Autocert reports into CT

5 years ago · 3939e85526
parent 4fef188a3a
commit 3939e85526
8 changed files with 113 additions and 5 deletions
--- a/autocert/init/Dockerfile
+++ b/autocert/init/Dockerfile
@ -12,7 +12,10 @@ USER root
 RUN curl -L https://storage.googleapis.com/kubernetes-release/release/${KUBE_LATEST_VERSION}/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl \
 && chmod +x /usr/local/bin/kubectl
 RUN apk --update add expect
+RUN apk --update add jq

 COPY autocert.sh /home/step/
+COPY ct.json /home/step/
+COPY ca /home/step/ca/
 RUN chmod +x /home/step/autocert.sh
 CMD ["/home/step/autocert.sh"]
--- a/autocert/init/autocert.sh
+++ b/autocert/init/autocert.sh
@ -8,8 +8,8 @@ read ANYKEY

 STEPPATH=/home/step/.step

-CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
-AUTOCERT_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
+CA_PASSWORD=asdf
+AUTOCERT_PASSWORD=asdf

 echo -e "\e[1mChecking cluster permissions...\e[0m"

@ -86,13 +86,18 @@ step ca init \
  --with-ca-url "$CA_URL" \
  --password-file <(echo "$CA_PASSWORD")

-# {"cts":[{"uri":"http://trillian.step.toys:8080/smallstep","key":"docker/ct_server/pubkey.pem"}]}
+cp -f ./ca/ca.json $(step path)/config/ca.json
+cp -f ./ca/root_ca.crt $(step path)/certs/root_ca.crt
+cp -f ./ca/pubkey.pem $(step path)/certs/pubkey.pem
+cp -f ./ca/intermediate_ca.crt $(step path)/certs/intermediate_ca.crt
+cp -f ./ca/intermediate_ca_key $(step path)/certs/intermediate_ca_key
+rm -f $(step path)/config/defaults.json

 echo
 echo -e "\e[1mCreating autocert provisioner...\e[0m"

 expect <<EOD
-spawn step ca provisioner add autocert --create
+spawn step ca provisioner add autocert --create --ca-config $(step path)/config/ca.json
 expect "Please enter a password to encrypt the provisioner private key? \\\\\\[leave empty and we'll generate one\\\\\\]: "
 send "${AUTOCERT_PASSWORD}\n"
 expect eof
@ -101,6 +106,10 @@ EOD
 echo
 echo -e "\e[1mCreating step namespace and preparing environment...\e[0m"

+jq -s '.[0] * .[1]' $(step path)/config/ca.json ./ct.json > $(step path)/config/_ca.json
+rm -f $(step path)/config/ca.json
+mv -f $(step path)/config/_ca.json $(step path)/config/ca.json
+
 kubectl create namespace step

 kubectl -n step create configmap config --from-file $(step path)/config
--- a/autocert/init/ca/ca.json
+++ b/autocert/init/ca/ca.json
@ -0,0 +1,62 @@
+{
+   "root": "/home/step/.step/certs/root_ca.crt",
+   "crt": "/home/step/.step/certs/intermediate_ca.crt",
+   "key": "/home/step/.step/certs/intermediate_ca_key",
+   "password": "asdf",
+   "address": ":4443",
+   "dnsNames": [
+      "ca.smallstep.com",
+      "ctca.step.toys",
+      "ca.step.svc.cluster.local"
+   ],
+   "logger": {
+      "format": "text",
+      "level": "warn"
+   },
+   "authority": {
+      "claims": {
+         "minTLSCertDuration": "1m"
+      },
+      "template": {
+         "country": "US",
+         "organization": "Smallstep Labs Inc.",
+         "organizationalUnit": "",
+         "locality": "San Francisco",
+         "province": "CA",
+         "streetAddress": "",
+         "commonName": ""
+      },
+      "provisioners": [
+         {
+            "name": "mariano@smallstep.com",
+            "type": "jwk",
+            "key": {
+               "use": "sig",
+               "kty": "EC",
+               "kid": "jO37dtDbku-Qnabs5VR0Yw6YFFv9weA18dp3htvdEjs",
+               "crv": "P-256",
+               "alg": "ES256",
+               "x": "vo6GTwfXryV5WDI-_JL1FeK0k2AvWwUnSbtdSE3IQl0",
+               "y": "Z4j_nNmETqTsKq-6ZCjyCIIMNE_308Mx866z3pD6sJ0"
+            },
+            "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiUUppQnNnN3VhY2MtQ1BiN3lCM2RhdyJ9.xIundEA1ZT3zk5qP9a9nH1n5pZK2bSTuYIAq6W1vMNJTkKZWIFjtmg.ztnvv4FBPExc2arS.OukgkTrlqpsWRMYM_l4-QHJqBMhfbeW164-qmULuzoNdo1umW8WLIX3Us8newUFh1zrJKDFJfrW_KT2C022_VKXOUO6LGX9WWN7RYiUC_aOY8O73xs1yq65whD7hMxPlq2fMd85AGvv0QQTwlG2lJ_Gw_bdbB3vDIBVJa5lywraG6tyVXT15yykVdoScc6fmxasi5tuoFW4VNjZzcgQ25cdpbwj0fvLACQWQjz49cGAjfpR6I8sys2pA55HobMdbyj7lKnDTD5TUMmoMB8WvGwleKyjLwZBPAhi_Wwrj1UXh3nrEWVFPJY9VLSCIIKdilugE62mW3reTNayqvN0.z-VKtvBPBATKsDtGppbj4w"
+         }
+      ]
+   },
+   "tls": {
+      "cipherSuites": [
+         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+      ],
+      "minVersion": 1.2,
+      "maxVersion": 1.2,
+      "renegotiation": false
+   },
+   "cts": [
+      {
+         "uri": "http://trillian.step.toys:8080/smallstep",
+         "key": "/home/step/.step/certs/pubkey.pem"
+      }
+   ]
+}
--- a/autocert/init/ca/intermediate_ca.crt
+++ b/autocert/init/ca/intermediate_ca.crt
@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxTCCAWugAwIBAgIQDjIQy/8LZJZTC3tNwe6CfjAKBggqhkjOPQQDAjAcMRow
+GAYDVQQDExFTbWFsbHN0ZXAgUm9vdCBDQTAeFw0xODExMjAyMDU5MjBaFw0yODEx
+MTcyMDU5MjBaMCQxIjAgBgNVBAMTGVNtYWxsc3RlcCBJbnRlcm1lZGlhdGUgQ0Ew
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQGMnCwtwe7GD1XE/vibfav+Z63S0lx
+H8AKvx/ek5AzVvbtih8rjtnYBBomzjHxSoIZmqdwljsEQAf1LAvgHlQwo4GGMIGD
+MA4GA1UdDwEB/wQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUu97PaFQPfuyKOeew7Hg45WFI
+AVMwHwYDVR0jBBgwFoAUF4980mRE8cQgMRTVBiUD2K+9SQswCgYIKoZIzj0EAwID
+SAAwRQIgXiW7J3QLJDw6vzoI4PnI60jjO74O9dVyZFaQbLaxSHYCIQCmfsOmp7YS
+rcJOsyNy8OjKyY9S9khfzgQdfaVfeq/QIQ==
+-----END CERTIFICATE-----
--- a/autocert/init/ca/intermediate_ca_key
+++ b/autocert/init/ca/intermediate_ca_key
@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,b592733c8881da2a3235dc7a30a9c118
+
+SXv4oaklKb6VXK+JTzRjHwroCRvzl3eXuCyHB4Rz9gAy82dCnUvIlFanhtC3nMp1
+PQQgYaC3gbIo4mxQyChA7RLN6yfRSB67Z4U0GCZ4Eq5TFm5SAQJnUHEzt4XC0rAB
+nUFQOKTyLmwEAsQd1LrAfmGplNNUHM4tZtr41FtnObQ=
+-----END EC PRIVATE KEY-----
--- a/autocert/init/ca/pubkey.pem
+++ b/autocert/init/ca/pubkey.pem
@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lGU8z4HuEpzmOGPN7nPRs+H8THY
+FKPgrsl2aN34CDlVIl8tyEBIIc8fFGmBGUR1WaIvHeOQcQgis3g+KFPD2Q==
+-----END PUBLIC KEY-----
--- a/autocert/init/ca/root_ca.crt
+++ b/autocert/init/ca/root_ca.crt
@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBejCCASGgAwIBAgIQQ2IoFOF1vM1scQkJqsF3DzAKBggqhkjOPQQDAjAcMRow
+GAYDVQQDExFTbWFsbHN0ZXAgUm9vdCBDQTAeFw0xODA0MTMxNzQxMjhaFw0yODA0
+MTAxNzQxMjhaMBwxGjAYBgNVBAMTEVNtYWxsc3RlcCBSb290IENBMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEZcVMwFzo0l9bk09oz7NEiMnMFqzEAr2NpEBbx9jp
+QmMtVx8LzGl8+LvBi8Xi4f3BJ3+1vWGPd75+LmnY5mPkKqNFMEMwDgYDVR0PAQH/
+BAQDAgGmMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFBePfNJkRPHEIDEU
+1QYlA9ivvUkLMAoGCCqGSM49BAMCA0cAMEQCICeD/FW/e2EVtRnjySqzeCpdbFLh
+R7roQrKEwrzQtHKAAiAsYC6RssgTFCpV6Xn7FKKGaPSlQ94bxNIaYGlj3p4FlQ==
+-----END CERTIFICATE-----
--- a/autocert/renewer/Dockerfile
+++ b/autocert/renewer/Dockerfile
@ -5,4 +5,4 @@ ENV CRT="/var/run/autocert.step.sm/site.crt"
 ENV KEY="/var/run/autocert.step.sm/site.key"
 ENV STEP_ROOT="/var/run/autocert.step.sm/root.crt"

-ENTRYPOINT ["/bin/bash", "-c", "step ca renew --daemon --renew-period 2m $CRT $KEY"]
+ENTRYPOINT ["/bin/bash", "-c", "step ca renew --daemon --renew-period 1m $CRT $KEY"]