diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
index 5cc2929..21d2cc1 100644
--- a/app/lib/clients/vault.rb
+++ b/app/lib/clients/vault.rb
@@ -28,7 +28,7 @@ def kv_delete(path)
 def client
 ::Vault::Client.new(
- address: Rails.configuration.astral[:vault_addr],
+ address: vault_address,
 token: Rails.configuration.astral[:vault_token]
 )
 end
@@ -48,11 +48,11 @@ def intermediate_ca_mount
 def cert_path
 "#{intermediate_ca_mount}/issue/astral"
 end
-
+
 def root_ca_ref
 Rails.configuration.astral[:vault_root_ca_ref]
 end
-
+
 def root_ca_mount
 Rails.configuration.astral[:vault_root_ca_mount]
 end
@@ -63,15 +63,15 @@ def enable_engine(mount, type)
 def enable_ca
 # if mount exists, assume configuration is done
- if client.sys.mounts.key?(intermediate_ca_mount.to_sym)
- return
- end
-
- # create the mount
- enable_engine(intermediate_ca_mount, "pki")
+ # if client.sys.mounts.key?(intermediate_ca_mount.to_sym)
+ # return
+ # end
+
+ # # create the mount
+ # enable_engine(intermediate_ca_mount, "pki")
 # Generate intermediate CSR
- intermediate_csr = Vault.logical.write("#{intermediate_ca_mount}/intermediate/generate/internal",
+ intermediate_csr = client.logical.write("#{intermediate_ca_mount}/intermediate/generate/internal",
 common_name: "astral.internal Intermediate Authority",
 issuer_name: "astral-intermediate").data[:csr]
@@ -79,7 +79,7 @@ def enable_ca
 File.write("tmp/pki_intermediate.csr", intermediate_csr)
 # Sign the intermediate certificate with the root CA
- intermediate_cert = Vault.logical.write("#{root_ca_mount}/root/sign-intermediate",
+ intermediate_cert = client.logical.write("#{root_ca_mount}/root/sign-intermediate",
 issuer_ref: root_ca_ref,
 csr: intermediate_csr,
 format: "pem_bundle",
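Review bot: Commenting out the mount-exists guard and the `enable_engine` call at the top of `enable_ca` removes the method's only idempotency check, so every invocation now generates a fresh intermediate key and CSR, has the root CA sign it, and replaces the issuer on the intermediate mount — re-running setup rotates the intermediate and orphans anything issued under the previous one, and on a Vault that does not already have the mount the first `client.logical.write` fails instead of creating it. If the mount is now provisioned elsewhere, delete the dead commented-out lines and say where in a comment; otherwise restore the guard as `return if client.sys.mounts.key?(intermediate_ca_mount.to_sym)`. Each `client` call also constructs a new `::Vault::Client` (the `client` method in the first hunk), so the repeated `client.logical.write` calls here and in the following two hunks could reuse one memoized instance, e.g. `@client ||= ::Vault::Client.new(...)`. The body of `enable_ca` continues past the end of this hunk.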
@@ -89,28 +89,30 @@ def enable_ca
 File.write("tmp/intermediate.cert.pem", intermediate_cert)
 # Set the signed intermediate certificate
- Vault.logical.write("#{intermediate_ca_mount}/intermediate/set-signed", certificate: intermediate_cert)
+ client.logical.write("#{intermediate_ca_mount}/intermediate/set-signed", certificate: intermediate_cert)
 # Configure the intermediate CA
- Vault.logical.write("#{intermediate_ca_mount}/config/cluster",
- path: "#{vault_address}/v1/#{pki_mount}",
- aia_path: "#{vault_address}/v1/#{pki_mount}")
+ client.logical.write("#{intermediate_ca_mount}/config/cluster",
+ path: "#{vault_address}/v1/#{intermediate_ca_mount}",
+ aia_path: "#{vault_address}/v1/#{intermediate_ca_mount}")
- issuer_ref = Vault.logical.read("#{intermediate_ca_mount}/config/issuers").data[:default]
- Vault.logical.write("#{intermediate_ca_mount}/roles/astral",
+ issuer_ref = client.logical.read("#{intermediate_ca_mount}/config/issuers").data[:default]
+ client.logical.write("#{intermediate_ca_mount}/roles/astral",
 issuer_ref: issuer_ref,
 allow_any_name: true,
 max_ttl: "720h",
 no_store: false)
- Vault.logical.write("#{intermediate_ca_mount}/config/urls",
+ client.logical.write("#{intermediate_ca_mount}/config/urls",
 issuing_certificates: "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
 crl_distribution_points: "{{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der",
 ocsp_servers: "{{cluster_path}}/ocsp",
 enable_templating: true)
- rescue Vault::HTTPError => e
+ rescue ::Vault::HTTPError => e
 Rails.logger.error "Unable to configure intermediate_cert: #{e}"
 end
+
+
 end
 end
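Review bot: The `rescue ::Vault::HTTPError => e` at the end of `enable_ca` still only logs and returns nil, so now that the idempotency guard is gone a failure in any of the five `client.logical.write` steps leaves the intermediate mount half-configured (for instance signed but with no role or URL config) while the caller sees nothing wrong; log and re-raise with a bare `raise`, or return a boolean the caller can check. The role written at `client.logical.write("#{intermediate_ca_mount}/roles/astral", …)` keeps `allow_any_name: true` with a 720h max TTL, so any principal permitted to call `#{intermediate_ca_mount}/issue/astral` can obtain a certificate for an arbitrary subject name; if the role is meant for astral.internal hosts only, constrain it with `allowed_domains` plus `allow_subdomains` (and `enforce_hostnames`) instead of `allow_any_name`. The two blank `+` lines added before the closing `end` are trailing whitespace that RuboCop will flag. Whether `vault_address` used in the `config/cluster` call is defined outside this diff is not visible here; the old side already referenced it, so presumably it exists.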