refactor

deploy/scripts/vault-init-template.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+vault secrets enable pki
+vault secrets tune -max-lease-ttl=87600h pki
+
+vault write -field=certificate pki/root/generate/internal \
+        common_name="ego.io" \
+        ttl=87600h > CA_cert.crt
+
+vault write pki/config/urls \
+        issuing_certificates="https://127.0.0.1:8200/v1/pki/ca" \
+        crl_distribution_points="https://127.0.0.1:8200/v1/pki/crl"
+
+vault secrets enable -path=pki_int pki
+vault secrets tune -max-lease-ttl=43800h pki_int
+
+vault write -format=json pki_int/intermediate/generate/internal \
+        common_name="ego.io Intermediate Authority" \
+        | jq -r '.data.csr' > pki_intermediate.csr
+
+vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
+        format=pem_bundle ttl="43800h" \
+        | jq -r '.data.certificate' > intermediate.cert.pem
+
+vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
+
+vault write pki_int/roles/ego.io \
+  allowed_domains="ego.io" \
+  allow_subdomains=true \
+  generate_lease=true \
+  max_ttl="720h"
+
+vault write pki_int/issue/ego.io \
+  common_name="catalog.service.ego.io" \
+  ttl="24h" | tee certs.txt
+
+
+# CONFIGURE CONSUL
+mkdir -p /opt/consul/agent-certs
+
+grep -Pzo "(?s)(?<=certificate)[^\-]*.*?END CERTIFICATE[^\n]*\n" certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/agent.crt
+grep -Pzo "(?s)(?<=private_key)[^\-]*.*?END RSA PRIVATE KEY[^\n]*\n" certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/agent.key
+grep -Pzo "(?s)(?<=issuing_ca)[^\-]*.*?END CERTIFICATE[^\n]*\n" certs.txt | sed 's/^\s*-/-/g' > /opt/consul/agent-certs/ca.crt
+## FIXME ^^ invalid pattern flag...
+