Loading services/register/Dockerfile +1 −1 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ libxslt1-dev && \ rm -rf /var/lib/apt/lists/* RUN pip3 install --no-cache-dir -r requirements.txt RUN apt-get update && apt-get install -y --no-install-recommends openssl curl redis RUN apt-get update && apt-get install -y --no-install-recommends openssl curl redis jq COPY . /usr/src/app Loading services/register/register_prepare.sh +55 −38 Original line number Diff line number Diff line Loading @@ -2,15 +2,9 @@ CERTS_FOLDER="/usr/src/app/register_service/certs" cd $CERTS_FOLDER openssl req -x509 \ -sha256 -days 356 \ -nodes \ -newkey rsa:2048 \ -subj "/CN=register/C=ES/L=Madrid" \ -keyout /usr/src/app/register_service/certs/registerCA.key -out /usr/src/app/register_service/certs/registerCA.crt openssl genrsa -out /usr/src/app/register_service/certs/register_key.key 2048 # === CONFIGURATION === VAULT_ADDR="http://$VAULT_HOSTNAME:$VAULT_PORT" VAULT_TOKEN=$VAULT_ACCESS_TOKEN COUNTRY="ES" # 2 letter country-code STATE="Madrid" # state or province name Loading 
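Review bot: The new RUN line installs jq in a second apt layer that never clears `/var/lib/apt/lists/*`, whereas the RUN just above it ends with `rm -rf /var/lib/apt/lists/*`, so the package index now lands in the image. Fold `openssl curl redis jq` into that earlier `apt-get install` or end this line with `&& rm -rf /var/lib/apt/lists/*`. Since jq is now on the path that parses Vault responses before a certificate is trusted, pinning its apt version is worth considering, though I cannot tell from the hunk whether the base image's repository is already frozen.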
@@ -19,28 +13,51 @@ ORGNAME="Telefonica I+D" # Organization Name (eg, company) ORGUNIT="Innovation" # Organizational Unit Name (eg. section) COMMONNAME=${REGISTER_HOSTNAME:-register} EMAIL="inno@tid.es" # certificate's email address # optional extra details CHALLENGE="" # challenge password COMPANY="" # company name # DAYS="-days 365" # create the certificate request cat <<__EOF__ | openssl req -new $DAYS -key /usr/src/app/register_service/certs/register_key.key -out /usr/src/app/register_service/certs/register.csr $COUNTRY $STATE $LOCALITY $ORGNAME $ORGUNIT $COMMONNAME $EMAIL $CHALLENGE $COMPANY __EOF__ openssl x509 -req -in /usr/src/app/register_service/certs/register.csr -CA /usr/src/app/register_service/certs/registerCA.crt -CAkey /usr/src/app/register_service/certs/registerCA.key -CAcreateserial -out /usr/src/app/register_service/certs/register_cert.crt -days 365 -sha256 TTL="4300h" echo "Generating private key for Register." openssl genrsa -out register_key.key 2048 echo "Creating CSR for CN=${COMMONNAME}." openssl req -new -key register_key.key \ -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGNAME}/OU=${ORGUNIT}/CN=${COMMONNAME}/emailAddress=${EMAIL}" \ -out register.csr echo "Downloading CA chain from Vault." curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \ "${VAULT_ADDR}/v1/secret/data/ca" | jq -r '.data.data.ca' > ca_root.crt if [ ! -s ca_root.crt ]; then echo "ERROR: could not retrieve CA from Vault." exit 1 fi echo "CA chain retrieved successfully." echo "Requesting certificate signature from Vault..." CSR_CONTENT=$(awk '{printf "%s\\n", $0}' register.csr) curl -s -X POST \ -H "X-Vault-Token: ${VAULT_TOKEN}" \ -d "{\"csr\": \"${CSR_CONTENT}\", \"common_name\": \"${COMMONNAME}\", \"format\": \"pem_bundle\", \"ttl\": \"${TTL}\"}" \ "${VAULT_ADDR}/v1/pki_int/sign/my-ca" \ | jq -r '.data.certificate' | awk '{gsub("\\\\n","\n")}1' > register_cert.crt if [ ! -s register_cert.crt ]; then echo "ERROR: could not retrieve signed certificate from Vault." 
exit 1 fi echo "Certificate signed successfully by Vault intermediate CA." echo "Verifying certificate chain." openssl verify -CAfile ca_root.crt register_cert.crt || { echo "WARNING: certificate verification failed" } echo "Starting Register service with signed certificate." gunicorn --certfile=/usr/src/app/register_service/certs/register_cert.crt \ --keyfile=/usr/src/app/register_service/certs/register_key.key \ --ca-certs=/usr/src/app/register_service/certs/ca_root.crt \ --bind 0.0.0.0:8080 \ --chdir /usr/src/app/register_service wsgi:app No newline at end of file Loading
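Review bot: A failed `openssl verify` only prints a WARNING and the script still runs `gunicorn` with that certificate, so the one check that ties the Vault-issued certificate to the retrieved CA is not enforced; make the `||` branch `exit 1`. The trust material itself is fetched over plaintext HTTP (`VAULT_ADDR="http://..."`), which exposes the Vault token as a reusable bearer credential on the wire and lets anyone on the path substitute `ca_root.crt`, so the address should be `https://` with `curl --cacert` pinned to the Vault listener's CA. Both `curl -s` calls also lack `-f`, and `jq -r '.data.data.ca'` turns an error response into the literal string `null`, which passes the `[ ! -s ... ]` test; use `curl -fsS` and `jq -er '... // empty'` so a Vault error fails the step. The script's first line is outside the hunk, so I cannot see whether `set -euo pipefail` is set; nothing in the hunk sets it, and `cd $CERTS_FOLDER` is unquoted and unchecked.
```shell
set -euo pipefail
cd "${CERTS_FOLDER}" || exit 1
# … unchanged: private key and CSR generation …
curl -fsS -H "X-Vault-Token: ${VAULT_TOKEN}" \
  "${VAULT_ADDR}/v1/secret/data/ca" | jq -er '.data.data.ca // empty' > ca_root.crt
# … unchanged: sign request …
openssl verify -CAfile ca_root.crt register_cert.crt || {
  echo "ERROR: signed certificate does not chain to the retrieved CA" >&2
  exit 1
}
```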
services/register/Dockerfile +1 −1 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ libxslt1-dev && \ rm -rf /var/lib/apt/lists/* RUN pip3 install --no-cache-dir -r requirements.txt RUN apt-get update && apt-get install -y --no-install-recommends openssl curl redis RUN apt-get update && apt-get install -y --no-install-recommends openssl curl redis jq COPY . /usr/src/app Loading
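Review bot: The added `apt-get install ... jq` runs as its own layer with no cache cleanup, so the apt lists the previous RUN deliberately removed are reintroduced; merge it into the earlier `apt-get install ... && rm -rf /var/lib/apt/lists/*` chain. The `redis` package on this line presumably pulls the full redis-server into the application image rather than just a client, which widens the attack surface of a service container — that is pre-existing, but worth confirming while the line is being touched.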
services/register/register_prepare.sh +55 −38 Original line number Diff line number Diff line Loading @@ -2,15 +2,9 @@ CERTS_FOLDER="/usr/src/app/register_service/certs" cd $CERTS_FOLDER openssl req -x509 \ -sha256 -days 356 \ -nodes \ -newkey rsa:2048 \ -subj "/CN=register/C=ES/L=Madrid" \ -keyout /usr/src/app/register_service/certs/registerCA.key -out /usr/src/app/register_service/certs/registerCA.crt openssl genrsa -out /usr/src/app/register_service/certs/register_key.key 2048 # === CONFIGURATION === VAULT_ADDR="http://$VAULT_HOSTNAME:$VAULT_PORT" VAULT_TOKEN=$VAULT_ACCESS_TOKEN COUNTRY="ES" # 2 letter country-code STATE="Madrid" # state or province name Loading 
@@ -19,28 +13,51 @@ ORGNAME="Telefonica I+D" # Organization Name (eg, company) ORGUNIT="Innovation" # Organizational Unit Name (eg. section) COMMONNAME=${REGISTER_HOSTNAME:-register} EMAIL="inno@tid.es" # certificate's email address # optional extra details CHALLENGE="" # challenge password COMPANY="" # company name # DAYS="-days 365" # create the certificate request cat <<__EOF__ | openssl req -new $DAYS -key /usr/src/app/register_service/certs/register_key.key -out /usr/src/app/register_service/certs/register.csr $COUNTRY $STATE $LOCALITY $ORGNAME $ORGUNIT $COMMONNAME $EMAIL $CHALLENGE $COMPANY __EOF__ openssl x509 -req -in /usr/src/app/register_service/certs/register.csr -CA /usr/src/app/register_service/certs/registerCA.crt -CAkey /usr/src/app/register_service/certs/registerCA.key -CAcreateserial -out /usr/src/app/register_service/certs/register_cert.crt -days 365 -sha256 TTL="4300h" echo "Generating private key for Register." openssl genrsa -out register_key.key 2048 echo "Creating CSR for CN=${COMMONNAME}." openssl req -new -key register_key.key \ -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGNAME}/OU=${ORGUNIT}/CN=${COMMONNAME}/emailAddress=${EMAIL}" \ -out register.csr echo "Downloading CA chain from Vault." curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \ "${VAULT_ADDR}/v1/secret/data/ca" | jq -r '.data.data.ca' > ca_root.crt if [ ! -s ca_root.crt ]; then echo "ERROR: could not retrieve CA from Vault." exit 1 fi echo "CA chain retrieved successfully." echo "Requesting certificate signature from Vault..." CSR_CONTENT=$(awk '{printf "%s\\n", $0}' register.csr) curl -s -X POST \ -H "X-Vault-Token: ${VAULT_TOKEN}" \ -d "{\"csr\": \"${CSR_CONTENT}\", \"common_name\": \"${COMMONNAME}\", \"format\": \"pem_bundle\", \"ttl\": \"${TTL}\"}" \ "${VAULT_ADDR}/v1/pki_int/sign/my-ca" \ | jq -r '.data.certificate' | awk '{gsub("\\\\n","\n")}1' > register_cert.crt if [ ! -s register_cert.crt ]; then echo "ERROR: could not retrieve signed certificate from Vault." 
exit 1 fi echo "Certificate signed successfully by Vault intermediate CA." echo "Verifying certificate chain." openssl verify -CAfile ca_root.crt register_cert.crt || { echo "WARNING: certificate verification failed" } echo "Starting Register service with signed certificate." gunicorn --certfile=/usr/src/app/register_service/certs/register_cert.crt \ --keyfile=/usr/src/app/register_service/certs/register_key.key \ --ca-certs=/usr/src/app/register_service/certs/ca_root.crt \ --bind 0.0.0.0:8080 \ --chdir /usr/src/app/register_service wsgi:app No newline at end of file
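Review bot: The sign request body is assembled by string interpolation — `CSR_CONTENT` from awk and `COMMONNAME`, which comes from the `REGISTER_HOSTNAME` environment variable — so a value containing a quote or backslash breaks the JSON or injects extra fields into the Vault PKI request; build the body with `jq -n --arg`/`--rawfile` (jq 1.6+) and feed it to curl via `-d @-`. The Vault token is passed on the curl command line in `-H "X-Vault-Token: ..."`, where it is visible in `ps` to any process in the container; `curl -H @file` with a 0600 file is the usual mitigation. Separately, `gunicorn --ca-certs` on its own does not request or verify client certificates — it only matters together with `--cert-reqs` — so if mutual TLS was the intent this does not provide it, and if not the flag is misleading. The start of the script is outside the hunk.
```shell
# … unchanged: private key and CSR generation …
jq -n --rawfile csr register.csr --arg cn "${COMMONNAME}" --arg ttl "${TTL}" \
  '{csr: $csr, common_name: $cn, format: "pem_bundle", ttl: $ttl}' \
  | curl -fsS -X POST -H "X-Vault-Token: ${VAULT_TOKEN}" -d @- \
      "${VAULT_ADDR}/v1/pki_int/sign/my-ca" \
  | jq -er '.data.certificate // empty' > register_cert.crt
# … unchanged: chain verification and gunicorn start …
```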