
@alvaroaleman
Created August 30, 2017 18:35
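#!/usr/bin/env bash
#
# Local demo: start a Vault dev server, configure a PKI backend and an AppRole,
# then have consul-template render a certificate and key from pki/issue.
#
# Usage: ./demo.sh   (run from a scratch directory; downloads vault and
#                     consul-template into the current directory)
#
# Everything here is dev-only: the root token is static, the AppRole has no
# secret_id, and the server keeps its data in memory. Do not reuse outside a
# throwaway local environment.
set -euxo pipefail

readonly ADDR=127.0.0.1:8300
readonly VAULT_VERSION=0.8.1
readonly CT_VERSION=0.19.1
# The vault CLI reads VAULT_ADDR / VAULT_TOKEN from the environment, so they
# must be exported; a plain shell assignment would leave the CLI pointing at
# its default https://127.0.0.1:8200.
export VAULT_ADDR=http://$ADDR
export VAULT_TOKEN=123
# AppRole role_id shared between role creation and login.
readonly ROLE_ID=e5a7b66e-5d08-da9c-7075-71984634b882

# NOTE: these downloads are not checksum-verified. For anything beyond a local
# demo, pin the release and verify against HashiCorp's published SHA256SUMS.
if ! [[ -e "vault_${VAULT_VERSION}_linux_amd64.zip" ]]; then
  curl -LO "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip"
fi
if ! [[ -e vault ]]; then
  unzip "vault_${VAULT_VERSION}_linux_amd64.zip"
fi
if ! [[ -e consul-template ]]; then
  curl -L "https://releases.hashicorp.com/consul-template/${CT_VERSION}/consul-template_${CT_VERSION}_linux_amd64.tgz" | tar -xz
fi

./vault server -dev -dev-root-token-id="$VAULT_TOKEN" -dev-listen-address="$ADDR" &
VAULT_PID=$!
# Stop the dev server on every exit path (Ctrl-C out of consul-template
# included); this replaces the ps|grep kill that used to be commented out.
trap 'kill "$VAULT_PID" 2>/dev/null || true' EXIT

# Wait for the listener instead of a fixed sleep: sys/health answers 200 once
# the dev server is initialized, unsealed and active.
vault_ready=0
for ((i = 0; i < 50; i++)); do
  if curl -sf "$VAULT_ADDR/v1/sys/health" >/dev/null; then
    vault_ready=1
    break
  fi
  sleep 0.2
done
(( vault_ready )) || { printf 'vault did not become ready at %s\n' "$VAULT_ADDR" >&2; exit 1; }

./vault mount pki
./vault mount-tune -max-lease-ttl=87600h pki
./vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
./vault write pki/roles/example-dot-com \
  allowed_domains="example.com" \
  allow_subdomains="true" max_ttl="30m"
printf '%s\n' 'path "pki/issue/example-dot-com" { policy="write"}' | ./vault policy-write issue -

./vault auth-enable approle
# bind_secret_id=false + 0.0.0.0/0 means knowing the (public) role_id is enough
# to log in. Acceptable only because the server listens on 127.0.0.1; a real
# deployment keeps secret_id binding on and narrows bound_cidr_list.
./vault write /auth/approle/role/test bind_secret_id=false \
  bound_cidr_list=0.0.0.0/0 \
  policies=issue
./vault write /auth/approle/role/test/role-id role_id="$ROLE_ID"

# Keep the issued token out of the xtrace output on stderr.
set +x
TOKEN=$(./vault write -field=token /auth/approle/login role_id="$ROLE_ID")
set -x

# Templates are literal consul-template syntax; the quoted delimiter keeps the
# shell from touching them.
cat <<'EOF' > cert-template.tmpl
{{- with secret "pki/issue/example-dot-com" "common_name=foo.example.com" -}}
{{ .Data.certificate }}{{ end }}
EOF
cat <<'EOF' > key-template.tmpl
{{- with secret "pki/issue/example-dot-com" "common_name=foo.example.com" -}}
{{ .Data.private_key}}{{ end }}
EOF

# The config embeds the Vault token and consul-template will write key.pem,
# so create these files owner-readable only.
umask 077
cat <<EOF >consul-template.hcl
vault {
address = "$VAULT_ADDR"
token = "$TOKEN"
}
template {
source = "$(pwd)/cert-template.tmpl"
destination = "$(pwd)/cert.pem"
command = "echo cert rendered"
}
template {
source = "$(pwd)/key-template.tmpl"
destination = "$(pwd)/key.pem"
command = "echo key rendered"
}
EOF

# -dry renders to stdout without writing the destinations; consul-template
# keeps running until interrupted, after which the EXIT trap stops vault.
./consul-template -config=consul-template.hcl -log-level debug -dry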