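#!/bin/bash
# Setup TLS for Vault Cluster
#
# Prepares the on-node directory structure for TLS material (Let's Encrypt or
# custom certificates) and writes the operator guide that explains how to
# install the certificates and enable TLS on the Vault listeners.
#
# Requires: root SSH to both Proxmox hosts; the Vault containers must already
#           exist and contain a `vault` user (chown below fails otherwise).
# Env:      PROXMOX_HOST_1 / PROXMOX_HOST_2 override the defaults; they may
#           also come from config/ip-addresses.conf when that file exists.
set -euo pipefail

# Load IP configuration. The file is optional: when it is absent the defaults
# further down apply, which is why the source failure is deliberately ignored.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
# shellcheck disable=SC1091 -- optional, environment-specific file
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

log_info()    { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn()    { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error()   { echo -e "${RED}[✗]${NC} $1" >&2; }

PROXMOX_HOST_1="${PROXMOX_HOST_1:-192.168.11.11}"
PROXMOX_HOST_2="${PROXMOX_HOST_2:-192.168.11.12}"

# Vault container VMIDs and the Proxmox host each container runs on.
VAULT_NODES=(8640 8641 8642)
declare -A NODE_HOST=(
  [8640]="$PROXMOX_HOST_1"
  [8641]="$PROXMOX_HOST_2"
  [8642]="$PROXMOX_HOST_1"
)

# The guide is written relative to this checkout, never to a hard-coded
# home directory, so the script works from any clone location.
DOC_DIR="${PROJECT_ROOT}/docs/04-configuration"
DOC_PATH="${DOC_DIR}/VAULT_TLS_CONFIGURATION.md"

echo "═══════════════════════════════════════════════════════════"
echo "  Vault TLS Configuration Setup"
echo "═══════════════════════════════════════════════════════════"
echo ""

# Create TLS directories on all nodes
log_info "Creating TLS directories on all nodes..."
for vmid in "${VAULT_NODES[@]}"; do
  host="${NODE_HOST[$vmid]}"
  log_info "Setting up TLS directory for VMID $vmid on $host..."

  # The remote shell gets its own strict mode: without it a failed chown
  # (e.g. no `vault` user yet) would be masked by the final chmod's status
  # and the loop would report success for a mis-owned directory.
  if ! ssh root@"$host" "pct exec $vmid -- bash" <<'TLS_EOF'
set -euo pipefail
mkdir -p /opt/vault/tls
chown vault:vault /opt/vault/tls
chmod 700 /opt/vault/tls
TLS_EOF
  then
    log_error "Failed to prepare /opt/vault/tls in VMID $vmid on $host"
    exit 1
  fi

  log_success "TLS directory created for VMID $vmid"
done

echo ""

# Create TLS configuration template
log_info "Creating TLS configuration template..."
mkdir -p "$DOC_DIR"

cat > "$DOC_PATH" <<'TLS_DOC_EOF'
# Vault TLS Configuration Guide

## Overview

This guide explains how to configure TLS for the Phoenix Vault cluster.
TLS can be configured using:

- Let's Encrypt (recommended for production)
- Custom certificates
- Self-signed certificates (development only)

## TLS Directory Structure

TLS certificates are stored in `/opt/vault/tls/` (mode 700, owned by `vault`) on each node:

- `vault.crt` - Certificate file (full chain, leaf first)
- `vault.key` - Private key file (mode 600)
- `ca.crt` - CA certificate (if using custom CA)

## Let's Encrypt Setup (Recommended)

### Prerequisites

- Domain name pointing to Vault nodes (or use DNS challenge)
- Certbot installed on a management node
- Port 80 or 443 accessible for ACME challenge (HTTP-01 needs the name to
  resolve to the node running certbot; use the DNS-01 challenge otherwise)

### Steps

1. **Install Certbot** (on management node):

   ```bash
   apt-get update
   apt-get install -y certbot
   ```

2. **Obtain Certificates**:

   ```bash
   # For each Vault node
   certbot certonly --standalone -d vault-phoenix-1.example.com
   certbot certonly --standalone -d vault-phoenix-2.example.com
   certbot certonly --standalone -d vault-phoenix-3.example.com
   ```

   Recent certbot releases issue ECDSA keys by default. The listener cipher
   list in step 4 includes both ECDSA and RSA suites so either key type works.

3. **Copy Certificates to Vault Nodes**:

   The private key is staged on the Proxmox host before `pct push` can move
   it into the container. Stage it in a private `mktemp -d` directory (mode
   700) rather than a fixed name in the shared `/tmp`, and delete the staging
   copy afterwards so no key material is left behind on the hypervisor.

   ```bash
   # Node 1
   H="${PROXMOX_HOST_R630_01:-192.168.11.11}"
   STAGE="$(ssh root@"$H" 'mktemp -d -t vault-tls.XXXXXX')"
   scp /etc/letsencrypt/live/vault-phoenix-1.example.com/fullchain.pem root@"$H":"$STAGE/vault.crt"
   scp /etc/letsencrypt/live/vault-phoenix-1.example.com/privkey.pem   root@"$H":"$STAGE/vault.key"
   ssh root@"$H" "pct push 8640 $STAGE/vault.crt /opt/vault/tls/vault.crt \
     && pct push 8640 $STAGE/vault.key /opt/vault/tls/vault.key \
     && pct exec 8640 -- chown vault:vault /opt/vault/tls/vault.crt /opt/vault/tls/vault.key \
     && pct exec 8640 -- chmod 600 /opt/vault/tls/vault.key \
     && pct exec 8640 -- chmod 644 /opt/vault/tls/vault.crt; \
     rm -rf -- \"$STAGE\""
   # Repeat for nodes 2 (VMID 8641 on PROXMOX_HOST_R630_02) and 3 (VMID 8642)
   ```

4. **Update Vault Configuration**:

   Update `/etc/vault.d/vault.hcl` on each node. `cluster_address` is the
   node's own address and differs per node.

   ```hcl
   listener "tcp" {
     address         = "0.0.0.0:8200"
     cluster_address = "10.160.0.40:8201"
     tls_cert_file   = "/opt/vault/tls/vault.crt"
     tls_key_file    = "/opt/vault/tls/vault.key"
     # Vault expects "tls12"/"tls13" here; the value "1.2" is rejected at startup.
     tls_min_version = "tls12"
     # Applies to TLS 1.2 only; TLS 1.3 suites are fixed by Go and not configurable.
     tls_cipher_suites = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   }
   ```

5. **Restart Vault Services**:

   Switching a listener from plaintext to TLS requires a restart. Note that a
   restart seals Vault; each node must be unsealed afterwards unless
   auto-unseal is configured.

   ```bash
   ssh root@${PROXMOX_HOST_R630_01:-192.168.11.11} "pct exec 8640 -- systemctl restart vault"
   ssh root@${PROXMOX_HOST_R630_02:-192.168.11.12} "pct exec 8641 -- systemctl restart vault"
   ssh root@${PROXMOX_HOST_R630_01:-192.168.11.11} "pct exec 8642 -- systemctl restart vault"
   ```

   For later certificate rotations a restart is not needed: Vault re-reads
   `tls_cert_file`/`tls_key_file` on SIGHUP, so `systemctl reload vault`
   (or `kill -HUP` on the vault PID if the unit has no `ExecReload`) installs
   the renewed certificate without sealing.

6. **Set Up Auto-Renewal**:

   ```bash
   # Add to crontab on management node. The deploy hook must repeat step 3
   # for every node and then SIGHUP each Vault process (see step 5).
   0 2 * * * certbot renew --quiet --deploy-hook "/path/to/renew-vault-certs.sh"
   ```

## Custom Certificates

Vault is a Go program and Go clients require the server name in a
Subject Alternative Name; a certificate with only a Common Name is rejected.
Put every hostname and IP the node is reached by into the SAN.

1. **Generate Certificate Signing Request (CSR)**:

   ```bash
   openssl genrsa -out vault.key 2048
   chmod 600 vault.key
   openssl req -new -key vault.key -out vault.csr \
     -subj "/CN=vault-phoenix-1.example.com/O=Sankofa/C=US"
   ```

2. **Sign Certificate with CA** (on the CA host; `ca.key` never leaves it):

   `openssl x509 -req` does not carry extensions over from the CSR, so the SAN
   is supplied through an extension file at signing time.

   ```bash
   printf 'subjectAltName=DNS:vault-phoenix-1.example.com,IP:10.160.0.40\nextendedKeyUsage=serverAuth\n' > vault.ext
   openssl x509 -req -in vault.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
     -out vault.crt -days 365 -extfile vault.ext
   ```

3. **Copy to Vault Nodes** (same as Let's Encrypt step 3; also push `ca.crt`
   so clients on the node can verify the chain)

4. **Update Configuration** (same as Let's Encrypt step 4)

## Self-Signed Certificates (Development Only)

```bash
# Generate self-signed certificate. -addext needs OpenSSL 1.1.1 or newer;
# without the SAN Vault clients will refuse the certificate.
openssl req -x509 -newkey rsa:2048 -keyout vault.key -out vault.crt -days 365 -nodes \
  -subj "/CN=vault-phoenix-1/O=Sankofa/C=US" \
  -addext "subjectAltName=DNS:vault-phoenix-1,IP:10.160.0.40"

# Copy to all nodes (step 3 above)
# Update configuration (step 4 above)
```

## Verification

After enabling TLS, verify the certificate the way a real client will.
Do not use `curl -k`: it disables verification and hides a wrong, expired or
SAN-less certificate, which is exactly what this step should catch.

```bash
# Let's Encrypt: the system trust store is enough, drop --cacert.
# Custom/self-signed: pass the CA (or the self-signed cert itself).
curl --cacert ca.crt https://vault-phoenix-1.example.com:8200/v1/sys/health
# /v1/sys/health returns 429/472/473/501/503 for standby, sealed or
# uninitialised nodes; any HTTP response means the TLS handshake succeeded.

# Check the presented chain and fail on verification errors
openssl s_client -connect vault-phoenix-1.example.com:8200 \
  -servername vault-phoenix-1.example.com -CAfile ca.crt \
  -verify_return_error -showcerts </dev/null
```

## Important Notes

- **Never commit private keys to Git**
- **Remove staged key copies from the Proxmox hosts after pushing them**
- **Use strong TLS cipher suites**
- **Set minimum TLS version to 1.2 or higher** (`tls_min_version = "tls12"`)
- **Regularly renew certificates** and reload Vault with SIGHUP rather than restarting
- **Monitor certificate expiration**
- **Use separate certificates for each node in production**
TLS_DOC_EOF

log_success "TLS configuration guide created"

echo ""
log_info "TLS setup structure prepared"
log_warn "TLS is currently disabled. Enable TLS in production using the guide:"
log_info "  docs/04-configuration/VAULT_TLS_CONFIGURATION.md"
echo ""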