[mirror_acme.sh.git] / deploy / vault.sh

#!/usr/bin/env sh

# Here is a script to deploy cert to hashicorp vault using curl
# (https://www.vaultproject.io/)
#
# it requires following environment variables:
#
# VAULT_PREFIX - this contains the prefix path in vault
# VAULT_ADDR - vault requires this to find your vault server
#
# additionally, you need to ensure that VAULT_TOKEN is avialable
# to access the vault server

#returns 0 means success, otherwise error.

########  Public functions #####################

#domain keyfile certfile cafile fullchain
vault_deploy() {

  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # validate required env vars
  _getdeployconf VAULT_PREFIX
  if [ -z "$VAULT_PREFIX" ]; then
    _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
    return 1
  fi
  _savedeployconf VAULT_PREFIX "$VAULT_PREFIX"

  _getdeployconf VAULT_ADDR
  if [ -z "$VAULT_ADDR" ]; then
    _err "VAULT_ADDR needs to be defined (contains vault connection address)"
    return 1
  fi
  _savedeployconf VAULT_ADDR "$VAULT_ADDR"

  # JSON does not allow multiline strings.
  # So replacing new-lines with "\n" here
  _ckey=$(sed -z 's/\n/\\n/g' <"$2")
  _ccert=$(sed -z 's/\n/\\n/g' <"$3")
  _cca=$(sed -z 's/\n/\\n/g' <"$4")
  _cfullchain=$(sed -z 's/\n/\\n/g' <"$5")

  URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
  export _H1="X-Vault-Token: $VAULT_TOKEN"

  if [ -n "$FABIO" ]; then
    if [ -n "$VAULT_KV_V2" ]; then
      _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
    else
      _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
    fi
  else
    if [ -n "$VAULT_KV_V2" ]; then
      _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
      _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
      _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
      _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
    else
      _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
      _post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
      _post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
      _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
    fi
  fi

}
Commit	Line	Data
de692d3d SP	1	#!/usr/bin/env sh
	2
	3	# Here is a script to deploy cert to hashicorp vault using curl
	4	# (https://www.vaultproject.io/)
	5	#
	6	# it requires following environment variables:
	7	#
	8	# VAULT_PREFIX - this contains the prefix path in vault
	9	# VAULT_ADDR - vault requires this to find your vault server
	10	#
	11	# additionally, you need to ensure that VAULT_TOKEN is avialable
	12	# to access the vault server
	13
	14	#returns 0 means success, otherwise error.
	15
	16	######## Public functions #####################
	17
	18	#domain keyfile certfile cafile fullchain
	19	vault_deploy() {
	20
	21	_cdomain="$1"
	22	_ckey="$2"
	23	_ccert="$3"
	24	_cca="$4"
	25	_cfullchain="$5"
	26
	27	_debug _cdomain "$_cdomain"
	28	_debug _ckey "$_ckey"
	29	_debug _ccert "$_ccert"
	30	_debug _cca "$_cca"
	31	_debug _cfullchain "$_cfullchain"
	32
	33	# validate required env vars
9fcd1040	34	_getdeployconf VAULT_PREFIX
de692d3d SP	35	if [ -z "$VAULT_PREFIX" ]; then
	36	_err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
	37	return 1
	38	fi
e203e983	39	_savedeployconf VAULT_PREFIX "$VAULT_PREFIX"
de692d3d	40
9fcd1040	41	_getdeployconf VAULT_ADDR
de692d3d SP	42	if [ -z "$VAULT_ADDR" ]; then
	43	_err "VAULT_ADDR needs to be defined (contains vault connection address)"
	44	return 1
	45	fi
e203e983	46	_savedeployconf VAULT_ADDR "$VAULT_ADDR"
de692d3d SP	47
	48	# JSON does not allow multiline strings.
	49	# So replacing new-lines with "\n" here
	50	_ckey=$(sed -z 's/\n/\\n/g' <"$2")
	51	_ccert=$(sed -z 's/\n/\\n/g' <"$3")
	52	_cca=$(sed -z 's/\n/\\n/g' <"$4")
	53	_cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
	54
	55	URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
f511a527	56	export _H1="X-Vault-Token: $VAULT_TOKEN"
de692d3d SP	57
de692d3d SP	58	if [ -n "$FABIO" ]; then
7e7291ac SP	59	if [ -n "$VAULT_KV_V2" ]; then
	60	_post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
	61	else
	62	_post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
	63	fi
de692d3d	64	else
7e7291ac SP	65	if [ -n "$VAULT_KV_V2" ]; then
	66	_post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
	67	_post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
	68	_post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
	69	_post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
	70	else
	71	_post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
	72	_post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
	73	_post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
	74	_post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
	75	fi
de692d3d SP	76	fi
	77
	78	}