alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

add Makefile build and deploy docker image for step-ca

Browse source
This commit is contained in:
max furman 2018-11-14 17:53:17 -08:00
parent 6c063d8d53
commit f7154a9ba3
4 changed files with 332 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
Makefile
View file

@ -6,6 +6,7 @@ Q=$(if $V,,@)
PREFIX?=
SRC=$(shell find . -type f -name '*.go' -not -path "./vendor/*")
GOOS_OVERRIDE ?=
OUTPUT_ROOT=output/
# Set shell to bash for `echo -e`
SHELL := /bin/bash
@ -152,6 +153,70 @@ uninstall:
.PHONY: install uninstall
#########################################
# Building Docker Image
#
# Builds a dockerfile for step by building a linux version of the step-cli and
# then copying the specific binary when building the container.
#
# This ensures the container is as small as possible without having to deal
# with getting access to private repositories inside the container during build
# time.
#########################################
# XXX We put the output for the build in 'output' so we don't mess with how we
# do rule overriding from the base Makefile (if you name it 'build' it messes up
# the wildcarding).
DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(2)
DOCKER_BUILD=$Q docker build -t smallstep/$(1):latest -f docker/$(2) --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(1) .
docker: docker-make docker/Dockerfile.step-ca
$(call DOCKER_BUILD,step-ca,Dockerfile.step-ca)
docker-make:
mkdir -p $(DOCKER_OUTPUT)
$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
.PHONY: docker docker-make
#################################################
# Releasing Docker Images
#
# Using the docker build infrastructure, this section is responsible for
# logging into docker hub and pushing the built docker containers up with the
# appropriate tags.
#################################################
DOCKER_TAG=docker tag smallstep/$(1):latest smallstep/$(1):$(2)
DOCKER_PUSH=docker push smallstep/$(1):$(2)
docker-tag:
$(call DOCKER_TAG,step-ca,$(VERSION))
docker-push-tag: docker-tag
$(call DOCKER_PUSH,step-ca,$(VERSION))
# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
# equivalent environment
docker-login:
$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
.PHONY: docker-login docker-tag docker-push-tag
#################################################
# Targets for pushing the docker images
#################################################
# For all builds on the master branch, we actually build the container
docker-master: docker
# For all builds on the master branch with an rc tag
docker-release: docker-master docker-login docker-push-tag
.PHONY: docker-master docker-release
#########################################
# Debian
#########################################
@ -177,7 +242,6 @@ distclean: clean
# Build statically compiled step binary for various operating systems
#################################################
OUTPUT_ROOT=output/
BINARY_OUTPUT=$(OUTPUT_ROOT)binary/
BUNDLE_MAKE=v=$v GOOS_OVERRIDE='GOOS=$(1) GOARCH=$(2)' PREFIX=$(3) make $(3)bin/$(BINNAME)
RELEASE=./.travis-releases
@ -234,7 +298,7 @@ artifacts-master:
artifacts-release: artifacts-tag
# This command is called by travis directly *after* a successful build
artifacts: artifacts-$(PUSHTYPE)
artifacts: artifacts-$(PUSHTYPE) docker-$(PUSHTYPE)
.PHONY: artifacts-master artifacts-release artifacts

17
docker/Dockerfile.step-ca Normal file
View file

@ -0,0 +1,17 @@
FROM smallstep/step-cli:0.0.2-rc.17
ARG BINPATH="bin/step-ca"
ENV PORT=9000
ENV CONFIGPATH="/home/step/.step/config/ca.json"
ENV PWDPATH="/home/step/secrets/password"
COPY $BINPATH "/usr/local/bin/step-ca"
EXPOSE $PORT
VOLUME ["/home/step/.step/secrets"]
VOLUME ["/home/step/.step/config"]
VOLUME ["/home/step/secrets"]
STOPSIGNAL SIGTERM
CMD exec /bin/sh -c "/usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH"

39
docker/ca.json Normal file
View file

@ -0,0 +1,39 @@
{
"root": "/home/step/.step/secrets/root_ca.crt",
"crt": "/home/step/.step/secrets/intermediate_ca.crt",
"key": "/home/step/.step/secrets/intermediate_ca_key",
"address": ":9000",
"dnsNames": [
"ca.smallstep.com"
],
"logger": {
"format": "text"
},
"authority": {
"provisioners": [
{
"name": "mariano@smallstep.com",
"type": "jwk",
"key": {
"use": "sig",
"kty": "EC",
"kid": "DmAtZt2EhmZr_iTJJ387fr4Md2NbzMXGdXQNW1UWPXk",
"crv": "P-256",
"alg": "ES256",
"x": "jXoO1j4CXxoTC32pNzkVC8l6k2LfP0k5ndhJZmcdVbk",
"y": "c3JDL4GTFxJWHa8EaHdMh4QgwMh64P2_AGWrD0ADXcI"
},
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiOTFVWjdzRGw3RlNXcldfX1I1NUh3USJ9.FcWtrBDNgrkA33G9Ll9sXh1cPF-3jVXeYe1FLmSDc_Q2PmfLOPvJOA.0ZoN32ayaRWnufJb.WrkffMmDLWiq1-2kn-w7-kVBGW12gjNCBHNHB1hyEdED0rWH1YWpKd8FjoOACdJyLhSn4kAS3Lw5AH7fvO27A48zzvoxZU5EgSm5HG9IjkIH-LBJ-v79ShkpmPylchgjkFhxa5epD11OIK4rFmI7s-0BCjmJokLR_DZBhDMw2khGnsr_MEOfAz9UnqXaQ4MIy8eT52xUpx68gpWFlz2YP3EqiYyNEv0PpjMtyP5lO2i8-p8BqvuJdus9H3fO5Dg-1KVto1wuqh4BQ2JKTauv60QAnM_4sdxRHku3F_nV64SCrZfDvnN2ve21raFROtyXaqHZhN6lyoPxDncy8v4.biaOblEe0N-gMpJyFZ-3-A"
}
]
},
"tls": {
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
],
"minVersion": 1.2,
"maxVersion": 1.2,
"renegotiation": false
}
}

210
docker/k8s Executable file
View file

@ -0,0 +1,210 @@
#!/bin/sh
CA_NAME="ca"
CA_NAMESPACE="step"
DEMO_NAMESPACE="step-demo"
DEMO_ENVIRONMENT="staging"
# The name of an image pull secret (e.g., for private docker hub images)
# Set to "none" for no pull secret.
IMAGE_PULL_SECRET="none"
while getopts "c:d:n:e:h:t:p:i:" opt; do
case "$opt" in
h)
show_help
exit 0
;;
c)
CA_NAMESPACE=$OPTARG
;;
n)
CA_NAME=$OPTARG
;;
e)
DEMO_ENVIRONMENT=$OPTARG
;;
d)
DEMO_NAMESPACE=$OPTARG
;;
t)
INSTALL_TYPE=$OPTARG
;;
p)
PROVISIONER_TYPE=$OPTARG
;;
i)
IMAGE_PULL_SECRET=$OPTARG
;;
esac
done
shift $((OPTIND-1))
# Various container images used throughout the script.
STEP_CA_IMAGE="localhost:5000/smallstep/step-ca:latest"
DIR=`pwd`
PKI="$(dirname "$DIR")/pki"
SECRETS="$PKI/secrets"
##
# Certificate Authority installation (prints yaml to stdout).
##
install_ca()
{
read -p "CA Private Key Password: " -s password
(>&2 echo "")
tmp=$(mktemp -d /tmp/step.XXXXXX)
(
cd "$tmp"
# Bundle up certificates and private key into ConfigMap
mkdir $tmp/certificates
cp $SECRETS/root_ca.crt $tmp/certificates
cp $SECRETS/intermediate_ca.crt $tmp/certificates/
cp $SECRETS/intermediate_ca_key $tmp/certificates/
# ConfigMap for CA configuration
mkdir $tmp/config
cp $DIR/ca.json $tmp/config/ca.json
# Create the namespace
echo "---" > $tmp/step-ca.yml
echo "apiVersion: v1" >> $tmp/step-ca.yml
echo "kind: Namespace" >> $tmp/step-ca.yml
echo "metadata:" >> $tmp/step-ca.yml
echo " name: $CA_NAMESPACE" >> $tmp/step-ca.yml
echo "---" >> $tmp/step-ca.yml
# Create certificates configmap
echo "apiVersion: v1" >> $tmp/step-ca.yml
echo "kind: ConfigMap" >> $tmp/step-ca.yml
kubectl create configmap ca-certificates -n $CA_NAMESPACE --from-file `pwd`/certificates --dry-run -o yaml >> $tmp/step-ca.yml
echo "" >> $tmp/step-ca.yml
echo "---" >> $tmp/step-ca.yml
# Create a CA configuration configmap
echo "" >> $tmp/step-ca.yml
echo "apiVersion: v1" >> $tmp/step-ca.yml
echo "kind: ConfigMap" >> $tmp/step-ca.yml
kubectl create configmap ca-config -n $CA_NAMESPACE --from-file `pwd`/config --dry-run -o yaml >> $tmp/step-ca.yml
echo "" >> $tmp/step-ca.yml
echo "---" >> $tmp/step-ca.yml
# Create a secret with the CA password in it
echo "" >> $tmp/step-ca.yml
echo "apiVersion: v1" >> $tmp/step-ca.yml
echo "kind: Secret" >> $tmp/step-ca.yml
kubectl create secret generic ca-certificate-password -n $CA_NAMESPACE --from-literal=password="$password" --dry-run -o yaml >> $tmp/step-ca.yml
)
echo "" >> $tmp/step-ca.yml
echo "---" >> $tmp/step-ca.yml
echo "" >> $tmp/step-ca.yml
cat <<EOF >> $tmp/step-ca.yml
apiVersion: v1
kind: Service
metadata:
labels:
service: $CA_NAME
name: $CA_NAME
namespace: $CA_NAMESPACE
spec:
type: ClusterIP
ports:
- name: headless
port: 443
targetPort: 9000
selector:
service: $CA_NAME
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: $CA_NAME
spec:
minAvailable: 1
selector:
matchLabels:
service: $CA_NAME
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: $CA_NAME
namespace: $CA_NAMESPACE
spec:
replicas: 1
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
service: $CA_NAME
spec:
containers:
- name: $CA_NAME
image: $STEP_CA_IMAGE
resources:
requests:
cpu: 100m
memory: 20Mi
readinessProbe:
httpGet:
path: /health
port: 443
scheme: HTTPS
initialDelaySeconds: 3
periodSeconds: 3
livenessProbe:
httpGet:
path: /health
port: 443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 3
volumeMounts:
- name: certificates
mountPath: /home/step/.step/secrets
readOnly: true
- name: config
mountPath: /home/step/.step/config
readOnly: true
- name: secrets
mountPath: /home/step/secrets
readOnly: true
securityContext:
runAsUser: 1000
allowPrivilegeEscalation: false
volumes:
- name: certificates
configMap:
name: ca-certificates
- name: config
configMap:
name: ca-config
- name: secrets
secret:
secretName: ca-certificate-password
EOF
cat $tmp/step-ca.yml
rm -rf "$tmp"
}
install_ca