You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

131 lines
4.7 KiB

2 years ago
2 years ago
  1. #!/usr/bin/env sh
  2. # Here is a script to deploy cert to hashicorp vault using curl
  3. # (https://www.vaultproject.io/)
  4. #
  5. # it requires following environment variables:
  6. #
  7. # VAULT_PREFIX - this contains the prefix path in vault
  8. # VAULT_ADDR - vault requires this to find your vault server
  9. # VAULT_SAVE_TOKEN - set to anything if you want to save the token
  10. # VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
  11. # VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
  12. #
  13. # additionally, you need to ensure that VAULT_TOKEN is avialable
  14. # to access the vault server
  15. #returns 0 means success, otherwise error.
  16. ######## Public functions #####################
  17. #domain keyfile certfile cafile fullchain
  18. vault_deploy() {
  19. _cdomain="$1"
  20. _ckey="$2"
  21. _ccert="$3"
  22. _cca="$4"
  23. _cfullchain="$5"
  24. _debug _cdomain "$_cdomain"
  25. _debug _ckey "$_ckey"
  26. _debug _ccert "$_ccert"
  27. _debug _cca "$_cca"
  28. _debug _cfullchain "$_cfullchain"
  29. # validate required env vars
  30. _getdeployconf VAULT_PREFIX
  31. if [ -z "$VAULT_PREFIX" ]; then
  32. _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
  33. return 1
  34. fi
  35. _savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
  36. _getdeployconf VAULT_ADDR
  37. if [ -z "$VAULT_ADDR" ]; then
  38. _err "VAULT_ADDR needs to be defined (contains vault connection address)"
  39. return 1
  40. fi
  41. _savedeployconf VAULT_ADDR "$VAULT_ADDR"
  42. _getdeployconf VAULT_SAVE_TOKEN
  43. _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
  44. _getdeployconf VAULT_RENEW_TOKEN
  45. _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
  46. _getdeployconf VAULT_KV_V2
  47. _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
  48. _getdeployconf VAULT_TOKEN
  49. if [ -z "$VAULT_TOKEN" ]; then
  50. _err "VAULT_TOKEN needs to be defined"
  51. return 1
  52. fi
  53. if [ -n "$VAULT_SAVE_TOKEN" ]; then
  54. _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
  55. fi
  56. _migratedeployconf FABIO VAULT_FABIO_MODE
  57. # JSON does not allow multiline strings.
  58. # So replacing new-lines with "\n" here
  59. _ckey=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$2")
  60. _ccert=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$3")
  61. _cca=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$4")
  62. _cfullchain=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$5")
  63. export _H1="X-Vault-Token: $VAULT_TOKEN"
  64. if [ -n "$VAULT_RENEW_TOKEN" ]; then
  65. URL="$VAULT_ADDR/v1/auth/token/renew-self"
  66. _info "Renew the Vault token to default TTL"
  67. if ! _post "" "$URL" >/dev/null; then
  68. _err "Failed to renew the Vault token"
  69. return 1
  70. fi
  71. fi
  72. URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
  73. if [ -n "$VAULT_FABIO_MODE" ]; then
  74. _info "Writing certificate and key to $URL in Fabio mode"
  75. if [ -n "$VAULT_KV_V2" ]; then
  76. _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
  77. else
  78. _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
  79. fi
  80. else
  81. if [ -n "$VAULT_KV_V2" ]; then
  82. _info "Writing certificate to $URL/cert.pem"
  83. _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
  84. _info "Writing key to $URL/cert.key"
  85. _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
  86. _info "Writing CA certificate to $URL/ca.pem"
  87. _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
  88. _info "Writing full-chain certificate to $URL/fullchain.pem"
  89. _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
  90. else
  91. _info "Writing certificate to $URL/cert.pem"
  92. _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
  93. _info "Writing key to $URL/cert.key"
  94. _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
  95. _info "Writing CA certificate to $URL/ca.pem"
  96. _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
  97. _info "Writing full-chain certificate to $URL/fullchain.pem"
  98. _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
  99. fi
  100. # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
  101. if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then
  102. _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
  103. _info "Updating CA certificate to $URL/chain.pem for backward compatibility"
  104. if [ -n "$VAULT_KV_V2" ]; then
  105. _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
  106. else
  107. _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
  108. fi
  109. fi
  110. fi
  111. }