(no commit message)
authorstephan48 <stephan48@web>
Fri, 19 Sep 2025 22:59:17 +0000 (00:59 +0200)
committerIkiWiki <ikiwiki.info>
Fri, 19 Sep 2025 22:59:17 +0000 (00:59 +0200)
posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn

index 6cc81d13f8444030ed2c88d722e10995029db3b2..2e413d4f2bcc8bd7acd8d48a44ddcbded1fb5fc1 100644 (file)
@@ -167,8 +167,131 @@ If this works the cmd "kubectl get stepclusterissuers.certmanager.step.sm step-c
 
 With this you can annotate your resources properly and will get certificates.
 
+finaggle-step-configs.sh:
+```
+#!/bin/bash
+
+EXTERNAL_DNS_NAME=$1
+CLUSTER_DNS_NAME=$2
+ISSUER_NAME=$3
+
+
+# atleast the provisioner pw causes issues when it has a newline, this avoids that issue
+echo -n "$(pwgen -s 50 1)" > provisioner-pw
+echo -n "$(pwgen -s 50 1)" > useless-pw
+
+rm test1.yaml
+# we use the useless-pw here as if we use the actual files, step ca init will overwrite them
+step ca init --password-file=useless-pw --provisioner-password-file=provisioner-pw --name=$EXTERNAL_DNS_NAME --deployment-type=standalone --dns $EXTERNAL_DNS_NAME --dns $CLUSTER_DNS_NAME --address=:9000 --provisioner=$ISSUER_NAME --helm > test1.yaml
+
+rm useless-pw
+
+# overwrite various fields with our own values, according to our needs
+cat ./test1.yaml  | yq -o json | jq --arg fingerprint "$(openssl x509 -in pki/ca.crt -noout -fingerprint -sha256 | sed 's/.*=//; s/://g')" --rawfile root_ca_crt pki/ca.crt --rawfile intermediate_ca_pw ./intermediate-pw --rawfile intermediate_ca_key pki/private/${EXTERNAL_DNS_NAME}.key --rawfile intermediate_ca_crt pki/issued/${EXTERNAL_DNS_NAME}.crt  --rawfile provisioner_pw provisioner-pw '.inject.certificates.root_ca = $root_ca_crt | .inject.secrets.x509.root_ca_key = "" | .inject.certificates.intermediate_ca = $intermediate_ca_crt | .inject.secrets.x509.intermediate_ca_key = $intermediate_ca_key | .inject.secrets.ca_password = ($intermediate_ca_pw | @base64) | .inject.secrets.provisioner_password = ($provisioner_pw | @base64) | .inject.config.files["defaults.json"].fingerprint = $fingerprint' > test2.json
+
+cat test-cluster.issuer.yaml | yq -o json | jq --slurpfile ca_helm test2.json '.spec.provisioner.kid = $ca_helm[0].inject.config.files["ca.json"].authority.provisioners[0].key.kid | .spec.provisioner.name = $ca_helm[0].inject.config.files["ca.json"].authority.provisioners[0].name | .spec.caBundle = ($ca_helm[0].inject.certificates.root_ca | @base64) | .spec.url = "https://\( $ca_helm[0].inject.config.files["ca.json"].dnsNames[1])/"' | yq -o yaml -P | tee test-cluster.issuer-filled.yaml
 
+yq -o yaml -P < test2.json > test2.yaml
+```
+
+test1.yaml:
+```
+# Helm template
+inject:
+  enabled: true
+  # Config contains the configuration files ca.json and defaults.json
+  config:
+    files:
+      ca.json:
+        root: /home/step/certs/root_ca.crt
+        federateRoots: []
+        crt: /home/step/certs/intermediate_ca.crt
+        key: /home/step/secrets/intermediate_ca_key
+        address: :9000
+        dnsNames:
+          - ca.s02-k3s-vault.XXXX
+          - step-certificates.step-ca.svc.cluster.local
+        logger:
+          format: json
+        db:
+          type: badgerv2
+          dataSource: /home/step/db
+        authority:
+          enableAdmin: false
+          provisioners:
+            - {"type":"JWK","name":"step-ca-issuer","key":{"use":"sig","kty":"EC","kid":"xx","crv":"P-256","alg":"ES256","x":"xxx","y":"sxx"},"encryptedKey":"xxx","options":{"x509":{},"ssh":{}}}
+        tls:
+          cipherSuites:
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          minVersion: 1.2
+          maxVersion: 1.3
+          renegotiation: false
+
+      defaults.json:
+        ca-url: https://ca.s02-k3s-vault.xxx
+        ca-config: /home/step/config/ca.json
+        fingerprint: xx
+        root: /home/step/certs/root_ca.crt
+
+  # Certificates contains the root and intermediate certificate and
+  # optionally the SSH host and user public keys
+  certificates:
+    # intermediate_ca contains the text of the intermediate CA Certificate
+    intermediate_ca: |
+      -----BEGIN CERTIFICATE-----
+      -----END CERTIFICATE-----
+
+
+    # root_ca contains the text of the root CA Certificate
+    root_ca: |
+      -----BEGIN CERTIFICATE-----
+      -----END CERTIFICATE-----
+
+
+  # Secrets contains the root and intermediate keys and optionally the SSH
+  # private keys
+  secrets:
+    # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+    # This value must be base64 encoded.
+    ca_password:
+    provisioner_password:
+
+    x509:
+      # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+      intermediate_ca_key: |
+        -----BEGIN EC PRIVATE KEY-----
+        -----END EC PRIVATE KEY-----
+
+
+      # root_ca_key contains the contents of your encrypted root CA key
+      # Note that this value can be omitted without impacting the functionality of step-certificates
+      # If supplied, this should be encrypted using a unique password that is not used for encrypting
+      # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+      root_ca_key: |
+        -----BEGIN EC PRIVATE KEY-----
+        -----END EC PRIVATE KEY-----
+
+```
+
+test-cluster.issuer.yaml:
+```
+apiVersion: certmanager.step.sm/v1beta1
+kind: StepClusterIssuer
+metadata:
+  name: step-cluster-issuer
+spec:
+  caBundle: XXXXX
+  provisioner:
+    kid: XXXX
+    name: XXXX
+    passwordRef:
+      key: password
+      name: step-certificates-provisioner-password
+      namespace: step-ca
+  url: https://step-certificates.step-ca.svc.cluster.local/
 
+```
 
 TODOs:
 * [!] put finaggle-step-configs.sh and its deps somewhere
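Review bot: finaggle-step-configs.sh writes the intermediate CA private key, the CA password and the provisioner password into provisioner-pw, test2.json and test2.yaml in the working directory under the default umask and never removes them, so the key material ends up in ordinary world-readable files; a `umask 077` right after the shebang, plus removing (or at least a sentence in the post warning about) the test2.* files once they have been applied, would contain that. The script also lacks `set -euo pipefail`, so a failing `step ca init` or a missing pki/issued/${EXTERNAL_DNS_NAME}.crt still yields a test2.json that looks complete, and the bare `rm test1.yaml` errors on a first run; adding `set -euo pipefail` and changing it to `rm -f test1.yaml` fixes both. The comment above the pwgen lines explains that a trailing newline breaks the provisioner password, yet ./intermediate-pw is read verbatim with --rawfile, so presumably the same applies to it if it was created with a plain echo — worth confirming or stripping with `$(cat ./intermediate-pw)`. The openssl fingerprint is uppercase hex while step tooling prints it lowercase; if the consumer compares case-sensitively, pipe it through `tr 'A-F' 'a-f'`.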