diff --git a/acme.yaml b/acme.yaml new file mode 100644 index 0000000000000000000000000000000000000000..218a35f47971bc6983c345161d93ba4523bc746c --- /dev/null +++ b/acme.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: chepia-ch +spec: + acme: + server: http://10.152.183.192:8200/v1/pki_int/acme/directory + caBundle: 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 + privateKeySecretRef: + name: issuer-token-lmzpj + solvers: + - selector: {} + http01: + ingress: + ingressClassName: nginx + \ No newline at end of file diff --git a/atelier_secu.md b/atelier_secu.md index b509f0d8a8db39b263fcb7b3311ed6773c362ef1..cccc8e1d1d20182508c07a02ecb59a6f469b3325 100644 --- a/atelier_secu.md +++ b/atelier_secu.md @@ -72,8 +72,22 @@ Initial Root Token: hvs.zWAYhaUkch0hfgfi18fduTvl --> Pour déverrouiller Vault, il faut que 3 des 5 tokens créés soit renseignés. On doit ensuite se logger avec le token root +### Install tools on pod + +- jq (json parsing) + +``` +microk8s kubectl exec -ti vault-0 -- sh +cd vault +wget https://github.com/stedolan/jq/releases/download/jq-1.7.1/jq-linux64 -O jq +chmod +x jq +``` + + ### Configurer le PKI : +- https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine?variants=vault-deploy%3Aselfhosted + #### Root CA : Commandes : 
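Review bot: The ACME directory on the `server:` line is plain `http://10.152.183.192:8200/v1/pki_int/acme/directory`, so the `caBundle` on the next line is never used (cert-manager only applies it to verify the TLS connection to the ACME server) and every directory, nonce and order exchange crosses the pod network unauthenticated; RFC 8555 requires HTTPS for ACME, and as far as I recall Vault's ACME server also expects the mount's cluster `path` to be an https URL, so this issuer is unlikely to work as committed. Change it to `server: https://<vault-hostname>:8200/v1/pki_int/acme/directory` and keep `caBundle` set to the CA that issued Vault's listener certificate. `privateKeySecretRef.name: issuer-token-lmzpj` also reuses the name of the service-account token Secret created in issuer-secret.yaml; cert-manager will store the ACME account key under that name in its own namespace, which is confusing — something like `name: chepia-ch-acme-account-key` keeps the two credentials distinguishable.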
@@ -99,4 +113,218 @@ vault secrets enable -path=pki_int pki vault secrets tune -max-lease-ttl=240h pki_int ``` -→ TTL 10 jours \ No newline at end of file +→ TTL 10 jours + +- **ADD GUI STEPS** + + +#### Create a role : + +- **ADD GUI STEPS** + + +#### Request certificates + +- **ADD GUI STEPS** + +### Configurer cert-manager + +- https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-cert-manager + +### Delete expired certs + +``` +vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true +``` + +### Root certificate rotation + +``` + vault write pki/root/rotate/internal \ + common_name="chepia.com" \ + issuer_name="root-2" +``` + +``` +vault write pki/roles/chepia-servers allow_any_name=true +``` + + +#### Root bridge + +``` + cd vault + + vault write -format=json pki_int/intermediate/cross-sign \ + common_name="chepia.com" \ + key_ref="$(vault read pki_int/issuer/root-2 \ + | grep -i key_id | awk '{print $2}')" \ + | ./jq -r '.data.csr' \ + | tee cross-signed-intermediate.csr + + vault write -format=json pki_int/issuer/root/sign-intermediate \ + common_name="chepia.com" \ + csr=@cross-signed-intermediate.csr \ + | ./jq -r '.data.certificate' | tee cross-signed-intermediate.crt + + vault write pki/intermediate/set-signed \ + certificate=@cross-signed-intermediate.crt + +``` + +#### Set default issuer + +``` +vault write pki/root/replace default=root-2 +``` + +### cross-sign intermediate + +```bash +cd vault + +vault write -format=json pki_int/intermediate/cross-sign \ + common_name="chepia.com Intermediate Authority" \ + key_ref="$(vault read pki_int/issuer/$(vault read -field=default pki_int/config/issuers) \ + | grep -i key_id | awk '{print $2}')" \ + | ./jq -r '.data.csr' \ + | tee cross-signed-intermediate.csr + +vault write -format=json pki/issuer/root-2/sign-intermediate \ + common_name="chepia.com Intermediate Authority" \ + csr=@cross-signed-intermediate.csr \ + | ./jq -r '.data.certificate' | tee cross-signed-intermediate.crt + 
+vault write pki_int/intermediate/set-signed certificate=@cross-signed-intermediate.crt +``` + +### ACME setup + +#### terminal : +```bash +vault write /sys/mounts/pki_int/tune \ + passthrough_request_headers="If-Modified-Since" \ + allowed_response_headers="Last-Modified,Location,Replay-Nonce,Link" +``` + +#### GUI : +- go to the intermediate certificate configuration page +- add url `http://127.0.0.1:8200/v1/pki_int` to AIA path and Mount's API path +- Tick "Enable ACME" +- save + +### Add ACME to cert-manager + +https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-cert-manager + +#### add issuer + +- Création du fichier de configuration acme.yaml + +```yaml +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: chepia-ch +spec: + acme: + server: http://127.0.0.1:8200/v1/pki_int + caBundle: <root cert in PEM format encoded in base64> + privateKeySecretRef: + name: issuer-token-lmzpj +``` + +- Activation de la config avec `microk8s kubectl apply -f acme.yaml ` + +### Add ingress to the k8s cluster + +- Activer l'addon `ingress`qui permet d'exposer des services gérés par le cluster kubernetes : + +`microk8s enable ingress` + +- On peut maintenant créer des règles pour exposer des services en https. + +### Create certificate + +``` +apiVersion: cert-manager.io/v1 + +kind: Certificate + +metadata: + + name: chepia-cert + + namespace: default + +spec: + + issuerRef: + + name: chepia-ch + + kind: ClusterIssuer + + secretName: chepia-cert + + dnsNames: + +\- www.chepia.ch +``` + +### Expose https service + +- Nous allons utiliser un simple serveur web Nginx pour représenter la page d'accueil de l'intranet de notre entreprise : + +1. Créer le fichier de config de la page d'accueil : + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-configmap + namespace: default +data: + index.html: | + <html> + <h1> Bienvenue sur l'intranet de CHEPIA </h1> + <h3> Certificats gratos !! </h3> + </html> +``` + +2. 
Créer le fichier de config du serveur : + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-configmap + labels: + app: nginx +spec: + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + volumeMounts: + - name: nginx-index + mountPath: /usr/share/nginx/index.html + subPath: index.html + volumes: + - name: nginx-index + configMap: + name: nginx-configmap +``` + +3. Appliquer les configs : `microk8s kubectl apply -f nginx-configmap.yaml`, `microk8s kubectl apply -f nginx.yaml` + +https://cert-manager.io/docs/usage/ingress/ \ No newline at end of file diff --git a/cert.yaml b/cert.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7c25c91d4bf573e21bc3674bb2463ac397db820a --- /dev/null +++ b/cert.yaml @@ -0,0 +1,12 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: chepia-cert + namespace: default +spec: + issuerRef: + name: chepia-ch + kind: ClusterIssuer + secretName: chepia-cert + dnsNames: + - www.chepia.ch \ No newline at end of file diff --git a/certs/3d-3a-0e-ad-b9-0e-e3-0c-5c-9b-34-0d-76-89-26-47-3c-83-c0-22.pem b/certs/3d-3a-0e-ad-b9-0e-e3-0c-5c-9b-34-0d-76-89-26-47-3c-83-c0-22.pem new file mode 100644 index 0000000000000000000000000000000000000000..99c56138025c5bd622c1bfaee72bc4a386c2f154 --- /dev/null +++ b/certs/3d-3a-0e-ad-b9-0e-e3-0c-5c-9b-34-0d-76-89-26-47-3c-83-c0-22.pem 
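Review bot: This Certificate requests `www.chepia.ch` into `secretName: chepia-cert`, but the Ingress added in nginx-service.yaml terminates TLS with `secretName: tls-secret` for host `chepia.ch`, so the certificate ordered here is never served and the `cert-manager.io/cluster-issuer` annotation on that Ingress will create a second, differently named Certificate. Either point the Ingress at this one (`secretName: chepia-cert`, `hosts: [www.chepia.ch]`) or drop cert.yaml and rely on the annotation — keeping both means two ACME orders for two names and a confusing failure when one does not resolve. Consider also `privateKey: {rotationPolicy: Always}` so a renewal never reuses the previous key.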
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTDCCAjSgAwIBAgIUPToOrbkO4wxcmzQNdokmRzyDwCIwDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAxMKY2hlcGlhLmNvbTAeFw0yNDAzMjEwODUyMDRaFw0yNDAz
+MjIwODUyMzRaMBoxGDAWBgNVBAMTD3ZhdWx0LmNoZXBpYS5jaDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOZjmkzMckLx5B6950AoKrG15CrhADQh3j0J
+n/jSm6EKnQs1UHVSPCKJ6SG3Z0yLMxMOKvceZztUezKgsoGnvquUxQtMaGOH+7HI
+OWdBetEd/h7lo/Kt7ZlOWXUAylVe8rLGwDmPfJlrTJ3Qgl4HnruF8DB45i/KmqyM
++5pWkgZAZK4MooPM79ZvGKXAnOnECDSuolfS9uByjBY1GrOsg/ZO8Ih++b1oE2Ii
+XmNmDEsAzStrGHNqnm5o6cUEs7fCtNl4blvEHtylk41Q/WFU8u1pfX+RMc28ixbq
+nLP2uExDDUAgJNmgbp3hscw4tr037wrt0Tu6T9pCoEmlGPN78GUCAwEAAaOBjjCB
+izAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MB0GA1UdDgQWBBS41PXCPrKtRZi+mPfMDJeqiivO/jAfBgNVHSMEGDAWgBSIU1YV
+In5I8XnLzPPnvLF4HAF7tTAaBgNVHREEEzARgg92YXVsdC5jaGVwaWEuY2gwDQYJ
+KoZIhvcNAQELBQADggEBABOrgz2LqTJ+24l4ytPSGVPOlQjN0PjYwHxGxKbyzrn8
++iUDn03yJWbyvb6fs1WNlHwOmY+pkEJ+CEdfZkAgCK4XtQZc7QQhbbQryuVAyjSr
+pos+OdrrricQEHCq+EcTsNEL2WTmheQmAjLi2H/3VSd70MqVgD0llhtYoWjjzIx5
+Nt1wLPEAa2IrdJ1w32jhUx0PcSKCrLpBKCgnzswcYyS9AlKsvvuB4D4wNN6530vM
+gRrO9INT0CLQEU0BavmDYS4YtTLLTquhDfheY3FiFqnrXgvCNnFq560WPJ23B31C
+tzBm7PGs1iVU8ZO4DleCZIts/n4GClcrPCAoChEtGNQ=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/cross-signed-intermediate.csr b/cross-signed-intermediate.csr
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/example-com-cert.yaml b/example-com-cert.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a412d85d65b1dbf2320edbf8ca12f85bdc50d359
--- /dev/null
+++ b/example-com-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: chepia-ch
+ namespace: default
+spec:
+ secretName: chepia-ch-tls
+ issuerRef:
+ name: vault-issuer
+ commonName: www.chepia.ch
+ dnsNames:
+ - www.chepia.ch
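Review bot: The leading bytes of this certificate's RSA modulus match the private key committed as keys/priv_vault.key in the same commit, so the key for this `vault.chepia.ch` leaf (subject decoded from the base64) is public and the certificate must be revoked — e.g. `vault write pki_int/revoke serial_number=3d:3a:0e:ad:b9:0e:e3:0c:5c:9b:34:0d:76:89:26:47:3c:83:c0:22` against whichever mount issued it. Decoding also shows a validity window of 2024-03-21 to 2024-03-22, and an issuer CN of `chepia.com`, a name this repo uses for both the root and a cross-signed intermediate, so which CA signed it cannot be told from the file alone. A one-day leaf certificate has no business in version control; if clients need trust material, commit only the CA certificates.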
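Review bot: This is a second Certificate for `www.chepia.ch` (cert.yaml requests the same name through the ACME ClusterIssuer) with a different issuer and a secret, `chepia-ch-tls`, that the Ingress never consumes. `issuerRef` omits `kind`, so cert-manager defaults to a namespaced `Issuer` named `vault-issuer` in `default`; that matches vault-issuer.yaml, but writing `kind: Issuer` explicitly avoids surprises if a ClusterIssuer of the same name ever appears. If this file is a leftover from the tutorial (the filename still says example-com), drop it; otherwise settle on one issuer per DNS name so renewals do not race.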
diff --git a/images/ca-expired.png b/images/ca-expired.png
new file mode 100644
index 0000000000000000000000000000000000000000..22d33933feac051987075ce00509d431e1d5c20c
Binary files /dev/null and b/images/ca-expired.png differ
diff --git a/images/cert-expired.png b/images/cert-expired.png
new file mode 100644
index 0000000000000000000000000000000000000000..0e918f5002a11bbaf9c2074455481633bb685052
Binary files /dev/null and b/images/cert-expired.png differ
diff --git a/images/cert-manager.png b/images/cert-manager.png
new file mode 100644
index 0000000000000000000000000000000000000000..218f741b69b37326e48e59f580bd05435abbd60e
Binary files /dev/null and b/images/cert-manager.png differ
diff --git a/images/error-ttl.png b/images/error-ttl.png
new file mode 100644
index 0000000000000000000000000000000000000000..c4382cc1ec354f828924911440154917999cbef4
Binary files /dev/null and b/images/error-ttl.png differ
diff --git a/images/vault-seal.md b/images/vault-seal.png
similarity index 100%
rename from images/vault-seal.md
rename to images/vault-seal.png
diff --git a/issuer-secret.yaml b/issuer-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..386fdac06fe7aab31d083d6ce81be6c0ed36ebcd
--- /dev/null
+++ b/issuer-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: issuer-token-lmzpj
+ annotations:
+ kubernetes.io/service-account.name: issuer
+type: kubernetes.io/service-account-token
diff --git a/keys/priv_vault.key b/keys/priv_vault.key
new file mode 100644
index 0000000000000000000000000000000000000000..d703c7e20fb5363694bca7742d29c1ec5d2c41f3
--- /dev/null
+++ b/keys/priv_vault.key
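Review bot: This Secret mints a non-expiring service-account token for the `issuer` ServiceAccount, which vault-issuer.yaml then presents to Vault — a long-lived bearer credential sitting in etcd, and with no `namespace` in `metadata` it is created wherever the kubectl context points, while the Issuer expects it in `default`. cert-manager's Vault issuer supports `auth.kubernetes.serviceAccountRef: {name: issuer}`, which uses short-lived projected tokens and removes the need for this Secret altogether. If a static token must stay, add `namespace: default`, and note that the ServiceAccount `issuer` itself is not created anywhere in this commit.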
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA5mOaTMxyQvHkHr3nQCgqsbXkKuEANCHePQmf+NKboQqdCzVQ +dVI8IonpIbdnTIszEw4q9x5nO1R7MqCygae+q5TFC0xoY4f7scg5Z0F60R3+HuWj +8q3tmU5ZdQDKVV7yssbAOY98mWtMndCCXgeeu4XwMHjmL8qarIz7mlaSBkBkrgyi +g8zv1m8YpcCc6cQINK6iV9L24HKMFjUas6yD9k7wiH75vWgTYiJeY2YMSwDNK2sY +c2qebmjpxQSzt8K02XhuW8Qe3KWTjVD9YVTy7Wl9f5ExzbyLFuqcs/a4TEMNQCAk +2aBuneGxzDi2vTfvCu3RO7pP2kKgSaUY83vwZQIDAQABAoIBAQDAzWfqj0mr5nxu +kaP+F98q2zo3/BXMiu9OC0j51V5yVcx4/cP4erpieSFFmxNyhidW8gtYxPPFPfzf +sIXSZUv2kUiZHPdbHAixjgsj8zNR35SzzJ/4Tj/BhUTt2px49z2KCTQCt6ahSZ9T +jpQbFqtq6TrJhdO0+QuaDV3dmkcXvKMnDemH42dbNc8Z0aoPIDmBz3mSn4m3hKqD +A62FELtoXZcYxR1Eq9kA9D2Ffq3JosGXRvXR9pbCHnQo2w3yaYxjB5HMw5IO4Iy5 +gsAQIbh6f+XHfhIRl8KdaZ+jp44qgYc+onLEHgkeJKvzjbHopRdkJCpZ7fGkjVpm +a2HRGtVhAoGBAOyfdWiYrWsejOAmPJseBLLwS3X6RpfmxpOyvYzYVrolZae3IpQZ +lVCP7hWvVBaqEMkyU1oKRJNwH2y/TRt4e6g/cyqnfwlksGHg/Sc6VqnES9E/kuu6 +SZw4FRAG/+3BrI2xjMpzYr34ZR8klnz5ymqb2U3o+HtJ9MXxMCwNPzE9AoGBAPlB +dYI7PDNHL5rj6g/qqjfWTfAqZ2C9SeIRsCIslHWXdOESY+0Eqw3uFB8PNfI13zq6 +ylbANWkKG/7j6teh4pLA2MELW6rCGfMJeVDDlhhfbqMxXFgMVg/5FFzNaupA4IKu +/CCKZKs8WP/4pxGMsI8v7G3cWaiZ2X32ppkTFN5JAoGBAI443dnrgriS2TvU37Kg +XVSsJ78Wmh2tIQgfc9zXH3GtDqe65Ha91chhaknwYwtoVsSHkh/ZchRoXQsBBLiR +N0oOMQufNzUPJxD9qUtNvk815Bg2LPmws5PJBafnfSaLtUpJQIViyyPBzA3m8OjX +PrnLSNaSQ9/euNfMuxaPM79FAoGBAOWO+fB1KZ54Y0mduoXqM9a1EpasFwWrj44b +iEIRGLGsScK4MzupXvi3WeS5F4/5OZxXR97ZqtcQrnPz6OereoZ6AabZFRWRKmEB +Sq+tUmEkEztNTKTyx5hyZ+SIc31HPv5ctmwpyUlDjRxCH2w0TK+zDWao2BJFj19J +eGnmfwOxAoGAD0oQiYv5IvshFF2k3cQTy9AoIKMHR4qS1Cn2pVdU2HyAb++uCu8b +dyxCglt28ZuJRq5nGEoxXNjYjuBWiXonRbQ1thD7AxQGWeX0BzKI4Gs5ynqfAvTK +bfsGgol94RyiPYFooWKltIiwhn0RATHRQwK3PGf7qraQFXYQdu1b+eo= +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/nginx-configmap.yaml b/nginx-configmap.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c61c5b3418e08992082e6704c8df288650f3e861 --- /dev/null +++ b/nginx-configmap.yaml 
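Review bot: `keys/priv_vault.key` is an unencrypted RSA private key committed to the repository, and its modulus matches the `vault.chepia.ch` certificate added under certs/ in this same commit, so this appears to be the live TLS key of the Vault listener. Treat it as compromised: revoke the certificate and generate a new key pair, delete the file and purge it from history (`git filter-repo --path keys/priv_vault.key --invert-paths`), and add `keys/` and `*.key` to `.gitignore`. The matching certificate's one-day validity does not limit the exposure if the same key is reused at renewal.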
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-configmap
+ namespace: default
+data:
+ index.html: |
+ <html>
+ <h1> Bienvenue sur l'intranet de CHEPIA </h1>
+ <h3> Certificats gratos !! </h3>
+ </html>
\ No newline at end of file
diff --git a/nginx-service.yaml b/nginx-service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1bdaa7f5851ce15c0d9d9be90bea9b9295120b0e
--- /dev/null
+++ b/nginx-service.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx
+spec:
+ ports:
+ - port: 443
+ targetPort: 80
+ protocol: TCP
+ selector:
+ app: nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: chepia-ch
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - chepia.ch
+ secretName: tls-secret
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: nginx
+ port:
+ number: 80
\ No newline at end of file
diff --git a/nginx.yaml b/nginx.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2f74c63e6e429383c5cc0dbe73346488094939a2
--- /dev/null
+++ b/nginx.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: nginx-index
+ mountPath: /usr/share/nginx/index.html
+ subPath: index.html
+ volumes:
+ - name: nginx-index
+ configMap:
+ name: nginx-configmap
diff --git a/pki-script.sh b/pki-script.sh
new file mode 100644
index 0000000000000000000000000000000000000000..845215ac4a5e868cfdf0b10ffe9316c6fd86886f
--- /dev/null
+++ b/pki-script.sh
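Review bot: The Ingress backend references service port `number: 80`, but the Service above it only declares `port: 443` (targetPort 80), so ingress-nginx cannot resolve the backend port and the route stays broken; since TLS is terminated at the Ingress and the pod listens on 80, the Service should expose port 80. The `tls` block also names host `chepia.ch` with `secretName: tls-secret` while cert.yaml requests `www.chepia.ch` into `chepia-cert`, and the rule carries no `host:`, so the cluster-issuer annotation will order a second certificate for a name the Certificate resource does not cover. The three should agree on one host, one secret and one resolvable Service port.
```yaml
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
# … unchanged: selector, Ingress metadata and annotation …
  tls:
    - hosts:
        - www.chepia.ch
      secretName: chepia-cert
  rules:
    - host: www.chepia.ch
      http:
# … unchanged: paths, backend service nginx port 80 …
```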
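Review bot: The ConfigMap is mounted at `mountPath: /usr/share/nginx/index.html`, but the official nginx image serves from `/usr/share/nginx/html/`, so the custom page is never reached and the container shows the stock welcome page; change it to `mountPath: /usr/share/nginx/html/index.html` and keep `subPath: index.html`. `image: nginx:latest` is unpinned, so every rollout may pull a different image — pin a tag or digest. For a pod that will sit behind a TLS-terminating Ingress I would also expect a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) and resource limits, none of which are set.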
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+vault secrets enable pki
+vault secrets tune -max-lease-ttl=87600h pki
+vault write -field=certificate pki/root/generate/internal \
+ common_name="chepia" \
+ issuer_name="root" \
+ ttl=87600h > root_ca.crt
+vault write pki/config/cluster \
+ path=http://10.1.1.100:8200/v1/pki \
+ aia_path=http://10.1.1.100:8200/v1/pki
+vault write pki/roles/2023-servers \
+ allow_any_name=true \
+ no_store=false
+vault write pki/config/urls \
+ issuing_certificates={{cluster_aia_path}}/issuer/{{issuer_id}}/der \
+ crl_distribution_points={{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der \
+ ocsp_servers={{cluster_path}}/ocsp \
+ enable_templating=true
+vault secrets enable -path=pki_int pki
+vault secrets tune -max-lease-ttl=43800h pki_int
+vault write -format=json pki_int/intermediate/generate/internal \
+ common_name="chepia Intermediate Authority" \
+ issuer_name="chepia-intermediate" \
+ | jq -r '.data.csr' > pki_intermediate.csr
+vault write -format=json pki/root/sign-intermediate \
+ issuer_ref="root" \
+ csr=@pki_intermediate.csr \
+ format=pem_bundle ttl="43800h" \
+ | jq -r '.data.certificate' > intermediate.cert.pem
+vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
+vault write pki_int/config/cluster \
+ path=http://10.1.1.100:8200/v1/pki_int \
+ aia_path=http://10.1.1.100:8200/v1/pki_int
+vault write pki_int/roles/learn \
+ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
+ allow_any_name=true \
+ max_ttl="720h" \
+ no_store=false
+vault write pki_int/config/urls \
+ issuing_certificates={{cluster_aia_path}}/issuer/{{issuer_id}}/der \
+ crl_distribution_points={{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der \
+ ocsp_servers={{cluster_path}}/ocsp \
+ enable_templating=true
\ No newline at end of file
diff --git a/root-ca.pem b/root-ca.pem
new file mode 100644
index 0000000000000000000000000000000000000000..7e663cbe9945b7d813f4a5fd706b6eae59d1df5b
--- /dev/null
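Review bot: Both roles are created with `allow_any_name=true` and no `allowed_domains`, so any identity that can reach `pki_int/issue/learn` — or, worse, `pki/issue/2023-servers` directly on the root mount — can obtain a certificate for an arbitrary name. The root mount should not carry a leaf-issuing role at all (issue only from pki_int), and the intermediate role should be constrained, e.g. `allowed_domains="chepia.ch" allow_subdomains=true allow_any_name=false`. The cluster and AIA paths are also hard-coded to `http://10.1.1.100:8200`, which differs from the `10.152.183.192` and `127.0.0.1` addresses used elsewhere in this commit; deriving them from a single variable (`VAULT_ADDR`-based) keeps the AIA/CRL URLs embedded in issued certificates reachable. `set -euxo pipefail` is a good start, though `-x` will echo every expanded argument to the log if the script ever grows to pass tokens.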
+++ b/root-ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDpDCCAoygAwIBAgIUdngCFh4AZage9ffHfhb+6PAOWBswDQYJKoZIhvcNAQEL
+BQAwFTETMBEGA1UEAxMKY2hlcGlhLmNvbTAeFw0yNDA0MTEwODU4MTFaFw0yNDA0
+MjUwODU4NDFaMBUxEzARBgNVBAMTCmNoZXBpYS5jb20wggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCtlEn2mLiEheoyD35X6b/DdefcmNz7JY6f6LsaEOoD
+tsWLgwjaHfnmHAHmk19bUVZ3xMa41h9x5cgwKI5bwBCMMLlYCHJTg8t/ypmXujSo
+OHF0L1TWT9BFTEdNTDTaBzSr23TDlw9pH9lWjRPO/RUa+1ha2k2mcmC7kYdgBb4C
+FlIDyEtCDqnPG71lFyXlJng5d0P9O9E3rhqY9i5hda61hVVFecXbq9wYdpC3HTH6
+RTTODgYmplBP23pFE/nFYh7S6sAdem++nXmjd8d9ueuW6fj5J+y+jJvDZhs/MOUg
+Eo3zUmQ0bePTPCzYz4ypLeizxKTBUg8D00T/bmSJjgzfAgMBAAGjgeswgegwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIlY8XuRG9Vt
+NWNhbOAkaJla4okdMB8GA1UdIwQYMBaAFIlY8XuRG9VtNWNhbOAkaJla4okdMDsG
+CCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAoYfaHR0cDovLzEyNy4wLjAuMTo4MjAw
+L3YxL3BraS9jYTAVBgNVHREEDjAMggpjaGVwaWEuY29tMDEGA1UdHwQqMCgwJqAk
+oCKGIGh0dHA6Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2kvY3JsMA0GCSqGSIb3DQEB
+CwUAA4IBAQB0/mlosXIWrXbWMgkhIgErJYwFfQGO7zx3gk0+flWqzW1hAUGZy31v
+diWRopZTOmsDI7bPBhdwBfKvyrueJxL36lOfndlYT5gAqT4s5EXztIA1kHvwidAA
+Xj8CIV7pgBUisW5lL1Zny0FfG6D5/xDlUH2gpmiDhb+4f5V4ThQ6m5gyw9UkaTUf
+6YRZOYu57i7YGAXCRCJszXWbiJS/QYMN5p8vVwalCQgw5NS1k/NmKq5tJDnz/F4n
+mEVfaGHvI8x7a1ryk1JV+fkAZluSHRAQAb4voLYpv2MmPJ+l5cCQPO5tmwHjD6Gm
+6sajcMYacVaEX7ew5EUosSxpgUVfut2e
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/vault-issuer.yaml b/vault-issuer.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..31eb9bdbd883c6f79c1264c1b65b73c6e2f2a413
--- /dev/null
+++ b/vault-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: vault-issuer
+ namespace: default
+spec:
+ vault:
+ server: http://vault.default:8200
+ path: pki_int/sign/chepia-dot-ch
+ auth:
+ kubernetes:
+ mountPath: /v1/auth/kubernetes
+ role: issuer
+ secretRef:
+ name: issuer-token-lmzpj
+ key: token
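Review bot: Decoding the base64 suggests this root CA (`CN=chepia.com`, CA:TRUE) is valid only from 2024-04-11 to 2024-04-25 and embeds AIA and CRL URLs of `http://127.0.0.1:8200/v1/pki/ca` and `http://127.0.0.1:8200/v1/pki/crl`, so no client outside the Vault pod can fetch its CRL and the entire chain stops validating two weeks after issuance; it is also not the root pki-script.sh would produce (that one is `CN=chepia` with an 87600h TTL). If this file is meant as the trust anchor handed to clients and to `caBundle` in acme.yaml, regenerate it with the mount's cluster `path`/`aia_path` set to a reachable hostname before `root/generate/internal`, give it a realistic lifetime, and replace this copy — a stale root in the repo will keep being trusted long after it is useless.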
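Review bot: `server: http://vault.default:8200` sends the service-account token from `issuer-token-lmzpj` to Vault in cleartext over the cluster network, and nothing authenticates the Vault endpoint, so a pod able to intercept or impersonate `vault.default` obtains a token that can sign certificates. Use `server: https://vault.default:8200` with `caBundle` (or `caBundleSecretRef`), and prefer `serviceAccountRef: {name: issuer}` under `auth.kubernetes` to the static `secretRef`, which depends on a long-lived token Secret. `path: pki_int/sign/chepia-dot-ch` also names a role that nothing in this commit creates — pki-script.sh defines `learn` on pki_int and `2023-servers` on pki — so signing will fail with a missing-role error unless that role exists out of band.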