Commit 77f71dfd authored by Stavros-Anastasios Charismiadis's avatar Stavros-Anastasios Charismiadis

Manage two-way interconnection (each CCF needed its own crt and key on nginx)

parent 2e62893d
+4 −1
@@ -46,6 +46,7 @@ req.get_subject().OU = 'helper'
req.get_subject().L = 'Madrid'
req.get_subject().ST = 'Madrid'
req.get_subject().C = 'ES'
# req.get_subject().CN = "superadmin{}".format(os.getenv("CAPIF_HOSTNAME"))
req.get_subject().emailAddress = 'helper@tid.es'
req.set_pubkey(key)
req.sign(key, 'sha256')
@@ -66,7 +67,9 @@ data = {
    'format':'pem_bundle',
    'ttl': ttl_superadmin_cert,
    'csr': csr_request,
    'common_name': "superadmin"
    # 'common_name': "superadmin{}".format(os.getenv("CAPIF_HOSTNAME")),
    'common_name': "superadmin",
    'alt_names': "{}".format(os.getenv("CAPIF_HOSTNAME"))
}

response = requests.request("POST", url, headers=headers, data=data, verify = config["ca_factory"].get("verify", False))
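Review bot: In the second hunk, `'alt_names': "{}".format(os.getenv("CAPIF_HOSTNAME"))` turns an unset CAPIF_HOSTNAME into the literal SAN string "None" instead of failing; read the variable once before building `data`, e.g. `capif_hostname = os.environ["CAPIF_HOSTNAME"]` (a KeyError then names the missing setting), and use `'alt_names': capif_hostname`. The commented-out `# req.get_subject().CN = ...` line in the first hunk and `# 'common_name': ...` in the second keep the previous approach only as dead code; a one-line why-comment such as `# CN stays "superadmin"; the per-host name goes into alt_names so each CCF gets its own certificate` would carry the same information. Whether these statements sit inside a function cannot be seen from the hunks.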
+105 −60
@@ -44,7 +44,51 @@ if [ "$SUCCES_OPERATION" = false ]; then
    exit 1  # Exit with failure
fi

# Setup inital value to ATTEMPT and SUCCESS_OPERATION

if [ "$VAULT_HOSTNAME" != "vault" ] ; then
  # Setup variables (Replace these or ensure they are in your environment)
  TTL="8760h"

  echo "--- Generating Private Key and CSR ---"
  # Generate Private Key
  openssl genrsa -out "$CERTS_FOLDER/server.key" 2048

  # Generate CSR
  # Note: We pass the Subject information here.
  # OpenSSL's -subj format: /C=/ST=/L=/O=/OU=/CN=/emailAddress=
  SUBJ="/C=ES/ST=Madrid/L=Madrid/O=OCF helper/OU=helper/CN=${CAPIF_HOSTNAME}/emailAddress=helper@tid.es"

  openssl req -new \
      -key "$CERTS_FOLDER/server.key" \
      -out "$CERTS_FOLDER/server.csr" \
      -subj "$SUBJ"

  echo "--- Requesting Certificate from Vault ---"

  # Prepare the CSR (Safe for JSON)
  ESC_CSR=$(awk '{printf "%s\\n", $0}' "$CERTS_FOLDER/server.csr")

  # Request and Extract Certificate in one pipeline
  # This prevents the "parse error" by passing the raw stream to jq
  curl -s --request POST \
      --header "X-Vault-Token: $VAULT_TOKEN" \
      --header "Content-Type: application/json" \
      --data "{
          \"format\": \"pem_bundle\",
          \"ttl\": \"$TTL\",
          \"csr\": \"$ESC_CSR\",
          \"common_name\": \"superadmin${CAPIF_HOSTNAME}\",
          \"alt_names\": \"${CAPIF_HOSTNAME}\"
      }" \
      "$VAULT_ADDR/v1/pki_int/sign/my-ca" | jq -r '.data.certificate' > "$CERTS_FOLDER/server.crt"

  # Validation Check
  if [ ! -s "$CERTS_FOLDER/server.crt" ] || [ "$(cat $CERTS_FOLDER/server.crt)" == "null" ]; then
      echo "ERROR: Failed to generate server.crt. Check Vault Token and Connectivity."
      exit 1
  fi
else
  # Setup initial value to ATTEMPT and SUCCESS_OPERATION
  ATTEMPT=0
  SUCCES_OPERATION=false

@@ -106,6 +150,7 @@ while [ $ATTEMPT -lt $MAX_RETRIES ]; do
          sleep $RETRY_DELAY
      fi
  done
fi

if [ "$SUCCES_OPERATION" = false ]; then
    echo "Error: Failed to retrieve a valid response after $MAX_RETRIES attempts."
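Review bot: In the first hunk of this file, `openssl genrsa -out "$CERTS_FOLDER/server.key" 2048` writes the private key with whatever umask the caller has, so the key can end up group- or world-readable; add `chmod 600 "$CERTS_FOLDER/server.key"` immediately after it (or `umask 077` before the generation). The validation check `[ "$(cat $CERTS_FOLDER/server.crt)" == "null" ]` leaves `$CERTS_FOLDER` unquoted inside the cat argument and relies on the bash-only `==`; `[ "$(cat "$CERTS_FOLDER/server.crt")" = "null" ]` is safe with spaces and POSIX. The curl pipeline discards Vault's error body (`jq -r '.data.certificate'` yields "null" on an error response), so a failed signing only produces the generic "Check Vault Token and Connectivity" message; capturing the response in a variable and printing `.errors` before extracting `.data.certificate` would make the failure actionable. The `common_name` here is `superadmin${CAPIF_HOSTNAME}` while the Python helper in this same commit sends `"superadmin"` with the hostname only in alt_names; if the Vault role constrains common names the two paths may not behave alike, which is worth confirming. The `if [ "$VAULT_HOSTNAME" != "vault" ]` block opened in the first hunk is closed by the `fi` added in the second, and the retry loop between them is outside the shown hunks.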
+4 −4
@@ -22,10 +22,10 @@ help() {
docker_version=$(docker compose version --short | cut -d',' -f1)
IFS='.' read -ra version_components <<< "$docker_version"

if [ "${version_components[0]}" -ge 2 ] && [ "${version_components[1]}" -ge 10 ]; then
  echo "Docker compose version it greater than 2.10"
if [ "${version_components[0]}" -gt 2 ] || { [ "${version_components[0]}" -eq 2 ] && [ "${version_components[1]}" -ge 10 ]; }; then
 echo "Docker compose version is greater than or equal to 2.10"
else
  echo "Docker compose version is not valid. Should be greater than 2.10"
 echo "Docker compose version is not valid. Should be >= 2.10"
 exit 1
fi
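Review bot: The rewritten comparison `if [ "${version_components[0]}" -gt 2 ] || { ... }` still misbehaves when `docker compose version --short` prints nothing (plugin absent) or a non-numeric component: `[ "" -gt 2 ]` emits "integer expression expected" and the script falls through to the else branch with a misleading "not valid" message. A guard before the check, `if [ -z "$docker_version" ]; then echo "docker compose plugin not found"; exit 1; fi`, makes that failure explicit. The `help()` in the hunk header is only the nearest preceding definition; the check appears to be top-level script code, so there is no enclosing function to cut.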