This simplifies the stand-up of a sandbox:

Only 2 main Vagrant calls are now needed (`vagrant up` and `vagrant up machine1`).
This PR only updates the Vagrant Virtualbox setup. The Vagrant Libvirt and Terraform
still need to be updated.

This uses docker-compose as the entry point for standing up the stack and makes the stand-up
of the sandbox more portal. Vagrant and Terraform are only responsible for standing up infrastructure
and then running docker-compose, not for running any glue scripts.

The docker-compose calls out to single-shot services to do all the glue required to get the fully
functional Tinkerbell stack up and running. All the single-shot services are idempotent.
This increases portability and the development iteration loop. This also simplifies the required
steps needed to get a fully functioning sandbox up and running.

This is intended to help people looking to get started by getting them to a provisioned
machine quicker and more easily.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>

deploy/tls/.gitignore

@@ -1 +0,0 @@
-*/

deploy/tls/Dockerfile

@@ -1,7 +0,0 @@
-FROM alpine:3.11
-ENTRYPOINT [ "/entrypoint.sh" ]
-
-RUN apk add --no-cache --update --upgrade ca-certificates postgresql-client
-RUN apk add --no-cache --update --upgrade --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing cfssl
-
-COPY . .

deploy/tls/ca.in.json

@@ -1,12 +0,0 @@
-{
-  "CN": "Autogenerated CA",
-  "key": {
-    "algo": "rsa",
-    "size": 2048
-  },
-  "names": [
-    {
-      "L": "@FACILITY@"
-    }
-  ]
-}

deploy/tls/csr.json

@@ -4,8 +4,10 @@
     "tinkerbell.registry",
     "tinkerbell.tinkerbell",
     "tinkerbell",
-    "localhost",
-    "127.0.0.1"
+    "tink-server",
+    "192.168.50.4",
+    "127.0.0.1",
+    "localhost"
   ],
   "key": {
     "algo": "rsa",

deploy/tls/entrypoint.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env sh
-
-# set -o errexit -o nounset -o pipefail
-
-if [ -z "${TINKERBELL_TLS_CERT:-}" ]; then
-	(
-		echo "creating directory"
-		mkdir -p "certs"
-		./gencerts.sh
-	)
-fi
-
-"$@"

deploy/tls/gencerts.sh

@@ -1,30 +0,0 @@
-#!/usr/bin/env sh
-
-set -eux
-
-cd /certs
-
-if [ ! -f ca-key.pem ]; then
-	cfssl gencert \
-		-initca ca.json | cfssljson -bare ca
-fi
-
-if [ ! -f server.pem ]; then
-	cfssl gencert \
-		-ca=ca.pem \
-		-ca-key=ca-key.pem \
-		-config=/ca-config.json \
-		-profile=server \
-		server-csr.json |
-		cfssljson -bare server
-fi
-
-cat server.pem ca.pem >bundle.pem.tmp
-
-# only "modify" the file if truly necessary since workflow will serve it with
-# modtime info for client caching purposes
-if ! cmp -s bundle.pem.tmp bundle.pem; then
-	mv bundle.pem.tmp bundle.pem
-else
-	rm bundle.pem.tmp
-fi

deploy/tls/generate.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -xo pipefail
+
+# update_csr will add the sans_ip to the csr
+update_csr() {
+	local sans_ip="$1"
+	local csr_file="$2"
+	sed -i "/\"hosts\".*/a \    \"${sans_ip}\"," "${csr_file}"
+}
+
+# cleanup will remove unneeded files
+cleanup() {
+	rm -rf ca-key.pem ca.csr ca.pem server.csr server.pem
+}
+
+# gen will generate the key and bundle
+gen() {
+	local bundle_destination="$1"
+	local key_destination="$2"
+	cfssl gencert -initca /code/tls/csr.json | cfssljson -bare ca -
+	cfssl gencert -config /code/tls/ca-config.json -ca ca.pem -ca-key ca-key.pem -profile server /code/tls/csr.json | cfssljson -bare server
+	cat server.pem ca.pem >"${bundle_destination}"
+	mv server-key.pem "${key_destination}"
+}
+
+# main orchestrates the process
+main() {
+	local sans_ip="$1"
+	local csr_file="/code/tls/csr.json"
+	local bundle_file="/certs/${FACILITY:-onprem}/bundle.pem"
+	local server_key_file="/certs/${FACILITY:-onprem}/server-key.pem"
+
+	if ! grep -q "${sans_ip}" "${csr_file}"; then
+		update_csr "${sans_ip}" "${csr_file}"
+	else
+		echo "IP ${sans_ip} already in ${csr_file}"
+	fi
+	if [ ! -f "${bundle_file}" ] && [ ! -f "${server_key_file}" ]; then
+		gen "${bundle_file}" "${server_key_file}"
+	else
+		echo "Files [${bundle_file}, ${server_key_file}] already exist"
+	fi
+	cleanup
+}
+
+main "$1"