Merge pull request #321 from TIBCOSoftware/feature-cert-manager
Add certificate manager support
Showing
12 changed files
with
286 additions
and
8 deletions.
@@ -0,0 +1,77 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# Copyright (c) 2023. TIBCO Software Inc. | ||
# This file is subject to the license terms contained in the license file that is distributed with this file. | ||
# | ||
|
||
SECRETS_PATH=/opt/tibco/certs | ||
|
||
if ! [ -d $CERTS_PATH ]; then | ||
echo "INFO: Creating trustfolder directory: $CERTS_PATH" | ||
mkdir -p $CERTS_PATH | ||
fi | ||
|
||
generate_key_store_certs() | ||
{ | ||
|
||
oIFS="$IFS"; IFS=','; declare -a CNCF_KEYSTORE_CERTs=($CNCF_KEYSTORE_CERT); IFS="$oIFS"; unset oIFS | ||
|
||
#Remove duplicate k8s secret names list | ||
CNCF_SRVR_CERT=( `for i in ${CNCF_KEYSTORE_CERTs[@]}; do echo $i; done | sort -u` ) | ||
|
||
for (( i=0; i < "${#CNCF_SRVR_CERT[@]}"; i++ )); | ||
do | ||
echo "INFO: Adding "${CNCF_SRVR_CERT[$i]}" Private keypair to keystore.jks" | ||
P12CERT=$SECRETS_PATH/${CNCF_SRVR_CERT[$i]}.p12 | ||
|
||
# Convert the crt files to p12 and add it to cert_keystore | ||
openssl pkcs12 -inkey $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/tls.key -in $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/tls.crt -export -out $P12CERT -name ${CNCF_SRVR_CERT[$i]} -passin pass:$KEYSTORE_PASSPHRASE -passout pass:$KEYSTORE_PASSPHRASE -password pass:$KEYSTORE_PASSPHRASE | ||
keytool -importkeystore -srckeystore $P12CERT -srcstoretype PKCS12 -destkeystore $CERT_KEYSTORE -deststoretype PKCS12 -srcstorepass $KEYSTORE_PASSPHRASE -deststorepass $KEYSTORE_PASSPHRASE -srcalias ${CNCF_SRVR_CERT[$i]} -destalias ${CNCF_SRVR_CERT[$i]} -srckeypass $KEYSTORE_PASSPHRASE -destkeypass $KEYSTORE_PASSPHRASE -noprompt | ||
|
||
# Add ca root certificate to cert_keystore | ||
keytool -keystore $CERT_KEYSTORE -alias CA-${CNCF_SRVR_CERT[$i]} -import -file $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/ca.crt -storepass $KEYSTORE_PASSPHRASE -keypass $KEYSTORE_PASSPHRASE -noprompt | ||
|
||
# Copy ca.crt file to certs_path | ||
cp $SECRETS_PATH/${CNCF_SRVR_CERT[$i]}/ca.crt $CERTS_PATH/ca-cncf-server-$i.crt | ||
|
||
# Delete download private and public certs | ||
rm -rf $P12CERT | ||
done | ||
} | ||
|
||
generate_trust_store_certs() | ||
{ | ||
|
||
oIFS="$IFS"; IFS=','; declare -a CNCF_TRUSTSTORE_CERTs=($CNCF_TRUSTSTORE_CERT); IFS="$oIFS"; unset oIFS | ||
|
||
#Remove duplicate k8s secret names list | ||
CNCF_CLNT_CERT=( `for i in ${CNCF_TRUSTSTORE_CERTs[@]}; do echo $i; done | sort -u` ) | ||
|
||
for (( i=0; i < "${#CNCF_CLNT_CERT[@]}"; i++ )); | ||
do | ||
echo "INFO: Adding "${CNCF_CLNT_CERT[$i]}" to truststore.jks" | ||
#Convert convert certs to p12 and jks, generate truststore jks | ||
keytool -keystore $CERT_TRUSTSTORE -alias localhost-$i -import -file $SECRETS_PATH/${CNCF_CLNT_CERT[$i]}/tls.crt -storepass $TRUSTSTORE_PASSPHRASE -keypass $TRUSTSTORE_PASSPHRASE -noprompt | ||
|
||
# Add ca.crt to truststore jks | ||
keytool -keystore $CERT_TRUSTSTORE -alias CARoot-$i -import -file $SECRETS_PATH/${CNCF_CLNT_CERT[$i]}/ca.crt -storepass $TRUSTSTORE_PASSPHRASE -keypass $TRUSTSTORE_PASSPHRASE -noprompt | ||
# Copy ca.crt file to certs_path | ||
cp $SECRETS_PATH/${CNCF_CLNT_CERT[$i]}/ca.crt $CERTS_PATH/ca-cncf-client-$i.crt | ||
done | ||
} | ||
|
||
if [[ -z "$CNCF_KEYSTORE_CERT" ]]; then | ||
echo "WARN: Config Provider[cmcnf] is configured but env variable CNCF_KEYSTORE_CERT is empty OR not supplied." | ||
echo "WARN: Skip converting certificates to JKS" | ||
else | ||
generate_key_store_certs | ||
fi | ||
|
||
if [[ -z "$CNCF_TRUSTSTORE_CERT" ]]; then | ||
echo "WARN: Config Provider[cmcnf] is configured but env variable CNCF_TRUSTSTORE_CERT is empty OR not supplied." | ||
echo "WARN: Skip converting certificates to JKS" | ||
else | ||
generate_trust_store_certs | ||
fi | ||
|
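Review bot: The keystore and truststore passphrases are passed on the command line at lines 61, 62, 66, 94 and 98 (`-passin pass:$KEYSTORE_PASSPHRASE`, `-storepass $KEYSTORE_PASSPHRASE`), so they are readable by any process on the host via `ps` and are copied verbatim into build logs if tracing is ever enabled. openssl accepts `-passin env:KEYSTORE_PASSPHRASE -passout env:KEYSTORE_PASSPHRASE` and keytool accepts the `-storepass:env KEYSTORE_PASSPHRASE -keypass:env KEYSTORE_PASSPHRASE` form (likewise `-srcstorepass:env`/`-deststorepass:env` for importkeystore), which keep the value out of argv. Separately, none of the openssl, keytool or cp calls are checked, so a failed import leaves a keystore with missing entries and the script still exits 0; a `set -euo pipefail` at the top, or `|| exit 1` on each conversion step, would make that fail closed. Note also that line 34 assigns `SECRETS_PATH` while lines 37-39, 70 and 100 use `CERTS_PATH`, which this file never sets — presumably it comes from the image environment, but if it is unset the `[ -d ]` test passes trivially and the `ca-cncf-*.crt` copies land in `/`.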
@@ -0,0 +1,29 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# Copyright (c) 2023. TIBCO Software Inc. | ||
# This file is subject to the license terms contained in the license file that is distributed with this file. | ||
# | ||
|
||
source /home/tibco/be/configproviders/cputils.sh | ||
|
||
echo "INFO: Check for openssl and keytool utilites" | ||
|
||
if ! [ -x $(command -v openssl) ] ; then | ||
REQUIRED_PKGS="openssl" | ||
fi | ||
|
||
if ! [ -x $(command -v keytool) ] ; then | ||
echo "ERROR: keytool utility is required and it doesnot exists, exiting the build" | ||
exit 1; | ||
fi | ||
|
||
# fill this variable with packages used only during build time. Multiple packages can be represented in a space separated format ex: "curl unzip". | ||
INSTALL_PKGS_LIST=$( getInstallPkgs "$REQUIRED_PKGS" ) | ||
CLEANUP_PKGS_LIST=$( getCleanupPkgs "$BUILD_PKGS" "$INSTALL_PKGS_LIST" ) | ||
|
||
# installing required packages | ||
if [ "$INSTALL_PKGS_LIST" != "" ]; then | ||
package-manager install -y $INSTALL_PKGS_LIST | ||
fi | ||
|
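Review bot: The availability checks at lines 140 and 145 are inverted in exactly the case they exist for: when the tool is missing, `$(command -v openssl)` expands to nothing, leaving `[ -x ]`, which is the one-argument form of test and is true for the non-empty string `-x`, so the negated condition is false and openssl is never added to `REQUIRED_PKGS` (and a missing keytool never reaches the `exit 1`). Quoting the substitution would fix it, but the idiomatic check is `if ! command -v openssl >/dev/null 2>&1; then` and `if ! command -v keytool >/dev/null 2>&1; then`. `package-manager install` at line 158 is not checked either, so a failed install lets the build continue and the runtime script later fails on the missing binary.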
@@ -0,0 +1,107 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# Copyright (c) 2023. TIBCO Software Inc. | ||
# This file is subject to the license terms contained in the license file that is distributed with this file. | ||
# | ||
|
||
if [[ -z "$AZ_CLIENT_ID" ]]; then | ||
echo "ERROR: Cannot read certificates from Azure Key Vault." | ||
echo "ERROR: Specify env variable AZ_CLIENT_ID" | ||
exit 1 | ||
fi | ||
|
||
if [[ -z "$AZ_CLIENT_PASSWORD" ]]; then | ||
echo "ERROR: Cannot read certificates from Azure Key Vault." | ||
echo "ERROR: Specify env variable AZ_CLIENT_PASSWORD" | ||
exit 1 | ||
fi | ||
|
||
if [[ -z "$AZ_TENANT_ID" ]]; then | ||
echo "ERROR: Cannot read certificates from Azure Key Vault." | ||
echo "ERROR: Specify env variable AZ_TENANT_ID" | ||
exit 1 | ||
fi | ||
|
||
if [[ -z "$AZ_KV_NAME" ]]; then | ||
echo "ERROR: Cannot read certificates from Azure Key Vault." | ||
echo "ERROR: Specify env variable AZ_KV_NAME" | ||
exit 1 | ||
fi | ||
|
||
#Login to Azure using service principal | ||
az login --service-principal -u $AZ_CLIENT_ID -p $AZ_CLIENT_PASSWORD --tenant $AZ_TENANT_ID | ||
|
||
if ! [ -d $CERTS_PATH ]; then | ||
echo "INFO: Creating $CERTS_PATH directory" | ||
mkdir -p $CERTS_PATH | ||
fi | ||
|
||
generate_key_store_certs(){ | ||
|
||
oIFS="$IFS"; IFS=','; declare -a AZ_KV_KEYSTORE_CERTs=($AZ_KV_KEYSTORE_CERT); IFS="$oIFS"; unset oIFS | ||
|
||
#Remove duplicate cert names's | ||
KEYSTORE_CERT=( `for i in ${AZ_KV_KEYSTORE_CERTs[@]}; do echo $i; done | sort -u` ) | ||
|
||
for (( i=0; i < "${#KEYSTORE_CERT[@]}"; i++ )); | ||
do | ||
FULL_CERT=$SECRETS_PATH/fullcertificate-$i.pfx | ||
P12CERT=$SECRETS_PATH/client-$i.p12 | ||
|
||
#Download azure client private cert, certificate body and ceritifate chain | ||
echo "INFO: Downloading certs : ${KEYSTORE_CERT[$i]}" | ||
az keyvault secret download --file $FULL_CERT --name ${KEYSTORE_CERT[$i]} --vault-name $AZ_KV_NAME | ||
|
||
# Convert downloaded azure certs to p12 and jks, generate client jks keystore using CAcert and azure certs | ||
openssl pkcs12 -in $FULL_CERT -export -out $P12CERT -name azure-$i -passin pass:$KEYSTORE_PASSPHRASE -passout pass:$KEYSTORE_PASSPHRASE -password pass:$KEYSTORE_PASSPHRASE | ||
keytool -importkeystore -srckeystore $P12CERT -srcstoretype PKCS12 -destkeystore $CERT_KEYSTORE -deststoretype PKCS12 -srcstorepass $KEYSTORE_PASSPHRASE -deststorepass $KEYSTORE_PASSPHRASE -srcalias azure-$i -destalias azure-$i -srckeypass $KEYSTORE_PASSPHRASE -destkeypass $KEYSTORE_PASSPHRASE -noprompt | ||
|
||
# # Delete download private and public certs except CAroot cert | ||
rm -rf $P12CERT $FULL_CERT | ||
done | ||
|
||
} | ||
|
||
generate_trust_store_certs(){ | ||
|
||
oIFS="$IFS"; IFS=','; declare -a AZ_KV_TRUSTSTORE_CERTs=($AZ_KV_TRUSTSTORE_CERT); IFS="$oIFS"; unset oIFS | ||
|
||
#Remove duplicate cert names's | ||
TRUSTSTORE_CERT=( `for i in ${AZ_KV_TRUSTSTORE_CERTs[@]}; do echo $i; done | sort -u` ) | ||
|
||
for (( i=0; i < "${#TRUSTSTORE_CERT[@]}"; i++ )); | ||
do | ||
PUBLIC_CERT=$SECRETS_PATH/certificate-$i.pem | ||
|
||
#Download azure client private cert, certificate body and ceritifate chain | ||
echo "INFO: Downloading certs : ${TRUSTSTORE_CERT[$i]}" | ||
az keyvault certificate download --file $PUBLIC_CERT --name ${TRUSTSTORE_CERT[$i]} --vault-name $AZ_KV_NAME | ||
|
||
# Convert downloaded azure certs to p12 and jks, generate client jks keystore using CAcert and azure certs | ||
keytool -keystore $CERT_TRUSTSTORE -alias azure-$i -import -file $PUBLIC_CERT -storepass $TRUSTSTORE_PASSPHRASE -keypass $TRUSTSTORE_PASSPHRASE -noprompt | ||
cp $PUBLIC_CERT $CERTS_PATH/ca-certificate-$i.pem | ||
|
||
# Delete download private and public certs except CAroot cert | ||
rm -rf $PUBLIC_CERT | ||
done | ||
|
||
} | ||
|
||
if [[ -z "$AZ_KV_KEYSTORE_CERT" ]]; then | ||
echo "WARN: Config Provider[custom/cmazure] is configured but env variable AZ_KV_KEYSTORE_CERT is empty OR not supplied." | ||
echo "WARN: Skip fetching certificates from Azure Key Vault." | ||
else | ||
generate_key_store_certs | ||
fi | ||
|
||
if [[ -z "$AZ_KV_TRUSTSTORE_CERT" ]]; then | ||
echo "WARN: Config Provider[custom/cmazure] is configured but env variable AZ_KV_TRUSTSTORE_CERT is empty OR not supplied." | ||
echo "WARN: Skip fetching certificates from Azure Key Vault." | ||
else | ||
generate_trust_store_certs | ||
fi | ||
|
||
# Safe to logout | ||
az logout | ||
|
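Review bot: `az login` at line 204 puts the service-principal secret into argv via `-p $AZ_CLIENT_PASSWORD`, where it is visible in `ps` and process accounting on the build host, and its exit status is never checked, so a failed login does not stop the script: every later `az keyvault ... download` fails, openssl and keytool then fail on an empty file, and the run still ends with exit 0 and an incomplete keystore. At minimum add `az login ... || exit 1` and check each download (`az keyvault secret download ... || exit 1`); a certificate-based or workload-identity login would avoid handling a password secret at all. The PFX downloaded at line 231 contains the private key, is written under a predictable name in `$SECRETS_PATH` (not assigned in this file, so presumably inherited from the image), and is only removed at line 240 on the happy path — deleting it from a `trap ... EXIT` handler would also cover interrupted runs. Worth confirming as well that `az keyvault secret download` yields a binary PFX here: the CLI writes the stored value as text unless `--encoding base64` is given, in which case `openssl pkcs12 -in` at line 235 would not parse it.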
@@ -0,0 +1,44 @@ | ||
#!/bin/bash | ||
|
||
# | ||
# Copyright (c) 2023. TIBCO Software Inc. | ||
# This file is subject to the license terms contained in the license file that is distributed with this file. | ||
# | ||
|
||
source /home/tibco/be/configproviders/cputils.sh | ||
|
||
|
||
# fill this variable with required packages to be installed. Multiple packages can be represented in a space separated format ex: "curl unzip". | ||
REQUIRED_PKGS="curl" | ||
|
||
# fill this variable with packages used only during build time. Multiple packages can be represented in a space separated format ex: "curl unzip". | ||
# BUILD_PKGS="unzip" | ||
|
||
echo "INFO: Check for openssl and keytool utilites" | ||
|
||
if ! [ -x $(command -v openssl) ] ; then | ||
REQUIRED_PKGS="$REQUIRED_PKGS openssl" | ||
fi | ||
|
||
if ! [ -x $(command -v keytool) ] ; then | ||
echo "ERROR: keytool utility is required and it doesnot exists, exiting the build" | ||
exit 1; | ||
fi | ||
|
||
INSTALL_PKGS_LIST=$( getInstallPkgs "$REQUIRED_PKGS" ) | ||
CLEANUP_PKGS_LIST=$( getCleanupPkgs "$BUILD_PKGS" "$INSTALL_PKGS_LIST" ) | ||
|
||
# installing required packages | ||
if [ "$INSTALL_PKGS_LIST" != "" ]; then | ||
package-manager install -y $INSTALL_PKGS_LIST | ||
fi | ||
|
||
# install az cli | ||
curl -sL https://aka.ms/InstallAzureCLIDeb | bash | ||
|
||
az version | ||
|
||
if [ "$CLEANUP_PKGS_LIST" != "" ]; then | ||
package-manager remove -y $CLEANUP_PKGS_LIST | ||
fi | ||
|
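Review bot: Line 351 installs the Azure CLI with `curl -sL https://aka.ms/InstallAzureCLIDeb | bash`, executing an unpinned remote script as root inside the image build with no checksum or signature check, and because the pipeline's status is not examined a download failure (silenced by `-s`) lets the build continue straight to `az version`. Installing from the Microsoft apt repository with a pinned `azure-cli=<version>` package, or at least `curl -fsSL ... -o install.sh || exit 1` followed by a hash check before running it, would make the build reproducible and fail closed. The `[ -x $(command -v openssl) ]` test at line 329 also never fires when openssl is absent: the empty substitution leaves the one-argument form `[ -x ]`, which is true, so the negation is false; `if ! command -v openssl >/dev/null 2>&1; then` is the correct check (same for keytool at line 334).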