actions/vault-action
12
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2026-05-14 04:20:33 +00:00
Code Activity Actions
vault-action/scripts/gen-tls-certs.sh
Srikrishna Iyer 136b822494
Refine e2e-enterprise pipeline and scripts
2026-05-11 17:03:26 +05:30

112 lines
3.9 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
# Copyright IBM Corp. 2019, 2025
# SPDX-License-Identifier: MIT
#
# Generates a PKI chain (CA, server cert, client cert) using cfssl.
# Outputs certs to .build/certs/ and writes .build/e2e-tls.env for local
# act usage (act --env-file .build/e2e-tls.env).
#
# Usage: ./scripts/gen-tls-certs.sh
# Requires: cfssl, cfssljson (brew install cfssl)
set -euo pipefail
pushd "$(git rev-parse --show-toplevel || echo .)" > /dev/null
OUTDIR=".build/certs"
ENVFILE=".build/e2e-tls.env"
if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
echo "error: cfssl and cfssljson are required." >&2
popd > /dev/null
exit 1
fi
mkdir -p "$OUTDIR"
pushd "$OUTDIR" > /dev/null
# ── cfssl signing config ──────────────────────────────────────────────────────
cat > cfssl-config.json <<'EOF'
{
"signing": {
"default": { "expiry": "8760h" },
"profiles": {
"server": {
"usages": ["signing", "key encipherment", "server auth"],
"expiry": "8760h"
},
"client": {
"usages": ["signing", "key encipherment", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
# ── CA ────────────────────────────────────────────────────────────────────────
echo "Generating CA..."
cfssl gencert -initca - <<'EOF' | cfssljson -bare ca
{
"CN": "Vault Test CA",
"key": { "algo": "rsa", "size": 2048 },
"ca": { "expiry": "87600h" }
}
EOF
# ── Server cert ───────────────────────────────────────────────────────────────
echo "Generating server certificate..."
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=cfssl-config.json \
-profile=server - <<'EOF' | cfssljson -bare server
{
"CN": "vault-tls",
"hosts": ["localhost", "127.0.0.1", "vault-tls"],
"key": { "algo": "rsa", "size": 2048 }
}
EOF
# ── Client cert ───────────────────────────────────────────────────────────────
echo "Generating client certificate..."
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=cfssl-config.json \
-profile=client - <<'EOF' | cfssljson -bare client
{
"CN": "vault-client",
"key": { "algo": "rsa", "size": 2048 }
}
EOF
# ── Rename to names expected by vault config ──────────────────────────────────
mv ca.pem ca.crt
mv server.pem server.crt
mv server-key.pem server.key
mv client.pem client.crt
mv client-key.pem client.key
# ── Remove intermediates not needed at runtime ────────────────────────────────
rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
# Ensure files are readable by the vault container user
chmod 644 ./*.crt ./*.key
popd > /dev/null
# ── Copy vault server config ──────────────────────────────────────────────────
cp "integrationTests/e2e-tls/configs/config.hcl" "$OUTDIR/config.hcl"
# ── Write env file for local act usage ───────────────────────────────────────
{
printf 'VAULTCA=%s\n' "$(base64 < "$OUTDIR/ca.crt" | tr -d '\n')"
printf 'VAULT_CLIENT_CERT=%s\n' "$(base64 < "$OUTDIR/client.crt" | tr -d '\n')"
printf 'VAULT_CLIENT_KEY=%s\n' "$(base64 < "$OUTDIR/client.key" | tr -d '\n')"
} > "$ENVFILE"
echo "Certs generated in $OUTDIR"
echo "Env file written to $ENVFILE"
popd > /dev/null
View git blame Copy permalink