chore: update headings

doc/vault/setup.md

@@ -1,4 +1,5 @@
-# root ca
+# PKI
+## root ca
     vault secrets enable -path=pki_root pki
     vault secrets tune -max-lease-ttl=87600h pki_root
 
@@ -15,7 +16,7 @@
          issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
          crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
 
-# intermediate
+## intermediate
     vault secrets enable -path=pki_int pki
     vault secrets tune -max-lease-ttl=43800h pki_int
 
@@ -32,7 +33,7 @@
 
     vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
 
-# create role
+## create role
     vault write pki_int/roles/servers_default \
         issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
         allow_ip_sans=true \
@@ -46,18 +47,20 @@
         key_bits=4096 \
         country="Australia"
 
-# test generating a domain cert
+## test generating a domain cert
     vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
     vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
     vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
 
-# remove expired certificates
+## remove expired certificates
     vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
 
-# enable approles
+# AUTH
+## enable approles
     vault auth enable approle
 
-# create certmanager policy and token, limit to puppetmaster
+# CERTMANAGER
+## create certmanager policy and token, limit to puppetmaster
     cat <<EOF > certmanager.hcl
     path "pki_int/issue/*" {
       capabilities = ["create", "update", "read"]
@@ -79,5 +82,5 @@
         token_max_ttl=30s \
         token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
 
-# get the certmanager approle id
+## get the certmanager approle id
     vault read -field=role_id auth/approle/role/certmanager/role-id