@arodd
Last active November 25, 2021 04:52
Vault PKI - Basic Demo
# agent.hcl: Vault Agent configuration used by `vault agent -config=agent.hcl`.
# The agent logs in with AppRole and writes the resulting client token to a
# file sink that consul-template reads, so consul-template never handles the
# role-id or secret-id itself.
auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = ".role-id"
      secret_id_file_path = ".secret-id"
      # Default behaviour (remove_secret_id_file_after_reading = true) deletes
      # .secret-id after the first successful read, so generate a fresh
      # secret-id before restarting the agent.
    }
  }
  sink "file" {
    config = {
      path = "token-sink"
    }
  }
}
{{/* cert.pem.tpl: renders the issuing CA, the leaf certificate and its private
     key into cert.pem, in that order. The private key lands in plaintext in
     cert.pem, so restrict that file's permissions. */}}
{{ with secret "pki/issue/consul-service" "common_name=profitapp.service.consul" }}
{{ .Data.issuing_ca }}
{{ .Data.certificate }}
{{ .Data.private_key }}
{{ end }}
# Bootstrap the agent's AppRole credentials. Run this once with an operator
# token that may read the role-id and generate a secret-id; the agent's own
# token only carries the certuser policy. Both files are read by agent.hcl.
vault read -format=json auth/approle/role/certs/role-id | \
    jq -r .data.role_id > .role-id
vault write -format=json -f auth/approle/role/certs/secret-id | \
    jq -r .data.secret_id > .secret-id

Start the Vault Agent in one window (screen/tmux/tabs/etc.). It logs in with the AppRole credentials in .role-id and .secret-id, writes its token to token-sink and keeps that token renewed:

vault agent -config=agent.hcl

Start consul-template in another window. It reads the token from the agent's sink, and -vault-renew-token=false tells it not to renew the token itself, since the agent already does that:

consul-template -vault-agent-token-file=token-sink -vault-renew-token=false \
    -template "cert.pem.tpl:cert.pem" -log-level=debug

Watch the file contents in another window (on a Mac, first brew install watch). Because the role issues 5s certificates with generate_lease=true, consul-template fetches a fresh certificate as each lease runs out, so the PEM blocks change every few seconds:

watch -n 1 cat cert.pem
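Watching cert.pem only shows that the file changes. The following check is an added example, not part of the gist: it splits a rendered cert.pem into its three PEM blocks and verifies that the leaf chains to the bundled issuing CA, that the subject is the CN cert.pem.tpl requested, and that the private key actually belongs to the certificate. It relies on the block order the template produces (issuing CA, certificate, key), assumes openssl is on PATH, and the function names (split_bundle, check_parts, check_bundle) are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: verify the bundle consul-template renders
# from cert.pem.tpl before trusting it. The template writes three PEM blocks in
# a fixed order (issuing CA, leaf certificate, private key), and this script
# relies on that order. Assumes openssl is on PATH; the default CN below is the
# one cert.pem.tpl requests.
#
#   usage: check_bundle cert.pem [expected_cn]
set -eu

# Split the rendered bundle into ca.pem / leaf.pem / key.pem under $2.
# The first CERTIFICATE block is the issuing CA, the second the leaf.
split_bundle() {
  local bundle=$1 outdir=$2
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" (n == 1 ? "ca.pem" : "leaf.pem") }
    /-----BEGIN .*PRIVATE KEY-----/ { f = dir "/key.pem" }
    f { print > f }
    /-----END / { f = "" }
  ' "$bundle"
}

# Run the checks against the split parts; prints the leaf notAfter on success.
check_parts() {
  local bundle=$1 expected_cn=$2 dir=$3 part subject cert_pub key_pub
  split_bundle "$bundle" "$dir"
  for part in ca.pem leaf.pem key.pem; do
    [ -s "$dir/$part" ] || { echo "$bundle: missing $part" >&2; return 1; }
  done
  # 1. The leaf must chain to the issuing CA shipped in the same bundle.
  openssl verify -CAfile "$dir/ca.pem" "$dir/leaf.pem" >/dev/null 2>&1 \
    || { echo "$bundle: leaf does not verify against bundled issuing CA" >&2; return 1; }
  # 2. The subject must be exactly the CN the template requested. RFC2253
  #    output keeps the format stable across OpenSSL versions.
  subject=$(openssl x509 -in "$dir/leaf.pem" -noout -subject -nameopt RFC2253)
  subject=${subject#subject=}; subject=${subject# }
  [ "$subject" = "CN=$expected_cn" ] \
    || { echo "$bundle: unexpected subject '$subject'" >&2; return 1; }
  # 3. The private key must belong to the leaf: compare public-key digests.
  cert_pub=$(openssl x509 -in "$dir/leaf.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/key.pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "$bundle: private key does not match certificate" >&2; return 1; }
  # 4. Report validity; with the role's 5s ttl this is only seconds away.
  openssl x509 -in "$dir/leaf.pem" -noout -enddate
}

# Entry point: isolates the split parts in a temp dir and always cleans up.
check_bundle() {
  local bundle=$1 expected_cn=${2:-profitapp.service.consul} dir rc=0
  dir=$(mktemp -d)
  check_parts "$bundle" "$expected_cn" "$dir" || rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

Source the file and run check_bundle cert.pem next to the watch window. A non-zero exit with a message on stderr means the rendered file is incomplete, was issued by a different CA, carries the wrong name, or pairs a key with a certificate it does not belong to, and should not be handed to a service.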
echo '
# Issue leaf certificates from the consul-service role only; the agent token
# that consul-template uses carries nothing else.
path "pki/issue/consul-service" {
    capabilities = ["create","update"]
}
# Fetch the CA certificate. cert.pem.tpl does not need this (issuing_ca comes
# back in the issue response) but it is handy for debugging.
path "pki/cert/ca" {
    capabilities = ["read"]
}
# Token renewal. renew-self is what the agent uses; auth/token/renew also
# allows renewing other tokens by ID and can be dropped if not needed.
path "auth/token/renew" {
    capabilities = ["update"]
}
path "auth/token/renew-self" {
    capabilities = ["update"]
}
' | vault policy write certuser -
# Mount the PKI engine and cap lease TTLs at one year.
vault secrets enable pki
vault secrets tune -max-lease-ttl=8760h pki
# Demo only: a self-signed root that issues leaf certificates directly. For
# anything beyond a demo, keep the root offline and issue from an intermediate
# mounted separately.
vault write pki/root/generate/internal \
    common_name=service.consul \
    ttl=8760h
# URLs embedded in issued certificates (AIA and CRL distribution points); they
# must be reachable by whoever validates the certificates.
vault write pki/config/urls \
    issuing_certificates="http://active.vault.service.consul:8200/v1/pki/ca" \
    crl_distribution_points="http://active.vault.service.consul:8200/v1/pki/crl"
# Role restricted to *.service.consul names. The 5s/10s TTLs are deliberately
# tiny so rotation is visible in watch; generate_lease=true gives each
# certificate a lease that consul-template uses as its re-fetch trigger.
vault write pki/roles/consul-service \
    allowed_domains="service.consul" \
    allow_subdomains=true \
    generate_lease=true \
    ttl=5s \
    max_ttl=10s
# AppRole the agent logs in with. policies= is the deprecated alias of
# token_policies=; current Vault versions accept both.
vault auth enable approle
vault write auth/approle/role/certs \
    policies="certuser" \
    secret_id_ttl=24h \
    secret_id_num_uses=5000 \
    token_ttl=5m \
    token_max_ttl=30m \
    token_num_uses=5000