|
|
@ -7,6 +7,9 @@ |
|
|
|
# |
|
|
|
# VAULT_PREFIX - this contains the prefix path in vault |
|
|
|
# VAULT_ADDR - vault requires this to find your vault server |
|
|
|
# VAULT_SAVE_TOKEN - set to anything if you want to save the token |
|
|
|
# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying |
|
|
|
# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine |
|
|
|
# |
|
|
|
# additionally, you need to ensure that VAULT_TOKEN is avialable |
|
|
|
# to access the vault server |
|
|
@ -45,6 +48,24 @@ vault_deploy() { |
|
|
|
fi |
|
|
|
_savedeployconf VAULT_ADDR "$VAULT_ADDR" |
|
|
|
|
|
|
|
_getdeployconf VAULT_SAVE_TOKEN |
|
|
|
_savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN" |
|
|
|
|
|
|
|
_getdeployconf VAULT_RENEW_TOKEN |
|
|
|
_savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN" |
|
|
|
|
|
|
|
_getdeployconf VAULT_KV_V2 |
|
|
|
_savedeployconf VAULT_KV_V2 "$VAULT_KV_V2" |
|
|
|
|
|
|
|
_getdeployconf VAULT_TOKEN |
|
|
|
if [ -z "$VAULT_TOKEN" ]; then |
|
|
|
_err "VAULT_TOKEN needs to be defined" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
if [ -n "$VAULT_SAVE_TOKEN" ]; then |
|
|
|
_savedeployconf VAULT_TOKEN "$VAULT_TOKEN" |
|
|
|
fi |
|
|
|
|
|
|
|
# JSON does not allow multiline strings. |
|
|
|
# So replacing new-lines with "\n" here |
|
|
|
_ckey=$(sed -z 's/\n/\\n/g' <"$2") |
|
|
@ -52,26 +73,56 @@ vault_deploy() { |
|
|
|
_cca=$(sed -z 's/\n/\\n/g' <"$4") |
|
|
|
_cfullchain=$(sed -z 's/\n/\\n/g' <"$5") |
|
|
|
|
|
|
|
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" |
|
|
|
export _H1="X-Vault-Token: $VAULT_TOKEN" |
|
|
|
|
|
|
|
if [ -n "$VAULT_RENEW_TOKEN" ]; then |
|
|
|
URL="$VAULT_ADDR/v1/auth/token/renew-self" |
|
|
|
_info "Renew the token to default TTL" |
|
|
|
if ! _post "" "$URL" >/dev/null; then |
|
|
|
_err "Failed to renew the token" |
|
|
|
return 1 |
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
|
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain" |
|
|
|
|
|
|
|
if [ -n "$FABIO" ]; then |
|
|
|
_info "Writing certificate and key to $URL in Fabio mode" |
|
|
|
if [ -n "$VAULT_KV_V2" ]; then |
|
|
|
_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" |
|
|
|
_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1 |
|
|
|
else |
|
|
|
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" |
|
|
|
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1 |
|
|
|
fi |
|
|
|
else |
|
|
|
if [ -n "$VAULT_KV_V2" ]; then |
|
|
|
_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" |
|
|
|
_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" |
|
|
|
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" |
|
|
|
_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" |
|
|
|
_info "Writing certificate to $URL/cert.pem" |
|
|
|
_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1 |
|
|
|
_info "Writing key to $URL/cert.key" |
|
|
|
_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1 |
|
|
|
_info "Writing CA certificate to $URL/ca.pem" |
|
|
|
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1 |
|
|
|
_info "Writing full-chain certificate to $URL/fullchain.pem" |
|
|
|
_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1 |
|
|
|
else |
|
|
|
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" |
|
|
|
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key" |
|
|
|
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem" |
|
|
|
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" |
|
|
|
_info "Writing certificate to $URL/cert.pem" |
|
|
|
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1 |
|
|
|
_info "Writing key to $URL/cert.key" |
|
|
|
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1 |
|
|
|
_info "Writing CA certificate to $URL/ca.pem" |
|
|
|
_post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1 |
|
|
|
_info "Writing full-chain certificate to $URL/fullchain.pem" |
|
|
|
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
# To make it compatible with the wrong ca path `chain.pem` which was used in former versions |
|
|
|
if _get "$URL/chain.pem" >/dev/null; then |
|
|
|
_err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning" |
|
|
|
_info "Updating CA certificate to $URL/chain.pem for backward compatibility" |
|
|
|
if [ -n "$VAULT_KV_V2" ]; then |
|
|
|
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1 |
|
|
|
else |
|
|
|
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1 |
|
|
|
fi |
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
|