Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
Apq
/
acme.sh
mirror de https://github.com/acmesh-official/acme.sh.git
1
0
Fork 0
Ficheiros Problemas 0 Wiki
Árvore: b8d0d3c242
Ramos Etiquetas
acme.sh
/
deploy
/
vault.sh

vault.sh 4.5 KB
Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. #!/usr/bin/env sh
    2. 

  2. 

  3. # Here is a script to deploy cert to hashicorp vault using curl
    4. 

  4. # (https://www.vaultproject.io/)
    5. 

  5. #
    6. 

  6. # it requires following environment variables:
    7. 

  7. #
    8. 

  8. # VAULT_PREFIX - this contains the prefix path in vault
    9. 

  9. # VAULT_ADDR - vault requires this to find your vault server
    10. 

  10. # VAULT_SAVE_TOKEN - set to anything if you want to save the token
    11. 

  11. # VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
    12. 

  12. # VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
    13. 

  13. #
    14. 

  14. # additionally, you need to ensure that VAULT_TOKEN is avialable
    15. 

  15. # to access the vault server
    16. 

  16. 

  17. #returns 0 means success, otherwise error.
    18. 

  18. 

  19. ######## Public functions #####################
    20. 

  20. 

  21. #domain keyfile certfile cafile fullchain
    22. 

  22. vault_deploy() {
    23. 

  23. 

  24.   _cdomain="$1"
    25. 

  25.   _ckey="$2"
    26. 

  26.   _ccert="$3"
    27. 

  27.   _cca="$4"
    28. 

  28.   _cfullchain="$5"
    29. 

  29. 

  30.   _debug _cdomain "$_cdomain"
    31. 

  31.   _debug _ckey "$_ckey"
    32. 

  32.   _debug _ccert "$_ccert"
    33. 

  33.   _debug _cca "$_cca"
    34. 

  34.   _debug _cfullchain "$_cfullchain"
    35. 

  35. 

  36.   # validate required env vars
    37. 

  37.   _getdeployconf VAULT_PREFIX
    38. 

  38.   if [ -z "$VAULT_PREFIX" ]; then
    39. 

  39.     _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
    40. 

  40.     return 1
    41. 

  41.   fi
    42. 

  42.   _savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
    43. 

  43. 

  44.   _getdeployconf VAULT_ADDR
    45. 

  45.   if [ -z "$VAULT_ADDR" ]; then
    46. 

  46.     _err "VAULT_ADDR needs to be defined (contains vault connection address)"
    47. 

  47.     return 1
    48. 

  48.   fi
    49. 

  49.   _savedeployconf VAULT_ADDR "$VAULT_ADDR"
    50. 

  50. 

  51.   _getdeployconf VAULT_SAVE_TOKEN
    52. 

  52.   _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
    53. 

  53. 

  54.   _getdeployconf VAULT_RENEW_TOKEN
    55. 

  55.   _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
    56. 

  56. 

  57.   _getdeployconf VAULT_KV_V2
    58. 

  58.   _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
    59. 

  59. 

  60.   _getdeployconf VAULT_TOKEN
    61. 

  61.   if [ -z "$VAULT_TOKEN" ]; then
    62. 

  62.     _err "VAULT_TOKEN needs to be defined"
    63. 

  63.     return 1
    64. 

  64.   fi
    65. 

  65.   if [ -n "$VAULT_SAVE_TOKEN" ]; then
    66. 

  66.     _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
    67. 

  67.   fi
    68. 

  68. 

  69.   # JSON does not allow multiline strings.
    70. 

  70.   # So replacing new-lines with "\n" here
    71. 

  71.   _ckey=$(sed -z 's/\n/\\n/g' <"$2")
    72. 

  72.   _ccert=$(sed -z 's/\n/\\n/g' <"$3")
    73. 

  73.   _cca=$(sed -z 's/\n/\\n/g' <"$4")
    74. 

  74.   _cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
    75. 

  75. 

  76.   export _H1="X-Vault-Token: $VAULT_TOKEN"
    77. 

  77. 

  78.   if [ -n "$VAULT_RENEW_TOKEN" ]; then
    79. 

  79.     URL="$VAULT_ADDR/v1/auth/token/renew-self"
    80. 

  80.     _info "Renew the token to default TTL"
    81. 

  81.     if ! _post "" "$URL" >/dev/null; then
    82. 

  82.       _err "Failed to renew the token"
    83. 

  83.       return 1
    84. 

  84.     fi
    85. 

  85.   fi
    86. 

  86. 

  87.   URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
    88. 

  88. 

  89.   if [ -n "$FABIO" ]; then
    90. 

  90.     _info "Writing certificate and key to $URL in Fabio mode"
    91. 

  91.     if [ -n "$VAULT_KV_V2" ]; then
    92. 

  92.       _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
    93. 

  93.     else
    94. 

  94.       _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
    95. 

  95.     fi
    96. 

  96.   else
    97. 

  97.     if [ -n "$VAULT_KV_V2" ]; then
    98. 

  98.       _info "Writing certificate to $URL/cert.pem"
    99. 

  99.       _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
    100. 

  100.       _info "Writing key to $URL/cert.key"
    101. 

  101.       _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
    102. 

  102.       _info "Writing CA certificate to $URL/ca.pem"
    103. 

  103.       _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
    104. 

  104.       _info "Writing full-chain certificate to $URL/fullchain.pem"
    105. 

  105.       _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
    106. 

  106.     else
    107. 

  107.       _info "Writing certificate to $URL/cert.pem"
    108. 

  108.       _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
    109. 

  109.       _info "Writing key to $URL/cert.key"
    110. 

  110.       _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
    111. 

  111.       _info "Writing CA certificate to $URL/ca.pem"
    112. 

  112.       _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
    113. 

  113.       _info "Writing full-chain certificate to $URL/fullchain.pem"
    114. 

  114.       _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
    115. 

  115.     fi
    116. 

  116. 

  117.     # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
    118. 

  118.     if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then
    119. 

  119.       _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
    120. 

  120.       _info "Updating CA certificate to $URL/chain.pem for backward compatibility"
    121. 

  121.       if [ -n "$VAULT_KV_V2" ]; then
    122. 

  122.         _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
    123. 

  123.       else
    124. 

  124.         _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
    125. 

  125.       fi
    126. 

  126.     fi
    127. 

  127.   fi
    128. 

  128. 

  129. }
    130.