### Keybase proof

I hereby claim:

* I am stvdilln on github.
* I am stvdilln (https://keybase.io/stvdilln) on keybase.
* I have a public key ASCrq7bs-dXWBRph3H7VZSzmRPbuHbpR1AtSJAMDpNZjBAo

To claim this, I am signing this object:
```hcl
resource tls_self_signed_cert ca_cert {
  private_key_pem = tls_private_key.ca_key.private_key_pem
  key_algorithm   = "RSA"
  subject {
    common_name         = "${var.server_cert_domain} Root CA"
    organization        = "Acme Inc"
    organizational_unit = "Development"
    street_address      = ["1234 Main Street"]
    locality            = "Beverly Hills"
    province            = "CA"
```
```hcl
#
# Create a self-signed certificate to use as the Root Certificate Authority
#
resource tls_self_signed_cert ca_cert {
  private_key_pem = tls_private_key.ca_key.private_key_pem
  key_algorithm   = "RSA"
  subject {
    common_name         = "${var.server_cert_domain} Root CA"
    organization        = "Acme Inc"
    organizational_unit = "Development"
```
```hcl
# Take the Root CA certificate that we have created and store it in
# the mount point pki-root-ca. The ca_pem_bundle in this case is
# the certificate we generated together with its private key.
resource "vault_pki_secret_backend_config_ca" "ca_config" {
  depends_on = [vault_mount.root, tls_private_key.ca_key]
  backend    = vault_mount.root.path
  pem_bundle = local_file.ca_pem_bundle.sensitive_content
}
```
```hcl
# Create a CSR (Certificate Signing Request).
# Behind the scenes this creates a new private key, which signs the
# CSR. Later on, when we store the signed intermediate cert, that
# certificate must match the private key generated here.
# I don't see an obvious way to use these APIs to put an intermediate cert
# into vault that was generated outside of vault.
resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
  depends_on = [vault_mount.pki_int]
  backend    = vault_mount.pki_int.path
```
```hcl
# Have the Root CA sign our CSR
resource "vault_pki_secret_backend_root_sign_intermediate" "intermediate" {
  depends_on = [
    vault_pki_secret_backend_intermediate_cert_request.intermediate,
    vault_pki_secret_backend_config_ca.ca_config,
  ]
  backend              = vault_mount.root.path
  csr                  = vault_pki_secret_backend_intermediate_cert_request.intermediate.csr
  common_name          = "${var.server_cert_domain} Intermediate Certificate"
  exclude_cn_from_sans = true
  ou                   = "Development"
  organization         = "mydomain.com"
```
```hcl
# Now that the CSR is processed and we have a signed cert,
# put the certificate and the Root CA into the backend
# mount point. If you do not put the CA in here, the
# chained_ca output of a generated cert will only be
# the intermediate cert and not the whole chain.
resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
  backend     = vault_mount.pki_int.path
  certificate = "${vault_pki_secret_backend_root_sign_intermediate.intermediate.certificate}\n${tls_self_signed_cert.ca_cert.cert_pem}"
}
```
```hcl
#
# Role for server certs
# This creates certs of the form machinename.mydomain.com
#
resource "vault_pki_secret_backend_role" "role-server-cer" {
  backend         = vault_mount.pki_int.path
  name            = "server-cert-for-${var.server_cert_domain}"
  allowed_domains = [var.server_cert_domain]
```
```hcl
#
# Role for creating client certs
# This creates certs of the form Joe.User@mydomain.com
#
resource "vault_pki_secret_backend_role" "vault-client-cert" {
  backend            = vault_mount.pki_int.path
  name               = "client-cert-for-${var.client_cert_domain}"
  allowed_domains    = [var.client_cert_domain]
  allow_subdomains   = false
  allow_glob_domains = false
```
```yaml
# These are the settings necessary to run a self-contained consul
# ecosystem within a single kubernetes cluster. It is possible to
# connect this cluster to one outside of kubernetes and have
# resources exposed in the cluster available to the world through
# mesh gateways. When I wrote this, there were issues with mesh
# gateways and inter-cluster communications, so this config file
# is just for a single-cluster environment.
# Be careful of typos in this file: if you mistype a key name
# then the default value will be used and you get no warning.
```