neoloc/doc_updates #70

Merged
unkinben merged 13 commits from neoloc/doc_updates into develop 2024-06-27 21:38:39 +10:00
Showing only changes of commit c5d63bd6f8 - Show all commits


@ -52,3 +52,31 @@
# remove expired certificates
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
# enable approles
vault auth enable approle
# create certmanager policy and token, limit to puppetmaster
cat <<EOF > certmanager.hcl
path "pki_int/issue/*" {
capabilities = ["create", "update", "read"]
}
path "pki_int/renew/*" {
capabilities = ["update"]
}
path "pki_int/cert/*" {
capabilities = ["read"]
}
EOF
vault policy write certmanager certmanager.hcl
vault write auth/approle/role/certmanager \
bind_secret_id=false \
token_policies="certmanager" \
token_ttl=30s \
token_max_ttl=30s \
token_bound_cidrs="198.18.17.3/32"
# get the certmanager approle id
vault read -field=role_id auth/approle/role/certmanager/role-id