From 0592ac55d679110e76e253ea1b87e4620b498d42 Mon Sep 17 00:00:00 2001 From: Rahul Date: Sun, 3 Feb 2019 11:49:43 -0800 Subject: [PATCH 1/5] add file backend to quick start guide (#727) * add file backend to quick start guide * add formatting to file backend debug call * fix my poorly exec'ed fork update [storage-backend][vault PKI] Add storage backend - vaultpki initial commit initial commit --- .vscode/confd.go | 0 .vscode/launch.json | 17 +++++++++++++++++ backends/client.go | 16 ++++++++++++++++ backends/vaultpki/client.go | 37 ++++++++++++++++++++++++++++++++++++ integration/vault/test.sh | 1 + integration/vaultpki/test.sh | 28 +++++++++++++++++++++++++++ 6 files changed, 99 insertions(+) create mode 100644 .vscode/confd.go create mode 100644 .vscode/launch.json create mode 100644 backends/vaultpki/client.go create mode 100755 integration/vaultpki/test.sh diff --git a/.vscode/confd.go b/.vscode/confd.go new file mode 100644 index 000000000..e69de29bb diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 000000000..e0fff1f89 --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,17 @@ +{ + // Use IntelliSense to learn about possible attributes. + // Hover to view descriptions of existing attributes. + // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "name": "Launch", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "confd.go", + "env": {}, + "args": [] + } + ] +} \ No newline at end of file diff --git a/backends/client.go b/backends/client.go index 1e1bff119..fffb88b06 100644 --- a/backends/client.go +++ b/backends/client.go 
@@ -14,6 +14,7 @@ import ( "github.com/kelseyhightower/confd/backends/redis" "github.com/kelseyhightower/confd/backends/ssm" "github.com/kelseyhightower/confd/backends/vault" + "github.com/kelseyhightower/confd/backends/vaultpki" "github.com/kelseyhightower/confd/backends/zookeeper" "github.com/kelseyhightower/confd/log" ) @@ -79,6 +80,21 @@ func New(config Config) (StoreClient, error) { "path": config.Path, } return vault.New(backendNodes[0], config.AuthType, vaultConfig) + case "vaultpki": + vaultPkiConfig := map[string]string{ + "app-id": config.AppID, + "user-id": config.UserID, + "role-id": config.RoleID, + "secret-id": config.SecretID, + "username": config.Username, + "password": config.Password, + "token": config.AuthToken, + "cert": config.ClientCert, + "key": config.ClientKey, + "caCert": config.ClientCaKeys, + "path": config.Path, + } + return vaultpki.New(backendNodes[0], config.AuthType, vaultPkiConfig) case "dynamodb": table := config.Table log.Info("DynamoDB table set to " + table) diff --git a/backends/vaultpki/client.go b/backends/vaultpki/client.go new file mode 100644 index 000000000..57c9a8c2c --- /dev/null +++ b/backends/vaultpki/client.go 
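Review bot: The new `case "vaultpki"` branch repeats the eleven-entry map that the `case "vault"` branch just above it builds, entry for entry, and the two will drift the next time a Vault option is added; build it once in a small helper, `params := vaultParams(config)`, and call that from both cases. The helper is also the one place to note that `password`, `token`, `secret-id` and `key` carry credentials, which matters if this map is ever logged. The enclosing `New` function starts and ends outside the hunk.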
@@ -0,0 +1,37 @@ +package vaultpki + +import ( + "errors" + + vaultclient "github.com/kelseyhightower/confd/backends/vault" + "github.com/kelseyhightower/confd/log" +) + +// Client is a wrapper around vault client +type Client struct { + client *vaultapi.Client +} + +func + +// New Connect to the vault instance and return a *vault.Client connection +func New(address, authType string, params map[string]string) (*Client, error) { + if authType == "" { + return nil, errors.New("You have to set the auth type when using the vault backend") + } + log.Info("Vault authentication backend set to %s", authType) + conf, err := getConfig + + return nil, nil +} + +//GetValues queries vault and gets the cert +func (c *Client) GetValues(keys []string) (map[string]string, error) { + return nil, nil +} + +// WatchPrefix not yet implemented +func (c *Client) WatchPrefix(prefix string, keys []string, waitIndex uint64, stopChan chan bool) (uint64, error) { + <-stopChan + return 0, nil +} diff --git a/integration/vault/test.sh b/integration/vault/test.sh index 913440d0c..ed54b3b48 100755 --- a/integration/vault/test.sh +++ b/integration/vault/test.sh @@ -1,6 +1,7 @@ #!/bin/bash export HOSTNAME="localhost" +export VAULT_ADDR="http://127.0.0.1:8200/" export ROOT_TOKEN="$(vault read -field id auth/token/lookup-self)" vault secrets enable -path database kv diff --git a/integration/vaultpki/test.sh b/integration/vaultpki/test.sh new file mode 100755 index 000000000..1adb15611 --- /dev/null +++ b/integration/vaultpki/test.sh 
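Review bot: The vaultpki/client.go introduced here does not compile — a bare `func` on its own line, `conf, err := getConfig` with no call and no later use of `conf`, and a `vaultapi` identifier that is never imported — so the tree is broken between PATCH 1/5 and PATCH 2/5 and the series cannot be bisected. Squash this file into PATCH 2/5, which replaces it wholesale, or reduce this commit to the quick-start-guide change its subject line describes.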
@@ -0,0 +1,28 @@ +#!/bin/bash + +export HOSTNAME="localhost" +export VAULT_ADDR="http://127.0.0.1:8200/" +export ROOT_TOKEN="$(vault read -field id auth/token/lookup-self)" + +# vault secrets enable -path database kv +# vault secrets enable -path key kv +# vault secrets enable -path upstream kv +# vault secrets enable -path nested kv + +# vault write key value=foobar +# vault write database/host value=127.0.0.1 +# vault write database/port value=3306 +# vault write database/username value=confd +# vault write database/password value=p@sSw0rd +# vault write upstream app1=10.0.1.10:8080 app2=10.0.1.11:8080 +# vault write nested/east/app1 value=10.0.1.10:8080 +# vault write nested/west/app2 value=10.0.1.11:8080 + +# Run confd +confd --onetime --log-level debug \ + --backend vaultpki \ + --auth-type token \ + --auth-token $ROOT_TOKEN \ + --node http://127.0.0.1:8200 + +# --confdir ./integration/confdir \ \ No newline at end of file From dc1e2b6d77d30a99bf23d3a0c29fbfdb3506796f Mon Sep 17 00:00:00 2001 From: Rahul Date: Mon, 18 Feb 2019 15:48:52 -0800 Subject: [PATCH 2/5] [storage-backend][vault PKI] Add storage backend - vaultpki removed unused files [vaultpki] Fix test [vaultpki] add other key values test removing the test file test removing the test files try zookeeper fix tests --- .gitignore | 1 + .vscode/launch.json | 17 -- backends/client.go | 2 +- backends/vault/client.go | 28 +-- backends/vaultpki/client.go | 178 ++++++++++++++++-- integration/confdir/conf.d/cert.toml | 8 + .../confdir/templates/certkey.pem.tmpl | 6 + integration/vaultpki/test.sh | 42 +++-- integration/zookeeper/test.json | 10 + integration/zookeeper/test.sh | 0 10 files changed, 235 insertions(+), 57 deletions(-) delete mode 100644 .vscode/launch.json create mode 100644 integration/confdir/conf.d/cert.toml create mode 100644 integration/confdir/templates/certkey.pem.tmpl mode change 100644 => 100755 integration/zookeeper/test.sh 
diff --git a/.gitignore b/.gitignore index e660fd93d..b497ff128 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ bin/ +.vscode/ \ No newline at end of file diff --git a/.vscode/launch.json b/.vscode/launch.json deleted file mode 100644 index e0fff1f89..000000000 --- a/.vscode/launch.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - // Use IntelliSense to learn about possible attributes. - // Hover to view descriptions of existing attributes. - // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 - "version": "0.2.0", - "configurations": [ - { - "name": "Launch", - "type": "go", - "request": "launch", - "mode": "auto", - "program": "confd.go", - "env": {}, - "args": [] - } - ] -} \ No newline at end of file diff --git a/backends/client.go b/backends/client.go index fffb88b06..9a8f940e1 100644 --- a/backends/client.go +++ b/backends/client.go @@ -94,7 +94,7 @@ func New(config Config) (StoreClient, error) { "caCert": config.ClientCaKeys, "path": config.Path, } - return vaultpki.New(backendNodes[0], config.AuthType, vaultPkiConfig) + return vaultpki.NewClient(backendNodes[0], config.AuthType, vaultPkiConfig) case "dynamodb": table := config.Table log.Info("DynamoDB table set to " + table) diff --git a/backends/vault/client.go b/backends/vault/client.go index 7e54e5f5b..e137b2d36 100644 --- a/backends/vault/client.go +++ b/backends/vault/client.go @@ -43,8 +43,8 @@ func panicToError(err *error) { } } -// authenticate with the remote client -func authenticate(c *vaultapi.Client, authType string, params map[string]string) (err error) { +// Authenticate with the remote client +func Authenticate(c *vaultapi.Client, authType string, params map[string]string) (err error) { var secret *vaultapi.Secret // handle panics gracefully by creating an error 
@@ -116,7 +116,8 @@ func authenticate(c *vaultapi.Client, authType string, params map[string]string) return nil } -func getConfig(address, cert, key, caCert string) (*vaultapi.Config, error) { +// GetConfig methot in vault backedn to Get Config +func GetConfig(address, cert, key, caCert string) (*vaultapi.Config, error) { conf := vaultapi.DefaultConfig() conf.Address = address @@ -154,7 +155,7 @@ func New(address, authType string, params map[string]string) (*Client, error) { return nil, errors.New("you have to set the auth type when using the vault backend") } log.Info("Vault authentication backend set to %s", authType) - conf, err := getConfig(address, params["cert"], params["key"], params["caCert"]) + conf, err := GetConfig(address, params["cert"], params["key"], params["caCert"]) if err != nil { return nil, err @@ -165,7 +166,7 @@ func New(address, authType string, params map[string]string) (*Client, error) { return nil, err } - if err := authenticate(c, authType, params); err != nil { + if err := Authenticate(c, authType, params); err != nil { return nil, err } return &Client{c}, nil @@ -173,6 +174,7 @@ func New(address, authType string, params map[string]string) (*Client, error) { // GetValues queries etcd for keys prefixed by prefix. func (c *Client) GetValues(keys []string) (map[string]string, error) { + log.Debug("%+v : keys", keys) branches := make(map[string]bool) for _, key := range keys { walkTree(c, key, branches) 
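Review bot: The new doc comment `// GetConfig methot in vault backedn to Get Config` has two typos and does not say what the function does; now that the helper is exported for the vaultpki package it needs a real one, e.g. `// GetConfig returns a vaultapi.Config for address; cert, key and caCert presumably configure client TLS when set.` — hedged, since only the first two lines of the body are in the hunk. The comment `// Authenticate with the remote client` in the previous hunk has the same problem and should read as a sentence starting with the name, e.g. `// Authenticate logs c in to Vault using authType and the credentials in params.` Exporting Authenticate, GetConfig, IsKV and Flatten purely so vaultpki can call them freezes four former internals as public API; an internal package shared by the two backends would avoid that.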
@@ -192,22 +194,22 @@ func (c *Client) GetValues(keys []string) (map[string]string, error) { // if the key has only one string value // treat it as a string and not a map of values - if val, ok := isKV(resp.Data); ok { + if val, ok := IsKV(resp.Data); ok { vars[key] = val } else { // save the json encoded response - // and flatten it to allow usage of gets & getvs + // and Flatten it to allow usage of gets & getvs js, _ := json.Marshal(resp.Data) vars[key] = string(js) - flatten(key, resp.Data, vars) + Flatten(key, resp.Data, vars) } } return vars, nil } -// isKV checks if a given map has only one key of type string +// IsKV checks if a given map has only one key of type string // if so, returns the value of that key -func isKV(data map[string]interface{}) (string, bool) { +func IsKV(data map[string]interface{}) (string, bool) { if len(data) == 1 { if value, ok := data["value"]; ok { if text, ok := value.(string); ok { @@ -218,8 +220,8 @@ func isKV(data map[string]interface{}) (string, bool) { return "", false } -// recursively walks on all the values of a specific key and set them in the variables map -func flatten(key string, value interface{}, vars map[string]string) { +// Flatten recursively walks on all the values of a specific key and set them in the variables map +func Flatten(key string, value interface{}, vars map[string]string) { switch value.(type) { case string: log.Debug("setting key %s to: %s", key, value) @@ -228,7 +230,7 @@ func flatten(key string, value interface{}, vars map[string]string) { inner := value.(map[string]interface{}) for innerKey, innerValue := range inner { innerKey = path.Join(key, "/", innerKey) - flatten(innerKey, innerValue, vars) + Flatten(innerKey, innerValue, vars) } default: // we don't know how to handle non string or maps of strings log.Warning("type of '%s' is not supported (%T)", key, value) diff --git a/backends/vaultpki/client.go b/backends/vaultpki/client.go index 57c9a8c2c..04b4a5d11 100644 
--- a/backends/vaultpki/client.go +++ b/backends/vaultpki/client.go 
@@ -1,36 +1,188 @@ package vaultpki import ( + "encoding/json" "errors" + "path" + "strings" - vaultclient "github.com/kelseyhightower/confd/backends/vault" + vaultapi "github.com/hashicorp/vault/api" + vaultbackend "github.com/kelseyhightower/confd/backends/vault" "github.com/kelseyhightower/confd/log" ) -// Client is a wrapper around vault client +// Client Embed from vault client into vault pki client type Client struct { - client *vaultapi.Client + *vaultapi.Client } -func - -// New Connect to the vault instance and return a *vault.Client connection -func New(address, authType string, params map[string]string) (*Client, error) { +// NewClient "inherit" the new method from the vault client +func NewClient(address, authType string, params map[string]string) (*Client, error) { if authType == "" { - return nil, errors.New("You have to set the auth type when using the vault backend") + return nil, errors.New("you have to set the auth type when using the vault backend") } log.Info("Vault authentication backend set to %s", authType) - conf, err := getConfig + conf, err := vaultbackend.GetConfig(address, params["cert"], params["key"], params["caCert"]) + + if err != nil { + return nil, err + } + + c, err := vaultapi.NewClient(conf) + if err != nil { + return nil, err + } + + if err := vaultbackend.Authenticate(c, authType, params); err != nil { + return nil, err + } + + return &Client{c}, err +} - return nil, nil +// request this is the struct that will be sent to vault to issue a cert +type request struct { + mountPath string + role string + commonName string } -//GetValues queries vault and gets the cert +// parseCommonName this function parses the key return a request struct +func parseCommonName(key string) *request { + // The key must be of the format /mountpath/issue/rolename/commonname + if strings.Contains(key, "issue") { + splitKeyList := strings.Split(key, "issue") + splitRoleList := strings.Split(splitKeyList[1], "/") + log.Debug("getCommonName path: %s, 
role: %s, commonName: %s", splitKeyList[0], splitRoleList[1], splitRoleList[2]) + k := request{splitKeyList[0], splitRoleList[1], splitRoleList[2]} + return &k + } + + return &request{} + +} + +func issueCert(c *Client, r *request) (map[string]string, error) { + log.Debug("issueCert path: %s, role: %s, commonName: %s", r.mountPath, r.role, r.commonName) + writePath := r.mountPath + "issue" + "/my-role" + + payload := map[string]interface{}{ + "common_name": r.commonName, + } + resp, err := c.Logical().Write(writePath, payload) + vars := make(map[string]string) + + if err != nil { + log.Debug("there was an error issuing a cert for role %s", r.role) + return nil, err + } + + // save the json encoded response + // and flatten it to allow usage of gets & getvs + js, _ := json.Marshal(resp.Data) + vars[writePath] = string(js) + vaultbackend.Flatten(writePath+"/"+r.commonName, resp.Data, vars) + + return vars, nil +} + +func walkTree(c *Client, key string, branches map[string]bool) error { + log.Debug("listing %s from vault", key) + + // strip trailing slash as long as it's not the only character + if last := len(key) - 1; last > 0 && key[last] == '/' { + key = key[:last] + } + if branches[key] { + // already processed this branch + return nil + } + branches[key] = true + + resp, err := c.Logical().List(key) + + if err != nil { + log.Debug("there was an error extracting %s", key) + return err + } + if resp == nil || resp.Data == nil || resp.Data["keys"] == nil { + return nil + } + + switch resp.Data["keys"].(type) { + case []interface{}: + // expected + default: + log.Warning("key list type of '%s' is not supported (%T)", key, resp.Data["keys"]) + return nil + } + + keyList := resp.Data["keys"].([]interface{}) + for _, innerKey := range keyList { + switch innerKey.(type) { + + case string: + innerKey = path.Join(key, "/", innerKey.(string)) + walkTree(c, innerKey.(string), branches) + + default: // we don't know how to handle other data types + log.Warning("type of '%s' 
is not supported (%T)", key, keyList) + } + } + return nil +} + +func (c *Client) getKvVault(keys []string) (map[string]string, error) { + branches := make(map[string]bool) + for _, key := range keys { + walkTree(c, key, branches) + } + vars := make(map[string]string) + for key := range branches { + log.Debug("getting %s from vault", key) + resp, err := c.Logical().Read(key) + + if err != nil { + log.Debug("there was an error extracting %s", key) + return nil, err + } + if resp == nil || resp.Data == nil { + continue + } + + // if the key has only one string value + // treat it as a string and not a map of values + if val, ok := vaultbackend.IsKV(resp.Data); ok { + vars[key] = val + } else { + // save the json encoded response + // and Flatten it to allow usage of gets & getvs + js, _ := json.Marshal(resp.Data) + vars[key] = string(js) + vaultbackend.Flatten(key, resp.Data, vars) + } + } + return vars, nil +} + +// GetValues to be exported func (c *Client) GetValues(keys []string) (map[string]string, error) { - return nil, nil + vars := make(map[string]string) + var err error + for _, key := range keys { + log.Debug("key: %+v", key) + k := parseCommonName(key) + if (request{}) == *k { + vars, err = c.getKvVault(keys) + break + } + vars, err = issueCert(c, k) + } + + return vars, err } -// WatchPrefix not yet implemented +// WatchPrefix - not implemented at the moment func (c *Client) WatchPrefix(prefix string, keys []string, waitIndex uint64, stopChan chan bool) (uint64, error) { <-stopChan return 0, nil diff --git a/integration/confdir/conf.d/cert.toml b/integration/confdir/conf.d/cert.toml new file mode 100644 index 000000000..3752279c7 --- /dev/null +++ b/integration/confdir/conf.d/cert.toml @@ -0,0 +1,8 @@ +[template] +mode = "0644" +src = "certkey.pem.tmpl" +dest = "/tmp/certkey.pem" +keys = [ + "/pki/issue/my-role/www.example.com", +] +reload_cmd = "/tmp/split.sh" 
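Review bot: issueCert discards the role that parseCommonName extracted — `writePath := r.mountPath + "issue" + "/my-role"` hard-codes my-role, so a key such as /pki/issue/other-role/host is logged as other-role but issued under my-role, and the result is stored under writePath while Flatten is given `writePath+"/"+r.commonName`, so the JSON key and the flattened keys disagree; `writePath := path.Join(r.mountPath, "issue", r.role)` fixes the first problem. Every GetValues call performs a fresh Logical().Write, so each render mints a new certificate and private key, and because Flatten in the vault/client.go hunk of this patch runs `log.Debug("setting key %s to: %s", key, value)` for every string leaf, private_key is written to the log at debug level — the level integration/vaultpki/test.sh runs confd at; delete `private_key` from a copy of resp.Data before flattening, or flatten it without the value log. parseCommonName indexes `splitRoleList[1]` and `[2]` without checking the length and matches "issue" anywhere in the key, so /pki/issue/ panics and a KV key containing that word is misrouted; a guarded version that returns nil on malformed input is below, with GetValues testing `k == nil` instead of `(request{}) == *k`. GetValues also overwrites `vars` on every iteration, so only the last issue key's values survive when several keys are requested, and the recursive `walkTree` call and both `json.Marshal` results discard their errors.
```go
// parseCommonName splits a key of the form <mount>/issue/<role>/<common-name>.
// It returns nil when the key does not have that shape.
func parseCommonName(key string) *request {
	i := strings.Index(key, "/issue/")
	if i < 0 {
		return nil
	}
	parts := strings.SplitN(key[i+len("/issue/"):], "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil
	}
	// mountPath keeps its trailing slash, as the Split-based parser produced.
	return &request{mountPath: key[:i+1], role: parts[0], commonName: parts[1]}
}

// … unchanged: issueCert, except the write path now uses the parsed role …
	writePath := path.Join(r.mountPath, "issue", r.role)
```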
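Review bot: `dest = "/tmp/certkey.pem"` combined with `mode = "0644"` writes the JSON that, per certkey.pem.tmpl in this patch, carries the private_key into a world-readable file in a shared directory, and the split.sh.tmpl added in PATCH 3/5 tightens only the derived key.pem, not this file. Use `mode = "0600"` here, and prefer a destination outside /tmp so the rendered file is not reachable by every local user. Since the managed file persists after the split, the key otherwise lives on disk in two places.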
diff --git a/integration/confdir/templates/certkey.pem.tmpl b/integration/confdir/templates/certkey.pem.tmpl new file mode 100644 index 000000000..1a97e50fa --- /dev/null +++ b/integration/confdir/templates/certkey.pem.tmpl @@ -0,0 +1,6 @@ +{{- $certificate := getv "/pki/issue/my-role/www.example.com/certificate" -}} +{{- $private_key := getv "/pki/issue/my-role/www.example.com/private_key" -}} +{ + "certificate": "{{ replace $certificate "\n" "\\n" -1 }}", + "key": "{{ replace $private_key "\n" "\\n" -1 }}" +} \ No newline at end of file diff --git a/integration/vaultpki/test.sh b/integration/vaultpki/test.sh index 1adb15611..ee6157166 100755 --- a/integration/vaultpki/test.sh +++ b/integration/vaultpki/test.sh 
@@ -4,25 +4,41 @@ export HOSTNAME="localhost" export VAULT_ADDR="http://127.0.0.1:8200/" export ROOT_TOKEN="$(vault read -field id auth/token/lookup-self)" -# vault secrets enable -path database kv -# vault secrets enable -path key kv -# vault secrets enable -path upstream kv -# vault secrets enable -path nested kv +vault secrets enable -path database kv +vault secrets enable -path key kv +vault secrets enable -path upstream kv +vault secrets enable -path nested kv + +vault write key value=foobar +vault write database/host value=127.0.0.1 +vault write database/port value=3306 +vault write database/username value=confd +vault write database/password value=p@sSw0rd +vault write upstream app1=10.0.1.10:8080 app2=10.0.1.11:8080 +vault write nested/east/app1 value=10.0.1.10:8080 +vault write nested/west/app2 value=10.0.1.11:8080 + +vault secrets enable pki +vault secrets tune -max-lease-ttl=10h pki +vault write pki/root/generate/internal \ + common_name=example.com \ + ttl=8760h +vault write pki/config/urls \ + issuing_certificates="${VAULT_ADDR}/v1/pki/ca" \ + crl_distribution_points="${VAULT_ADDR}/v1/pki/crl" +vault write pki/roles/my-role \ + allowed_domains=example.com \ + allow_subdomains=true \ + max_ttl=8h -# vault write key value=foobar -# vault write database/host value=127.0.0.1 -# vault write database/port value=3306 -# vault write database/username value=confd -# vault write database/password value=p@sSw0rd -# vault write upstream app1=10.0.1.10:8080 app2=10.0.1.11:8080 -# vault write nested/east/app1 value=10.0.1.10:8080 -# vault write nested/west/app2 value=10.0.1.11:8080 # Run confd confd --onetime --log-level debug \ + --confdir ./integration/confdir \ --backend vaultpki \ --auth-type token \ --auth-token $ROOT_TOKEN \ --node http://127.0.0.1:8200 -# --confdir ./integration/confdir \ \ No newline at end of file +vault delete pki/root +vault secrets disable pki/ 
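Review bot: The cleanup lines `vault delete pki/root` and `vault secrets disable pki/` now run after confd and supply the script's exit status, so a failing confd run still exits 0; capture it first, `confd … ; rc=$?`, and end the script with `exit $rc`. `--auth-token $ROOT_TOKEN` should be quoted, `"$ROOT_TOKEN"`, to match the other expansions in the script.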
diff --git a/integration/zookeeper/test.json b/integration/zookeeper/test.json index e85dcb735..5b7f4a6d3 100644 --- a/integration/zookeeper/test.json +++ b/integration/zookeeper/test.json 
@@ -17,6 +17,16 @@ "west": { "app2": "10.0.1.11:8080" } + }, + "pki": { + "issue": { + "my-role": { + "www.example.com": { + "certificate": "-----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE-----", + "private_key": "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY-----" + } + } + } }, "prefix": { "database": { diff --git a/integration/zookeeper/test.sh b/integration/zookeeper/test.sh old mode 100644 new mode 100755 From 50f4c11b388ab64aad5fad0ea15331b6d8d3c3eb Mon Sep 17 00:00:00 2001 
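Review bot: The fixture checks a PEM-encoded RSA private key into the repository under `pki/issue/my-role/www.example.com/private_key`; even for a throwaway test identity this trips secret scanners on every clone and invites the blob to be copied around, which both consul/test.sh hunks in PATCH 4/5 already do. Generating the pair at test time — with the local PKI mount the way integration/vaultpki/test.sh does, or a single openssl call — keeps key material out of history. The same note applies to the two consul/test.sh hunks.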
From: Rahul Date: Mon, 18 Feb 2019 23:09:57 -0800 Subject: [PATCH 3/5] [vaultpki] add script to split certs --- integration/confdir/conf.d/split.sh.toml | 5 +++++ integration/confdir/templates/split.sh.tmpl | 3 +++ 2 files changed, 8 insertions(+) create mode 100644 integration/confdir/conf.d/split.sh.toml create mode 100644 integration/confdir/templates/split.sh.tmpl diff --git a/integration/confdir/conf.d/split.sh.toml b/integration/confdir/conf.d/split.sh.toml new file mode 100644 index 000000000..45211cde8 --- /dev/null +++ b/integration/confdir/conf.d/split.sh.toml @@ -0,0 +1,5 @@ +[template] +mode = "0744" +src = "split.sh.tmpl" +dest = "/tmp/split.sh" +keys = [] \ No newline at end of file diff --git a/integration/confdir/templates/split.sh.tmpl b/integration/confdir/templates/split.sh.tmpl new file mode 100644 index 000000000..ba5b0b2af --- /dev/null +++ b/integration/confdir/templates/split.sh.tmpl @@ -0,0 +1,3 @@ +#!/bin/bash +cat /tmp/certkey.pem | jq -r .certificate > /tmp/certificate.pem && chmod 644 /tmp/certificate.pem +cat /tmp/certkey.pem | jq -r .key > /tmp/key.pem && chmod 600 /tmp/key.pem \ No newline at end of file From 03f9b2d268d787fcb0677270b76946b452c1066f Mon Sep 17 00:00:00 2001 From: Rahul Date: Mon, 18 Feb 2019 23:16:35 -0800 Subject: [PATCH 4/5] rename to make sure script loads first fix tests so it returns zero --- .../conf.d/{split.sh.toml => 01-cert-split.sh.toml} | 0 integration/consul/test.sh | 5 +++++ integration/etcd/test.sh | 4 ++++ integration/file/test.sh | 9 +++++++++ integration/rancher/test.sh | 10 ++++++++++ integration/vault-path/test.sh | 5 ++++- integration/vault/test.sh | 4 ++++ 7 files changed, 36 insertions(+), 1 deletion(-) rename integration/confdir/conf.d/{split.sh.toml => 01-cert-split.sh.toml} (100%) mode change 100644 => 100755 integration/etcd/test.sh mode change 100644 => 100755 integration/file/test.sh 
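Review bot: `cat /tmp/certkey.pem | jq -r .key > /tmp/key.pem && chmod 600 /tmp/key.pem` creates key.pem with the shell's default umask and only then tightens it, so the private key is briefly world-readable, and /tmp/certkey.pem itself keeps the 0644 that cert.toml assigns. Put `umask 077` as the first line after the shebang so both files are created private from the start, and read the source directly, `jq -r .key /tmp/certkey.pem > /tmp/key.pem`. Fixed file names in /tmp are also usable by any local user; a dedicated directory for the rendered material would be safer.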
diff --git a/integration/confdir/conf.d/split.sh.toml b/integration/confdir/conf.d/01-cert-split.sh.toml similarity index 100% rename from integration/confdir/conf.d/split.sh.toml rename to integration/confdir/conf.d/01-cert-split.sh.toml diff --git a/integration/consul/test.sh b/integration/consul/test.sh index f51c36b58..699ebd529 100755 --- a/integration/consul/test.sh +++ b/integration/consul/test.sh @@ -2,6 +2,7 @@ export HOSTNAME="localhost" + # Configure consul curl -X PUT http://127.0.0.1:8500/v1/kv/key -d 'foobar' curl -X PUT http://127.0.0.1:8500/v1/kv/database/host -d '127.0.0.1' 
@@ -12,6 +13,8 @@ curl -X PUT http://127.0.0.1:8500/v1/kv/upstream/app1 -d '10.0.1.10:8080' curl -X PUT http://127.0.0.1:8500/v1/kv/upstream/app2 -d '10.0.1.11:8080' curl -X PUT http://127.0.0.1:8500/v1/kv/nested/east/app1 -d '10.0.1.10:8080' curl -X PUT http://127.0.0.1:8500/v1/kv/nested/west/app2 -d '10.0.1.11:8080' +curl -X PUT http://127.0.0.1:8500/v1/kv/pki/issue/my-role/www.example.com/certificate -d "-----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE-----" +curl -X PUT http://127.0.0.1:8500/v1/kv/pki/issue/my-role/www.example.com/private_key -d "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY-----" curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/database/host -d '127.0.0.1' curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/database/password -d 'p@sSw0rd' curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/database/port -d '3306' 
@@ -20,6 +23,8 @@ curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/upstream/app1 -d '10.0.1.10:8080' curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/upstream/app2 -d '10.0.1.11:8080' curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/nested/east/app1 -d '10.0.1.10:8080' curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/nested/west/app2 -d '10.0.1.11:8080' +curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/pki/issue/my-role/www.example.com/certificate -d "-----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE-----" +curl -X PUT http://127.0.0.1:8500/v1/kv/prefix/pki/issue/my-role/www.example.com/private_key -d "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY-----" # Run confd confd --onetime --log-level debug --confdir ./integration/confdir --backend consul --node 127.0.0.1:8500 diff --git a/integration/etcd/test.sh b/integration/etcd/test.sh old mode 100644 new mode 100755 index bbfb780ed..02641cb21 --- a/integration/etcd/test.sh +++ b/integration/etcd/test.sh 
@@ -11,6 +11,8 @@ curl -L -X PUT http://127.0.0.1:2379/v2/keys/upstream/app1 -d value=10.0.1.10:80 curl -L -X PUT http://127.0.0.1:2379/v2/keys/upstream/app2 -d value=10.0.1.11:8080 curl -L -X PUT http://127.0.0.1:2379/v2/keys/nested/east/app1 -d value=10.0.1.10:8080 curl -L -X PUT http://127.0.0.1:2379/v2/keys/nested/west/app2 -d value=10.0.1.11:8080 +curl -L -X PUT http://127.0.0.1:2379/v2/keys/pki/issue/my-role/www.example.com/certificate -d value="-----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE-----" +curl -L -X PUT http://127.0.0.1:2379/v2/keys/pki/issue/my-role/www.example.com/private_key -d value="-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY-----" curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/database/host -d value=127.0.0.1 curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/database/password -d value=p@sSw0rd curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/database/port -d value=3306 
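Review bot: `curl -d value=...` sends the body as application/x-www-form-urlencoded without encoding it, and etcd v2 parses that body as a form, so every `+` in the base64 of the added certificate and key lines (e.g. `fU+/v4dE`) should arrive as a space and the stored value would differ from what consul and vault store for the same key; the prefix hunk below has the same issue. Use `--data-urlencode "value=..."` (or `--data-urlencode value@cert.pem` once the blob lives in a file) so the payload is escaped before submission. The expected-output fixture is not in this diff, so I cannot tell whether the comparison step would catch the corruption.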
@@ -19,6 +21,8 @@ curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/upstream/app1 -d value=10.0. curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/upstream/app2 -d value=10.0.1.11:8080 curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/nested/east/app1 -d value=10.0.1.10:8080 curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/nested/west/app2 -d value=10.0.1.11:8080 +curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/pki/issue/my-role/www.example.com/certificate -d value="-----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE-----" +curl -L -X PUT http://127.0.0.1:2379/v2/keys/prefix/pki/issue/my-role/www.example.com/private_key -d value="-----BEGIN RSA 
PRIVATE KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY-----" # Run confd confd --onetime --log-level debug --confdir ./integration/confdir --backend etcd --node http://127.0.0.1:2379 --watch diff --git a/integration/file/test.sh b/integration/file/test.sh old mode 100644 new mode 100755 index 2467eb0f1..6c3842040 --- a/integration/file/test.sh 
+++ b/integration/file/test.sh 
@@ -35,5 +35,14 @@ prefix: app2: 10.0.1.11:8080 EOT +cat <> backends2/3.yaml +pki: + issue: + my-role: + www.example.com: + certificate: -----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE----- + private_key: -----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY----- +EOT + # Run confd confd --onetime --log-level debug --confdir ./integration/confdir --backend file --file backends1/ --file backends2/ --watch diff --git a/integration/rancher/test.sh b/integration/rancher/test.sh index 463bd2596..d2fb5fc20 100755 --- a/integration/rancher/test.sh +++ b/integration/rancher/test.sh 
@@ -24,6 +24,16 @@ cat > ./rancher-answers.json< my-policy.hcl vault write sys/policy/my-policy policy=@my-policy.hcl diff --git a/integration/vault/test.sh b/integration/vault/test.sh index ed54b3b48..a025ea6f8 100755 --- a/integration/vault/test.sh +++ b/integration/vault/test.sh @@ -8,6 +8,7 @@ vault secrets enable -path database kv vault secrets enable -path key kv vault secrets enable -path upstream kv vault secrets enable -path nested kv +vault secrets enable -path pki kv vault write key value=foobar vault write database/host value=127.0.0.1 
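Review bot: `vault secrets enable -path pki kv` mounts a generic KV engine at `pki`, so the new vaultpki backend is integration-tested against key/value documents the script writes itself rather than against the PKI secrets engine, whose `pki/issue/<role>` endpoint is a write that returns `certificate`, `private_key`, `issuing_ca` and `serial_number` together in one response. Any mismatch between that response shape and the per-key layout assumed here (`pki/issue/my-role/www.example.com/certificate`) would not be caught by this test. Add a comment above the line, e.g. `# NOTE: kv stands in for the PKI engine here; this does not exercise real pki/issue responses`, and consider a follow-up test that enables the real pki engine. The rancher hunk sharing this line appears truncated in this rendering, so I cannot review it.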
@@ -17,6 +18,9 @@ vault write database/password value=p@sSw0rd vault write upstream app1=10.0.1.10:8080 app2=10.0.1.11:8080 vault write nested/east/app1 value=10.0.1.10:8080 vault write nested/west/app2 value=10.0.1.11:8080 +vault write pki/issue/my-role/www.example.com/certificate value="-----BEGIN CERTIFICATE-----\nMIIDwDCCAqigAwIBAgIUfU+/v4dE7TV6U5Jm/C9mbjC/ySkwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTkwMjE5MDUxNDUyWhcNMTkw\nMjE5MTMxNTIyWjAaMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAm3/jVUMkMSrQMwtASFgK8T01sagq98lt\nWWT0A15PGeTSbnWQ3eKbnHzXldGggQz0yxqc8m1oBUvgCZ8I6Kbk1/ooxc/8wO43\nlZ7a341gATrZgzY0cobHIZTjliJN1z1O0Owgko9ddmzVkkHENu07YpIns+WgU4ua\nXA94GmO2+2S78F2Kdh+HckauRNdoYqNQpMRis0F3HvWD+Qju9tGvIrNdD/HMCRXs\nVOMdw4e8rpaHuNZ9OiA148mqSvAWhLr1qCM2DGIOS9q2q4kNkscg5YOXVpY3IppV\nCfl6WxoEj65zS3o+SdjHx8cr9rQakmbvahzt04ShtoG8CHCGLCYTAgMBAAGjggEA\nMIH9MA4GA1UdDwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\nAwIwHQYDVR0OBBYEFDlhtX2jLH/SyC+2jeLLQkN2VUsOMB8GA1UdIwQYMBaAFNtj\nRIJq7XalG/c3tG7dIW3J+M9rMDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAoYg\naHR0cDovLzEyNy4wLjAuMTo4MjAwLy92MS9wa2kvY2EwGgYDVR0RBBMwEYIPd3d3\nLmV4YW1wbGUuY29tMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly8xMjcuMC4wLjE6\nODIwMC8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEALE7GKP8PXJ5CKH3J\n016Ug+1yEan7CLpaD31YmD0uIfTHM8QmbTG/MzGXg2zkxm6h98Ns6uA+WGCiwVqX\nfi+4y5q13IqA0y2ljBfYaJirxdoIYAG10phzXgLCLbMMgGC+8X3Hg6Te07vqINE1\nQNgs0E+oggVFmc8eXzqrQh2u2wovPguiM3JHp6esmA/j4hvMqQGenCLhWC+jQ1bO\nIhV/HxPfHN3Ogm9GQ++ZyxgLRlB8PxJZHAPztHXnNHXB47a9Wfi+9VdiM9jgiuir\nRfThdllPvBksR6G0FzCBN1vbmGlEnt9Rm726hjbKJC3ESQpGC9Lv81C9OvMdqiWw\n72ZTzw==\n-----END CERTIFICATE-----" +vault write pki/issue/my-role/www.example.com/private_key value="-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAwJt/41VDJDEq0DMLQEhYCvE9NbGoKvfJbVlk9ANeTxnk0m51\nkN3im5x815XRoIEM9MsanPJtaAVL4AmfCOim5Nf6KMXP/MDuN5We2t+NYAE62YM2\nNHKGxyGU45YiTdc9TtDsIJKPXXZs1ZJBxDbtO2KSJ7PloFOLmlwPeBpjtvtku/Bd\ninYfh3JGrkTXaGKjUKTEYrNBdx71g/kI7vbRryKzXQ/xzAkV7FTjHcOHvK6Wh7jW\nfTogNePJqkrwFoS69agjNgxiDkvatquJDZLHIOWDl1aWNyKaVQn5elsaBI+uc0t6\nPknYx8fHK/a0GpJm72oc7dOEobaBvAhwhiwmEwIDAQABAoIBAQCx6DBF1QCyknPA\nYhW3Z9tjKBdo3FPAdKZqydLVDbN0Dy/sK7mOeVWSdQZfv/QkdG96QYywgcEK/zFp\nnJl4iiV2ZgSc2rLV/YNMdniIJUwZ7KjmNyu/YDYcA2namlfPXMw1XAdvwtCH/RZk\nY7c5vZ59ZvwnjiTBZcoiZ3ymbIHEhnA94OoQVQQ27/ep9vH5NUEbPTJggSU6+kM3\nsWSpPjykOuEZblbzD2S0uqcMuf/V47oocrd0G477MKQBoVr5LlLUemTAw/GzNnNt\nNMoRmXk5eHgFUq3mc4wK0ZYbwJFq7l6p5B5mQ4olkj9q0UIeKs8fOHXRdwN0kbmr\nftdWEPdJAoGBAOvLL/uJZrWrO2dgBDTITJ5BljtQNpz4nNTstZZZZNClfgKV37uj\n228mFvwhHSiedjsfzQsqBtzuCjlxduUgD2QlHKM+vBzx5rl0DvQW++fltYqK5DWx\n926eS522Rb34bAeEEbdZssDpXE0EhMbjVhQG61z5YqXQ6wf4EMqGggrHAoGBANEc\n5Z1lA/nhvrvGNWLw2HDJA/b0WnTvTiPQQ1T4bDOug/lTFatDeYywjMpLylhNKuvk\nTKvwO+6KtywykE0CIhz4xiilVzhsYpkqUdEk1tPInQ+cahvE+1J96YT/Mnq9NOda\nZICNOF33sumr45Awh2DRLawMqS3mHdESSAMVKt5VAoGBAOYWZOEQJ/CYgaQTVqdm\n2RUIrR9923z7QJap0VxAKRdMlhTRyPuiHktsoLsxWPG9B2QUWRJO1Vma0tFQ/hMB\nYON5L2PAoPGhv2IydTEMiI22Ypspgx0+Z1NDFkh0h8OjeU8wOdVvqvWCAfaJtUMa\nrXFnex5DoFZr8hzZnRDzhkwbAoGAcJbUclgvOd136nYfzHPMtX0lq1OJWKh4NAQw\nHJHdAD6YRCed5SZhTYTJaSpBeiWiVHwJZBHm0trRIPTgiPX7FApF9yB+w5xnwfvt\nLWReXo0HM56N6wG2J4YvszIMJdW1pFMhBa4DiWSSagnobnwSh+hYZOg0NshNiYIE\nT9SXzjkCgYEA3duQFwdgBZaihBQYtWSbblz/LdQC8hn4COYkE+sYPPBKsNkO305E\nB4Uj2gOIR2AsPg3PVvli0BfCeiO1MGS1mIyNBL2/rTZt2HjgJrbSpH04WCvbSrnw\nLE/mjwGTFQiCDzeR/TybB+eFDkzxCdDLiR/SzpPB1NQ/eZCw2TwHvIE=\n-----END RSA PRIVATE KEY-----" + # Run confd confd --onetime --log-level debug \ From 625cdf7dc5fdd513a1173c19f50ae378ba7d317f Mon Sep 17 00:00:00 2001 From: Rahul Date: Tue, 19 Feb 2019 22:24:10 -0800 Subject: [PATCH 5/5] add if condition --- integration/confdir/templates/certkey.pem.tmpl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/integration/confdir/templates/certkey.pem.tmpl b/integration/confdir/templates/certkey.pem.tmpl
index 1a97e50fa..0c71ac2ca 100644
--- a/integration/confdir/templates/certkey.pem.tmpl
+++ b/integration/confdir/templates/certkey.pem.tmpl
@@ -1,6 +1,8 @@
+{{if exists "/pki/issue/my-role/www.example.com/certificate"}}
 {{- $certificate := getv "/pki/issue/my-role/www.example.com/certificate" -}}
 {{- $private_key := getv "/pki/issue/my-role/www.example.com/private_key" -}}
 {
 "certificate": "{{ replace $certificate "\n" "\\n" -1 }}",
 "key": "{{ replace $private_key "\n" "\\n" -1 }}"
-}
\ No newline at end of file
+}
+{{end}}
\ No newline at end of file
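Review bot: The added guard checks only the certificate key, but the following `getv` on `/pki/issue/my-role/www.example.com/private_key` is unconditional, so a backend holding the certificate without the key still fails the template; guard both: `{{if and (exists "/pki/issue/my-role/www.example.com/certificate") (exists "/pki/issue/my-role/www.example.com/private_key")}}`. When the guard is false the rendered file is empty, which may be intended but deserves a one-line comment in the template. This template writes a private key to disk; the template-resource `.toml` that sets the destination and its `mode` is not in this diff, so confirm it uses a restrictive mode such as `0600`.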