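#!/usr/bin/env bash
# vault-env — exports the Vault client environment for the current shell:
#   VAULT_ADDR, VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
# (VAULT_TOKEN only on explicit request, see step 5).
#
# Usage (must be *sourced*; otherwise the exports only live in a sub-shell):
#   source ~/.local/bin/vault-env
# Afterwards, e.g.:
#   vault status
#   vault login -method=cert
#
# Values that are already exported win over the defaults below, so the same
# file can be pointed at another Vault or another cert/key pair.

# Minimal logger. Diagnostics go to stderr so that sourcing this file from a
# script whose stdout is captured ($(...)) does not pollute the capture.
log(){ printf '[vault-env] %s\n' "$*" >&2; }

# Strict mode only when executed directly. When *sourced*, set -e/-u/-o pipefail
# would be inherited by the caller's (usually interactive) shell and break it —
# e.g. set -u makes every prompt or completion that touches an unset variable
# fail, and set -e would terminate the caller on the first failing command.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  set -Eeuo pipefail
fi

# 1) Address. A FQDN that matches the server certificate, so no SNI/name
#    override (VAULT_TLS_SERVER_NAME) is needed.
export VAULT_ADDR="${VAULT_ADDR:-https://vault.test.privsec.ch:22300}"

# 2) CA bundle: prefer the proxy chain, fall back to the agent CA.
#    A pre-set VAULT_CACERT is respected, consistent with the other variables.
if [[ -z "${VAULT_CACERT:-}" ]]; then
  CA_FILE="$HOME/nginx/ca/current-ca-chain.pem"
  [[ -r "$CA_FILE" ]] || CA_FILE="$HOME/vault/ca/ca.pem"
  VAULT_CACERT="$CA_FILE"
fi
export VAULT_CACERT

# 3–4) mTLS client certificate and private key.
export VAULT_CLIENT_CERT="${VAULT_CLIENT_CERT:-$HOME/vault/mtls/agent.crt}"
export VAULT_CLIENT_KEY="${VAULT_CLIENT_KEY:-$HOME/vault/mtls/agent.key}"

# 5) Token — opt-in only (VAULT_ENV_EXPORT_TOKEN=1).
#    The vault CLI reads ~/.vault-token itself through its token helper, and an
#    exported VAULT_TOKEN takes precedence over that file: with it set, the
#    `vault login -method=cert` from the usage above would be ignored for the
#    rest of this shell, and the secret would be inherited by every child
#    process. Export it only for tools that cannot use the token helper, and
#    never export an empty token when the file is missing.
if [[ "${VAULT_ENV_EXPORT_TOKEN:-0}" == 1 && -z "${VAULT_TOKEN:-}" ]]; then
  TOKEN_FILE="$HOME/.vault-token"
  if [[ -r "$TOKEN_FILE" ]]; then
    # Assign first, export second: `export X="$(cmd)"` masks the read's exit status.
    VAULT_TOKEN="$(<"$TOKEN_FILE")"
    export VAULT_TOKEN
  else
    log "WARN: Token-Datei fehlt/unlesbar → $TOKEN_FILE (VAULT_TOKEN nicht gesetzt)"
  fi
elif [[ -n "${VAULT_TOKEN:-}" ]]; then
  log "Hinweis: VAULT_TOKEN ist gesetzt und hat Vorrang vor ~/.vault-token."
fi

# Readability hints — warnings only; a sourced file must never abort the caller.
# $1 label, $2 wording for the missing case, $3 path to check.
check_readable(){
  if [[ -r "$3" ]]; then
    log "$1 ok: $3"
  else
    log "WARN: $1 $2 → $3"
  fi
}
check_readable "CA"        "fehlt/unerreichbar" "$VAULT_CACERT"
check_readable "mTLS cert" "fehlt"              "$VAULT_CLIENT_CERT"
check_readable "mTLS key"  "fehlt"              "$VAULT_CLIENT_KEY"

# Do not leak temporaries into the sourcing shell.
unset -v CA_FILE TOKEN_FILE

log "VAULT_ADDR=$VAULT_ADDR"
log "Fertig. (Hinweis: Script muss *gesourct* werden, sonst gelten die Exports nur im Sub-Shell.)"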