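#!/usr/bin/env bash
#
# Demo / learning starter only: stands up a two-tier Vault PKI
# (root -> intermediate), a restrictive issuing role, and one leaf cert.
#
# Required env: VAULT_ADDR, plus a token (VAULT_TOKEN or the CLI token helper).
# Optional env overrides: ROOT_MOUNT, INT_MOUNT, ROOT_ISSUER, INT_ISSUER.
# Use strong operational controls for production root handling.
set -euo pipefail

ROOT_MOUNT=${ROOT_MOUNT:-pki-root}
INT_MOUNT=${INT_MOUNT:-pki-int}
ROOT_ISSUER=${ROOT_ISSUER:-root-2026}
INT_ISSUER=${INT_ISSUER:-int-2026}
readonly ROOT_MOUNT INT_MOUNT ROOT_ISSUER INT_ISSUER
readonly ROOT_TTL=87600h    # 10y root cert; equals the root mount's max lease TTL
readonly INT_TTL=8760h      # 1y intermediate; equals the intermediate mount's max lease TTL
readonly LEAF_MAX_TTL=24h   # ceiling for leaf certs issued by the role

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Fail fast if the environment cannot talk to Vault, instead of failing
# part-way through with half the PKI configured.
# Globals:   VAULT_ADDR (read)
# Returns:   0, or exits via die
#######################################
check_prereqs() {
  local tool
  for tool in vault jq; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
  : "${VAULT_ADDR:?VAULT_ADDR must be set}"
  # Validates whichever token source the CLI resolves (env var or token helper).
  vault token lookup >/dev/null 2>&1 || die "no valid Vault token (set VAULT_TOKEN or log in)"
}

#######################################
# Enable a PKI secrets engine at a path unless it is already mounted, then
# apply the max lease TTL. Unlike `enable ... || true`, a genuine enable
# failure (permission denied, unreachable server) is not swallowed.
# Arguments: $1 - mount path without trailing slash
#            $2 - max lease TTL for the mount
#######################################
enable_pki_mount() {
  local path=$1 max_ttl=$2
  # `vault secrets list` keys mounts by path with a trailing slash.
  if vault secrets list -format=json | jq -e --arg p "$path/" 'has($p)' >/dev/null; then
    printf 'pki engine already mounted at %s\n' "$path" >&2
  else
    vault secrets enable -path="$path" pki
  fi
  vault secrets tune -max-lease-ttl="$max_ttl" "$path"
}

#######################################
# Generate the root CA key and self-signed cert inside Vault.
# The private key never leaves Vault.
# Globals:   ROOT_MOUNT, ROOT_ISSUER, ROOT_TTL (read)
#######################################
create_root_ca() {
  vault write "$ROOT_MOUNT/root/generate/internal" \
    common_name="internal-root-ca" \
    issuer_name="$ROOT_ISSUER" \
    ttl="$ROOT_TTL"
}

#######################################
# Create the intermediate's key in Vault, have the root sign its CSR, and
# install the signed certificate on the intermediate mount.
# Only public material (CSR, certificate) touches disk, and it lives in a
# private mktemp directory rather than fixed names under /tmp, so another
# local user cannot pre-create or swap the CSR between generation and signing.
# `jq -e` turns a missing .data field into a pipeline failure instead of
# silently writing "null" into the file.
# Arguments: $1 - private scratch directory (created by the caller)
# Globals:   ROOT_MOUNT, INT_MOUNT, ROOT_ISSUER, INT_ISSUER, INT_TTL (read)
#######################################
sign_intermediate() {
  local work_dir=$1
  local csr_file="$work_dir/pki-int.csr" cert_file="$work_dir/pki-int.pem"

  vault write -format=json "$INT_MOUNT/intermediate/generate/internal" \
    common_name="internal-intermediate-ca" \
    issuer_name="$INT_ISSUER" \
    | jq -er '.data.csr' > "$csr_file"

  vault write -format=json "$ROOT_MOUNT/root/sign-intermediate" \
    issuer_ref="$ROOT_ISSUER" \
    csr=@"$csr_file" \
    format=pem_bundle \
    ttl="$INT_TTL" \
    | jq -er '.data.certificate' > "$cert_file"

  vault write "$INT_MOUNT/intermediate/set-signed" certificate=@"$cert_file"
}

#######################################
# Create the issuing role on the intermediate and issue one leaf cert.
# Globals:   INT_MOUNT, LEAF_MAX_TTL (read)
#######################################
create_role_and_issue() {
  # allow_glob_domains only matters when allowed_domains contains '*' patterns;
  # none here, so allow_subdomains is what admits the leaf names below.
  vault write "$INT_MOUNT/roles/microservice" \
    allow_any_name=false \
    allow_subdomains=true \
    allowed_domains="svc.cluster.local,internal.example" \
    allow_glob_domains=true \
    client_flag=true \
    server_flag=true \
    max_ttl="$LEAF_MAX_TTL"

  # NOTE(review): "payments-api.payments" is not under either allowed domain,
  # so Vault is expected to reject that SAN unless the role is widened — confirm.
  vault write "$INT_MOUNT/issue/microservice" \
    common_name="payments-api.payments.svc.cluster.local" \
    alt_names="payments-api.payments,payments-api.internal.example" \
    ttl=12h
}

main() {
  check_prereqs
  # Script-level (not local) so the EXIT trap can still see it after main returns.
  WORK_DIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

  enable_pki_mount "$ROOT_MOUNT" "$ROOT_TTL"
  create_root_ca
  enable_pki_mount "$INT_MOUNT" "$INT_TTL"
  sign_intermediate "$WORK_DIR"
  create_role_and_issue
}

main "$@"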
