improve vault and vault_api deployhooks

deploy/vault.sh

@@ -7,13 +7,16 @@
 #
 # VAULT_PREFIX - this contains the prefix path in vault
 # VAULT_ADDR - vault requires this to find your vault server
+# VAULT_SAVE_TOKEN - set to anything if you want to save the token
+# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
+# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
 #
 # additionally, you need to ensure that VAULT_TOKEN is avialable
 # to access the vault server
 
 #returns 0 means success, otherwise error.
 
-########  Public functions #####################
+######## Public functions #####################
 
 #domain keyfile certfile cafile fullchain
 vault_deploy() {
@@ -45,6 +48,24 @@ vault_deploy() {
   fi
   _savedeployconf VAULT_ADDR "$VAULT_ADDR"
 
+  _getdeployconf VAULT_SAVE_TOKEN
+  _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
+
+  _getdeployconf VAULT_RENEW_TOKEN
+  _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
+
+  _getdeployconf VAULT_KV_V2
+  _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
+
+  _getdeployconf VAULT_TOKEN
+  if [ -z "$VAULT_TOKEN" ]; then
+    _err "VAULT_TOKEN needs to be defined"
+    return 1
+  fi
+  if [ -n "$VAULT_SAVE_TOKEN" ]; then
+    _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
+  fi
+
   # JSON does not allow multiline strings.
   # So replacing new-lines with "\n" here
   _ckey=$(sed -z 's/\n/\\n/g' <"$2")
@@ -52,26 +73,56 @@ vault_deploy() {
   _cca=$(sed -z 's/\n/\\n/g' <"$4")
   _cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
 
-  URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
   export _H1="X-Vault-Token: $VAULT_TOKEN"
 
+  if [ -n "$VAULT_RENEW_TOKEN" ]; then
+    URL="$VAULT_ADDR/v1/auth/token/renew-self"
+    _info "Renew the token to default TTL"
+    if ! _post "" "$URL" >/dev/null; then
+      _err "Failed to renew the token"
+      return 1
+    fi
+  fi
+
+  URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
+
   if [ -n "$FABIO" ]; then
+    _info "Writing certificate and key to $URL in Fabio mode"
     if [ -n "$VAULT_KV_V2" ]; then
-      _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
+      _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
     else
-      _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
+      _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
     fi
   else
     if [ -n "$VAULT_KV_V2" ]; then
-      _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
-      _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
-      _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
-      _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
+      _info "Writing certificate to $URL/cert.pem"
+      _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
+      _info "Writing key to $URL/cert.key"
+      _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
+      _info "Writing CA certificate to $URL/ca.pem"
+      _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
+      _info "Writing full-chain certificate to $URL/fullchain.pem"
+      _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
     else
-      _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
-      _post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
-      _post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
-      _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
+      _info "Writing certificate to $URL/cert.pem"
+      _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
+      _info "Writing key to $URL/cert.key"
+      _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
+      _info "Writing CA certificate to $URL/ca.pem"
+      _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
+      _info "Writing full-chain certificate to $URL/fullchain.pem"
+      _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
+    fi
+
+    # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
+    if _get "$URL/chain.pem" >/dev/null; then
+      _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
+      _info "Updating CA certificate to $URL/chain.pem for backward compatibility"
+      if [ -n "$VAULT_KV_V2" ]; then
+        _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
+      else
+        _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
+      fi
     fi
   fi
 

deploy/vault_cli.sh

@@ -8,6 +8,8 @@
 #
 # VAULT_PREFIX - this contains the prefix path in vault
 # VAULT_ADDR - vault requires this to find your vault server
+# VAULT_SAVE_TOKEN - set to anything if you want to save the token
+# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
 #
 # additionally, you need to ensure that VAULT_TOKEN is avialable or
 # `vault auth` has applied the appropriate authorization for the vault binary
@@ -33,15 +35,34 @@ vault_cli_deploy() {
   _debug _cfullchain "$_cfullchain"
 
   # validate required env vars
+  _getdeployconf VAULT_PREFIX
   if [ -z "$VAULT_PREFIX" ]; then
     _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
     return 1
   fi
+  _savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
 
+  _getdeployconf VAULT_ADDR
   if [ -z "$VAULT_ADDR" ]; then
     _err "VAULT_ADDR needs to be defined (contains vault connection address)"
     return 1
   fi
+  _savedeployconf VAULT_ADDR "$VAULT_ADDR"
+
+  _getdeployconf VAULT_SAVE_TOKEN
+  _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
+
+  _getdeployconf VAULT_RENEW_TOKEN
+  _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
+
+  _getdeployconf VAULT_TOKEN
+  if [ -z "$VAULT_TOKEN" ]; then
+    _err "VAULT_TOKEN needs to be defined"
+    return 1
+  fi
+  if [ -n "$VAULT_SAVE_TOKEN" ]; then
+    _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
+  fi
 
   VAULT_CMD=$(command -v vault)
   if [ ! $? ]; then
@@ -49,13 +70,33 @@ vault_cli_deploy() {
     return 1
   fi
 
+  if [ -n "$VAULT_RENEW_TOKEN" ]; then
+    _info "Renew the token to default TTL"
+    if ! $VAULT_CMD token renew; then
+      _err "Failed to renew the token"
+      return 1
+    fi
+  fi
+
   if [ -n "$FABIO" ]; then
+    _info "Writing certificate and key to $URL in Fabio mode"
     $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
   else
+    _info "Writing certificate to $URL/cert.pem"
     $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+    _info "Writing key to $URL/cert.key"
     $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
-    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+    _info "Writing CA certificate to $URL/ca.pem"
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1
+    _info "Writing full-chain certificate to $URL/fullchain.pem"
     $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+
+    # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
+    if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then
+      _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
+      _info "Updating CA certificate to $URL/chain.pem for backward compatibility"
+      $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+    fi
   fi
 
 }