unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Doc: add certmanager documentation

Browse Source
This commit is contained in:
Ben Vincent 2024-04-27 22:11:06 +10:00
parent f351cc8413
commit c5d63bd6f8
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
doc/vault/setup.md
View File

@ -52,3 +52,31 @@
# remove expired certificates # remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
# enable approles
vault auth enable approle
# create certmanager policy and token, limit to puppetmaster
cat <<EOF > certmanager.hcl
path "pki_int/issue/*" {
capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
capabilities = ["update"]
}
path "pki_int/cert/*" {
capabilities = ["read"]
}
EOF
vault policy write certmanager certmanager.hcl
vault write auth/approle/role/certmanager \
bind_secret_id=false \
token_policies="certmanager" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32"
# get the certmanager approle id
vault read -field=role_id auth/approle/role/certmanager/role-id