add Makefile build and deploy docker image for step-ca
parent
6c063d8d53
commit
f7154a9ba3
@ -0,0 +1,17 @@
|
||||
FROM smallstep/step-cli:0.0.2-rc.17
|
||||
|
||||
ARG BINPATH="bin/step-ca"
|
||||
|
||||
ENV PORT=9000
|
||||
ENV CONFIGPATH="/home/step/.step/config/ca.json"
|
||||
ENV PWDPATH="/home/step/secrets/password"
|
||||
|
||||
COPY $BINPATH "/usr/local/bin/step-ca"
|
||||
|
||||
EXPOSE $PORT
|
||||
VOLUME ["/home/step/.step/secrets"]
|
||||
VOLUME ["/home/step/.step/config"]
|
||||
VOLUME ["/home/step/secrets"]
|
||||
STOPSIGNAL SIGTERM
|
||||
|
||||
CMD exec /bin/sh -c "/usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH"
|
@ -0,0 +1,39 @@
|
||||
{
|
||||
"root": "/home/step/.step/secrets/root_ca.crt",
|
||||
"crt": "/home/step/.step/secrets/intermediate_ca.crt",
|
||||
"key": "/home/step/.step/secrets/intermediate_ca_key",
|
||||
"address": ":9000",
|
||||
"dnsNames": [
|
||||
"ca.smallstep.com"
|
||||
],
|
||||
"logger": {
|
||||
"format": "text"
|
||||
},
|
||||
"authority": {
|
||||
"provisioners": [
|
||||
{
|
||||
"name": "mariano@smallstep.com",
|
||||
"type": "jwk",
|
||||
"key": {
|
||||
"use": "sig",
|
||||
"kty": "EC",
|
||||
"kid": "DmAtZt2EhmZr_iTJJ387fr4Md2NbzMXGdXQNW1UWPXk",
|
||||
"crv": "P-256",
|
||||
"alg": "ES256",
|
||||
"x": "jXoO1j4CXxoTC32pNzkVC8l6k2LfP0k5ndhJZmcdVbk",
|
||||
"y": "c3JDL4GTFxJWHa8EaHdMh4QgwMh64P2_AGWrD0ADXcI"
|
||||
},
|
||||
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiOTFVWjdzRGw3RlNXcldfX1I1NUh3USJ9.FcWtrBDNgrkA33G9Ll9sXh1cPF-3jVXeYe1FLmSDc_Q2PmfLOPvJOA.0ZoN32ayaRWnufJb.WrkffMmDLWiq1-2kn-w7-kVBGW12gjNCBHNHB1hyEdED0rWH1YWpKd8FjoOACdJyLhSn4kAS3Lw5AH7fvO27A48zzvoxZU5EgSm5HG9IjkIH-LBJ-v79ShkpmPylchgjkFhxa5epD11OIK4rFmI7s-0BCjmJokLR_DZBhDMw2khGnsr_MEOfAz9UnqXaQ4MIy8eT52xUpx68gpWFlz2YP3EqiYyNEv0PpjMtyP5lO2i8-p8BqvuJdus9H3fO5Dg-1KVto1wuqh4BQ2JKTauv60QAnM_4sdxRHku3F_nV64SCrZfDvnN2ve21raFROtyXaqHZhN6lyoPxDncy8v4.biaOblEe0N-gMpJyFZ-3-A"
|
||||
}
|
||||
]
|
||||
},
|
||||
"tls": {
|
||||
"cipherSuites": [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||
],
|
||||
"minVersion": 1.2,
|
||||
"maxVersion": 1.2,
|
||||
"renegotiation": false
|
||||
}
|
||||
}
|
@ -0,0 +1,210 @@
|
||||
#!/bin/sh
|
||||
|
||||
CA_NAME="ca"
|
||||
CA_NAMESPACE="step"
|
||||
DEMO_NAMESPACE="step-demo"
|
||||
DEMO_ENVIRONMENT="staging"
|
||||
|
||||
|
||||
# The name of an image pull secret (e.g., for private docker hub images)
|
||||
# Set to "none" for no pull secret.
|
||||
IMAGE_PULL_SECRET="none"
|
||||
|
||||
while getopts "c:d:n:e:h:t:p:i:" opt; do
|
||||
case "$opt" in
|
||||
h)
|
||||
show_help
|
||||
exit 0
|
||||
;;
|
||||
c)
|
||||
CA_NAMESPACE=$OPTARG
|
||||
;;
|
||||
n)
|
||||
CA_NAME=$OPTARG
|
||||
;;
|
||||
e)
|
||||
DEMO_ENVIRONMENT=$OPTARG
|
||||
;;
|
||||
d)
|
||||
DEMO_NAMESPACE=$OPTARG
|
||||
;;
|
||||
t)
|
||||
INSTALL_TYPE=$OPTARG
|
||||
;;
|
||||
p)
|
||||
PROVISIONER_TYPE=$OPTARG
|
||||
;;
|
||||
i)
|
||||
IMAGE_PULL_SECRET=$OPTARG
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
shift $((OPTIND-1))
|
||||
|
||||
|
||||
# Various container images used throughout the script.
|
||||
STEP_CA_IMAGE="localhost:5000/smallstep/step-ca:latest"
|
||||
|
||||
DIR=`pwd`
|
||||
PKI="$(dirname "$DIR")/pki"
|
||||
SECRETS="$PKI/secrets"
|
||||
|
||||
##
|
||||
# Certificate Authority installation (prints yaml to stdout).
|
||||
##
|
||||
install_ca()
|
||||
{
|
||||
read -p "CA Private Key Password: " -s password
|
||||
(>&2 echo "")
|
||||
|
||||
tmp=$(mktemp -d /tmp/step.XXXXXX)
|
||||
(
|
||||
cd "$tmp"
|
||||
|
||||
# Bundle up certificates and private key into ConfigMap
|
||||
mkdir $tmp/certificates
|
||||
cp $SECRETS/root_ca.crt $tmp/certificates
|
||||
cp $SECRETS/intermediate_ca.crt $tmp/certificates/
|
||||
cp $SECRETS/intermediate_ca_key $tmp/certificates/
|
||||
|
||||
# ConfigMap for CA configuration
|
||||
mkdir $tmp/config
|
||||
cp $DIR/ca.json $tmp/config/ca.json
|
||||
|
||||
# Create the namespace
|
||||
echo "---" > $tmp/step-ca.yml
|
||||
echo "apiVersion: v1" >> $tmp/step-ca.yml
|
||||
echo "kind: Namespace" >> $tmp/step-ca.yml
|
||||
echo "metadata:" >> $tmp/step-ca.yml
|
||||
echo " name: $CA_NAMESPACE" >> $tmp/step-ca.yml
|
||||
echo "---" >> $tmp/step-ca.yml
|
||||
|
||||
# Create certificates configmap
|
||||
echo "apiVersion: v1" >> $tmp/step-ca.yml
|
||||
echo "kind: ConfigMap" >> $tmp/step-ca.yml
|
||||
kubectl create configmap ca-certificates -n $CA_NAMESPACE --from-file `pwd`/certificates --dry-run -o yaml >> $tmp/step-ca.yml
|
||||
echo "" >> $tmp/step-ca.yml
|
||||
echo "---" >> $tmp/step-ca.yml
|
||||
|
||||
# Create a CA configuration configmap
|
||||
echo "" >> $tmp/step-ca.yml
|
||||
echo "apiVersion: v1" >> $tmp/step-ca.yml
|
||||
echo "kind: ConfigMap" >> $tmp/step-ca.yml
|
||||
kubectl create configmap ca-config -n $CA_NAMESPACE --from-file `pwd`/config --dry-run -o yaml >> $tmp/step-ca.yml
|
||||
echo "" >> $tmp/step-ca.yml
|
||||
echo "---" >> $tmp/step-ca.yml
|
||||
|
||||
# Create a secret with the CA password in it
|
||||
echo "" >> $tmp/step-ca.yml
|
||||
echo "apiVersion: v1" >> $tmp/step-ca.yml
|
||||
echo "kind: Secret" >> $tmp/step-ca.yml
|
||||
kubectl create secret generic ca-certificate-password -n $CA_NAMESPACE --from-literal=password="$password" --dry-run -o yaml >> $tmp/step-ca.yml
|
||||
)
|
||||
|
||||
echo "" >> $tmp/step-ca.yml
|
||||
echo "---" >> $tmp/step-ca.yml
|
||||
echo "" >> $tmp/step-ca.yml
|
||||
|
||||
cat <<EOF >> $tmp/step-ca.yml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
service: $CA_NAME
|
||||
name: $CA_NAME
|
||||
namespace: $CA_NAMESPACE
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: headless
|
||||
port: 443
|
||||
targetPort: 9000
|
||||
selector:
|
||||
service: $CA_NAME
|
||||
|
||||
---
|
||||
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: $CA_NAME
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
service: $CA_NAME
|
||||
|
||||
---
|
||||
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: $CA_NAME
|
||||
namespace: $CA_NAMESPACE
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 25%
|
||||
maxUnavailable: 25%
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
service: $CA_NAME
|
||||
spec:
|
||||
containers:
|
||||
- name: $CA_NAME
|
||||
image: $STEP_CA_IMAGE
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 20Mi
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /health
|
||||
port: 443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 3
|
||||
periodSeconds: 3
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /health
|
||||
port: 443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 3
|
||||
volumeMounts:
|
||||
- name: certificates
|
||||
mountPath: /home/step/.step/secrets
|
||||
readOnly: true
|
||||
- name: config
|
||||
mountPath: /home/step/.step/config
|
||||
readOnly: true
|
||||
- name: secrets
|
||||
mountPath: /home/step/secrets
|
||||
readOnly: true
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
allowPrivilegeEscalation: false
|
||||
volumes:
|
||||
- name: certificates
|
||||
configMap:
|
||||
name: ca-certificates
|
||||
- name: config
|
||||
configMap:
|
||||
name: ca-config
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: ca-certificate-password
|
||||
EOF
|
||||
|
||||
cat $tmp/step-ca.yml
|
||||
|
||||
rm -rf "$tmp"
|
||||
|
||||
}
|
||||
|
||||
install_ca
|
Loading…
Reference in New Issue