M artifacts/vault-write-certs.sh => artifacts/vault-write-certs.sh +1 -1
@@ 24,7 24,7 @@ DATA="$(jq --null-input --compact-output --arg cert "${CERT}" --arg key "${KEY}"
URL="https://vault.service.consul:8200/v1/secret/data/fabio/certs/${DOMAIN}"
echo "[vault-write-certs.sh] Saving cert and key to ${URL}"
-curl --cacert /etc/ssl/vault/ca.pem \
+curl --cacert /etc/ssl/vault-server/ca.crt \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--header "Content-Type: application/json" \
--request POST \
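Review bot: The CA bundle path on the new `--cacert` line is now hard-coded in two places in this commit, here and as `VAULT_CAPATH` in jobs/acme-renewer.nomad.erb, so the next move of the file can leave one of them pointing at a stale trust anchor. If this script runs inside that job (not visible from the hunk), reading the path from the environment keeps the two in step: `curl --cacert "${VAULT_CAPATH:-/etc/ssl/vault-server/ca.crt}" \`. Separately, the `X-Vault-Token` header in the context lines puts the token on curl's argv, where other local users can see it in the process list; curl can read headers from a file with `--header @FILE`. The curl command continues past the end of the hunk, so whether it fails on an HTTP error status cannot be checked from here.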
M ca/consul-agent-ca.crt => ca/consul-agent-ca.crt +15 -17
@@ 1,19 1,17 @@
-----BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIUQI6dda+SDRrfeGUTY1Igs1nJ+54wDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAwwPY29uc3VsLWFnZW50IENBMB4XDTIxMDYyOTIxMDgxNVoX
-DTIyMDYyOTIxMDgxNVowGjEYMBYGA1UEAwwPY29uc3VsLWFnZW50IENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo8jKPl0tC5055xxoSpxSfo9xFwn5
-b8O47zmXJtUHnfljzYr+kh6mYeLRrkDk8qyhZZ8jEQwIMwJua+5OHnhRsv6DSwwv
-U4wZjAn5s/vj1VDKa3mIfO2sLLPFshaYvWONxMwoZ5yRVZ55Y7APo3qWBHHccv/D
-MVc32QagIiJLY++12VJa+oDKfeysHHZVTmbHosxwJGzc5cA/qUD6Bxjy8b8wV7jn
-zhSEiAl+46kXA/TGVEmEdVpILJm4JzT5XNl292mbzW9afXjY3h9K5I04d+qOEBrI
-h8HKVO6KTsCnyuZMv+9+sLQuA/w92VGSuV03LuX4VbnKYXyNc6rw4dhjhQIDAQAB
-o1MwUTAdBgNVHQ4EFgQURjwfuVDSeUNtjMGPqyZYIsM0uB8wHwYDVR0jBBgwFoAU
-RjwfuVDSeUNtjMGPqyZYIsM0uB8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
-AQsFAAOCAQEAdY7Homhv6tedRKDM2b2Bu9gqQODMILuAxymG9BefmnS0IKHfqpHy
-y9fHy7pRpTAfmWJSuAC/FHOnEpykN/gFEck5ym75n22YIM3JfwLftV7vhrRmYIqc
-wdTGybHtvS0+VxL4S8INQgJgCfutj+b2QZp/S8p8Y9s5zQXMWNYd+oruum3jhsuS
-lrtiTB7NRcKtOJyhQ6/XeXIk9VVnmeNJLPQP1t/aPcNkkIBq0zAvWYrOfQ5AENWC
-BwGAASpWg+UycKqIHSGAORE7UnK/ESqOp4M6RKCLEjzZ7ELYYoxrwXrqBvV1Q+c0
-4swJOtMEWu+lTjz8LRx97BN9j0fwQjk+FQ==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-----END CERTIFICATE-----
M ca/nomad-agent-ca.crt => ca/nomad-agent-ca.crt +15 -17
@@ 1,19 1,17 @@
-----BEGIN CERTIFICATE-----
-MIIDEzCCAfugAwIBAgIUXebAuVRMeSR4Xuq5RO2x43cMGu0wDQYJKoZIhvcNAQEL
-BQAwGTEXMBUGA1UEAwwObm9tYWQtYWdlbnQgQ0EwHhcNMjEwNjMwMTIyMzE2WhcN
-MjIwNjMwMTIyMzE2WjAZMRcwFQYDVQQDDA5ub21hZC1hZ2VudCBDQTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALoJG71NMFJEehyiPZsm0j7RqeYWSOd5
-bGTN6j/ZT+UFY9Oiq1YjtO8bAnlykQIqQ4U1sXnZkptXvvrTKUjFJABhyzR3bc6N
-vFYjjXa5wyw6S0GPD6lcpIJ1KJguKXrzU836+FiGd44e0tXo3m5asEU7OC6Cc3PQ
-pvdpY+Hfr//L///vriitud3G3m93Ujo2w660oEtUWbasDksh+dyP12AQs/RP8l0S
-usfNTfDd3vcWNuSbDJbaIHg8171ie5jsEggBqhjJJigFcrsw/5mhOyruvptc9i4y
-9Zp36wlmhspyzslb8N13UngdUHcKQOvtEkbBwtbdinu2/l6QM/NCRrMCAwEAAaNT
-MFEwHQYDVR0OBBYEFPOHlXY/PngXhHzFuqlPtyTmDpX8MB8GA1UdIwQYMBaAFPOH
-lXY/PngXhHzFuqlPtyTmDpX8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBABpz6ml+m9Cyt2zKbA+SpEGSOaRbeJpE7BWnb/oEwLyb09e9CygZZlKa
-UMegdXPN8+F9TSnisxa4t9ez+7jZoskApFIGYNFFxr6nuNfif136YvBO9TGXtCFL
-lZGOSFJkDIb1d4Q19MJfmbsoX5dV8/xjzy6q/3uR88ySBG8Gr4X792qZtLjj8h2G
-7a9SdiCj0zSZ2HiZdcKEiu2W9MBVVBbOLhdpwJ2U2iLWN/ML0Fu+gGS1EtlK76rm
-sBOEUI1IUcCaJPO7iAb67cesLlw9fkqDlUY+vJhhx0a1h3e83HwROpMnLFGDRwus
-Vm4pEOKLyafXucX6JD9FhDHxm5Ji+NQ=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-----END CERTIFICATE-----
A ca/renew-cert => ca/renew-cert +21 -0
@@ 0,0 1,21 @@
+#!/usr/bin/env bash
+#
+# This script is used to renew a certificate, likely a certificate authority.
+#
+# $ ./renew-cert vault-server-ca
+#
+#
+
+set -eu -o pipefail
+
+if [[ $# -ne 1 ]]; then
+ echo "usage: $0 <name>"
+ exit 1
+fi
+
+name="$1"
+
+csr="$(mktemp)"
+openssl x509 -x509toreq -in "${name}.crt" -signkey "${name}.key" -out "${csr}"
+openssl x509 -req -days 3650 -in "${csr}" -signkey "${name}.key" -out "${name}.crt"
+rm "${csr}"
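Review bot: The second `openssl x509 -req` call is given no `-extfile`, so the renewed certificate is issued without the X.509v3 extensions the original carried. The new ca/vault-server-ca.crt in this same commit appears to be such an output, as its encoding no longer contains the basicConstraints and key-identifier extensions present on the old side. A CA certificate without `CA:TRUE` is rejected or treated as a legacy v1 anchor by some verifiers, so the call should add the extensions back, for example with `-extfile` pointing at a small file that sets `basicConstraints=critical,CA:TRUE` and `subjectKeyIdentifier=hash`, and the result should be checked with `openssl x509 -in "${name}.crt" -noout -text`. The script also writes straight over `${name}.crt` and leaves the `mktemp` file behind when either openssl call fails under `set -e`. Writing to a temporary output that is moved into place on success, plus `trap 'rm -f -- "${csr}"' EXIT`, covers both, and the usage message belongs on stderr (`>&2`).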
M ca/vault-server-ca.crt => ca/vault-server-ca.crt +15 -17
@@ 1,19 1,17 @@
-----BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIUG7nY07/pNKsNw3U57J+LtsLRz/cwDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAwwPdmF1bHQtc2VydmVyIENBMB4XDTIxMDYzMDEyMjMzMVoX
-DTIyMDYzMDEyMjMzMVowGjEYMBYGA1UEAwwPdmF1bHQtc2VydmVyIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxdFrL9VNyKYYsnb87egzHbOiw4az
-Osq1OQt1qAq+aIlLOjT5XHmcnV/HhZzYqUVZ7CjlsNJBLgRdOwfmj34ABtsy9IP4
-cx3aXh/YQ9bH9lxeK7jzXFOarDiIVBtKnDwGR8+ANgpHkps62OimayK7zFec5tvT
-jfMaMLnHZ3XrJIFd6uA13r/v/JeUpoizsS7DFbbWxzy4w3aJRCiNPyvLoDvEg54W
-MRJflTGbjAX4XUOn4FTkvnWX2cA3zkuk7qEMAO5VMGkrA6IGsDmPSrraQN2Fw4Mf
-5NNXoAVfwCJiGMzBiwV/cmxoisFMIvVMNTIHFBg1bIKF1ziIUYWCCC6s5wIDAQAB
-o1MwUTAdBgNVHQ4EFgQUrz82qwwUuZG+/FYBwaI0QVcpWewwHwYDVR0jBBgwFoAU
-rz82qwwUuZG+/FYBwaI0QVcpWewwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
-AQsFAAOCAQEAguEF/gVGimJhqqMifhfP7Oxxmz6v0clsIp/gR4qn9OZ1/F+Xfjkp
-cbyfC0urizQYYgfp2ttKV0Q0kzB2Hx+5eGuZQ9UERVDhiCNlQIHnI5ZG3cJD+Xly
-TQq+wokOWw7T1ojeqBFUGED5Fc3R9OfF66srfvOmUx5dGHAJk8dJEL6DnJjZ7abm
-gYxAgaS4WoWOPlbMl4KFr65Q8VEO/5LnlSu4vDWUj+N4IoD88J7933v7Uhc09sM/
-Ik2e/+0mq3+PwDn5bsPzVPFnZxdKTJJktef0wBlSpHvD9/iGhIVguaKanRgQY/Ps
-ZjDbq8a5Vp2p1gPZ3ctNBJlgvv0JfDcxtA==
+MIICuzCCAaMCFG59Q0rc+VogCE3vsr/y1Q/CYe11MA0GCSqGSIb3DQEBCwUAMBox
+GDAWBgNVBAMMD3ZhdWx0LXNlcnZlciBDQTAeFw0yMjA3MjgwMTU1MDVaFw0zMjA3
+MjUwMTU1MDVaMBoxGDAWBgNVBAMMD3ZhdWx0LXNlcnZlciBDQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMXRay/VTcimGLJ2/O3oMx2zosOGszrKtTkL
+dagKvmiJSzo0+Vx5nJ1fx4Wc2KlFWewo5bDSQS4EXTsH5o9+AAbbMvSD+HMd2l4f
+2EPWx/ZcXiu481xTmqw4iFQbSpw8BkfPgDYKR5KbOtjopmsiu8xXnObb043zGjC5
+x2d16ySBXergNd6/7/yXlKaIs7EuwxW21sc8uMN2iUQojT8ry6A7xIOeFjESX5Ux
+m4wF+F1Dp+BU5L51l9nAN85LpO6hDADuVTBpKwOiBrA5j0q62kDdhcODH+TTV6AF
+X8AiYhjMwYsFf3JsaIrBTCL1TDUyBxQYNWyChdc4iFGFgggurOcCAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEACekZF1N7LE8ioac8guASW0OaUbgn8/5PupiylOf/Xo1n
+Sr8wQEbpNsT6EX2qbjSa1CrX8y8sS58pVpYIk7WgIP/5Rgh/EhH7Px80LCxA3yuO
++hZrw8cw42NLOfrYNMBWbBKNMtEevocycvlX8Qk1U/WfPTDi8iBejQ3FyIaYM6Rx
+NKa+d/bq4hiXQcepfGkX0sLXYTBFCW7y8wJEA4ZXb4HPqHsQm6/IdfQw+KKltHmJ
+50xqsoR60Z7LNKfZmi/6IsryL6bINewqqv4I8cEIgH5q+mmuKnpI/nIFngKPOhpS
+fF7Qosderl72hakDMmUS6NFykIKed6uGNiYpqs8G/A==
-----END CERTIFICATE-----
M jobs/acme-renewer.nomad.erb => jobs/acme-renewer.nomad.erb +1 -1
@@ 74,7 74,7 @@ job "acme-renewer" {
env {
LINODE_V4_API_KEY = "<%= secret('linode/acme-renewer', 'api_key') %>"
- VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
+ VAULT_CAPATH = "/etc/ssl/vault-server/ca.crt"
VAULT_ADDR = "https://vault.service.consul:8200"
}
}
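Review bot: `VAULT_CAPATH` is given a single file on the changed line, while the Vault client documents that variable as a directory of PEM files and `VAULT_CACERT` as the path to one CA file. If the task uses the Vault CLI or API client (not visible in this hunk), `VAULT_CACERT = "/etc/ssl/vault-server/ca.crt"` states the intent directly and does not depend on how a file passed in place of a directory is handled. The job block starts and ends outside the hunk.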
R jobs/damienradtkecom.nomad.erb => jobs/damienradtkecom.nomad +6 -2
@@ 1,4 1,8 @@
-// TODO: use variables: https://www.nomadproject.io/docs/job-specification/hcl2/variables
+variable "ref" {
+ type = string
+ default = "master"
+}
+
job "damienradtkecom" {
region = "global"
@@ 61,7 65,7 @@ job "damienradtkecom" {
source = "github.com/dradtke/blog"
destination = "local/blog/"
options {
- ref = "<%= ENV['REF'] || 'master' %>"
+ ref = var.ref
}
}
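Review bot: The new `ref` variable has no `description`, and its default `master` is a moving branch, so what the `artifact` block in the second hunk fetches depends on the branch head at fetch time. Adding `description = "Git ref of github.com/dradtke/blog to deploy (branch, tag or commit SHA)"` documents the input, and deploying with `-var ref=<tag-or-commit>` makes the deployed content reproducible and reviewable. Since the file was renamed from `.nomad.erb` to `.nomad`, any `<%= %>` tags remaining elsewhere in it would no longer be rendered; that part of the file is outside the hunks shown.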
M jobs/fabio.nomad.erb => jobs/fabio.nomad.erb +4 -5
@@ 1,7 1,6 @@
<%
- @fabio_version = "1.5.15"
- @golang_version = "1.15.5"
- @fabio_checksum = "sha256:14c7a02ca95fb00a4f3010eab4e3c0e354a3f4953d2a793cb800332012f42066"
+ @fabio_version = "1.6.1"
+ @fabio_checksum = "sha256:74db83e1db2a561012b3acfbdf98f4c499387be623af62a372e880c78eff98ab"
%>
job "fabio" {
@@ 35,7 34,7 @@ job "fabio" {
driver = "exec"
user = "fabio"
config {
- command = "fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
+ command = "fabio-<%= @fabio_version %>-linux_amd64"
// TODO: this currently fails because consul-key.pem is not readable
// Need to figure out a way to get fabio a client cert
args = [
@@ 49,7 48,7 @@ job "fabio" {
}
artifact {
- source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
+ source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-linux_amd64"
options {
checksum = "<%= @fabio_checksum %>"
}