_NAME}"
 # Sign Intermediate Certificate
 "$binpath" write "${MOUNT}/root/sign-intermediate" csr="@${TMP_TEST_RESULTS}/${INTERMEDIATE_CA_NAME}" format=pem_bundle ttl="${TMP_TTL}" | jq -r '.data.certificate' > "${TMP_TEST_RESULTS}/${INTERMEDIATE_SIGNED_NAME}"
 # Import Signed Intermediate Certificate into Vault

diff --git a/enos/modules/verify_secrets_engines/scripts/kv-pki-verify-certificates.sh b/enos/modules/verify_secrets_engines/scripts/kv-pki-verify-certificates.sh
@@ -14,17 +14,28 @@ fail() {
 [[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
 [[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
 [[ -z "$COMMON_NAME" ]] && fail "COMMON_NAME env variable has not been set"
+[[ -z "$ISSUER_NAME" ]] && fail "ISSUER_NAME env variable has not been set"
 [[ -z "$TTL" ]] && fail "TTL env variable has not been set"
 [[ -z "$TMP_TEST_RESULTS" ]] && fail "TMP_TEST_RESULTS env variable has not been set"
 
 binpath=${VAULT_INSTALL_DIR}/vault
 test -x "$binpath" || fail "unable to locate vault binary at $binpath" || fail "The certificate appears to be improperly configured or contains errors"
 export VAULT_FORMAT=json
 
-# Getting Certificates
-VAULT_CERTS=$("$binpath" list -format=json "${MOUNT}/certs" | jq -r '.[]')
+# Verifying List Roles
+ROLE=$("$binpath" list -format=json "${MOUNT}/roles" | jq -r '.[]')
+[[ -z "$ROLE" ]] && fail "No roles created!"
+
+# Verifying List Issuer
+ISSUER=$("$binpath" list -format=json "${MOUNT}/issuers" | jq -r '.[]')
+[[ -z "$ISSUER" ]] && fail "No issuers created!"
+
+# Verifying Root CA Certificate
+ROOT_CA_CERT=$("$binpath" read -format=json pki/cert/ca | jq -r '.data.certificate')
+[[ -z "$ROOT_CA_CERT" ]] && fail "No root ca certificate generated"
 
 # Verify List Certificate
+VAULT_CERTS=$("$binpath" list -format=json "${MOUNT}/certs" | jq -r '.[]')
 [[ -z "$VAULT_CERTS" ]] && fail "VAULT_CERTS should include vault certificates"
 
 # Verifying Certificates
@@ -45,4 +56,4 @@ for CERT in $VAULT_CERTS; do
 done
 
 # Verify List Revoked Certificate
-"$binpath" list -format=json "${MOUNT}/certs/revoked" | jq -r '.[]' || fail "There are no revoked certificate listed"
+"$binpath" list -format=json "${MOUNT}/certs/revoked" | jq -r '.[]' || fail "There are no revoked certificate listed"