@oboukili
Last active November 28, 2021 16:26
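#!/bin/sh
# Bootstraps TLS material for an application pod from HashiCorp Vault:
#   1. obtain a GCE instance identity JWT from the metadata server,
#   2. exchange it for a short-lived Vault token (GCP auth backend),
#   3. have the PKI backend issue a 15-day certificate bundle,
#   4. write the bundle as PEM files and, optionally, a Java trust store and a
#      PKCS#12 key store.
#
# Required environment: COMMON_NAME, SERVICE_NAME, NAMESPACE_NAME, POD_IP
# Optional environment:
#   TRUSTSTORE_PASSWORD  when set, trust.jks is generated
#   KEYSTORE_PASSWORD    when set, keystore.p12 is generated
#   VAULT_CACERT         CA bundle used to verify the Vault server certificate;
#                        when unset verification is skipped (curl -k), as before
#   VAULT_OUT_DIR        output directory, defaults to /vault
# Outputs (in VAULT_OUT_DIR): vault.ca.crt, application.crt, trust.jks,
# keystore.p12. application.key is shredded before exit.
#
# -e: an unchecked failure (keytool, openssl, jq) aborts instead of silently
#     leaving an incomplete bundle behind; -u: a misspelled or missing variable
#     aborts rather than sending empty names to Vault.
set -eu

export VAULT_ADDR="https://active.vault.service.consul:8200"
export VAULT_PKI_PATH="v1/pki/issue/application"
out_dir=${VAULT_OUT_DIR:-/vault}
readonly out_dir

# Fail early on missing required input instead of retrying forever while Vault
# rejects a request with empty names.
: "${COMMON_NAME:?must be set}"
: "${SERVICE_NAME:?must be set}"
: "${NAMESPACE_NAME:?must be set}"
: "${POD_IP:?must be set}"

# Diagnostics go to stderr so they never mix with data on stdout.
warn() { printf 'WARN: %s\n' "$*" >&2; }

#######################################
# curl wrapper for Vault requests.
# -f turns HTTP errors into a non-zero exit so the retry loops notice them.
# With VAULT_CACERT set the server certificate is verified against it;
# without it verification is disabled (-k) to preserve the original behaviour.
# Arguments: passed through to curl
#######################################
vault_curl() {
  if [ -n "${VAULT_CACERT:-}" ]; then
    curl -sf --cacert "$VAULT_CACERT" "$@"
  else
    curl -sfk "$@"
  fi
}

#######################################
# Print one field of the PKI response on stdout.
# Globals:   pki_issue (read)
# Arguments: $1 - jq filter
# Returns:   jq's status; non-zero when the field is missing or null
#######################################
pki_field() {
  printf '%s' "$pki_issue" | jq -e -r "$1"
}

# Vault login. The JWT is re-fetched on every attempt so a transient metadata
# server failure is retried too, and the client token is extracted in the same
# step: a reply without .auth.client_token (jq -e exits non-zero) is retried
# instead of being carried forward as an empty token. The request body is built
# with jq --arg so the JWT is always embedded as valid JSON.
until jwt_token=$(curl -sf -H "Metadata-Flavor: Google" \
      'http://metadata/computeMetadata/v1/instance/service-accounts/someserviceaccount/identity?audience=vault/apps&format=full') \
    && login_body=$(jq -n --arg jwt "$jwt_token" '{role: "app", jwt: $jwt}') \
    && VAULT_TOKEN=$(vault_curl -X POST "${VAULT_ADDR}/v1/auth/gcp/login" -d "$login_body" \
      | jq -e -r '.auth.client_token')
do
  warn "Could not get a Vault auth token..."
  sleep 2
done

# Certificate request: 15-day TTL (360h), SANs covering the in-cluster service
# names and the pod IP. Built with jq --arg so a name containing quotes cannot
# break or alter the JSON document.
pki_request=$(jq -n \
  --arg cn "$COMMON_NAME" \
  --arg alt "localhost,${COMMON_NAME},${SERVICE_NAME}.${NAMESPACE_NAME}.svc,${SERVICE_NAME}.${NAMESPACE_NAME}.svc.cluster.local" \
  --arg ips "127.0.0.1,${POD_IP}" \
  '{common_name: $cn, ttl: "360h", alt_names: $alt, ip_sans: $ips}')
# NOTE: the Vault token travels as a command-line header and is therefore
# visible in the process list for the duration of each request.
until pki_issue=$(vault_curl -H "X-Vault-Token: $VAULT_TOKEN" -X POST \
      "${VAULT_ADDR}/${VAULT_PKI_PATH}" -d "$pki_request")
do
  warn "could not get a certificate from Vault..."
  sleep 2
done

# Write the PEM files. jq -r already decodes JSON string escapes, so the PEM
# blocks arrive with real newlines and need no further processing. The private
# key is written under a restrictive umask so there is no window in which it is
# readable by others before the chmod.
pki_field '.data.ca_chain | join("\n")' > "$out_dir/vault.ca.crt"
pki_field '.data.certificate' > "$out_dir/application.crt"
( umask 077 && pki_field '.data.private_key' > "$out_dir/application.key" )
chmod 600 "$out_dir/application.key"

# Java trust store: the JDK default store re-keyed with TRUSTSTORE_PASSWORD plus
# the Vault CA chain. Under set -e a failing keytool aborts the script, so the
# success message is only printed when both steps succeeded.
if [ -z "${TRUSTSTORE_PASSWORD:-}" ]; then
  printf '%s\n' "Skipping truststore creation, as no TRUSTSTORE_PASSWORD environment variable was found!"
else
  printf '%s\n' "Generating trust.jks..."
  cp /etc/ssl/certs/java/cacerts "$out_dir/trust.jks"
  # "changeit" is the password the JDK ships cacerts with. keytool is given the
  # passwords on its command line (as the original did), so they are briefly
  # visible in the process list; quoting keeps a password containing spaces or
  # glob characters intact.
  keytool -storepasswd -keystore "$out_dir/trust.jks" \
    -storepass changeit -new "$TRUSTSTORE_PASSWORD"
  keytool -importcert \
    -storepass "$TRUSTSTORE_PASSWORD" \
    -noprompt \
    -alias vault-service-consul \
    -file "$out_dir/vault.ca.crt" \
    -keystore "$out_dir/trust.jks"
  printf '%s\n' "Successfully generated trust.jks!"
  chmod 644 "$out_dir/trust.jks"
fi

# PKCS#12 key store holding the application key and certificate. The export
# password is read from the environment (-passout env:) rather than from argv,
# so it does not show up in the process list. Written under a restrictive umask
# for the same reason as the private key above.
if [ -z "${KEYSTORE_PASSWORD:-}" ]; then
  printf '%s\n' "Skipping keystore creation, as no KEYSTORE_PASSWORD environment variable was found!"
else
  printf '%s\n' "Generating keystore.p12..."
  export KEYSTORE_PASSWORD
  ( umask 077 && openssl pkcs12 \
      -export \
      -in "$out_dir/application.crt" \
      -inkey "$out_dir/application.key" \
      -out "$out_dir/keystore.p12" \
      -name application \
      -CAfile "$out_dir/vault.ca.crt" \
      -caname intermediate \
      -caname root \
      -passout env:KEYSTORE_PASSWORD )
  printf '%s\n' "Successfully generated keystore.p12!"
  chmod 600 "$out_dir/keystore.p12"
fi

# The PEM private key is removed unconditionally (as in the original), even
# when no keystore.p12 was produced; presumably consumers only read
# keystore.p12 — TODO confirm nothing reads application.key directly.
shred -u "$out_dir/application.key"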