@greenbrian
Created June 23, 2019 20:06
Quick Vault demo usage
#!/bin/bash
## The following command starts Vault in development mode,
## specifying a root token value of 'root'. Dev mode runs in memory,
## unsealed and over plain HTTP: fine for this demo, never for real use.
## Run it in another terminal and export the VAULT_ADDR it prints
## before running the rest of this script.
##
# VAULT_UI=true vault server -dev -dev-root-token-id="root"
## Log in with the root token. Fine for a demo; on a production cluster
## the root token should only be used during initial configuration and
## revoked afterwards
vault login root
## Create an administrative policy named 'vault-admin'.
## 'sudo' on "*" makes this effectively root-equivalent; scope it down
## outside a demo.
echo '
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}' | vault policy write vault-admin -
## Create a normal user policy named 'user'.
## Anything not matched by a rule is denied (Vault denies by default),
## so kv1-super-secret is unreachable. Note the 'data/' segment for the
## kv v2 mount: its API path is kv2/data/<name>, not kv2/<name>.
echo '
path "sys/mounts" {
  capabilities = ["list", "read"]
}
path "secret/*" {
  capabilities = ["list", "read"]
}
path "kv1/mysecret" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv1-very-secret/*" {
  capabilities = ["list", "read"]
}
path "kv2/data/secret" {
  capabilities = ["list", "read"]
}' | vault policy write user -
## Write some secrets
## remembering we are still logged in as root
vault secrets enable -version=1 -path=kv1 kv
vault kv put kv1/mysecret username=bart password=simpson
vault secrets enable -version=1 -path=kv1-very-secret kv
vault kv put kv1-very-secret/mysecret admin_user=root admin_password=P@55w3rd
vault secrets enable -version=1 -path=kv1-super-secret kv
vault kv put kv1-super-secret/sensitive key=value password=35616164316lasfdasfasdfasdfasdfasf
vault secrets enable -version=2 -path=kv2 kv
vault kv put kv2/secret username=admin password=qwertyasdf
vault kv put kv2/othersecrets username=root password=QWERTYUIOSDFGHJ
## Enable the userpass authentication method
vault auth enable userpass
## Create an administrative user and a normal user, attached to the
## policies created above (throwaway demo passwords)
vault write auth/userpass/users/vault password=vault policies=vault-admin
vault write auth/userpass/users/test password=test policies=user
## Login with normal user
vault login -method=userpass username=test password=test
## Read secret paths as the normal user. The first two succeed; the third
## fails because no rule in the 'user' policy matches kv1-super-secret/*
## and Vault denies by default
vault kv get kv1/mysecret
vault kv get kv1-very-secret/mysecret
vault kv get kv1-super-secret/sensitive
## Write to the versioned (kv v2) mount as the normal user. Both fail:
## 'vault kv put' needs create or update on kv2/data/<name>, and the
## 'user' policy grants only list/read on kv2/data/secret and nothing
## on kv2/data/othersecrets
vault kv put kv2/secret username=moe password=syzslak
vault kv put kv2/othersecrets admin_user=root admin_password=passw3rD
## Read from the versioned mount as the normal user. The first succeeds
## (read on kv2/data/secret); the second fails (no rule covers
## kv2/data/othersecrets)
vault kv get kv2/secret
vault kv get kv2/othersecrets
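To see why each of the `vault kv` calls above succeeds or fails without a running Vault, here is an added example (not part of the gist) that re-implements the relevant part of Vault's ACL evaluation in POSIX shell: deny by default, a trailing `*` as a prefix glob, the most specific (longest) matching path winning, an explicit `deny` capability overriding everything, and the `data/` path rewrite that kv v2 mounts apply. The rules are the `user` policy transcribed to a `path:caps` list; the `+` single-segment wildcard is not modelled.

```shell
#!/bin/sh
# Added example, not part of the gist: a small evaluator for the ACL rules
# in the 'user' policy above, to show why each 'vault kv' call made as the
# 'test' user succeeds or fails. Vault semantics modelled here: deny by
# default, a trailing '*' is a prefix glob, the most specific (longest)
# matching path wins, and a 'deny' capability overrides any other grant.
# The '+' single-segment wildcard is not modelled. Rules are path:caps,
# one per line, transcribed from the policy block above.
set -f   # no filename globbing: rules like secret/* must stay literal

USER_POLICY='sys/mounts:list,read
secret/*:list,read
kv1/mysecret:create,read,update,delete,list
kv1-very-secret/*:list,read
kv2/data/secret:list,read'

# path_matches PATTERN PATH -> 0 when PATTERN (exact, or trailing-* glob) covers PATH
path_matches() {
  case $1 in
    *\*) case $2 in "${1%\*}"*) return 0 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# allowed POLICY PATH CAP -> prints "allowed" or "denied"
allowed() {
  best_caps='' best_len=0
  old_ifs=$IFS
  IFS='
'
  for rule in $1; do
    pat=${rule%%:*} caps=${rule#*:}
    if path_matches "$pat" "$2" && [ "${#pat}" -gt "$best_len" ]; then
      best_caps=$caps best_len=${#pat}
    fi
  done
  IFS=$old_ifs
  case ",$best_caps," in
    *,deny,*)  echo denied ;;
    *",$3,"*)  echo allowed ;;
    *)         echo denied ;;
  esac
}

# kv_check OP MOUNT VERSION KEY -> verdict for 'vault kv OP MOUNT/KEY'.
# A kv v2 mount keeps secrets under MOUNT/data/KEY, and that is the path the
# ACL is checked against (which is why the policy says kv2/data/secret).
# 'get' needs read; 'put' needs create (new key) or update (existing key).
kv_check() {
  op=$1 mount=$2 version=$3 key=$4
  if [ "$version" = 2 ]; then path="$mount/data/$key"; else path="$mount/$key"; fi
  case $op in
    get) allowed "$USER_POLICY" "$path" read ;;
    put) verdict=$(allowed "$USER_POLICY" "$path" create)
         [ "$verdict" = allowed ] || verdict=$(allowed "$USER_POLICY" "$path" update)
         echo "$verdict" ;;
  esac
}

# Replay the requests the gist makes as user 'test'
for req in 'get kv1 1 mysecret' 'get kv1-very-secret 1 mysecret' \
           'get kv1-super-secret 1 sensitive' 'put kv2 2 secret' \
           'put kv2 2 othersecrets' 'get kv2 2 secret' 'get kv2 2 othersecrets'; do
  set -- $req
  printf 'vault kv %-3s %s/%s -> %s\n' "$1" "$2" "$4" "$(kv_check "$1" "$2" "$3" "$4")"
done
```

Run it as `sh policy-check.sh`; the one line that usually surprises people is `put kv2/secret`, which is denied even though the policy names that exact path, because `list` and `read` do not include `create` or `update`.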
## Create template file for consul-template
echo -n 'this is my fake config file
[config]{{ with $secret := secret "kv1/mysecret" }}
username={{$secret.Data.username}}
password={{$secret.Data.password}}{{ end }}
'> file.tpl
## Execute consul-template to render the file to stdout (-dry).
## This assumes consul-template is installed. It authenticates with the
## token in VAULT_TOKEN, falling back to the token 'vault login' saved,
## so this renders as the 'test' user and reads kv1/mysecret
consul-template -log-level=err -template=file.tpl -once -dry
## PKI: switch back to the root token for the certificate setup
vault login root
mkdir -p /tmp/certs/
## Enable PKI secret engine for root CA
vault secrets enable -path vault-ca-root -max-lease-ttl=87600h pki
## Generate the root CA certificate. generate/internal keeps the private
## key inside Vault and does not return it (use generate/exported if you
## really need it out), so only the certificate is saved here
vault write -format=json vault-ca-root/root/generate/internal \
common_name="vault-ca-root" ttl=87600h | tee \
>(jq -r .data.certificate > /tmp/certs/ca.pem) \
>(jq -r .data.issuing_ca > /tmp/certs/issuing_ca.pem)
## Enable & configure PKI secret engine for intermediate
vault secrets enable -path vault-ca-intermediate pki
vault secrets tune -max-lease-ttl=87600h vault-ca-intermediate
## Generate the intermediate's key and CSR; again the key stays in Vault
## and only the CSR comes back
vault write -format=json vault-ca-intermediate/intermediate/generate/internal \
common_name="vault-ca-intermediate" ttl=43800h | tee \
>(jq -r .data.csr > /tmp/certs/vault-ca-intermediate.csr)
## Sign the intermediate by the root CA
vault write -format=json vault-ca-root/root/sign-intermediate \
csr=@/tmp/certs/vault-ca-intermediate.csr \
common_name="vault-ca-intermediate" ttl=43800h | tee \
>(jq -r .data.certificate > /tmp/certs/vault-ca-intermediate.pem) \
>(jq -r .data.issuing_ca > /tmp/certs/vault-ca-intermediate_issuing_ca.pem)
vault write vault-ca-intermediate/intermediate/set-signed certificate=@/tmp/certs/vault-ca-intermediate.pem
## Create a role. allow_any_name=true lets any caller with access to this
## role request any common name; outside a demo restrict it with
## allowed_domains and allow_subdomains. max_ttl=1m means issued
## certificates expire after one minute
vault write vault-ca-intermediate/roles/example-dot-com allow_any_name=true max_ttl="1m"
## Generate a certificate
vault write vault-ca-intermediate/issue/example-dot-com common_name=foo.example.com
## Create template for use with Consul-template
echo -n '{{ with secret "vault-ca-intermediate/issue/example-dot-com" "common_name=foo.example.com" }}
{{ .Data.certificate }}
{{ .Data.private_key }}
{{ end }}' > cert.tpl
## Use consul-template to render template to stdout
consul-template -log-level=err -template=cert.tpl -once -dry
## Use consul-template to render template to file
consul-template -log-level=err -template=cert.tpl:file.crt -once
## Inspect the rendered certificate with openssl. file.crt holds the
## certificate followed by the private key; openssl x509 reads only the
## first PEM block, so this prints the certificate but does not verify it
openssl x509 -in file.crt -text -noout
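Printing the certificate is not the same as verifying it. The following is an added example (not part of the gist) that does the two things a consumer of `file.crt` actually needs: split the rendered bundle into a certificate file and a key file with a safe mode, and check that the leaf chains through the intermediate to the root the PKI steps exported under `/tmp/certs` (the gist's own paths) and has not hit the role's one-minute TTL. `split_bundle` needs only awk and grep; `verify_chain` needs openssl.

```shell
#!/bin/sh
# Added example, not part of the gist: post-process the file that cert.tpl
# renders. consul-template writes the certificate and its private key into
# one file (file.crt); most daemons want them separate, and the key must not
# be readable by other users. verify_chain then checks the leaf against the
# CA files the PKI steps above saved under /tmp/certs (the gist's paths) and
# needs openssl on PATH; split_bundle needs only awk and grep.

# split_bundle BUNDLE CERT_OUT KEY_OUT
# Copies every CERTIFICATE block to CERT_OUT (mode 0644) and the PRIVATE KEY
# block to KEY_OUT (mode 0600, created under a restrictive umask so the key
# is never momentarily world-readable). Prints "<certs> <keys>" block counts.
split_bundle() {
  bundle=$1 cert_out=$2 key_out=$3
  : > "$cert_out" && chmod 0644 "$cert_out"
  ( umask 077; : > "$key_out" ) && chmod 0600 "$key_out"
  awk -v cert="$cert_out" -v key="$key_out" '
    /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
    /^-----BEGIN CERTIFICATE-----$/   { out = cert }
    out != ""                         { print >> out }
    /^-----END /                      { out = "" }
  ' "$bundle"
  printf '%s %s\n' "$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert_out")" \
                   "$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----' "$key_out")"
}

# verify_chain LEAF_PEM
# Succeeds only if LEAF_PEM chains through the intermediate to the root the
# gist exported, and will still be valid 30 seconds from now; with the role's
# max_ttl of 1m that second check is the one that catches a stale render.
verify_chain() {
  openssl verify -CAfile /tmp/certs/ca.pem \
    -untrusted /tmp/certs/vault-ca-intermediate.pem "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -checkend 30
}

# Usage with the gist's output; runs only once consul-template has written file.crt
if [ -f file.crt ]; then
  split_bundle file.crt foo.example.com.pem foo.example.com-key.pem
  verify_chain foo.example.com.pem && echo 'foo.example.com: chain and validity OK'
fi
```

If `verify_chain` fails right after a successful render, check the clock first: a one-minute certificate leaves almost no room for skew between the Vault host and the consumer.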