Reorg directory structure:

This makes the deploy directory cleaner by moving all compose related file/directories into the compose directory. Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
2021-08-08 11:39:08 -06:00
parent 9b1cf3b509
commit d6af9a49af
12 changed files with 17 additions and 17 deletions
--- a/deploy/compose/tls/ca-config.json
+++ b/deploy/compose/tls/ca-config.json
@@ -0,0 +1,24 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "168h"
+    },
+    "profiles": {
+      "server": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth"
+        ]
+      },
+      "signing": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "key encipherment"
+        ]
+      }
+    }
+  }
+}
--- a/deploy/compose/tls/csr.json
+++ b/deploy/compose/tls/csr.json
@@ -0,0 +1,21 @@
+{
+  "CN": "tinkerbell",
+  "hosts": [
+    "tinkerbell.registry",
+    "tinkerbell.tinkerbell",
+    "tinkerbell",
+    "tink-server",
+    "192.168.50.4",
+    "127.0.0.1",
+    "localhost"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "L": "@FACILITY@"
+    }
+  ]
+}
--- a/deploy/compose/tls/generate.sh
+++ b/deploy/compose/tls/generate.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -xo pipefail
+
+# update_csr will add the sans_ip to the csr
+update_csr() {
+	local sans_ip="$1"
+	local csr_file="$2"
+	sed -i "/\"hosts\".*/a \    \"${sans_ip}\"," "${csr_file}"
+}
+
+# cleanup will remove unneeded files
+cleanup() {
+	rm -rf ca-key.pem ca.csr ca.pem server.csr server.pem
+}
+
+# gen will generate the key and bundle
+gen() {
+	local bundle_destination="$1"
+	local key_destination="$2"
+	cfssl gencert -initca /code/tls/csr.json | cfssljson -bare ca -
+	cfssl gencert -config /code/tls/ca-config.json -ca ca.pem -ca-key ca-key.pem -profile server /code/tls/csr.json | cfssljson -bare server
+	cat server.pem ca.pem >"${bundle_destination}"
+	mv server-key.pem "${key_destination}"
+}
+
+# main orchestrates the process
+main() {
+	local sans_ip="$1"
+	local csr_file="/code/tls/csr.json"
+	local bundle_file="/certs/${FACILITY:-onprem}/bundle.pem"
+	local server_key_file="/certs/${FACILITY:-onprem}/server-key.pem"
+
+	if ! grep -q "${sans_ip}" "${csr_file}"; then
+		update_csr "${sans_ip}" "${csr_file}"
+	else
+		echo "IP ${sans_ip} already in ${csr_file}"
+	fi
+	if [ ! -f "${bundle_file}" ] && [ ! -f "${server_key_file}" ]; then
+		gen "${bundle_file}" "${server_key_file}"
+	else
+		echo "Files [${bundle_file}, ${server_key_file}] already exist"
+	fi
+	cleanup
+}
+
+main "$1"