generate tls certificate and key for internal usage
This commit is contained in:
J Cole Morrison
parent
009418074f
commit
6b71f8b09f
|
|
@ -27,6 +27,7 @@ useradd --system --shell /sbin/nologin vault
|
||||||
mkdir -p "/opt/vault"
|
mkdir -p "/opt/vault"
|
||||||
mkdir -p "/opt/vault/bin"
|
mkdir -p "/opt/vault/bin"
|
||||||
mkdir -p "/opt/vault/config"
|
mkdir -p "/opt/vault/config"
|
||||||
|
mkdir -p "/opt/vault/tls"
|
||||||
|
|
||||||
# Give corret permissions
|
# Give corret permissions
|
||||||
chmod 755 "/opt/vault"
|
chmod 755 "/opt/vault"
|
||||||
|
|
@ -61,6 +62,32 @@ Content-Type: text/x-shellscript; charset="us-ascii"
|
||||||
# Run Order: 2
|
# Run Order: 2
|
||||||
# Run Frequency: only once, on first boot
|
# Run Frequency: only once, on first boot
|
||||||
|
|
||||||
|
# Tasks:
|
||||||
|
# - Fetch needed data
|
||||||
|
# - Create Self-Signed Certificate and Key
|
||||||
|
|
||||||
|
INSTANCE_IP_ADDR=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)
|
||||||
|
INSTANCE_DNS_NAME=$(curl http://169.254.169.254/latest/meta-data/local-hostname)
|
||||||
|
|
||||||
|
# Used for encryption between the load balancer and vault instances.
|
||||||
|
# Th other alternatives are either creating an entire, private CA and hoping AWS
|
||||||
|
# eventually adds the ability to add trusted CAs to load balancers...
|
||||||
|
# ...or paying $400/month base for the ACM private CA.
|
||||||
|
openssl req -x509 -sha256 -nodes \
|
||||||
|
-newkey rsa:4096 -days 3650 \
|
||||||
|
-keyout /opt/vault/tls/vault.pem -out /opt/vault/tls/vault.crt \
|
||||||
|
-subj "/CN=$INSTANCE_DNS_NAME" \
|
||||||
|
-extensions san \
|
||||||
|
-config <(cat /etc/pki/tls/openssl.cnf <(echo -e "\n[san]\nsubjectAltName=DNS:$INSTANCE_DNS_NAME,IP:$INSTANCE_IP_ADDR"))
|
||||||
|
|
||||||
|
--==BOUNDARY==
|
||||||
|
Content-Type: text/x-shellscript; charset="us-ascii"
|
||||||
|
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Run Order: 3
|
||||||
|
# Run Frequency: only once, on first boot
|
||||||
|
|
||||||
# Tasks:
|
# Tasks:
|
||||||
# - Make the vault config file
|
# - Make the vault config file
|
||||||
# - Make the systemd service file
|
# - Make the systemd service file
|
||||||
|
|
@ -77,7 +104,7 @@ ui = "true"
|
||||||
api_addr = "https://${VAULT_DNS}"
|
api_addr = "https://${VAULT_DNS}"
|
||||||
|
|
||||||
# For forwarding between vault servers. Set to own ip.
|
# For forwarding between vault servers. Set to own ip.
|
||||||
cluster_addr = "http://INSTANCE_IP_ADDR:8201"
|
cluster_addr = "https://INSTANCE_IP_ADDR:8201"
|
||||||
|
|
||||||
# Auto unseal the vault
|
# Auto unseal the vault
|
||||||
seal "awskms" {
|
seal "awskms" {
|
||||||
|
|
@ -96,8 +123,9 @@ listener "tcp" {
|
||||||
address = "INSTANCE_IP_ADDR:8200"
|
address = "INSTANCE_IP_ADDR:8200"
|
||||||
cluster_address = "INSTANCE_IP_ADDR:8201"
|
cluster_address = "INSTANCE_IP_ADDR:8201"
|
||||||
|
|
||||||
# off, because they all talk in a private subnet
|
tls_disable = "false"
|
||||||
tls_disable = "true"
|
tls_cert_file = "/opt/vault/tls/vault.crt"
|
||||||
|
tls_key_file = "/opt/vault/tls/vault.key"
|
||||||
}
|
}
|
||||||
|
|
||||||
storage "dynamodb" {
|
storage "dynamodb" {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue