Loading services/nginx/nginx_prepare.sh +99 −60 Original line number Diff line number Diff line Loading @@ -5,6 +5,11 @@ cd $CERTS_FOLDER VAULT_ADDR="http://$VAULT_HOSTNAME:$VAULT_PORT" VAULT_TOKEN=$VAULT_ACCESS_TOKEN CAPIF_HOSTNAME="${CAPIF_HOSTNAME:-capifcore}" HELPER_URL="http://$HELPER_HOST:8080/api/getCcfId" # Maximum number of retry attempts MAX_RETRIES=30 # Delay between retries (in seconds) Loading @@ -12,26 +17,19 @@ RETRY_DELAY=10 # Attempt counter ATTEMPT=0 # Success check SUCCES_OPERATION=false SUCCESS_OPERATION=false while [ $ATTEMPT -lt $MAX_RETRIES ]; do # Increment ATTEMPT using eval eval "ATTEMPT=\$((ATTEMPT + 1))" echo "Attempt $ATTEMPT of $MAX_RETRIES" # Make the request to Vault and store the response in a variable RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request GET "$VAULT_ADDR/v1/secret/data/ca" | jq -r '.data.data.ca') echo "$RESPONSE" RESPONSE=$(curl -s --connect-timeout 5 --max-time 10 "$HELPER_URL") CCF_ID=$(echo "$RESPONSE" | jq -r '.ccf_id') # Check if the response is "null" or empty if [ -n "$RESPONSE" ] && [ "$RESPONSE" != "null" ]; then echo "$RESPONSE" > $CERTS_FOLDER/ca.crt openssl verify -CAfile $CERTS_FOLDER/ca.crt $CERTS_FOLDER/ca.crt echo "CA Root successfully saved." SUCCES_OPERATION=true if [ -n "$CCF_ID" ] && [ "$CCF_ID" != "null" ]; then echo "CCF ID retrieved successfully: $CCF_ID" SUCCESS_OPERATION=true break else echo "Invalid response ('null' or empty), retrying in $RETRY_DELAY seconds..." Loading 
@@ -39,79 +37,120 @@ while [ $ATTEMPT -lt $MAX_RETRIES ]; do fi done if [ "$SUCCES_OPERATION" = false ]; then echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts." exit 1 # Exit with failure if [ "$SUCCESS_OPERATION" = false ]; then echo "Error: Failed to retrieve CCF ID after $MAX_RETRIES attempts." exit 1 fi # Setup inital value to ATTEMPT and SUCCESS_OPERATION ATTEMPT=0 SUCCES_OPERATION=false SUCCESS_OPERATION=false while [ $ATTEMPT -lt $MAX_RETRIES ]; do # Increment ATTEMPT using eval eval "ATTEMPT=\$((ATTEMPT + 1))" ATTEMPT=$((ATTEMPT + 1)) echo "Attempt $ATTEMPT of $MAX_RETRIES" # Make the request to Vault and store the response in a variable RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ CA_RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request GET "$VAULT_ADDR/v1/secret/data/server_cert" | jq -r '.data.data.cert') echo "$RESPONSE" --request GET "$VAULT_ADDR/v1/secret/data/ca" | jq -r '.data.data.ca') # Check if the response is "null" or empty if [ -n "$RESPONSE" ] && [ "$RESPONSE" != "null" ]; then echo "$RESPONSE" > $CERTS_FOLDER/server.crt echo "Server Certificate successfully saved." ATTEMPT=0 SUCCES_OPERATION=true if [ -n "$CA_RESPONSE" ] && [ "$CA_RESPONSE" != "null" ]; then echo "$CA_RESPONSE" > $CERTS_FOLDER/ca.crt echo "CA Root successfully saved." SUCCESS_OPERATION=true break else echo "Invalid response ('null' or empty), retrying in $RETRY_DELAY seconds..." echo "Invalid response retrieving CA. Retrying in $RETRY_DELAY seconds..." sleep $RETRY_DELAY fi done if [ "$SUCCES_OPERATION" = false ]; then echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts." exit 1 # Exit with failure if [ "$SUCCESS_OPERATION" = false ]; then echo "Error: Failed to retrieve CA after $MAX_RETRIES attempts." 
exit 1 fi # Setup inital value to ATTEMPT and SUCCESS_OPERATION # Reset counters ATTEMPT=0 SUCCESS_OPERATION=false ############################################################### # 2) GENERATE SERVER KEY IF MISSING ############################################################### if [ ! -f server.key ]; then echo "server.key not found. Generating new private key..." openssl genrsa -out server.key 2048 else echo "server.key already exists. Skipping generation." fi ############################################################### # 3) IF NO SERVER CERT → GENERATE CSR + REQUEST SIGNING IN VAULT ############################################################### if [ ! -f server.crt ]; then SUCCESS_OPERATION=false echo "server.crt not found. Generating CSR..." openssl req -new -key server.key \ -subj "/CN=$CAPIF_HOSTNAME" \ -addext "subjectAltName=DNS:$CAPIF_HOSTNAME" \ -out server.csr CSR_CONTENT=$(sed ':a;N;$!ba;s/\n/\\n/g' server.csr) echo "Requesting certificate signing from Vault..." ATTEMPT=0 SUCCES_OPERATION=false SUCCESS_OPERATION=false while [ $ATTEMPT -lt $MAX_RETRIES ]; do # Increment ATTEMPT using eval eval "ATTEMPT=\$((ATTEMPT + 1))" ATTEMPT=$((ATTEMPT + 1)) echo "Attempt $ATTEMPT of $MAX_RETRIES" # Make the request to Vault and store the response in a variable RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request GET "$VAULT_ADDR/v1/secret/data/server_cert/private" | jq -r '.data.data.key') SIGN_RESPONSE=$(curl -s -X POST \ -H "X-Vault-Token: $VAULT_TOKEN" \ -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"$CAPIF_HOSTNAME\"}" \ "$VAULT_ADDR/v1/pki_int/sign/my-ca") echo "$RESPONSE" CERT=$(echo "$SIGN_RESPONSE" | jq -r '.data.certificate') # Check if the response is "null" or empty if [ -n "$RESPONSE" ] && [ "$RESPONSE" != "null" ]; then echo "$RESPONSE" > $CERTS_FOLDER/server.key echo "Server Key successfully saved." 
ATTEMPT=0 SUCCES_OPERATION=true if [ -n "$CERT" ] && [ "$CERT" != "null" ]; then echo "$CERT" > server.crt echo "Server certificate successfully signed and saved." SUCCESS_OPERATION=true break else echo "Invalid response ('null' or empty), retrying in $RETRY_DELAY seconds..." echo "Invalid certificate response. Retrying in $RETRY_DELAY seconds..." sleep $RETRY_DELAY fi done if [ "$SUCCES_OPERATION" = false ]; then echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts." exit 1 # Exit with failure if [ "$SUCCESS_OPERATION" = false ]; then echo "Error: Failed to sign certificate after $MAX_RETRIES attempts." exit 1 fi else echo "server.crt already exists. Skipping signing." fi ############################################################### # 4) STORE CERTIFICATES IN VAULT UNDER capif/<ccf_id> ############################################################### echo "Storing CAPIF certificates in Vault..." vault kv put secret/capif/$CCF_ID/server crt=@server.crt vault kv put secret/capif/$CCF_ID/private key=@server.key vault kv put secret/capif/$CCF_ID/ca ca=@ca.crt echo "Certificates successfully stored in Vault namespace: secret/capif/$CCF_ID" ############################################################### # 5) START NGINX ############################################################### LOG_LEVEL=$(echo "${LOG_LEVEL}" | tr '[:upper:]' '[:lower:]') case "$LOG_LEVEL" in Loading Loading
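Review bot: The signing request body in step 3 is assembled by string interpolation — `$CSR_CONTENT` (newline-escaped with sed) and `$CAPIF_HOSTNAME` (taken straight from the environment) are spliced into a JSON literal, so a quote or backslash in either value, or any CSR character other than a newline that needs escaping, yields an invalid or altered body; since jq is already used here, build the body with `jq -n --arg` as below, which also lets the CSR be read once outside the retry loop. That POST is also the only curl call in the script without `--connect-timeout 5 --max-time 10`, so a single hung connection stalls the retry loop. In step 4, `$CCF_ID` is spliced unquoted into the KV path after being read from the helper response, and the three `vault kv put` results are not checked before "Certificates successfully stored" is printed; checking it against an expected shape, e.g. `printf '%s' "$CCF_ID" | grep -Eq '^[A-Za-z0-9_-]+$' || exit 1`, and adding `|| exit 1` to each `vault kv put` would close both gaps. The `case` statement this section ends on continues past the hunk, and the same diff is rendered a second time further down the page; this note applies to both copies.
```shell
# … unchanged: openssl req … -out server.csr …
SIGN_BODY=$(jq -n --arg csr "$(cat server.csr)" --arg cn "$CAPIF_HOSTNAME" \
  '{csr: $csr, format: "pem_bundle", common_name: $cn}')
echo "Requesting certificate signing from Vault..."
# … unchanged: retry loop header and attempt counter …
  SIGN_RESPONSE=$(curl -s --connect-timeout 5 --max-time 10 -X POST \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -d "$SIGN_BODY" \
    "$VAULT_ADDR/v1/pki_int/sign/my-ca")
# … unchanged: CERT extraction, null check, retry/sleep …
```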
services/nginx/nginx_prepare.sh +99 −60 Original line number Diff line number Diff line Loading @@ -5,6 +5,11 @@ cd $CERTS_FOLDER VAULT_ADDR="http://$VAULT_HOSTNAME:$VAULT_PORT" VAULT_TOKEN=$VAULT_ACCESS_TOKEN CAPIF_HOSTNAME="${CAPIF_HOSTNAME:-capifcore}" HELPER_URL="http://$HELPER_HOST:8080/api/getCcfId" # Maximum number of retry attempts MAX_RETRIES=30 # Delay between retries (in seconds) Loading @@ -12,26 +17,19 @@ RETRY_DELAY=10 # Attempt counter ATTEMPT=0 # Success check SUCCES_OPERATION=false SUCCESS_OPERATION=false while [ $ATTEMPT -lt $MAX_RETRIES ]; do # Increment ATTEMPT using eval eval "ATTEMPT=\$((ATTEMPT + 1))" echo "Attempt $ATTEMPT of $MAX_RETRIES" # Make the request to Vault and store the response in a variable RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request GET "$VAULT_ADDR/v1/secret/data/ca" | jq -r '.data.data.ca') echo "$RESPONSE" RESPONSE=$(curl -s --connect-timeout 5 --max-time 10 "$HELPER_URL") CCF_ID=$(echo "$RESPONSE" | jq -r '.ccf_id') # Check if the response is "null" or empty if [ -n "$RESPONSE" ] && [ "$RESPONSE" != "null" ]; then echo "$RESPONSE" > $CERTS_FOLDER/ca.crt openssl verify -CAfile $CERTS_FOLDER/ca.crt $CERTS_FOLDER/ca.crt echo "CA Root successfully saved." SUCCES_OPERATION=true if [ -n "$CCF_ID" ] && [ "$CCF_ID" != "null" ]; then echo "CCF ID retrieved successfully: $CCF_ID" SUCCESS_OPERATION=true break else echo "Invalid response ('null' or empty), retrying in $RETRY_DELAY seconds..." Loading 
@@ -39,79 +37,120 @@ while [ $ATTEMPT -lt $MAX_RETRIES ]; do fi done if [ "$SUCCES_OPERATION" = false ]; then echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts." exit 1 # Exit with failure if [ "$SUCCESS_OPERATION" = false ]; then echo "Error: Failed to retrieve CCF ID after $MAX_RETRIES attempts." exit 1 fi # Setup inital value to ATTEMPT and SUCCESS_OPERATION ATTEMPT=0 SUCCES_OPERATION=false SUCCESS_OPERATION=false while [ $ATTEMPT -lt $MAX_RETRIES ]; do # Increment ATTEMPT using eval eval "ATTEMPT=\$((ATTEMPT + 1))" ATTEMPT=$((ATTEMPT + 1)) echo "Attempt $ATTEMPT of $MAX_RETRIES" # Make the request to Vault and store the response in a variable RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ CA_RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request GET "$VAULT_ADDR/v1/secret/data/server_cert" | jq -r '.data.data.cert') echo "$RESPONSE" --request GET "$VAULT_ADDR/v1/secret/data/ca" | jq -r '.data.data.ca') # Check if the response is "null" or empty if [ -n "$RESPONSE" ] && [ "$RESPONSE" != "null" ]; then echo "$RESPONSE" > $CERTS_FOLDER/server.crt echo "Server Certificate successfully saved." ATTEMPT=0 SUCCES_OPERATION=true if [ -n "$CA_RESPONSE" ] && [ "$CA_RESPONSE" != "null" ]; then echo "$CA_RESPONSE" > $CERTS_FOLDER/ca.crt echo "CA Root successfully saved." SUCCESS_OPERATION=true break else echo "Invalid response ('null' or empty), retrying in $RETRY_DELAY seconds..." echo "Invalid response retrieving CA. Retrying in $RETRY_DELAY seconds..." sleep $RETRY_DELAY fi done if [ "$SUCCES_OPERATION" = false ]; then echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts." exit 1 # Exit with failure if [ "$SUCCESS_OPERATION" = false ]; then echo "Error: Failed to retrieve CA after $MAX_RETRIES attempts." 
exit 1 fi # Setup inital value to ATTEMPT and SUCCESS_OPERATION # Reset counters ATTEMPT=0 SUCCESS_OPERATION=false ############################################################### # 2) GENERATE SERVER KEY IF MISSING ############################################################### if [ ! -f server.key ]; then echo "server.key not found. Generating new private key..." openssl genrsa -out server.key 2048 else echo "server.key already exists. Skipping generation." fi ############################################################### # 3) IF NO SERVER CERT → GENERATE CSR + REQUEST SIGNING IN VAULT ############################################################### if [ ! -f server.crt ]; then SUCCESS_OPERATION=false echo "server.crt not found. Generating CSR..." openssl req -new -key server.key \ -subj "/CN=$CAPIF_HOSTNAME" \ -addext "subjectAltName=DNS:$CAPIF_HOSTNAME" \ -out server.csr CSR_CONTENT=$(sed ':a;N;$!ba;s/\n/\\n/g' server.csr) echo "Requesting certificate signing from Vault..." ATTEMPT=0 SUCCES_OPERATION=false SUCCESS_OPERATION=false while [ $ATTEMPT -lt $MAX_RETRIES ]; do # Increment ATTEMPT using eval eval "ATTEMPT=\$((ATTEMPT + 1))" ATTEMPT=$((ATTEMPT + 1)) echo "Attempt $ATTEMPT of $MAX_RETRIES" # Make the request to Vault and store the response in a variable RESPONSE=$(curl -s -k --connect-timeout 5 --max-time 10 \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request GET "$VAULT_ADDR/v1/secret/data/server_cert/private" | jq -r '.data.data.key') SIGN_RESPONSE=$(curl -s -X POST \ -H "X-Vault-Token: $VAULT_TOKEN" \ -d "{\"csr\":\"$CSR_CONTENT\",\"format\":\"pem_bundle\",\"common_name\":\"$CAPIF_HOSTNAME\"}" \ "$VAULT_ADDR/v1/pki_int/sign/my-ca") echo "$RESPONSE" CERT=$(echo "$SIGN_RESPONSE" | jq -r '.data.certificate') # Check if the response is "null" or empty if [ -n "$RESPONSE" ] && [ "$RESPONSE" != "null" ]; then echo "$RESPONSE" > $CERTS_FOLDER/server.key echo "Server Key successfully saved." 
ATTEMPT=0 SUCCES_OPERATION=true if [ -n "$CERT" ] && [ "$CERT" != "null" ]; then echo "$CERT" > server.crt echo "Server certificate successfully signed and saved." SUCCESS_OPERATION=true break else echo "Invalid response ('null' or empty), retrying in $RETRY_DELAY seconds..." echo "Invalid certificate response. Retrying in $RETRY_DELAY seconds..." sleep $RETRY_DELAY fi done if [ "$SUCCES_OPERATION" = false ]; then echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts." exit 1 # Exit with failure if [ "$SUCCESS_OPERATION" = false ]; then echo "Error: Failed to sign certificate after $MAX_RETRIES attempts." exit 1 fi else echo "server.crt already exists. Skipping signing." fi ############################################################### # 4) STORE CERTIFICATES IN VAULT UNDER capif/<ccf_id> ############################################################### echo "Storing CAPIF certificates in Vault..." vault kv put secret/capif/$CCF_ID/server crt=@server.crt vault kv put secret/capif/$CCF_ID/private key=@server.key vault kv put secret/capif/$CCF_ID/ca ca=@ca.crt echo "Certificates successfully stored in Vault namespace: secret/capif/$CCF_ID" ############################################################### # 5) START NGINX ############################################################### LOG_LEVEL=$(echo "${LOG_LEVEL}" | tr '[:upper:]' '[:lower:]') case "$LOG_LEVEL" in Loading