Simple Demo for showcasing the possibility of filling your vault with terraform by creating a Vault PKi for a kubernetes CA. Please note, that the configs are not extensively tested but rather serve to showcase the terraforming of vault.
export VAULT_TOKEN="token234"
export VAULT_ADDR='http://127.0.0.1:8200'
vault server -dev -dev-root-token-id=${VAULT_TOKEN} &>/dev/null &Apply the terraform from the root directory:
export TF_VAR_vault_address=${VAULT_ADDR}
terraform init
terraform apply --auto-approveAfter applying you should see an AppRole role_id in your output such as
...
Apply complete! Resources: 15 added, 0 changed, 0 destroyed.
Outputs:
approles = {
"qa-cluster_master" = "<totally-secret-token>"
}This role_id can be used to login to your vault and get a client token:
APPROLE_ID=$(terraform output -json approles | jq -r '."qa-cluster_master"')
CLIENT_TOKEN=$(curl -sf ${VAULT_ADDR}/v1/auth/approle/login -XPOST --data "{\"role_id\": \"${APPROLE_ID}\"}" | jq -er ".auth.client_token")With this client_token we can then issue a certificate, in this case for kube-apiserver:
# issue a certificate
CERT_JSON=$(curl -fs --header "X-Vault-Token: ${CLIENT_TOKEN}" -XPOST --data @example-issue/apiserver.json ${VAULT_ADDR}/v1/clusters/qa-cluster/pkis/k8s/issue/master)
# get cert and private key from json response
jq -er ".data.certificate" <<< "$CERT_JSON" > apiserver_node1_cert.pem
jq -er ".data.private_key" <<< "$CERT_JSON" > apiserver_node1_key.pem
# you can retrieve the ca directly from vault
curl -fs -o ca.pem ${VAULT_ADDR}/v1/clusters/qa-cluster/pkis/k8s/ca/pemand validate the certificates:
$ openssl verify -CAfile ca.pem apiserver_node1_cert.pem
apiserver_node1_cert.pem: OK
$ diff <(openssl pkey -in apiserver_node1_key.pem -pubout -outform pem | sha256sum) <(openssl x509 -in apiserver_node1_cert.pem -pubkey -noout -outform pem | sha256sum)
# no output when both matchkill $!
# you can safely remove the state after stopping the dev-vault server
rm terraform.tfstate