Steve Dillon stvdilln
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am stvdilln on github. | |
| * I am stvdilln (https://keybase.io/stvdilln) on keybase. | |
| * I have a public key ASCrq7bs-dXWBRph3H7VZSzmRPbuHbpR1AtSJAMDpNZjBAo | |
| To claim this, I am signing this object: |
stvdilln
/ root_ca.tf
Created
January 31, 2020 15:02
Creating a Root Certificate Authority in Vault with Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource tls_self_signed_cert ca_cert { | |
| private_key_pem = tls_private_key.ca_key.private_key_pem | |
| key_algorithm = "RSA" | |
| subject { | |
| common_name = "${var.server_cert_domain} Root CA" | |
| organization = "Acme Inc" | |
| organizational_unit = "Development" | |
| street_address = ["1234 Main Street"] | |
| locality = "Beverly Hills" | |
| province = "CA" |
stvdilln
/ root_ca.tf
Created
January 31, 2020 15:05
Creating the Root CA Certificate with Terraforms PKI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Create a Self Signed Certificate , to use as the Root Certificate Authority | |
| # | |
| resource tls_self_signed_cert ca_cert { | |
| private_key_pem = tls_private_key.ca_key.private_key_pem | |
| key_algorithm = "RSA" | |
| subject { | |
| common_name = "${var.server_cert_domain} Root CA" | |
| organization = "Acme Inc" | |
| organizational_unit = "Development" |
stvdilln
/ root_ca.tf
Created
January 31, 2020 15:13
Installing a Self Signed Certificate into Vault using Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Take the Root CA certificate that we have created and store it in | |
| # the mount point pki-root-ca. The ca_pem_bundle in this case is | |
| # the Certificate we generated and the key for it. | |
| resource "vault_pki_secret_backend_config_ca" "ca_config" { | |
| depends_on = [ vault_mount.root, tls_private_key.ca_key] | |
| backend = vault_mount.root.path | |
| pem_bundle = local_file.ca_pem_bundle.sensitive_content | |
| } | |
stvdilln
/ intermediate_csr.tf
Created
January 31, 2020 15:16
Create a Certificate Signing Request in Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Create a CSR (Certificate Signing Request) | |
| # Behind the scenes this creates a new private key, that has signed the | |
| # CSR. Later on, when we store the signed Intermediate Cert, that | |
| # certificate must match the Private Key generated here. | |
| # I don't see an obvious way to use these APIs to put an intermediate cert | |
| # into vault that was generated outside of vault. | |
| resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" { | |
| depends_on = [ vault_mount.pki_int ] | |
| backend = vault_mount.pki_int.path |
stvdilln
/ root_sign_cert.tf
Created
January 31, 2020 15:18
Asking a Vault Certificate to sign a Certificate Signing Request.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Have the Root CA Sign our CSR | |
| resource "vault_pki_secret_backend_root_sign_intermediate" "intermediate" { | |
| depends_on = [ vault_pki_secret_backend_intermediate_cert_request.intermediate, vault_pki_secret_backend_config_ca.ca_config ] | |
| backend = vault_mount.root.path | |
| csr = vault_pki_secret_backend_intermediate_cert_request.intermediate.csr | |
| common_name = "${var.server_cert_domain} Intermediate Certificate" | |
| exclude_cn_from_sans = true | |
| ou = "Development" | |
| organization = "mydomain.com" |
stvdilln
/ itermedaite_install.tf
Created
January 31, 2020 15:20
Installing the intermediate cert into Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Now that CSR is processed and we have a signed cert | |
| # Put the Certificate, and The Root CA into the backend | |
| # mount point. IF you do not put the CA in here, the | |
| # chained_ca output of a generated cert will only be | |
| # the intermedaite cert and not the whole chain. | |
| resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" { | |
| backend = vault_mount.pki_int.path | |
| certificate = "${vault_pki_secret_backend_root_sign_intermediate.intermediate.certificate}\n${tls_self_signed_cert.ca_cert.cert_pem}" | |
| } |
stvdilln
/ server_cert_role.tf
Created
January 31, 2020 15:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Role for server certs | |
| # This creates certs of machinename.mydomain.com | |
| # | |
| # | |
| resource "vault_pki_secret_backend_role" "role-server-cer" { | |
| backend = vault_mount.pki_int.path | |
| name = "server-cert-for-${var.server_cert_domain}" | |
| allowed_domains = [ var.server_cert_domain ] |
stvdilln
/ certificate_role_client.tf
Created
January 31, 2020 15:28
Create a Certificate Role in Vault to Generate Email based certificates for Clients
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Role for creating client certs | |
| # This creates certs of format Joe.User@mydomain.com | |
| # | |
| resource "vault_pki_secret_backend_role" "vault-client-cert" { | |
| backend = vault_mount.pki_int.path | |
| name = "client-cert-for-${var.client_cert_domain}" | |
| allowed_domains = [ var.client_cert_domain ] | |
| allow_subdomains = false | |
| allow_glob_domains = false |
stvdilln
/ values-standalone.yaml
Last active
February 5, 2020 21:02
consul-helm overrides to vaules.yaml to enable connect-inject
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These are the setting necessary to run a self-contained consul | |
| # ecosystem within a single kubernetes cluster. It is possbile to | |
| # connect this cluster to an outside (of kubernetes) and have | |
| # resources exposed in the cluster availabe to the World through | |
| # mesh gateways. When I wrote this, there were issues with mesh | |
| # gateways and inter cluster communications, so this config file | |
| # is just for a single cluster environment. | |
| # Be Careful of typos in this file, if you mistype a key name | |
| # then the default value will be used and you get no waring. |
OlderNewer