hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul
git clone https://git.in0rdr.ch/hashipi.git
Log | Files | Refs | Pull requests | README

vault-tls.sh (1183B)

      1 #!/usr/bin/env bash
      2 #
      3 # Creates a set of certificates for use with HashiCorp Vault
      4 # https://learn.hashicorp.com/vault/operations/ops-deployment-guide
      5 
      6 # set -o errexit
      7 # set -o nounset
      8 # set -o xtrace
      9 
     10 # https://www.shellhacks.com/yes-no-bash-script-prompt-confirmation/
     11 # read -p "Do you want to generate a new set of Vault certicates in the directory \"./tls/vault/\" [y/N]? " -n 1 -r
     12 read -p "Do you want to generate a new Vault CA certicate in the directory \"./tls/vault/\" [y/N]? " -n 1 -r
     13 echo    # (optional) move to a new line
     14 if [[ ! $REPLY =~ ^[Yy]$ ]]
     15 then
     16     exit 1
     17 fi
     18 
     19 # Set working dir
     20 VAULT_TLS_BASE_PATH="${VAULT_TLS_BASE_PATH:-./tls/vault/}"
     21 mkdir -p "$VAULT_TLS_BASE_PATH"
     22 cd "$VAULT_TLS_BASE_PATH"
     23 
     24 # Cleanup previously generated certificates
     25 rm -rf certs ca
     26 mkdir -p certs ca
     27 
     28 # Create CA cert
     29 CA_CONFIG="
     30 [ req ]
     31 distinguished_name = dn
     32 [ dn ]
     33 [ ext ]
     34 basicConstraints   = critical, CA:true, pathlen:1
     35 keyUsage           = critical, digitalSignature, cRLSign, keyCertSign
     36 "
     37 openssl req -config <(echo "$CA_CONFIG") -new -newkey rsa:2048 -nodes -days 730 \
     38   -subj "/CN=Snake Root CA" -x509 -extensions ext -keyout "./ca/vault_ca.key" -out "./ca/vault_ca.pem"