deploy_pki


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

#!/usr/bin/env ./sshtool

PKI=cluster/$CLUSTER/secrets/pki
YEAR=$(date +%Y)

cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki

for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
	if [ -f "$PKI/$file" ]; then
		copy_secret $PKI/$file /var/lib/consul/pki/$file
		cmd chown consul:root /var/lib/consul/pki/$file
	fi
done

cmd systemctl restart consul
cmd sleep 10

for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
	if [ -f "$PKI/$file" ]; then
		copy_secret $PKI/$file /var/lib/nomad/pki/$file
	fi
done

cmd systemctl restart nomad

set_env CONSUL_HTTP_ADDR=https://localhost:8501
set_env CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
set_env CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
set_env CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key

cmd "consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt"
cmd "consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt"
cmd "consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key"