diff --git a/README.md b/README.md index d98d82a51a0b54a2759ac050ee999b5c1b40be6c..fd3e247e92396ca6b9a7f4030139abcb0e87b392 100644 --- a/README.md +++ b/README.md 
@@ -1,91 +1,53 @@ # vault-secrets-shuffle -1. [configuration](#configuration) 1. [usage](#usage) 1. [compatibility](#compatibility) 1. [build](#build) -1. [notes](#notes) -Fetches nodes definitions from PuppetDB, generate random secrets for each host and store them to Vault. +Fetches and stores a given Certificate, Full Chain, CA and Private Keynodes -It is meant to be used in conjunction with [hiera_vault](https://github.com/petems/petems-hiera_vault) +It is meant to be used in conjunction with Geant ACME infrastructure -## configuration - -you have: - -- a kv v2 store on Vault -- puppet Hiera connected to Vault through [hiera_vault](https://github.com/petems/petems-hiera_vault) and your lookups include certnames/fqdn -- a configuration file with one `vault` section as following (beware of file permissions): - -```ini -[vault] -# Vault parameters -vault_token = xxxxxxxxxxx -vault_ssl = true -vault_host = vault.yourdomain.org -vault_port = 443 -vault_path = test/toast -vault_keyname = vault_root_password +## usage -# PuppetDB parameters -puppetdb_host = puppetdb.yourdomain.org -puppetdb_port = 8080 +you can run the tool as following: -# Password properties -pass_lenght = 10 -min_digits = 2 -max_digits = 6 -min_symbols = 0 -max_symbols = 0 +```bash +acme-downloader --vault-token=<VAULT-TOKEN> --redis-token=<REDIS_TOKEN> --cert-name=foo-ev-cert.geant.org --team-name=swd ``` -## usage - -you can run the tool with `--help` to check all options: + or check all the option using `--help`: ```bash -vault-secrets-shuffle --help -Vault Secrets Shuffler: - - iterates all VMs registered in PuppetDB - - generate generate random secrets different for each host - - upload the secrets to vault. 
+ACME Downloader: + - fetches and stores a given Certificate, Full Chain, CA and Private Key Usage: - vault-secrets-shuffle --config=CONFIG [--kv=kv] [--write=WRITE] [--debug] - vault-secrets-shuffle -v | --version - vault-secrets-shuffle -b | --build - vault-secrets-shuffle -h | --help + acme-downloader --redis-token=REDISTOKEN --vault-token=VAULTTOKEN --cert-name=CERTNAME --team-name=TEAMNAME [--days=DAYS] [--type=TYPE] [--cert-destination=CERTDESTINATION] [--fullchain-destination=FULLCHAINDESTINATION] [--key-destination=KEYDESTINATION] [--ca-destination=CADESTINATION] + acme-downloader -v | --version + acme-downloader -b | --build + acme-downloader -h | --help Options: - -h --help Show this screen - -c --config=CONFIG Config file - -w --write=WRITE Output file (OPTIONAL) - -k --kv=kv Keystore Version. [default: 2] - -d --debug Print password and full key path (OPTIONAL) - -v --version Print version exit - -b --build Print version and build information and exit -``` - -or you can simply run: - -```bash -vault-secrets-shuffle --config /path/to/file.conf -``` + -h --help Show this screen + -v --version Print version exit + -b --build Print version and build information and exit + --redis-token=REDISTOKEN Redis access token + --vault-token=VAULTTOKEN Vault access token + --cert-name=CERTNAME Certificate name + --team-name=TEAMNAME Team name: swd, dream_team, it, ne, ti... 
+ --days=DAYS Days before expiration [default: 30] + --type=TYPE Type, EV or OV [default: EV] + --cert-destination=CERTDESTINATION Cert Destination [default: /etc/ssl/certs/<cert-name>.crt] + --fullchain-destination=FULLCHAINDESTINATION Full Chain Destination[default: /etc/ssl/certs/<cert-name>_fullchain.crt] + --key-destination=KEYDESTINATION Key Destination [default: /etc/ssl/private/<cert-name>.key] + --ca-destination=CADESTINATION CA Destination [default: /etc/ssl/certs/COMODO_<type>.crt]``` ## compatibility -tested against: +Debian/RedHat/Arch OS families -- puppetdb 6.2 -- vault 1.0.2 ## build you can use `build.sh` from this repo - -## notes - -Some change is already in the work on [petems/petems-hiera_vault#43](https://github.com/petems/petems-hiera_vault/pull/43) - -These changes will allow to use Kv v2, which is safer to use (as it has password history)
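Review bot: the usage example and the Usage block take `--vault-token` and `--redis-token` as command-line arguments, which leaves both secrets visible in shell history and in process listings for any local user; the previous README at least warned about file permissions on the config file, and this revision removes that section without replacing the guidance. Consider documenting a non-argv way to supply the tokens (an environment variable or a token file) or, failing that, stating the exposure plainly, and since `--key-destination` defaults to `/etc/ssl/private/<cert-name>.key`, documenting the ownership and mode the private key file is written with. Two smaller points: the new description line reads `Fetches and stores a given Certificate, Full Chain, CA and Private Keynodes` (leftover `nodes` from the removed sentence), and the closing fence of the options block appears to sit on the same line as the `--ca-destination` option (`COMODO_<type>.crt]```` with no separator before the backticks), which Markdown does not treat as a closing fence, so the `## compatibility` heading and everything after it would render inside the code block; put the three backticks on their own line. Finally, `--days=DAYS Days before expiration [default: 30]` does not say what the tool does with that threshold (skip the download, warn, or refuse), and `-v --version Print version exit` is missing the word `and`.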