Loading helm/vault-job/vault-intermediate-cert.yaml 0 → 100644 +134 −0 Original line number Original line Diff line number Diff line --- apiVersion: v1 kind: ConfigMap metadata: name: vault-prepare-certs namespace: ocf-vault labels: io.kompose.service: api-invocation-logs app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif data: vault-prepare-certs.sh: |- #!/bin/sh echo "install dependencies" apk add --no-cache jq openssl # Setup environment variables of Vault export VAULT_ADDR='http://vault-internal:8200' # In standalone's mode. Please use the root's token # or the token with the sufficient permissions # to execute the next commands in vault # otherwise, if use the vault as dev's mode. Just # type the token's dev. export VAULT_TOKEN="hvs.uep34a8lgUyMd0YzaNHWv72O" cat > ca_intermediate.crt << EOF -----BEGIN CERTIFICATE----- INCLUDE_HERE_THE_CA_INTER -----END CERTIFICATE----- EOF cat > server_certificate.crt << EOF -----BEGIN CERTIFICATE----- INCLUDE_HERE_THE_SERVER_CERT -----END CERTIFICATE----- EOF cat > wildcard_etsi_org.key << EOF -----BEGIN RSA PRIVATE KEY----- INCLUDE_HERE_THE_PRIVATE_KEY -----END RSA PRIVATE KEY----- EOF export CA_INTER_FILE_PATH=ca_intermediate.crt export SERVER_CERT_FILE_PATH=server_certificate.crt export SERVER_KEY=wildcard_etsi_org.key # Check if the variables are set and not empty if [ -z "$CA_INTER_FILE_PATH" ] || [ -z "$SERVER_CERT_FILE_PATH" ] || [ -z "$SERVER_KEY" ]; then echo "Error: CA_INTER_FILE_PATH, SERVER_CERT_FILE_PATH, and SERVER_KEY must be set and not empty." 
exit 1 fi # Enable the PKI secrets engine vault secrets enable pki echo "# Generate the root certificate #" vault secrets tune -max-lease-ttl=87600h pki vault write -field=certificate pki/root/generate/internal \ common_name="capif" \ issuer_name="root-self-signed" \ ttl=87600h > root_ca.crt echo "# check root_ca.crt #" cat root_ca.crt # Configure the issuing URLs vault write pki/config/urls \ issuing_certificates="$VAULT_ADDR/v1/pki/ca" \ crl_distribution_points="$VAULT_ADDR/v1/pki/crl" # Enable the PKI secrets engine at the intermediate path vault secrets enable -path=pki_int pki # Import the existing intermediate CA certificate vault write pki_int/intermediate/set-signed certificate=@$CA_INTER_FILE_PATH cat > cert_chain.crt << EOF $(cat "$SERVER_CERT_FILE_PATH") $(cat "$CA_INTER_FILE_PATH") EOF echo "### content of cert_chain.crt ###" cat cert_chain.crt openssl x509 -pubkey -noout -in $SERVER_CERT_FILE_PATH > server_certificate_pub.pem echo "### enable secrets kv ###" vault secrets enable -path=secret -version=2 kv vault kv put secret/ca ca=@cert_chain.crt vault kv put secret/server_cert cert=@$SERVER_CERT_FILE_PATH vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem vault kv put secret/server_cert/private key=@$SERVER_KEY --- apiVersion: batch/v1 kind: Job metadata: name: vault-pki namespace: ocf-vault labels: io.kompose.service: vault-pki app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif spec: template: spec: containers: - name: vault-pki image: docker.io/hashicorp/vault:1.15.1 command: ["./vault-prepare-certs.sh"] volumeMounts: - name: vault-prepare-certs mountPath: vault-prepare-certs.sh subPath: vault-prepare-certs.sh restartPolicy: Never volumes: - name: vault-prepare-certs configMap: name: vault-prepare-certs defaultMode: 0777 items: - key: "vault-prepare-certs.sh" path: "vault-prepare-certs.sh" backoffLimit: 4 helm/vault-job/vault-self-signed-cert.yaml 0 → 100644 +204 −0 Original line number Original line Diff 
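Review bot: The ConfigMap script embeds a live-looking Vault token, `export VAULT_TOKEN="hvs.uep34a8lgUyMd0YzaNHWv72O"`, plus three heredocs meant to be filled in with the intermediate CA cert, the server cert and the RSA private key, so once populated the token and key sit in git and in a ConfigMap readable by anyone with `get configmaps` in ocf-vault rather than in any secret store. That token should be revoked, and both it and the PEM material should come from a Kubernetes Secret (`valueFrom.secretKeyRef` for `VAULT_TOKEN`, a `secret` volume for the files) with the script reading the mounted paths instead of embedding them. The `-z` test is vacuous because the three variables are assigned unconditionally just above it; a check that the placeholders were really replaced, `grep -q 'INCLUDE_HERE_THE' "$CA_INTER_FILE_PATH" "$SERVER_CERT_FILE_PATH" "$SERVER_KEY" && { echo "placeholders not replaced"; exit 1; }`, catches the actual failure mode, and `set -e` after the shebang stops the Job from pushing a partial set of `vault kv put` entries when an earlier `vault write` fails. `VAULT_ADDR` is plain `http://vault-internal:8200`, so the token and private key cross the cluster network in cleartext, and `defaultMode: 0777` on the script volume is wider than the `0555` it needs.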
line number Diff line --- apiVersion: v1 kind: ConfigMap metadata: name: vault-prepare-certs namespace: ocf-vault labels: io.kompose.service: api-invocation-logs app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif data: vault-prepare-certs.sh: |- #!/bin/sh echo "install dependencies" apk add --no-cache jq openssl # Setup environment variables of Vault export VAULT_ADDR='http://vault-internal:8200' # In standalone's mode. Please use the root's token # or the token with the sufficient permissions # to execute the next commands in vault # otherwise, if use the vault as dev's mode. Just # type the token's dev. export VAULT_TOKEN="" export DOMAIN1=*.ocf.pre-production export DOMAIN2=*.ocf.validation export DOMAIN3=*.ocf.develop export DOMAIN4=*etsi.org export NAMESPACE_OCF_CAPIF=ocf-capif # local domains # export DOMAIN4=*.pre-prod.svc.cluster.local # export DOMAIN5=*.staging.svc.cluster.local # export DOMAIN6=*.developer.svc.cluster.local # Enable the PKI secrets engine vault secrets enable pki echo "# Generate the root certificate #" vault secrets tune -max-lease-ttl=87600h pki vault write -field=certificate pki/root/generate/internal \ common_name="capif" \ issuer_name="root-self-signed" \ ttl=87600h > root_ca.crt echo "# check root_ca.crt #" cat root_ca.crt # Configure the issuing URLs vault write pki/config/urls \ issuing_certificates="$VAULT_ADDR/v1/pki/ca" \ crl_distribution_points="$VAULT_ADDR/v1/pki/crl" # Enable the PKI secrets engine at the intermediate path vault secrets enable -path=pki_int pki # Generate an intermediate and save the CSR vault secrets tune -max-lease-ttl=43800h pki_int vault write -format=json pki_int/intermediate/generate/internal \ common_name="capif Intermediate Authority" \ issuer_name="capif-intermediate" \ | jq -r '.data.csr' > pki_intermediate.csr echo "### content pki_intermediate.csr ###" cat pki_intermediate.csr # Sign the intermediate certificate with the root certificate vault write -format=json 
pki/root/sign-intermediate \ issuer_ref="root-2023" \ csr=@pki_intermediate.csr \ format=pem_bundle ttl="43800h" \ | jq -r '.data.certificate' > intermediate.cert.pem # Import the signed intermediate certificate back into Vault vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem #Create rol in Vault vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=false allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h #Create CSR openssl genrsa -out ./server.key 2048 cat > ./foo.cnf <<EOF [ req ] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] countryName = \$ENV::COUNTRY countryName_default = \$ENV::COUNTRY stateOrProvinceName = \$ENV::STATE stateOrProvinceName_default = \$ENV::STATE localityName = \$ENV::LOCALITY localityName_default = \$ENV::LOCALITY organizationName = \$ENV::ORGNAME organizationName_default = \$ENV::ORGNAME organizationalUnitName = \$ENV::ORGUNIT organizationalUnitName_default = \$ENV::ORGUNIT commonName = capif commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 emailAddress_default = \$ENV::EMAIL [ v3_req ] subjectAltName = @alt_names [alt_names] DNS.1 = \$ENV::DOMAIN1 DNS.2 = \$ENV::DOMAIN2 DNS.3 = \$ENV::DOMAIN3 DNS.4 = \$ENV::DOMAIN4 EOF export COUNTRY=ES # 2 letter country-code export STATE=Madrid # state or province name export LOCALITY=Madrid # Locality Name (e.g. city) export ORGNAME="Telefonica I+D" # Organization Name (eg, company) export ORGUNIT=Innovation # Organizational Unit Name (eg. 
section) export COMMONNAME="nginx.$NAMESPACE_OCF_CAPIF.svc.cluster.local" export EMAIL=inno@tid.es # certificate's email address # optional extra details CHALLENGE="" # challenge password COMPANY="" # company name # DAYS="-days 365" # create the certificate request openssl req -new $DAYS -batch -key ./server.key -out ./server.csr -config ./foo.cnf -extensions v3_req echo "### verify the Subject Alternative Name (SAN) ###" openssl req -text -noout -verify -in ./server.csr | grep 'DNS' vault write -format=json pki_int/sign/my-ca format=pem_bundle ttl="43000h" csr=@server.csr | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json jq -r '.[0]' cert_data.json > root_ca.crt.pem echo "### content root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content server_certificate.crt.pem ###" jq -r '.[1]' cert_data.json > server_certificate.crt.pem openssl x509 -pubkey -noout -in server_certificate.crt.pem > server_certificate_pub.pem cat > certifiacte_chain.crt << EOF $(cat "root_ca.crt") $(cat "root_ca.crt.pem") EOF echo "### content of root_ca.crt ###" cat root_ca.crt echo "### content of root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content of certifiacte_chain.crt ###" cat certifiacte_chain.crt echo "### enable secrets kv ###" vault secrets enable -path=secret -version=2 kv vault kv put secret/ca ca=@certifiacte_chain.crt vault kv put secret/server_cert cert=@server_certificate.crt.pem vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem vault kv put secret/server_cert/private key=@server.key --- apiVersion: batch/v1 kind: Job metadata: name: vault-pki namespace: ocf-vault labels: io.kompose.service: vault-pki app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif spec: template: spec: containers: - name: vault-pki image: docker.io/hashicorp/vault:1.15.1 command: ["./vault-prepare-certs.sh"] volumeMounts: - name: vault-prepare-certs mountPath: 
vault-prepare-certs.sh subPath: vault-prepare-certs.sh restartPolicy: Never volumes: - name: vault-prepare-certs configMap: name: vault-prepare-certs defaultMode: 0777 items: - key: "vault-prepare-certs.sh" path: "vault-prepare-certs.sh" backoffLimit: 4 Loading
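Review bot: `pki/root/sign-intermediate` is called with `issuer_ref="root-2023"`, but the root generated a few lines earlier is named `issuer_name="root-self-signed"`, so unless an issuer called root-2023 already exists in `pki` that write fails, `intermediate.cert.pem` is empty, and with no `set -e` the script still runs `set-signed` and the KV writes with a broken chain; the two names should agree. The `my-ca` role with `allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true` lets any token that can reach `pki_int/sign/my-ca` obtain a certificate for any name, whereas scoping it to the exported domains (`allowed_domains="ocf.pre-production,ocf.validation,ocf.develop,etsi.org" allow_subdomains=true allow_glob_domains=false allow_any_name=false`) keeps the intermediate from becoming a universal signer. `DOMAIN4=*etsi.org` is not a valid wildcard SAN (the `*` must be an entire left-most label, e.g. `*.etsi.org`) and most TLS clients will reject it, `COMMONNAME` is exported but never referenced by `foo.cnf`, and the leaf `ttl="43000h"` exceeds the role's `max_ttl=4300h`, so Vault will cap it. As in vault-intermediate-cert.yaml, the empty `VAULT_TOKEN=""` should be injected from a Secret rather than edited into the ConfigMap, `VAULT_ADDR` is plaintext `http://`, `defaultMode: 0777` should be `0555`, and because this manifest reuses the `vault-prepare-certs`/`vault-pki` names in the same namespace the two files cannot be applied together.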
helm/vault-job/vault-intermediate-cert.yaml 0 → 100644 +134 −0 Original line number Original line Diff line number Diff line --- apiVersion: v1 kind: ConfigMap metadata: name: vault-prepare-certs namespace: ocf-vault labels: io.kompose.service: api-invocation-logs app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif data: vault-prepare-certs.sh: |- #!/bin/sh echo "install dependencies" apk add --no-cache jq openssl # Setup environment variables of Vault export VAULT_ADDR='http://vault-internal:8200' # In standalone's mode. Please use the root's token # or the token with the sufficient permissions # to execute the next commands in vault # otherwise, if use the vault as dev's mode. Just # type the token's dev. export VAULT_TOKEN="hvs.uep34a8lgUyMd0YzaNHWv72O" cat > ca_intermediate.crt << EOF -----BEGIN CERTIFICATE----- INCLUDE_HERE_THE_CA_INTER -----END CERTIFICATE----- EOF cat > server_certificate.crt << EOF -----BEGIN CERTIFICATE----- INCLUDE_HERE_THE_SERVER_CERT -----END CERTIFICATE----- EOF cat > wildcard_etsi_org.key << EOF -----BEGIN RSA PRIVATE KEY----- INCLUDE_HERE_THE_PRIVATE_KEY -----END RSA PRIVATE KEY----- EOF export CA_INTER_FILE_PATH=ca_intermediate.crt export SERVER_CERT_FILE_PATH=server_certificate.crt export SERVER_KEY=wildcard_etsi_org.key # Check if the variables are set and not empty if [ -z "$CA_INTER_FILE_PATH" ] || [ -z "$SERVER_CERT_FILE_PATH" ] || [ -z "$SERVER_KEY" ]; then echo "Error: CA_INTER_FILE_PATH, SERVER_CERT_FILE_PATH, and SERVER_KEY must be set and not empty." 
exit 1 fi # Enable the PKI secrets engine vault secrets enable pki echo "# Generate the root certificate #" vault secrets tune -max-lease-ttl=87600h pki vault write -field=certificate pki/root/generate/internal \ common_name="capif" \ issuer_name="root-self-signed" \ ttl=87600h > root_ca.crt echo "# check root_ca.crt #" cat root_ca.crt # Configure the issuing URLs vault write pki/config/urls \ issuing_certificates="$VAULT_ADDR/v1/pki/ca" \ crl_distribution_points="$VAULT_ADDR/v1/pki/crl" # Enable the PKI secrets engine at the intermediate path vault secrets enable -path=pki_int pki # Import the existing intermediate CA certificate vault write pki_int/intermediate/set-signed certificate=@$CA_INTER_FILE_PATH cat > cert_chain.crt << EOF $(cat "$SERVER_CERT_FILE_PATH") $(cat "$CA_INTER_FILE_PATH") EOF echo "### content of cert_chain.crt ###" cat cert_chain.crt openssl x509 -pubkey -noout -in $SERVER_CERT_FILE_PATH > server_certificate_pub.pem echo "### enable secrets kv ###" vault secrets enable -path=secret -version=2 kv vault kv put secret/ca ca=@cert_chain.crt vault kv put secret/server_cert cert=@$SERVER_CERT_FILE_PATH vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem vault kv put secret/server_cert/private key=@$SERVER_KEY --- apiVersion: batch/v1 kind: Job metadata: name: vault-pki namespace: ocf-vault labels: io.kompose.service: vault-pki app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif spec: template: spec: containers: - name: vault-pki image: docker.io/hashicorp/vault:1.15.1 command: ["./vault-prepare-certs.sh"] volumeMounts: - name: vault-prepare-certs mountPath: vault-prepare-certs.sh subPath: vault-prepare-certs.sh restartPolicy: Never volumes: - name: vault-prepare-certs configMap: name: vault-prepare-certs defaultMode: 0777 items: - key: "vault-prepare-certs.sh" path: "vault-prepare-certs.sh" backoffLimit: 4
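Review bot: A Vault token, `export VAULT_TOKEN="hvs.uep34a8lgUyMd0YzaNHWv72O"`, and a heredoc slot for an RSA private key are committed inside a ConfigMap, which is neither a secret store nor protected by the usual Secret RBAC; the token should be revoked and the token and PEM files supplied from a Kubernetes Secret (`secretKeyRef` env and a `secret` volume) that the script reads from the mount. The `-z` guard cannot fire because `CA_INTER_FILE_PATH`, `SERVER_CERT_FILE_PATH` and `SERVER_KEY` are assigned unconditionally right above it; the useful check is that the `INCLUDE_HERE_THE_*` placeholders were replaced, e.g. `grep -q 'INCLUDE_HERE_THE' "$CA_INTER_FILE_PATH" "$SERVER_CERT_FILE_PATH" "$SERVER_KEY" && { echo "placeholders not replaced"; exit 1; }`. Adding `set -e` after the shebang prevents the later `vault kv put` calls from running after a failed `vault secrets enable` or `vault write`. The cleartext `http://` `VAULT_ADDR` exposes the token and key on the wire, and `defaultMode: 0777` should be `0555`.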
helm/vault-job/vault-self-signed-cert.yaml 0 → 100644 +204 −0 Original line number Original line Diff line number Diff line --- apiVersion: v1 kind: ConfigMap metadata: name: vault-prepare-certs namespace: ocf-vault labels: io.kompose.service: api-invocation-logs app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif data: vault-prepare-certs.sh: |- #!/bin/sh echo "install dependencies" apk add --no-cache jq openssl # Setup environment variables of Vault export VAULT_ADDR='http://vault-internal:8200' # In standalone's mode. Please use the root's token # or the token with the sufficient permissions # to execute the next commands in vault # otherwise, if use the vault as dev's mode. Just # type the token's dev. export VAULT_TOKEN="" export DOMAIN1=*.ocf.pre-production export DOMAIN2=*.ocf.validation export DOMAIN3=*.ocf.develop export DOMAIN4=*etsi.org export NAMESPACE_OCF_CAPIF=ocf-capif # local domains # export DOMAIN4=*.pre-prod.svc.cluster.local # export DOMAIN5=*.staging.svc.cluster.local # export DOMAIN6=*.developer.svc.cluster.local # Enable the PKI secrets engine vault secrets enable pki echo "# Generate the root certificate #" vault secrets tune -max-lease-ttl=87600h pki vault write -field=certificate pki/root/generate/internal \ common_name="capif" \ issuer_name="root-self-signed" \ ttl=87600h > root_ca.crt echo "# check root_ca.crt #" cat root_ca.crt # Configure the issuing URLs vault write pki/config/urls \ issuing_certificates="$VAULT_ADDR/v1/pki/ca" \ crl_distribution_points="$VAULT_ADDR/v1/pki/crl" # Enable the PKI secrets engine at the intermediate path vault secrets enable -path=pki_int pki # Generate an intermediate and save the CSR vault secrets tune -max-lease-ttl=43800h pki_int vault write -format=json pki_int/intermediate/generate/internal \ common_name="capif Intermediate Authority" \ issuer_name="capif-intermediate" \ | jq -r '.data.csr' > pki_intermediate.csr echo "### content pki_intermediate.csr ###" cat 
pki_intermediate.csr # Sign the intermediate certificate with the root certificate vault write -format=json pki/root/sign-intermediate \ issuer_ref="root-2023" \ csr=@pki_intermediate.csr \ format=pem_bundle ttl="43800h" \ | jq -r '.data.certificate' > intermediate.cert.pem # Import the signed intermediate certificate back into Vault vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem #Create rol in Vault vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=false allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h #Create CSR openssl genrsa -out ./server.key 2048 cat > ./foo.cnf <<EOF [ req ] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] countryName = \$ENV::COUNTRY countryName_default = \$ENV::COUNTRY stateOrProvinceName = \$ENV::STATE stateOrProvinceName_default = \$ENV::STATE localityName = \$ENV::LOCALITY localityName_default = \$ENV::LOCALITY organizationName = \$ENV::ORGNAME organizationName_default = \$ENV::ORGNAME organizationalUnitName = \$ENV::ORGUNIT organizationalUnitName_default = \$ENV::ORGUNIT commonName = capif commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 emailAddress_default = \$ENV::EMAIL [ v3_req ] subjectAltName = @alt_names [alt_names] DNS.1 = \$ENV::DOMAIN1 DNS.2 = \$ENV::DOMAIN2 DNS.3 = \$ENV::DOMAIN3 DNS.4 = \$ENV::DOMAIN4 EOF export COUNTRY=ES # 2 letter country-code export STATE=Madrid # state or province name export LOCALITY=Madrid # Locality Name (e.g. city) export ORGNAME="Telefonica I+D" # Organization Name (eg, company) export ORGUNIT=Innovation # Organizational Unit Name (eg. 
section) export COMMONNAME="nginx.$NAMESPACE_OCF_CAPIF.svc.cluster.local" export EMAIL=inno@tid.es # certificate's email address # optional extra details CHALLENGE="" # challenge password COMPANY="" # company name # DAYS="-days 365" # create the certificate request openssl req -new $DAYS -batch -key ./server.key -out ./server.csr -config ./foo.cnf -extensions v3_req echo "### verify the Subject Alternative Name (SAN) ###" openssl req -text -noout -verify -in ./server.csr | grep 'DNS' vault write -format=json pki_int/sign/my-ca format=pem_bundle ttl="43000h" csr=@server.csr | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json jq -r '.[0]' cert_data.json > root_ca.crt.pem echo "### content root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content server_certificate.crt.pem ###" jq -r '.[1]' cert_data.json > server_certificate.crt.pem openssl x509 -pubkey -noout -in server_certificate.crt.pem > server_certificate_pub.pem cat > certifiacte_chain.crt << EOF $(cat "root_ca.crt") $(cat "root_ca.crt.pem") EOF echo "### content of root_ca.crt ###" cat root_ca.crt echo "### content of root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content of certifiacte_chain.crt ###" cat certifiacte_chain.crt echo "### enable secrets kv ###" vault secrets enable -path=secret -version=2 kv vault kv put secret/ca ca=@certifiacte_chain.crt vault kv put secret/server_cert cert=@server_certificate.crt.pem vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem vault kv put secret/server_cert/private key=@server.key --- apiVersion: batch/v1 kind: Job metadata: name: vault-pki namespace: ocf-vault labels: io.kompose.service: vault-pki app: capif app.kubernetes.io/name: capif app.kubernetes.io/instance: capif spec: template: spec: containers: - name: vault-pki image: docker.io/hashicorp/vault:1.15.1 command: ["./vault-prepare-certs.sh"] volumeMounts: - name: vault-prepare-certs mountPath: 
vault-prepare-certs.sh subPath: vault-prepare-certs.sh restartPolicy: Never volumes: - name: vault-prepare-certs configMap: name: vault-prepare-certs defaultMode: 0777 items: - key: "vault-prepare-certs.sh" path: "vault-prepare-certs.sh" backoffLimit: 4
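Review bot: The root issuer is created as `issuer_name="root-self-signed"` but `pki/root/sign-intermediate` references `issuer_ref="root-2023"`, so on a fresh `pki` mount the signing call errors out, `intermediate.cert.pem` is empty, and without `set -e` the script continues into `set-signed` and the KV writes; the two identifiers need to match. The `my-ca` role is effectively unrestricted (`allowed_domains="*" allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true`), so it should be narrowed to the exported domain list with `allow_any_name=false allow_glob_domains=false`. `DOMAIN4=*etsi.org` is not a well-formed wildcard SAN (`*.etsi.org` is), `COMMONNAME` is never used by `foo.cnf`, and `ttl="43000h"` on the sign call is above the role's `max_ttl=4300h`. The empty `VAULT_TOKEN=""` should be injected from a Secret, `VAULT_ADDR` should be HTTPS, `defaultMode: 0777` should be `0555`, and the ConfigMap/Job names collide with those in vault-intermediate-cert.yaml in the same namespace.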