Merge pull request #4447 from PMExtra/feature/vault
improve vault and vault_cli deployhooks
This commit is contained in:
commit
40002e8040
@ -7,13 +7,16 @@
|
|||||||
#
|
#
|
||||||
# VAULT_PREFIX - this contains the prefix path in vault
|
# VAULT_PREFIX - this contains the prefix path in vault
|
||||||
# VAULT_ADDR - vault requires this to find your vault server
|
# VAULT_ADDR - vault requires this to find your vault server
|
||||||
|
# VAULT_SAVE_TOKEN - set to anything if you want to save the token
|
||||||
|
# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
|
||||||
|
# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
|
||||||
#
|
#
|
||||||
# additionally, you need to ensure that VAULT_TOKEN is avialable
|
# additionally, you need to ensure that VAULT_TOKEN is avialable
|
||||||
# to access the vault server
|
# to access the vault server
|
||||||
|
|
||||||
#returns 0 means success, otherwise error.
|
#returns 0 means success, otherwise error.
|
||||||
|
|
||||||
######## Public functions #####################
|
######## Public functions #####################
|
||||||
|
|
||||||
#domain keyfile certfile cafile fullchain
|
#domain keyfile certfile cafile fullchain
|
||||||
vault_deploy() {
|
vault_deploy() {
|
||||||
@ -45,6 +48,26 @@ vault_deploy() {
|
|||||||
fi
|
fi
|
||||||
_savedeployconf VAULT_ADDR "$VAULT_ADDR"
|
_savedeployconf VAULT_ADDR "$VAULT_ADDR"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_SAVE_TOKEN
|
||||||
|
_savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_RENEW_TOKEN
|
||||||
|
_savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_KV_V2
|
||||||
|
_savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_TOKEN
|
||||||
|
if [ -z "$VAULT_TOKEN" ]; then
|
||||||
|
_err "VAULT_TOKEN needs to be defined"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [ -n "$VAULT_SAVE_TOKEN" ]; then
|
||||||
|
_savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
|
||||||
|
fi
|
||||||
|
|
||||||
|
_migratedeployconf FABIO VAULT_FABIO_MODE
|
||||||
|
|
||||||
# JSON does not allow multiline strings.
|
# JSON does not allow multiline strings.
|
||||||
# So replacing new-lines with "\n" here
|
# So replacing new-lines with "\n" here
|
||||||
_ckey=$(sed -z 's/\n/\\n/g' <"$2")
|
_ckey=$(sed -z 's/\n/\\n/g' <"$2")
|
||||||
@ -52,26 +75,56 @@ vault_deploy() {
|
|||||||
_cca=$(sed -z 's/\n/\\n/g' <"$4")
|
_cca=$(sed -z 's/\n/\\n/g' <"$4")
|
||||||
_cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
|
_cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
|
||||||
|
|
||||||
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
|
|
||||||
export _H1="X-Vault-Token: $VAULT_TOKEN"
|
export _H1="X-Vault-Token: $VAULT_TOKEN"
|
||||||
|
|
||||||
if [ -n "$FABIO" ]; then
|
if [ -n "$VAULT_RENEW_TOKEN" ]; then
|
||||||
|
URL="$VAULT_ADDR/v1/auth/token/renew-self"
|
||||||
|
_info "Renew the Vault token to default TTL"
|
||||||
|
if ! _post "" "$URL" >/dev/null; then
|
||||||
|
_err "Failed to renew the Vault token"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
|
||||||
|
|
||||||
|
if [ -n "$VAULT_FABIO_MODE" ]; then
|
||||||
|
_info "Writing certificate and key to $URL in Fabio mode"
|
||||||
if [ -n "$VAULT_KV_V2" ]; then
|
if [ -n "$VAULT_KV_V2" ]; then
|
||||||
_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
|
_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
|
||||||
else
|
else
|
||||||
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
|
_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ -n "$VAULT_KV_V2" ]; then
|
if [ -n "$VAULT_KV_V2" ]; then
|
||||||
_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
|
_info "Writing certificate to $URL/cert.pem"
|
||||||
_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
|
_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
|
||||||
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
|
_info "Writing key to $URL/cert.key"
|
||||||
_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
|
_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
|
||||||
|
_info "Writing CA certificate to $URL/ca.pem"
|
||||||
|
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
|
||||||
|
_info "Writing full-chain certificate to $URL/fullchain.pem"
|
||||||
|
_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
|
||||||
else
|
else
|
||||||
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
|
_info "Writing certificate to $URL/cert.pem"
|
||||||
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
|
_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
|
||||||
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
|
_info "Writing key to $URL/cert.key"
|
||||||
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
|
_post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
|
||||||
|
_info "Writing CA certificate to $URL/ca.pem"
|
||||||
|
_post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
|
||||||
|
_info "Writing full-chain certificate to $URL/fullchain.pem"
|
||||||
|
_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# To make it compatible with the wrong ca path `chain.pem` which was used in former versions
|
||||||
|
if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then
|
||||||
|
_err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
|
||||||
|
_info "Updating CA certificate to $URL/chain.pem for backward compatibility"
|
||||||
|
if [ -n "$VAULT_KV_V2" ]; then
|
||||||
|
_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
|
||||||
|
else
|
||||||
|
_post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -8,6 +8,8 @@
|
|||||||
#
|
#
|
||||||
# VAULT_PREFIX - this contains the prefix path in vault
|
# VAULT_PREFIX - this contains the prefix path in vault
|
||||||
# VAULT_ADDR - vault requires this to find your vault server
|
# VAULT_ADDR - vault requires this to find your vault server
|
||||||
|
# VAULT_SAVE_TOKEN - set to anything if you want to save the token
|
||||||
|
# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
|
||||||
#
|
#
|
||||||
# additionally, you need to ensure that VAULT_TOKEN is avialable or
|
# additionally, you need to ensure that VAULT_TOKEN is avialable or
|
||||||
# `vault auth` has applied the appropriate authorization for the vault binary
|
# `vault auth` has applied the appropriate authorization for the vault binary
|
||||||
@ -33,15 +35,36 @@ vault_cli_deploy() {
|
|||||||
_debug _cfullchain "$_cfullchain"
|
_debug _cfullchain "$_cfullchain"
|
||||||
|
|
||||||
# validate required env vars
|
# validate required env vars
|
||||||
|
_getdeployconf VAULT_PREFIX
|
||||||
if [ -z "$VAULT_PREFIX" ]; then
|
if [ -z "$VAULT_PREFIX" ]; then
|
||||||
_err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
|
_err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
_savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_ADDR
|
||||||
if [ -z "$VAULT_ADDR" ]; then
|
if [ -z "$VAULT_ADDR" ]; then
|
||||||
_err "VAULT_ADDR needs to be defined (contains vault connection address)"
|
_err "VAULT_ADDR needs to be defined (contains vault connection address)"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
_savedeployconf VAULT_ADDR "$VAULT_ADDR"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_SAVE_TOKEN
|
||||||
|
_savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_RENEW_TOKEN
|
||||||
|
_savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
|
||||||
|
|
||||||
|
_getdeployconf VAULT_TOKEN
|
||||||
|
if [ -z "$VAULT_TOKEN" ]; then
|
||||||
|
_err "VAULT_TOKEN needs to be defined"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if [ -n "$VAULT_SAVE_TOKEN" ]; then
|
||||||
|
_savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
|
||||||
|
fi
|
||||||
|
|
||||||
|
_migratedeployconf FABIO VAULT_FABIO_MODE
|
||||||
|
|
||||||
VAULT_CMD=$(command -v vault)
|
VAULT_CMD=$(command -v vault)
|
||||||
if [ ! $? ]; then
|
if [ ! $? ]; then
|
||||||
@ -49,13 +72,33 @@ vault_cli_deploy() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$FABIO" ]; then
|
if [ -n "$VAULT_RENEW_TOKEN" ]; then
|
||||||
|
_info "Renew the Vault token to default TTL"
|
||||||
|
if ! $VAULT_CMD token renew; then
|
||||||
|
_err "Failed to renew the Vault token"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$VAULT_FABIO_MODE" ]; then
|
||||||
|
_info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode"
|
||||||
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
|
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
|
||||||
else
|
else
|
||||||
|
_info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem"
|
||||||
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
|
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
|
||||||
|
_info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key"
|
||||||
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
|
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
|
||||||
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
|
_info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem"
|
||||||
|
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1
|
||||||
|
_info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem"
|
||||||
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
|
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
|
||||||
|
|
||||||
|
# To make it compatible with the wrong ca path `chain.pem` which was used in former versions
|
||||||
|
if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then
|
||||||
|
_err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
|
||||||
|
_info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility"
|
||||||
|
$VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user