mcfearsome · April 12, 2022 11:40
diff --git a/certificates.sh b/certificates.sh
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: certificate-vault-sg-07dc26eb8f2031520-1
  namespace: vault-server
  annotations:
    cfn-client-token: dcd3b6e6-5814-9767-5f03-6fa6ad673274

 spec:

  template:
    spec:
      containers:
        - name: certificate-vault-sg-07dc26eb8f2031520-1
          image: amazonlinux
          command:
            - /bin/bash
            - '-c'
          args:
            - >
              sleep 15; yum install -y awscli 2>&1 > /dev/null; export
              AWS_REGION=us-west-2; export RELEASE_NAME=sg-07dc26eb8f2031520;
              export NAMESPACE=vault-server; aws sts get-caller-identity; aws s3
              cp ${S3_SCRIPT_URL} ./script.sh && sed -i
              's/certificates.k8s.io\/v1beta/certificates.k8s.io\/v/g'
              ./script.sh && chmod +x ./script.sh && ./script.sh
          env:
            - name: S3_SCRIPT_URL
              value: >-
                s3://aws-quickstart/quickstart-eks-hashicorp-vault/scripts/certificates.sh
            - name: NAME_SPACE
              value: vault-server
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
      restartPolicy: Never
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: boot-vault-sg-07dc26eb8f2031520
      serviceAccount: boot-vault-sg-07dc26eb8f2031520
      securityContext: {}
      schedulerName: default-scheduler
  completionMode: NonIndexed
  suspend: false
diff --git a/certs.sh b/certs.sh
 #!/bin/bash -e
 # SERVICE is the name of the Vault service in Kubernetes.
 # It does not have to match the actual running service, though it may help for consistency.
 SERVICE=vault-${RELEASE_NAME}
 # NAMESPACE where the Vault service is running.
 # NAMESPACE=vault-namespace
 # Exported by executor
 # SECRET_NAME to create in the Kubernetes secrets store.
 SECRET_NAME=vault-server-tls
 # TMPDIR is a temporary working directory.
 TMPDIR=/tmp
 # Sleep timer
 SLEEP_TIME=15
 # Name of the CSR
 echo "Name the CSR: vault-csr-${RELEASE_NAME}"
 export CSR_NAME=vault-csr-${RELEASE_NAME}

 # Install OpenSSL
 echo "Install openssl"
 yum install -y openssl 2>&1

 # Install Kubernetes cli
 echo "Install Kubernetes cli"
 curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl
 chmod +x ./kubectl
 mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
 kubectl version --short --client

 # Create a private key
 echo "Generate certificate Private key"
 openssl genrsa -out ${TMPDIR}/vault.key 2048

 # Create CSR
 echo "Create CSR file"
 cat <<EOF >${TMPDIR}/csr.conf
 [req]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name
 [req_distinguished_name]
 [ v3_req ]
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = ${SERVICE}
 DNS.2 = ${SERVICE}.${NAMESPACE}
 DNS.3 = ${SERVICE}.${NAMESPACE}.svc
 DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
 DNS.5 = vault-${RELEASE_NAME}-0.vault-${RELEASE_NAME}-internal
 DNS.6 = vault-${RELEASE_NAME}-1.vault-${RELEASE_NAME}-internal
 DNS.7 = vault-${RELEASE_NAME}-2.vault-${RELEASE_NAME}-internal
 IP.1 = 127.0.0.1
 EOF

 # Sign the CSR
 echo "Sign the CSR"
 openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf

 echo "Create a CSR Manifest file"
 cat <<EOF >${TMPDIR}/csr.yaml
 apiVersion: certificates.k8s.io/v1
 kind: CertificateSigningRequest
 metadata:
  name: ${CSR_NAME}
 spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  signerName: beta.eks.amazonaws.com/app-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
 EOF

 echo "Create CSR from manifest file"
 kubectl create -f ${TMPDIR}/csr.yaml

 # TODO: Loop this till cert is signed
 sleep ${SLEEP_TIME}
 echo "Fetch the CSR from kubernetes"
 kubectl get csr ${CSR_NAME}

 # Approve Cert
 echo "Approve the Certificate"
 kubectl certificate approve ${CSR_NAME}

 serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
 echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt

 # kubectl config view --raw -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca
 echo "Fetch Kubernetes CA Certificate"
 kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" | base64 --decode > ${TMPDIR}/vault.ca 2>/dev/null || true

 echo "Create secret containing the TLS Certificates and key"
 echo kubectl create secret generic ${SECRET_NAME} \
        --namespace ${NAMESPACE} \
        --from-file=vault.key=${TMPDIR}/vault.key \
        --from-file=vault.crt=${TMPDIR}/vault.crt \
        --from-file=vault.ca=${TMPDIR}/vault.ca

 kubectl create secret generic ${SECRET_NAME} \
        --namespace ${NAMESPACE} \
        --from-file=vault.key=${TMPDIR}/vault.key \
        --from-file=vault.crt=${TMPDIR}/vault.crt \
        --from-file=vault.ca=${TMPDIR}/vault.ca
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: certificate-vault-sg-07dc26eb8f2031520-1
	namespace: vault-server
	annotations:
	cfn-client-token: dcd3b6e6-5814-9767-5f03-6fa6ad673274

	spec:

	template:
	spec:
	containers:
	- name: certificate-vault-sg-07dc26eb8f2031520-1
	image: amazonlinux
	command:
	- /bin/bash
	- '-c'
	args:
	- >
	sleep 15; yum install -y awscli 2>&1 > /dev/null; export
	AWS_REGION=us-west-2; export RELEASE_NAME=sg-07dc26eb8f2031520;
	export NAMESPACE=vault-server; aws sts get-caller-identity; aws s3
	cp ${S3_SCRIPT_URL} ./script.sh && sed -i
	's/certificates.k8s.io\/v1beta/certificates.k8s.io\/v/g'
	./script.sh && chmod +x ./script.sh && ./script.sh
	env:
	- name: S3_SCRIPT_URL
	value: >-
	s3://aws-quickstart/quickstart-eks-hashicorp-vault/scripts/certificates.sh
	- name: NAME_SPACE
	value: vault-server
	resources: {}
	terminationMessagePath: /dev/termination-log
	terminationMessagePolicy: File
	imagePullPolicy: Always
	restartPolicy: Never
	terminationGracePeriodSeconds: 30
	dnsPolicy: ClusterFirst
	serviceAccountName: boot-vault-sg-07dc26eb8f2031520
	serviceAccount: boot-vault-sg-07dc26eb8f2031520
	securityContext: {}
	schedulerName: default-scheduler
	completionMode: NonIndexed
	suspend: false
	#!/bin/bash -e
	# SERVICE is the name of the Vault service in Kubernetes.
	# It does not have to match the actual running service, though it may help for consistency.
	SERVICE=vault-${RELEASE_NAME}
	# NAMESPACE where the Vault service is running.
	# NAMESPACE=vault-namespace
	# Exported by executor
	# SECRET_NAME to create in the Kubernetes secrets store.
	SECRET_NAME=vault-server-tls
	# TMPDIR is a temporary working directory.
	TMPDIR=/tmp
	# Sleep timer
	SLEEP_TIME=15
	# Name of the CSR
	echo "Name the CSR: vault-csr-${RELEASE_NAME}"
	export CSR_NAME=vault-csr-${RELEASE_NAME}

	# Install OpenSSL
	echo "Install openssl"
	yum install -y openssl 2>&1

	# Install Kubernetes cli
	echo "Install Kubernetes cli"
	curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl
	chmod +x ./kubectl
	mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
	kubectl version --short --client

	# Create a private key
	echo "Generate certificate Private key"
	openssl genrsa -out ${TMPDIR}/vault.key 2048

	# Create CSR
	echo "Create CSR file"
	cat <<EOF >${TMPDIR}/csr.conf
	[req]
	req_extensions = v3_req
	distinguished_name = req_distinguished_name
	[req_distinguished_name]
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName = @alt_names
	[alt_names]
	DNS.1 = ${SERVICE}
	DNS.2 = ${SERVICE}.${NAMESPACE}
	DNS.3 = ${SERVICE}.${NAMESPACE}.svc
	DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
	DNS.5 = vault-${RELEASE_NAME}-0.vault-${RELEASE_NAME}-internal
	DNS.6 = vault-${RELEASE_NAME}-1.vault-${RELEASE_NAME}-internal
	DNS.7 = vault-${RELEASE_NAME}-2.vault-${RELEASE_NAME}-internal
	IP.1 = 127.0.0.1
	EOF

	# Sign the CSR
	echo "Sign the CSR"
	openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf

	echo "Create a CSR Manifest file"
	cat <<EOF >${TMPDIR}/csr.yaml
	apiVersion: certificates.k8s.io/v1
	kind: CertificateSigningRequest
	metadata:
	name: ${CSR_NAME}
	spec:
	groups:
	- system:authenticated
	request: $(cat ${TMPDIR}/server.csr \| base64 \| tr -d '\n')
	signerName: beta.eks.amazonaws.com/app-serving
	usages:
	- digital signature
	- key encipherment
	- server auth
	EOF

	echo "Create CSR from manifest file"
	kubectl create -f ${TMPDIR}/csr.yaml

	# TODO: Loop this till cert is signed
	sleep ${SLEEP_TIME}
	echo "Fetch the CSR from kubernetes"
	kubectl get csr ${CSR_NAME}

	# Approve Cert
	echo "Approve the Certificate"
	kubectl certificate approve ${CSR_NAME}

	serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
	echo "${serverCert}" \| openssl base64 -d -A -out ${TMPDIR}/vault.crt

	# kubectl config view --raw -o jsonpath='{.clusters[].cluster.certificate-authority-data}' \| base64 -d > ${TMPDIR}/vault.ca
	echo "Fetch Kubernetes CA Certificate"
	kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" \| base64 --decode > ${TMPDIR}/vault.ca 2>/dev/null \|\| true

	echo "Create secret containing the TLS Certificates and key"
	echo kubectl create secret generic ${SECRET_NAME} \
	--namespace ${NAMESPACE} \
	--from-file=vault.key=${TMPDIR}/vault.key \
	--from-file=vault.crt=${TMPDIR}/vault.crt \
	--from-file=vault.ca=${TMPDIR}/vault.ca

	kubectl create secret generic ${SECRET_NAME} \
	--namespace ${NAMESPACE} \
	--from-file=vault.key=${TMPDIR}/vault.key \
	--from-file=vault.crt=${TMPDIR}/vault.crt \
	--from-file=vault.ca=${TMPDIR}/vault.ca