Loading helm/vault-job/vault-job.yaml +13 −113 Original line number Diff line number Diff line Loading @@ -42,11 +42,11 @@ data: vault write -field=certificate pki/root/generate/internal \ common_name="capif" \ issuer_name="root-2023" \ ttl=87600h > root_2023_ca.crt issuer_name="root-2026" \ ttl=87600h > root_2026_ca.crt echo "# check root_2023_ca.crt #" cat root_2023_ca.crt echo "# check root_2026_ca.crt #" cat root_2026_ca.crt vault write pki/config/urls \ issuing_certificates="$VAULT_ADDR/v1/pki/ca" \ Loading @@ -67,7 +67,7 @@ data: # Firmar la CA intermedia con la CA raíz vault write -format=json pki/root/sign-intermediate \ issuer_ref="root-2023" \ issuer_ref="root-2026" \ csr=@pki_intermediate.csr \ format=pem_bundle ttl="43800h" \ | jq -r '.data.certificate' > capif_intermediate.cert.pem Loading 
@@ -92,118 +92,18 @@ data: # | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json #Create CSR openssl genrsa -out ./server.key 2048 cat > ./foo.cnf <<EOF [ req ] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] countryName = \$ENV::COUNTRY countryName_default = \$ENV::COUNTRY stateOrProvinceName = \$ENV::STATE stateOrProvinceName_default = \$ENV::STATE localityName = \$ENV::LOCALITY localityName_default = \$ENV::LOCALITY organizationName = \$ENV::ORGNAME organizationName_default = \$ENV::ORGNAME organizationalUnitName = \$ENV::ORGUNIT organizationalUnitName_default = \$ENV::ORGUNIT commonName = capif commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 emailAddress_default = \$ENV::EMAIL [ v3_req ] subjectAltName = @alt_names [alt_names] DNS.1 = \$ENV::DOMAIN1 DNS.2 = \$ENV::DOMAIN2 DNS.3 = \$ENV::DOMAIN3 EOF export COUNTRY=ES # 2 letter country-code export STATE=Madrid # state or province name export LOCALITY=Madrid # Locality Name (e.g. city) export ORGNAME="Telefonica I+D" # Organization Name (eg, company) export ORGUNIT=Innovation # Organizational Unit Name (eg. 
section) export COMMONNAME="nginx.mon.svc.cluster.local" export EMAIL=inno@tid.es # certificate's email address # optional extra details CHALLENGE="" # challenge password COMPANY="" # company name # DAYS="-days 365" # create the certificate request openssl req -new $DAYS -batch -key ./server.key -out ./server.csr -config ./foo.cnf -extensions v3_req echo "### verify the Subject Alternative Name (SAN) ###" openssl req -text -noout -verify -in ./server.csr | grep 'DNS' #cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout client.key -out client.csr #cat <<__EOF__ | openssl req -new $DAYS -key ./server.key -out ./server.csr #$COUNTRY #$STATE #$LOCALITY #$ORGNAME #$ORGUNIT #$COMMONNAME #$EMAIL #$CHALLENGE #$COMPANY #__EOF__ # vault write -format=json pki_int/issue/my-ca \ # csr=@server.csr \ # format=pem_bundle ttl="438h" \ # | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json vault write -format=json pki_int/sign/my-ca format=pem_bundle ttl="43000h" csr=@server.csr | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json jq -r '.[0]' cert_data.json > root_ca.crt.pem echo "### content root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content server_certificate.crt.pem ###" jq -r '.[1]' cert_data.json > server_certificate.crt.pem openssl x509 -pubkey -noout -in server_certificate.crt.pem > server_certificate_pub.pem #vault kv put secret/ca ca=@root_helm.pem root_2023_ca.crt #cat root_2023_ca.crt root_2023_ca.crt > ca.crt cat > certificados_concatenados.crt << EOF $(cat "root_2023_ca.crt") $(cat "root_ca.crt.pem") EOF echo "### content of root_2023_ca.crt ###" cat root_2023_ca.crt echo "### content of root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content of certificados_concatenados.crt ###" cat certificados_concatenados.crt # vault kv put secret/ca ca=@root_2023_ca.crt 
############################################################ # 4) CA BUNDLE (KV v2) ############################################################ echo "### enable secrets kv ###" vault secrets enable -path=secret -version=2 kv vault kv put secret/ca ca=@certificados_concatenados.crt vault kv put secret/server_cert cert=@server_certificate.crt.pem # Store CA bundle at secret/ca (same as docker script) vault kv put secret/ca ca=@capif_intermediate.cert.pem vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem echo "[INFO] CA bundle stored at secret/ca" vault kv put secret/server_cert/private key=@server.key #POLICY_NAME="my-policy" #POLICY_FILE="my-policy.hcl" Loading Loading
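Review bot: In the last hunk the new `vault kv put secret/ca ca=@capif_intermediate.cert.pem` stores only the intermediate certificate under a key the adjacent comment calls a "CA bundle", whereas the bundle the removed lines wrote (`certificados_concatenados.crt`) also carried the root certificate, so anything that reads secret/ca as its trust anchor may no longer be able to build a chain up to the self-signed `root-2026` issuer. Because `capif_intermediate.cert.pem` is extracted with `jq -r '.data.certificate'` from a `pki/root/sign-intermediate` call using `format=pem_bundle`, whether that field already contains the root appears to depend on Vault's treatment of a Vault-generated self-signed root, so it is worth confirming on a deployed instance how many `BEGIN CERTIFICATE` blocks the stored value holds. If only one, concatenating explicitly before storing keeps the old contract: `cat root_2026_ca.crt capif_intermediate.cert.pem > ca_bundle.crt` followed by `vault kv put secret/ca ca=@ca_bundle.crt`, and the comment should say which certificates the bundle holds. The embedded script inside `data:` starts and ends outside the hunks shown, and the duplicated rendering of this file section below shows the same change.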
helm/vault-job/vault-job.yaml +13 −113 Original line number Diff line number Diff line Loading @@ -42,11 +42,11 @@ data: vault write -field=certificate pki/root/generate/internal \ common_name="capif" \ issuer_name="root-2023" \ ttl=87600h > root_2023_ca.crt issuer_name="root-2026" \ ttl=87600h > root_2026_ca.crt echo "# check root_2023_ca.crt #" cat root_2023_ca.crt echo "# check root_2026_ca.crt #" cat root_2026_ca.crt vault write pki/config/urls \ issuing_certificates="$VAULT_ADDR/v1/pki/ca" \ Loading @@ -67,7 +67,7 @@ data: # Firmar la CA intermedia con la CA raíz vault write -format=json pki/root/sign-intermediate \ issuer_ref="root-2023" \ issuer_ref="root-2026" \ csr=@pki_intermediate.csr \ format=pem_bundle ttl="43800h" \ | jq -r '.data.certificate' > capif_intermediate.cert.pem Loading 
@@ -92,118 +92,18 @@ data: # | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json #Create CSR openssl genrsa -out ./server.key 2048 cat > ./foo.cnf <<EOF [ req ] distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] countryName = \$ENV::COUNTRY countryName_default = \$ENV::COUNTRY stateOrProvinceName = \$ENV::STATE stateOrProvinceName_default = \$ENV::STATE localityName = \$ENV::LOCALITY localityName_default = \$ENV::LOCALITY organizationName = \$ENV::ORGNAME organizationName_default = \$ENV::ORGNAME organizationalUnitName = \$ENV::ORGUNIT organizationalUnitName_default = \$ENV::ORGUNIT commonName = capif commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 emailAddress_default = \$ENV::EMAIL [ v3_req ] subjectAltName = @alt_names [alt_names] DNS.1 = \$ENV::DOMAIN1 DNS.2 = \$ENV::DOMAIN2 DNS.3 = \$ENV::DOMAIN3 EOF export COUNTRY=ES # 2 letter country-code export STATE=Madrid # state or province name export LOCALITY=Madrid # Locality Name (e.g. city) export ORGNAME="Telefonica I+D" # Organization Name (eg, company) export ORGUNIT=Innovation # Organizational Unit Name (eg. 
section) export COMMONNAME="nginx.mon.svc.cluster.local" export EMAIL=inno@tid.es # certificate's email address # optional extra details CHALLENGE="" # challenge password COMPANY="" # company name # DAYS="-days 365" # create the certificate request openssl req -new $DAYS -batch -key ./server.key -out ./server.csr -config ./foo.cnf -extensions v3_req echo "### verify the Subject Alternative Name (SAN) ###" openssl req -text -noout -verify -in ./server.csr | grep 'DNS' #cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout client.key -out client.csr #cat <<__EOF__ | openssl req -new $DAYS -key ./server.key -out ./server.csr #$COUNTRY #$STATE #$LOCALITY #$ORGNAME #$ORGUNIT #$COMMONNAME #$EMAIL #$CHALLENGE #$COMPANY #__EOF__ # vault write -format=json pki_int/issue/my-ca \ # csr=@server.csr \ # format=pem_bundle ttl="438h" \ # | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json vault write -format=json pki_int/sign/my-ca format=pem_bundle ttl="43000h" csr=@server.csr | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json jq -r '.[0]' cert_data.json > root_ca.crt.pem echo "### content root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content server_certificate.crt.pem ###" jq -r '.[1]' cert_data.json > server_certificate.crt.pem openssl x509 -pubkey -noout -in server_certificate.crt.pem > server_certificate_pub.pem #vault kv put secret/ca ca=@root_helm.pem root_2023_ca.crt #cat root_2023_ca.crt root_2023_ca.crt > ca.crt cat > certificados_concatenados.crt << EOF $(cat "root_2023_ca.crt") $(cat "root_ca.crt.pem") EOF echo "### content of root_2023_ca.crt ###" cat root_2023_ca.crt echo "### content of root_ca.crt.pem ###" cat root_ca.crt.pem echo "### content of certificados_concatenados.crt ###" cat certificados_concatenados.crt # vault kv put secret/ca ca=@root_2023_ca.crt 
############################################################ # 4) CA BUNDLE (KV v2) ############################################################ echo "### enable secrets kv ###" vault secrets enable -path=secret -version=2 kv vault kv put secret/ca ca=@certificados_concatenados.crt vault kv put secret/server_cert cert=@server_certificate.crt.pem # Store CA bundle at secret/ca (same as docker script) vault kv put secret/ca ca=@capif_intermediate.cert.pem vault kv put secret/server_cert/pub pub_key=@server_certificate_pub.pem echo "[INFO] CA bundle stored at secret/ca" vault kv put secret/server_cert/private key=@server.key #POLICY_NAME="my-policy" #POLICY_FILE="my-policy.hcl" Loading