Autocert reports into CT
parent
4fef188a3a
commit
3939e85526
8 changed files with 113 additions and 5 deletions
|
@ -12,7 +12,10 @@ USER root
|
|||
RUN curl -L https://storage.googleapis.com/kubernetes-release/release/${KUBE_LATEST_VERSION}/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl \
|
||||
&& chmod +x /usr/local/bin/kubectl
|
||||
RUN apk --update add expect
|
||||
RUN apk --update add jq
|
||||
|
||||
COPY autocert.sh /home/step/
|
||||
COPY ct.json /home/step/
|
||||
COPY ca /home/step/ca/
|
||||
RUN chmod +x /home/step/autocert.sh
|
||||
CMD ["/home/step/autocert.sh"]
|
||||
|
|
|
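Review bot: `COPY ca /home/step/ca/` bakes the whole `ca/` directory, which in this commit includes the private key `intermediate_ca_key`, into an image layer; the key then travels with every copy of the image and stays readable in layer history even if a later instruction deletes it. Mounting `ca/` at container start (a Kubernetes Secret volume, given the init script already drives `kubectl`) keeps the key out of the image, and the `autocert.sh` lines that read `./ca/` work unchanged. The two `RUN apk --update add ...` lines can be one layer, `RUN apk --update add expect jq`. The file name and header for this section are not shown on the page, so which Dockerfile this is has been inferred from the `@ -12,7 +12,10 @@ USER root` hunk.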
@ -8,8 +8,8 @@ read ANYKEY
|
|||
|
||||
STEPPATH=/home/step/.step
|
||||
|
||||
CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
|
||||
AUTOCERT_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
|
||||
CA_PASSWORD=asdf
|
||||
AUTOCERT_PASSWORD=asdf
|
||||
|
||||
echo -e "\e[1mChecking cluster permissions...\e[0m"
|
||||
|
||||
|
@ -86,13 +86,18 @@ step ca init \
|
|||
--with-ca-url "$CA_URL" \
|
||||
--password-file <(echo "$CA_PASSWORD")
|
||||
|
||||
# {"cts":[{"uri":"http://trillian.step.toys:8080/smallstep","key":"docker/ct_server/pubkey.pem"}]}
|
||||
cp -f ./ca/ca.json $(step path)/config/ca.json
|
||||
cp -f ./ca/root_ca.crt $(step path)/certs/root_ca.crt
|
||||
cp -f ./ca/pubkey.pem $(step path)/certs/pubkey.pem
|
||||
cp -f ./ca/intermediate_ca.crt $(step path)/certs/intermediate_ca.crt
|
||||
cp -f ./ca/intermediate_ca_key $(step path)/certs/intermediate_ca_key
|
||||
rm -f $(step path)/config/defaults.json
|
||||
|
||||
echo
|
||||
echo -e "\e[1mCreating autocert provisioner...\e[0m"
|
||||
|
||||
expect <<EOD
|
||||
spawn step ca provisioner add autocert --create
|
||||
spawn step ca provisioner add autocert --create --ca-config $(step path)/config/ca.json
|
||||
expect "Please enter a password to encrypt the provisioner private key? \\\\\\[leave empty and we'll generate one\\\\\\]: "
|
||||
send "${AUTOCERT_PASSWORD}\n"
|
||||
expect eof
|
||||
|
@ -101,6 +106,10 @@ EOD
|
|||
echo
|
||||
echo -e "\e[1mCreating step namespace and preparing environment...\e[0m"
|
||||
|
||||
jq -s '.[0] * .[1]' $(step path)/config/ca.json ./ct.json > $(step path)/config/_ca.json
|
||||
rm -f $(step path)/config/ca.json
|
||||
mv -f $(step path)/config/_ca.json $(step path)/config/ca.json
|
||||
|
||||
kubectl create namespace step
|
||||
|
||||
kubectl -n step create configmap config --from-file $(step path)/config
|
||||
|
|
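Review bot: The first hunk replaces the `head /dev/urandom` generation with `CA_PASSWORD=asdf` and `AUTOCERT_PASSWORD=asdf`, hardcoding the CA and provisioner passwords in the script; the same value appears as `"password": "asdf"` in the `ca/ca.json` added by this commit, which the last hunk then publishes with `kubectl -n step create configmap config --from-file $(step path)/config` into a ConfigMap rather than a Secret. If this is a demo fixture, a comment on those two lines, e.g. `# demo-only fixed password; ca/ca.json and the checked-in key expect this value`, makes that explicit; otherwise keep the random generation and patch the password into ca.json at init time with the same `jq -s '.[0] * .[1]'` merge the last hunk already uses. The `cp -f ./ca/... $(step path)/...` and `rm -f` lines in the middle hunk and the `jq`/`rm`/`mv` lines in the last one leave `$(step path)` unquoted; `"$(step path)"` is the safe form. The commented example `# {"cts":[...]}` in the middle hunk duplicates `ct.json` and will drift; a pointer such as `# CT log settings are merged in from ./ct.json below` conveys the same without a second copy of the data. The surrounding body of autocert.sh lies outside these hunks.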
62
autocert/init/ca/ca.json
Normal file
62
autocert/init/ca/ca.json
Normal file
|
@ -0,0 +1,62 @@
|
|||
{
|
||||
"root": "/home/step/.step/certs/root_ca.crt",
|
||||
"crt": "/home/step/.step/certs/intermediate_ca.crt",
|
||||
"key": "/home/step/.step/certs/intermediate_ca_key",
|
||||
"password": "asdf",
|
||||
"address": ":4443",
|
||||
"dnsNames": [
|
||||
"ca.smallstep.com",
|
||||
"ctca.step.toys",
|
||||
"ca.step.svc.cluster.local"
|
||||
],
|
||||
"logger": {
|
||||
"format": "text",
|
||||
"level": "warn"
|
||||
},
|
||||
"authority": {
|
||||
"claims": {
|
||||
"minTLSCertDuration": "1m"
|
||||
},
|
||||
"template": {
|
||||
"country": "US",
|
||||
"organization": "Smallstep Labs Inc.",
|
||||
"organizationalUnit": "",
|
||||
"locality": "San Francisco",
|
||||
"province": "CA",
|
||||
"streetAddress": "",
|
||||
"commonName": ""
|
||||
},
|
||||
"provisioners": [
|
||||
{
|
||||
"name": "mariano@smallstep.com",
|
||||
"type": "jwk",
|
||||
"key": {
|
||||
"use": "sig",
|
||||
"kty": "EC",
|
||||
"kid": "jO37dtDbku-Qnabs5VR0Yw6YFFv9weA18dp3htvdEjs",
|
||||
"crv": "P-256",
|
||||
"alg": "ES256",
|
||||
"x": "vo6GTwfXryV5WDI-_JL1FeK0k2AvWwUnSbtdSE3IQl0",
|
||||
"y": "Z4j_nNmETqTsKq-6ZCjyCIIMNE_308Mx866z3pD6sJ0"
|
||||
},
|
||||
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiUUppQnNnN3VhY2MtQ1BiN3lCM2RhdyJ9.xIundEA1ZT3zk5qP9a9nH1n5pZK2bSTuYIAq6W1vMNJTkKZWIFjtmg.ztnvv4FBPExc2arS.OukgkTrlqpsWRMYM_l4-QHJqBMhfbeW164-qmULuzoNdo1umW8WLIX3Us8newUFh1zrJKDFJfrW_KT2C022_VKXOUO6LGX9WWN7RYiUC_aOY8O73xs1yq65whD7hMxPlq2fMd85AGvv0QQTwlG2lJ_Gw_bdbB3vDIBVJa5lywraG6tyVXT15yykVdoScc6fmxasi5tuoFW4VNjZzcgQ25cdpbwj0fvLACQWQjz49cGAjfpR6I8sys2pA55HobMdbyj7lKnDTD5TUMmoMB8WvGwleKyjLwZBPAhi_Wwrj1UXh3nrEWVFPJY9VLSCIIKdilugE62mW3reTNayqvN0.z-VKtvBPBATKsDtGppbj4w"
|
||||
}
|
||||
]
|
||||
},
|
||||
"tls": {
|
||||
"cipherSuites": [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
|
||||
],
|
||||
"minVersion": 1.2,
|
||||
"maxVersion": 1.2,
|
||||
"renegotiation": false
|
||||
},
|
||||
"cts": [
|
||||
{
|
||||
"uri": "http://trillian.step.toys:8080/smallstep",
|
||||
"key": "/home/step/.step/certs/pubkey.pem"
|
||||
}
|
||||
]
|
||||
}
|
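Review bot: `"uri": "http://trillian.step.toys:8080/smallstep"` submits to the CT log over plaintext HTTP, so submissions and the returned SCTs can be observed or altered in transit; an `https://` URI, or a note in the init script stating the log is only reachable on a trusted in-cluster network, would document the intent. `"password": "asdf"` keeps the intermediate key passphrase in a file the init script later copies into a ConfigMap; the `step ca init` call in autocert.sh already passes the password via `--password-file`, and the same approach for the server would let this field stay out of the committed config. The provisioner entry `"name": "mariano@smallstep.com"` with its `encryptedKey` is a checked-in JWK, which JSON cannot annotate in place, so the README or the init script should state whether it is a demo fixture. `"minVersion": 1.2` together with `"maxVersion": 1.2` pins TLS to exactly 1.2 and excludes TLS 1.3; worth a note in the init script if that is deliberate.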
12
autocert/init/ca/intermediate_ca.crt
Normal file
12
autocert/init/ca/intermediate_ca.crt
Normal file
|
@ -0,0 +1,12 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBxTCCAWugAwIBAgIQDjIQy/8LZJZTC3tNwe6CfjAKBggqhkjOPQQDAjAcMRow
|
||||
GAYDVQQDExFTbWFsbHN0ZXAgUm9vdCBDQTAeFw0xODExMjAyMDU5MjBaFw0yODEx
|
||||
MTcyMDU5MjBaMCQxIjAgBgNVBAMTGVNtYWxsc3RlcCBJbnRlcm1lZGlhdGUgQ0Ew
|
||||
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQGMnCwtwe7GD1XE/vibfav+Z63S0lx
|
||||
H8AKvx/ek5AzVvbtih8rjtnYBBomzjHxSoIZmqdwljsEQAf1LAvgHlQwo4GGMIGD
|
||||
MA4GA1UdDwEB/wQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
|
||||
EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUu97PaFQPfuyKOeew7Hg45WFI
|
||||
AVMwHwYDVR0jBBgwFoAUF4980mRE8cQgMRTVBiUD2K+9SQswCgYIKoZIzj0EAwID
|
||||
SAAwRQIgXiW7J3QLJDw6vzoI4PnI60jjO74O9dVyZFaQbLaxSHYCIQCmfsOmp7YS
|
||||
rcJOsyNy8OjKyY9S9khfzgQdfaVfeq/QIQ==
|
||||
-----END CERTIFICATE-----
|
8
autocert/init/ca/intermediate_ca_key
Normal file
8
autocert/init/ca/intermediate_ca_key
Normal file
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,b592733c8881da2a3235dc7a30a9c118
|
||||
|
||||
SXv4oaklKb6VXK+JTzRjHwroCRvzl3eXuCyHB4Rz9gAy82dCnUvIlFanhtC3nMp1
|
||||
PQQgYaC3gbIo4mxQyChA7RLN6yfRSB67Z4U0GCZ4Eq5TFm5SAQJnUHEzt4XC0rAB
|
||||
nUFQOKTyLmwEAsQd1LrAfmGplNNUHM4tZtr41FtnObQ=
|
||||
-----END EC PRIVATE KEY-----
|
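Review bot: `intermediate_ca_key` is a CA private key checked into the repository; the `DEK-Info: AES-256-CBC,...` header shows it is passphrase-encrypted, but the passphrase is recorded as `"password": "asdf"` in `ca/ca.json` in the same commit, so the encryption adds no real protection. A committed private key should be treated as exposed even if the file is later removed, since it remains in history; generating the key at init time (as `step ca init` in autocert.sh did before this commit) or delivering it through a mounted secret avoids that. The public artifacts in this commit, `intermediate_ca.crt`, `root_ca.crt` and `pubkey.pem`, are fine to keep as fixtures.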
4
autocert/init/ca/pubkey.pem
Normal file
4
autocert/init/ca/pubkey.pem
Normal file
|
@ -0,0 +1,4 @@
|
|||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lGU8z4HuEpzmOGPN7nPRs+H8THY
|
||||
FKPgrsl2aN34CDlVIl8tyEBIIc8fFGmBGUR1WaIvHeOQcQgis3g+KFPD2Q==
|
||||
-----END PUBLIC KEY-----
|
10
autocert/init/ca/root_ca.crt
Normal file
10
autocert/init/ca/root_ca.crt
Normal file
|
@ -0,0 +1,10 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIBejCCASGgAwIBAgIQQ2IoFOF1vM1scQkJqsF3DzAKBggqhkjOPQQDAjAcMRow
|
||||
GAYDVQQDExFTbWFsbHN0ZXAgUm9vdCBDQTAeFw0xODA0MTMxNzQxMjhaFw0yODA0
|
||||
MTAxNzQxMjhaMBwxGjAYBgNVBAMTEVNtYWxsc3RlcCBSb290IENBMFkwEwYHKoZI
|
||||
zj0CAQYIKoZIzj0DAQcDQgAEZcVMwFzo0l9bk09oz7NEiMnMFqzEAr2NpEBbx9jp
|
||||
QmMtVx8LzGl8+LvBi8Xi4f3BJ3+1vWGPd75+LmnY5mPkKqNFMEMwDgYDVR0PAQH/
|
||||
BAQDAgGmMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFBePfNJkRPHEIDEU
|
||||
1QYlA9ivvUkLMAoGCCqGSM49BAMCA0cAMEQCICeD/FW/e2EVtRnjySqzeCpdbFLh
|
||||
R7roQrKEwrzQtHKAAiAsYC6RssgTFCpV6Xn7FKKGaPSlQ94bxNIaYGlj3p4FlQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -5,4 +5,4 @@ ENV CRT="/var/run/autocert.step.sm/site.crt"
|
|||
ENV KEY="/var/run/autocert.step.sm/site.key"
|
||||
ENV STEP_ROOT="/var/run/autocert.step.sm/root.crt"
|
||||
|
||||
ENTRYPOINT ["/bin/bash", "-c", "step ca renew --daemon --renew-period 2m $CRT $KEY"]
|
||||
ENTRYPOINT ["/bin/bash", "-c", "step ca renew --daemon --renew-period 1m $CRT $KEY"]
|
||||
|
|