You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

74 lines
2.2 KiB

7 years ago
7 years ago
5 years ago
7 years ago
  1. #!/usr/bin/env sh
  2. # Here is a script to deploy cert to hashicorp vault
  3. # (https://www.vaultproject.io/)
  4. #
  5. # it requires the vault binary to be available in PATH, and the following
  6. # environment variables:
  7. #
  8. # VAULT_PREFIX - this contains the prefix path in vault
  9. # VAULT_ADDR - vault requires this to find your vault server
  10. #
  11. # additionally, you need to ensure that VAULT_TOKEN is avialable or
  12. # `vault auth` has applied the appropriate authorization for the vault binary
  13. # to access the vault server
  14. #
  15. # If VAULT_ROLE_ID and VAULT_ROLE_SECRET are available, get a valid token using the
  16. # vault approle authentication method.
  17. # https://www.vaultproject.io/docs/auth/approle
  18. #returns 0 means success, otherwise error.
  19. ######## Public functions #####################
  20. #domain keyfile certfile cafile fullchain
  21. vault_cli_deploy() {
  22. _cdomain="$1"
  23. _ckey="$2"
  24. _ccert="$3"
  25. _cca="$4"
  26. _cfullchain="$5"
  27. _debug _cdomain "$_cdomain"
  28. _debug _ckey "$_ckey"
  29. _debug _ccert "$_ccert"
  30. _debug _cca "$_cca"
  31. _debug _cfullchain "$_cfullchain"
  32. # validate required env vars
  33. if [ -z "$VAULT_PREFIX" ]; then
  34. _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
  35. return 1
  36. fi
  37. if [ -z "$VAULT_ADDR" ]; then
  38. _err "VAULT_ADDR needs to be defined (contains vault connection address)"
  39. return 1
  40. fi
  41. VAULT_CMD=$(command -v vault)
  42. if [ ! $? ]; then
  43. _err "cannot find vault binary!"
  44. return 1
  45. fi
  46. if [ -n "$VAULT_ROLE_ID" ]; then
  47. export VAULT_TOKEN=$(vault write -field=token auth/approle/login \
  48. role_id="$VAULT_ROLE_ID" secret_id="$VAULT_ROLE_SECRET")
  49. if [ ! $? ]; then
  50. _err "cannot login to vault approle ${VAULT_ROLE_ID}!"
  51. return 1
  52. fi
  53. fi
  54. if [ -n "$FABIO" ]; then
  55. $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
  56. else
  57. $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
  58. $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
  59. $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
  60. $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
  61. fi
  62. }