greenbrian · June 23, 2019 20:06
diff --git a/vault_demo.sh b/vault_demo.sh
 #!/bin/bash

 ## The following command starts Vault in development mode
 ## specifiying a root token value of 'root'
 ##
 # VAULT_UI=true vault server -dev -dev-root-token-id="root"

 ## Login with root token
 ## Good for demo mode, should only be used on production cluster
 ## during initial configuration
 vault login root

 ## Create an administrative policy named 'vault-admin'
 echo '
 path "*" {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }' | vault policy write vault-admin -


 ## Create a normal user policy named 'user'
 echo '
 path "sys/mounts" {
  capabilities = ["list","read"]
 }
 path "secret/*" {
  capabilities = ["list", "read"]
 }
 path "kv1/mysecret" {
  capabilities = ["create", "read", "update", "delete", "list"]
 }
 path "kv1-very-secret/*" {
  capabilities = ["list", "read"]
 }
 path "kv2/data/secret" {
  capabilities = ["list", "read"]
 }' | vault policy write user -
 ```

 ## Write some secrets
 ## remembering we are still logged in as root
 vault secrets enable -version=1 -path=kv1 kv
 vault kv put kv1/mysecret username=bart password=simpson
 vault secrets enable -version=1 -path=kv1-very-secret kv
 vault kv put kv1-very-secret/mysecret admin_user=root admin_password=P@55w3rd
 vault secrets enable -version=1 -path=kv1-super-secret kv
 vault kv put kv1-super-secret/sensitive key=value password=35616164316lasfdasfasdfasdfasdfasf
 vault secrets enable -version=2 -path=kv2 kv
 vault kv put kv2/secret username=admin password=qwertyasdf
 vault kv put kv2/othersecrets username=root password=QWERTYUIOSDFGHJ


 ## Enable the userpass authentcation mode 
 vault auth enable userpass

 ## Create an administrative user, and a normal user
 ## These users will correlate to the policies created in previous steps
 vault write auth/userpass/users/vault password=vault policies=vault-admin
 vault write auth/userpass/users/test password=test policies=user


 ## Login with normal user
 vault login -method=userpass username=test password=test

 ## Read secret paths as normal user
 ## The 'user' policy does not allow the last operation (read kv1-super-secret deny by default)
 vault kv get kv1/mysecret
 vault kv get kv1-very-secret/mysecret
 vault kv get kv1-super-secret/sensitive

 ## Write secret paths as normal user to versioned kv path
 ## neither operation is allowed due to policy
 vault kv put kv2/secret username=moe password=syzslak
 vault kv put kv2/othersecrets admin_user=root admin_password=passw3rD

 ## Read secret paths as normal user from versioned kv path
 ## Second operation fails due to policy
 vault kv get kv2/secret
 vault kv get kv2/othersecrets 

 ## Create template file for consul-template
 echo -n 'this is my fake config file 
 [config]{{ with $secret := secret "kv1/mysecret" }}
 username={{$secret.Data.username}}
 password={{$secret.Data.password}}{{ end }}
 '> file.tpl

 ## Execute consul template to render file to stdout
 ## This assumes you have consul-template installed
 consul-template -log-level=err -template=file.tpl -once -dry

 ## Enable PKI backend for certificate issuance
 vault login root
 mkdir -p /tmp/certs/

 ## Enable PKI secret engine for root CA
 vault secrets enable -path vault-ca-root -max-lease-ttl=87600h pki

 ## Generate root CA certificate
 vault write -format=json vault-ca-root/root/generate/internal \
  common_name="vault-ca-root" ttl=87600h | tee \
  >(jq -r .data.certificate > /tmp/certs/ca.pem) \
  >(jq -r .data.issuing_ca > /tmp/certs/issuing_ca.pem) \
  >(jq -r .data.private_key > /tmp/certs/ca-key.pem)

 ## Enable & configure PKI secret engine for intermediate
 vault secrets enable -path vault-ca-intermediate pki
 vault secrets tune -max-lease-ttl=87600h vault-ca-intermediate

 ## Generate intermediate
 vault write -format=json vault-ca-intermediate/intermediate/generate/internal \
  common_name="vault-ca-intermediate" ttl=43800h | tee \
  >(jq -r .data.csr > /tmp/certs/vault-ca-intermediate.csr) \
  >(jq -r .data.private_key > /tmp/certs/vault-ca-intermediate.pem)

 ## Sign the intermediate by the root CA
 vault write -format=json vault-ca-root/root/sign-intermediate \
  csr=@/tmp/certs/vault-ca-intermediate.csr \
  common_name="vault-ca-intermediate" ttl=43800h | tee \
  >(jq -r .data.certificate > /tmp/certs/vault-ca-intermediate.pem) \
  >(jq -r .data.issuing_ca > /tmp/certs/vault-ca-intermediate_issuing_ca.pem)
 vault write vault-ca-intermediate/intermediate/set-signed certificate=@/tmp/certs/vault-ca-intermediate.pem

 ## Create a role
 vault write vault-ca-intermediate/roles/example-dot-com allow_any_name=true max_ttl="1m"

 ## Generate a certificate
 vault write vault-ca-intermediate/issue/example-dot-com common_name=foo.example.com

 ## Create template for use with Consul-template
 echo -n '{{ with secret "vault-ca-intermediate/issue/example-dot-com" "common_name=foo.example.com" }}
 {{ .Data.certificate }}
 {{ .Data.private_key }}
 {{ end }}' > cert.tpl

 ## Use consul-template to render template to stdout
 consul-template -log-level=err -template=cert.tpl -once -dry

 ## Use consul-template to render template to file
 consul-template -log-level=err -template=cert.tpl:file.crt -once

 ## verify cert with openssl
 openssl x509 -in file.crt -text -noout
	#!/bin/bash

	## The following command starts Vault in development mode
	## specifiying a root token value of 'root'
	##
	# VAULT_UI=true vault server -dev -dev-root-token-id="root"

	## Login with root token
	## Good for demo mode, should only be used on production cluster
	## during initial configuration
	vault login root

	## Create an administrative policy named 'vault-admin'
	echo '
	path "*" {
	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
	}' \| vault policy write vault-admin -


	## Create a normal user policy named 'user'
	echo '
	path "sys/mounts" {
	capabilities = ["list","read"]
	}
	path "secret/*" {
	capabilities = ["list", "read"]
	}
	path "kv1/mysecret" {
	capabilities = ["create", "read", "update", "delete", "list"]
	}
	path "kv1-very-secret/*" {
	capabilities = ["list", "read"]
	}
	path "kv2/data/secret" {
	capabilities = ["list", "read"]
	}' \| vault policy write user -
	```

	## Write some secrets
	## remembering we are still logged in as root
	vault secrets enable -version=1 -path=kv1 kv
	vault kv put kv1/mysecret username=bart password=simpson
	vault secrets enable -version=1 -path=kv1-very-secret kv
	vault kv put kv1-very-secret/mysecret admin_user=root admin_password=P@55w3rd
	vault secrets enable -version=1 -path=kv1-super-secret kv
	vault kv put kv1-super-secret/sensitive key=value password=35616164316lasfdasfasdfasdfasdfasf
	vault secrets enable -version=2 -path=kv2 kv
	vault kv put kv2/secret username=admin password=qwertyasdf
	vault kv put kv2/othersecrets username=root password=QWERTYUIOSDFGHJ


	## Enable the userpass authentcation mode
	vault auth enable userpass

	## Create an administrative user, and a normal user
	## These users will correlate to the policies created in previous steps
	vault write auth/userpass/users/vault password=vault policies=vault-admin
	vault write auth/userpass/users/test password=test policies=user


	## Login with normal user
	vault login -method=userpass username=test password=test

	## Read secret paths as normal user
	## The 'user' policy does not allow the last operation (read kv1-super-secret deny by default)
	vault kv get kv1/mysecret
	vault kv get kv1-very-secret/mysecret
	vault kv get kv1-super-secret/sensitive

	## Write secret paths as normal user to versioned kv path
	## neither operation is allowed due to policy
	vault kv put kv2/secret username=moe password=syzslak
	vault kv put kv2/othersecrets admin_user=root admin_password=passw3rD

	## Read secret paths as normal user from versioned kv path
	## Second operation fails due to policy
	vault kv get kv2/secret
	vault kv get kv2/othersecrets

	## Create template file for consul-template
	echo -n 'this is my fake config file
	[config]{{ with $secret := secret "kv1/mysecret" }}
	username={{$secret.Data.username}}
	password={{$secret.Data.password}}{{ end }}
	'> file.tpl

	## Execute consul template to render file to stdout
	## This assumes you have consul-template installed
	consul-template -log-level=err -template=file.tpl -once -dry

	## Enable PKI backend for certificate issuance
	vault login root
	mkdir -p /tmp/certs/

	## Enable PKI secret engine for root CA
	vault secrets enable -path vault-ca-root -max-lease-ttl=87600h pki

	## Generate root CA certificate
	vault write -format=json vault-ca-root/root/generate/internal \
	common_name="vault-ca-root" ttl=87600h \| tee \
	>(jq -r .data.certificate > /tmp/certs/ca.pem) \
	>(jq -r .data.issuing_ca > /tmp/certs/issuing_ca.pem) \
	>(jq -r .data.private_key > /tmp/certs/ca-key.pem)

	## Enable & configure PKI secret engine for intermediate
	vault secrets enable -path vault-ca-intermediate pki
	vault secrets tune -max-lease-ttl=87600h vault-ca-intermediate

	## Generate intermediate
	vault write -format=json vault-ca-intermediate/intermediate/generate/internal \
	common_name="vault-ca-intermediate" ttl=43800h \| tee \
	>(jq -r .data.csr > /tmp/certs/vault-ca-intermediate.csr) \
	>(jq -r .data.private_key > /tmp/certs/vault-ca-intermediate.pem)

	## Sign the intermediate by the root CA
	vault write -format=json vault-ca-root/root/sign-intermediate \
	csr=@/tmp/certs/vault-ca-intermediate.csr \
	common_name="vault-ca-intermediate" ttl=43800h \| tee \
	>(jq -r .data.certificate > /tmp/certs/vault-ca-intermediate.pem) \
	>(jq -r .data.issuing_ca > /tmp/certs/vault-ca-intermediate_issuing_ca.pem)
	vault write vault-ca-intermediate/intermediate/set-signed certificate=@/tmp/certs/vault-ca-intermediate.pem

	## Create a role
	vault write vault-ca-intermediate/roles/example-dot-com allow_any_name=true max_ttl="1m"

	## Generate a certificate
	vault write vault-ca-intermediate/issue/example-dot-com common_name=foo.example.com

	## Create template for use with Consul-template
	echo -n '{{ with secret "vault-ca-intermediate/issue/example-dot-com" "common_name=foo.example.com" }}
	{{ .Data.certificate }}
	{{ .Data.private_key }}
	{{ end }}' > cert.tpl

	## Use consul-template to render template to stdout
	consul-template -log-level=err -template=cert.tpl -once -dry

	## Use consul-template to render template to file
	consul-template -log-level=err -template=cert.tpl:file.crt -once

	## verify cert with openssl
	openssl x509 -in file.crt -text -noout