From 4e358308f8dbe27de54dd99b40c01018ac593ac3 Mon Sep 17 00:00:00 2001
From: stephan48
Date: Sat, 20 Sep 2025 00:59:17 +0200
Subject: [PATCH]
---
 ...ep-ca-intermediate-with-existing-root.mdwn | 123 ++++++++++++++++++
 1 file changed, 123 insertions(+)
diff --git a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
index 6cc81d1..2e413d4 100644
--- a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
+++ b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
@@ -167,8 +167,131 @@ If this works the cmd "kubectl get stepclusterissuers.certmanager.step.sm step-c
 With this you can annotate your resources properly and will get certificates.
+finaggle-step-configs.sh:
+```
+#!/bin/bash
+
+EXTERNAL_DNS_NAME=$1
+CLUSTER_DNS_NAME=$2
+ISSUER_NAME=$3
+
+
+# atleast the provisioner pw causes issues when it has a newline, this avoids that issue
+echo -n "$(pwgen -s 50 1)" > provisioner-pw
+echo -n "$(pwgen -s 50 1)" > useless-pw
+
+rm test1.yaml
+# we use the useless-pw here as if we use the actual files, step ca init will overwrite them
+step ca init --password-file=useless-pw --provisioner-password-file=provisioner-pw --name=$EXTERNAL_DNS_NAME --deployment-type=standalone --dns $EXTERNAL_DNS_NAME --dns $CLUSTER_DNS_NAME --address=:9000 --provisioner=$ISSUER_NAME --helm > test1.yaml
+
+rm useless-pw
+
+# overwrite various fields with our own values, according to our needs
+cat ./test1.yaml | yq -o json | jq --arg fingerprint "$(openssl x509 -in pki/ca.crt -noout -fingerprint -sha256 | sed 's/.*=//; s/://g')" --rawfile root_ca_crt pki/ca.crt --rawfile intermediate_ca_pw ./intermediate-pw --rawfile intermediate_ca_key pki/private/${EXTERNAL_DNS_NAME}.key --rawfile intermediate_ca_crt pki/issued/${EXTERNAL_DNS_NAME}.crt --rawfile provisioner_pw provisioner-pw '.inject.certificates.root_ca = $root_ca_crt | .inject.secrets.x509.root_ca_key = "" | .inject.certificates.intermediate_ca = $intermediate_ca_crt | .inject.secrets.x509.intermediate_ca_key = $intermediate_ca_key | .inject.secrets.ca_password = ($intermediate_ca_pw | @base64) | .inject.secrets.provisioner_password = ($provisioner_pw | @base64) | .inject.config.files["defaults.json"].fingerprint = $fingerprint' > test2.json
+
+cat test-cluster.issuer.yaml | yq -o json | jq --slurpfile ca_helm test2.json '.spec.provisioner.kid = $ca_helm[0].inject.config.files["ca.json"].authority.provisioners[0].key.kid | .spec.provisioner.name = 
$ca_helm[0].inject.config.files["ca.json"].authority.provisioners[0].name | .spec.caBundle = ($ca_helm[0].inject.certificates.root_ca | @base64) | .spec.url = "https://\( $ca_helm[0].inject.config.files["ca.json"].dnsNames[1])/"' | yq -o yaml -P | tee test-cluster.issuer-filled.yaml
+yq -o yaml -P < test2.json > test2.yaml
+```
+
+test1.yaml:
+```
+# Helm template
+inject:
+ enabled: true
+ # Config contains the configuration files ca.json and defaults.json
+ config:
+ files:
+ ca.json:
+ root: /home/step/certs/root_ca.crt
+ federateRoots: []
+ crt: /home/step/certs/intermediate_ca.crt
+ key: /home/step/secrets/intermediate_ca_key
+ address: :9000
+ dnsNames:
+ - ca.s02-k3s-vault.XXXX
+ - step-certificates.step-ca.svc.cluster.local
+ logger:
+ format: json
+ db:
+ type: badgerv2
+ dataSource: /home/step/db
+ authority:
+ enableAdmin: false
+ provisioners:
+ - {"type":"JWK","name":"step-ca-issuer","key":{"use":"sig","kty":"EC","kid":"xx","crv":"P-256","alg":"ES256","x":"xxx","y":"sxx"},"encryptedKey":"xxx","options":{"x509":{},"ssh":{}}}
+ tls:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ minVersion: 1.2
+ maxVersion: 1.3
+ renegotiation: false
+
+ defaults.json:
+ ca-url: https://ca.s02-k3s-vault.xxx
+ ca-config: /home/step/config/ca.json
+ fingerprint: xx
+ root: /home/step/certs/root_ca.crt
+
+ # Certificates contains the root and intermediate certificate and
+ # optionally the SSH host and user public keys
+ certificates:
+ # intermediate_ca contains the text of the intermediate CA Certificate
+ intermediate_ca: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+
+ # root_ca contains the text of the root CA Certificate
+ root_ca: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+
+
+ # Secrets contains the root and intermediate keys and optionally the SSH
+ # private keys
+ secrets:
+ # ca_password contains the password used to encrypt x509.intermediate_ca_key, 
ssh.host_ca_key and ssh.user_ca_key
+ # This value must be base64 encoded.
+ ca_password:
+ provisioner_password:
+
+ x509:
+ # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+ intermediate_ca_key: |
+ -----BEGIN EC PRIVATE KEY-----
+ -----END EC PRIVATE KEY-----
+
+
+ # root_ca_key contains the contents of your encrypted root CA key
+ # Note that this value can be omitted without impacting the functionality of step-certificates
+ # If supplied, this should be encrypted using a unique password that is not used for encrypting
+ # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+ root_ca_key: |
+ -----BEGIN EC PRIVATE KEY-----
+ -----END EC PRIVATE KEY-----
+
+```
+
+test-cluster.issuer.yaml:
+```
+apiVersion: certmanager.step.sm/v1beta1
+kind: StepClusterIssuer
+metadata:
+ name: step-cluster-issuer
+spec:
+ caBundle: XXXXX
+ provisioner:
+ kid: XXXX
+ name: XXXX
+ passwordRef:
+ key: password
+ name: step-certificates-provisioner-password
+ namespace: step-ca
+ url: https://step-certificates.step-ca.svc.cluster.local/
+```
 TODOs:
 * [!] put finaggle-step-configs.sh and its deps somewhere
-- 
2.30.2