Mirror
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5477 Commits
8 Branches
43 Tags
26 MiB
Tree: cb8293f1d9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cb8293f1d9'
${ noResults }
acme.sh/deploy/vault.sh

131 lines
4.6 KiB
Raw Normal View History

Vault deploy hook
4 years ago
improve vault and vault_api deployhooks
2 years ago
Vault deploy hook
4 years ago
improve vault and vault_api deployhooks
2 years ago
Vault deploy hook
4 years ago
Use _getdeployconf for env vars
4 years ago
Vault deploy hook
4 years ago
Use _savedeployconf
4 years ago
Vault deploy hook
4 years ago
Use _getdeployconf for env vars
4 years ago
Vault deploy hook
4 years ago
Use _savedeployconf
4 years ago
Vault deploy hook
4 years ago
improve vault and vault_api deployhooks
2 years ago
migrate FABIO to VAULT_FABIO_MODE and persist it
2 years ago
Vault deploy hook
4 years ago
Using _post function
4 years ago
Vault deploy hook
4 years ago
improve vault and vault_api deployhooks
2 years ago
improve logging
2 years ago
improve vault and vault_api deployhooks
2 years ago
improve logging
2 years ago
improve vault and vault_api deployhooks
2 years ago
migrate FABIO to VAULT_FABIO_MODE and persist it
2 years ago
improve vault and vault_api deployhooks
2 years ago
Support Vault KV v2 (#3502)
3 years ago
improve vault and vault_api deployhooks
2 years ago
Support Vault KV v2 (#3502)
3 years ago
improve vault and vault_api deployhooks
2 years ago
Support Vault KV v2 (#3502)
3 years ago
Vault deploy hook
4 years ago
Support Vault KV v2 (#3502)
3 years ago
improve vault and vault_api deployhooks
2 years ago
Support Vault KV v2 (#3502)
3 years ago
improve vault and vault_api deployhooks
2 years ago
improve chain.pem exists evaluating
2 years ago
improve vault and vault_api deployhooks
2 years ago
Support Vault KV v2 (#3502)
3 years ago
Vault deploy hook
4 years ago
  1. #!/usr/bin/env sh
  3. # Here is a script to deploy cert to hashicorp vault using curl
  4. # (https://www.vaultproject.io/)
  5. #
  6. # it requires following environment variables:
  7. #
  8. # VAULT_PREFIX - this contains the prefix path in vault
  9. # VAULT_ADDR - vault requires this to find your vault server
  10. # VAULT_SAVE_TOKEN - set to anything if you want to save the token
  11. # VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
  12. # VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
  13. #
  14. # additionally, you need to ensure that VAULT_TOKEN is avialable
  15. # to access the vault server
  17. #returns 0 means success, otherwise error.
  19. ######## Public functions #####################
  21. #domain keyfile certfile cafile fullchain
  22. vault_deploy() {
  24. _cdomain="$1"
  25. _ckey="$2"
  26. _ccert="$3"
  27. _cca="$4"
  28. _cfullchain="$5"
  30. _debug _cdomain "$_cdomain"
  31. _debug _ckey "$_ckey"
  32. _debug _ccert "$_ccert"
  33. _debug _cca "$_cca"
  34. _debug _cfullchain "$_cfullchain"
  36. # validate required env vars
  37. _getdeployconf VAULT_PREFIX
  38. if [ -z "$VAULT_PREFIX" ]; then
  39. _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
  40. return 1
  41. fi
  42. _savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
  44. _getdeployconf VAULT_ADDR
  45. if [ -z "$VAULT_ADDR" ]; then
  46. _err "VAULT_ADDR needs to be defined (contains vault connection address)"
  47. return 1
  48. fi
  49. _savedeployconf VAULT_ADDR "$VAULT_ADDR"
  51. _getdeployconf VAULT_SAVE_TOKEN
  52. _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
  54. _getdeployconf VAULT_RENEW_TOKEN
  55. _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
  57. _getdeployconf VAULT_KV_V2
  58. _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
  60. _getdeployconf VAULT_TOKEN
  61. if [ -z "$VAULT_TOKEN" ]; then
  62. _err "VAULT_TOKEN needs to be defined"
  63. return 1
  64. fi
  65. if [ -n "$VAULT_SAVE_TOKEN" ]; then
  66. _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
  67. fi
  69. _migratedeployconf FABIO VAULT_FABIO_MODE
  71. # JSON does not allow multiline strings.
  72. # So replacing new-lines with "\n" here
  73. _ckey=$(sed -z 's/\n/\\n/g' <"$2")
  74. _ccert=$(sed -z 's/\n/\\n/g' <"$3")
  75. _cca=$(sed -z 's/\n/\\n/g' <"$4")
  76. _cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
  78. export _H1="X-Vault-Token: $VAULT_TOKEN"
  80. if [ -n "$VAULT_RENEW_TOKEN" ]; then
  81. URL="$VAULT_ADDR/v1/auth/token/renew-self"
  82. _info "Renew the Vault token to default TTL"
  83. if ! _post "" "$URL" >/dev/null; then
  84. _err "Failed to renew the Vault token"
  85. return 1
  86. fi
  87. fi
  89. URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
  91. if [ -n "$VAULT_FABIO_MODE" ]; then
  92. _info "Writing certificate and key to $URL in Fabio mode"
  93. if [ -n "$VAULT_KV_V2" ]; then
  94. _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
  95. else
  96. _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
  97. fi
  98. else
  99. if [ -n "$VAULT_KV_V2" ]; then
  100. _info "Writing certificate to $URL/cert.pem"
  101. _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
  102. _info "Writing key to $URL/cert.key"
  103. _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
  104. _info "Writing CA certificate to $URL/ca.pem"
  105. _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
  106. _info "Writing full-chain certificate to $URL/fullchain.pem"
  107. _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
  108. else
  109. _info "Writing certificate to $URL/cert.pem"
  110. _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
  111. _info "Writing key to $URL/cert.key"
  112. _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
  113. _info "Writing CA certificate to $URL/ca.pem"
  114. _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
  115. _info "Writing full-chain certificate to $URL/fullchain.pem"
  116. _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
  117. fi
  119. # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
  120. if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then
  121. _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
  122. _info "Updating CA certificate to $URL/chain.pem for backward compatibility"
  123. if [ -n "$VAULT_KV_V2" ]; then
  124. _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
  125. else
  126. _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
  127. fi
  128. fi
  129. fi
  131. }