provisioning/scripts/vault_populate.sh
#!/bin/bash
echo 'Waiting for vault...'
while true
do
START=`docker logs dev-vault 2>&1 | grep "post-unseal setup complete"`
if [ -n "$START" ]; then
break
else
sleep 2
fi
done
POLICY_NAME=openfaas
TOKEN=vagrant
VAULT_URL=http://127.0.0.1:8200
export VAULT_ADDR=${VAULT_URL}
export VAULT_TOKEN=${TOKEN}
vault auth enable approle
vault policy write ${POLICY_NAME} /vagrant/provisioning/scripts/policy.hcl
# create approle openfaas
curl -i \
--header "X-Vault-Token: ${TOKEN}" \
--request POST \
--data '{"policies": "openfaas", "period": "5m"}' \
${VAULT_URL}/v1/auth/approle/role/${POLICY_NAME}
curl -i \
--header "X-Vault-Token: ${TOKEN}" \
${VAULT_URL}/v1/auth/approle/role/${POLICY_NAME}/role-id -o ./role_id.json
curl -i \
--header "X-Vault-Token: ${TOKEN}" \
--request POST \
${VAULT_URL}/v1/auth/approle/role/${POLICY_NAME}/secret-id -o ./secret_id.json
echo 'enabling pki backend...'
curl -i -H "X-Vault-Token: ${TOKEN}" -H "Content-Type: application/json" \
-XPOST -d '{"type":"pki"}' ${VAULT_URL}/v1/sys/mounts/pki
echo 'generate root ca...'
curl -i -H "X-Vault-Token: ${TOKEN}" -H "Content-Type: application/json" \
-XPOST -d '{"common_name":"nomad.local", "ip_sans": "192.168.50.2"}' ${VAULT_URL}/v1/pki/root/generate/internal
echo 'configure issuing urls...'
curl -i -H "X-Vault-Token: ${TOKEN}" -H "Content-Type: application/json" \
-XPOST -d '{"issuing_certificates": ["http://localhost:8200/v1/pki/ca"], "crl_distribution_points": ["http://localhost:8200/v1/pki/crl"]}' ${VAULT_URL}/v1/pki/config/urls
echo 'create role...'
curl -i -H "X-Vault-Token: ${TOKEN}" -H "Content-Type: application/json" \
-XPOST -d '{"allowed_domains": ["nomad.local"], "allow_subdomains": true, "max_ttl": "72h"}' ${VAULT_URL}/v1/pki/roles/faas-nomad
echo 'get certficates...'
curl -H "X-Vault-Token: ${TOKEN}" -H "Content-Type: application/json" \
-XPOST -d '{"common_name": "server.nomad.local", "ip_sans": "192.168.50.2"}' ${VAULT_URL}/v1/pki/issue/faas-nomad -o ./output.json
apt-get install jq -y
jq -r '.data.issuing_ca' < ./output.json > ./placeholder-ca.crt
jq -r '.data.certificate' < ./output.json > ./placeholder.crt
jq -r '.data.private_key' < ./output.json > ./placeholder.key