Skip to content
Snippets Groups Projects
Select Git revision
  • b23d25a7fd71252805d9ef2c84ad224741b29b83
  • main default protected
  • renovate/main-ghcr.io-renovatebot-base-image-11.x
  • chore/maintainers-rarkins
  • refactor/pin-new-value
  • fix/user-agent
  • feat/37517-base64-private-key
  • next
  • feat/gnupg
  • fix/36615b-branch-reuse-no-cache
  • chore/punycode
  • feat/36219--git-x509-signing
  • feat/structured-logger
  • hotfix/39.264.1
  • feat/skip-dangling
  • gh-readonly-queue/next/pr-36034-7a061c4ca1024a19e2c295d773d9642625d1c2be
  • hotfix/39.238.3
  • refactor/gitlab-auto-approve
  • feat/template-strings
  • gh-readonly-queue/next/pr-35654-137d934242c784e0c45d4b957362214f0eade1d7
  • fix/32307-global-extends-merging
  • 41.82.3
  • 41.82.2
  • 41.82.1
  • 41.82.0
  • 41.81.6
  • 41.81.5
  • 41.81.4
  • 41.81.3
  • 41.81.2
  • 41.81.1
  • 41.81.0
  • 41.80.0
  • 41.79.0
  • 41.78.1
  • 41.78.0
  • 41.77.0
  • 41.76.1
  • 41.76.0
  • 41.75.0
  • 41.74.5
41 results

result.ts

Blame
    • autocert.sh 5.42 KiB
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176 
    

    

    

    #!/bin/bash

#set -x

echo "Welcome to Autocert configuration. Press return to begin."
read ANYKEY


STEPPATH=/home/step/.step

CA_PASSWORD=asdf
AUTOCERT_PASSWORD=asdf

echo -e "\e[1mChecking cluster permissions...\e[0m"

function permission_error {
  # TODO: Figure out the actual service account instead of assuming default.
  echo
  echo -e "\033[0;31mPERMISSION ERROR\033[0m"
  echo "Set permissions by running the following command, then try again:"
  echo -e "\e[1m"
  echo "    kubectl create clusterrolebinding autocert-init-binding \\"
  echo "      --clusterrole cluster-admin \\"
  echo "      --user \"system:serviceaccount:default:default\""
  echo -e "\e[0m"
  echo "Once setup is complete you can remove this binding by running:"
  echo -e "\e[1m"
  echo "    kubectl delete clusterrolebinding autocert-init-binding"
  echo -e "\e[0m"

  exit 1
}

echo -n "Checking for permission to create step namespace: "
kubectl auth can-i create namespaces
if [ $? -ne 0 ]; then
    permission_error "create step namespace"
fi

echo -n "Checking for permission to create configmaps in step namespace: "
kubectl auth can-i create configmaps --namespace step
if [ $? -ne 0 ]; then
    permission_error "create configmaps"
fi

echo -n "Checking for permission to create secrets in step namespace: "
kubectl auth can-i create secrets --namespace step
if [ $? -ne 0 ]; then
    permission_error "create secrets"
fi

echo -n "Checking for permission to create deployments in step namespace: "
kubectl auth can-i create deployments --namespace step
if [ $? -ne 0 ]; then
    permission_error "create deployments"
fi

echo -n "Checking for permission to create services in step namespace: "
kubectl auth can-i create services --namespace step
if [ $? -ne 0 ]; then
    permission_error "create services"
fi

echo -n "Checking for permission to create cluster role: "
kubectl auth can-i create clusterrole
if [ $? -ne 0 ]; then
    permission_error "create cluster roles"
fi

echo -n "Checking for permission to create cluster role binding:"
kubectl auth can-i create clusterrolebinding
if [ $? -ne 0 ]; then
    permission_error "create cluster role bindings"
    exit 1
fi

# Setting this here on purpose, after the above section which explicitly checks
# for and handles exit errors.
set -e

step ca init \
  --name "$CA_NAME" \
  --dns "$CA_DNS" \
  --address "$CA_ADDRESS" \
  --provisioner "$CA_DEFAULT_PROVISIONER" \
  --with-ca-url "$CA_URL" \
  --password-file <(echo "$CA_PASSWORD")

cp -f ./ca/ca.json $(step path)/config/ca.json
cp -f ./ca/root_ca.crt $(step path)/certs/root_ca.crt
cp -f ./ca/pubkey.pem $(step path)/certs/pubkey.pem
cp -f ./ca/intermediate_ca.crt $(step path)/certs/intermediate_ca.crt
cp -f ./ca/intermediate_ca_key $(step path)/certs/intermediate_ca_key
rm -f $(step path)/config/defaults.json

echo
echo -e "\e[1mCreating autocert provisioner...\e[0m"

expect <<EOD
spawn step ca provisioner add autocert --create --ca-config $(step path)/config/ca.json
expect "Please enter a password to encrypt the provisioner private key? \\\\\\[leave empty and we'll generate one\\\\\\]: "
send "${AUTOCERT_PASSWORD}\n"
expect eof
EOD

echo
echo -e "\e[1mCreating step namespace and preparing environment...\e[0m"

jq -s '.[0] * .[1]' $(step path)/config/ca.json ./ct.json > $(step path)/config/_ca.json
rm -f $(step path)/config/ca.json
mv -f $(step path)/config/_ca.json $(step path)/config/ca.json

kubectl create namespace step

kubectl -n step create configmap config --from-file $(step path)/config
kubectl -n step create configmap certs --from-file $(step path)/certs
kubectl -n step create configmap secrets --from-file $(step path)/secrets

kubectl -n step create secret generic ca-password --from-literal "password=${CA_PASSWORD}"
kubectl -n step create secret generic autocert-password --from-literal "password=${AUTOCERT_PASSWORD}"

# Deploy CA and wait for rollout to complete
echo
echo -e "\e[1mDeploying certificate authority...\e[0m"

kubectl apply -f https://raw.githubusercontent.com/smallstep/certificates/seb/ct-local/autocert/install/01-step-ca.yaml
kubectl -n step rollout status deployment/ca

# Deploy autocert, setup RBAC, and wait for rollout to complete
echo
echo -e "\e[1mDeploying autocert...\e[0m"

kubectl apply -f https://raw.githubusercontent.com/smallstep/certificates/seb/ct-local/autocert/install/02-autocert.yaml
kubectl apply -f https://raw.githubusercontent.com/smallstep/certificates/seb/ct-local/autocert/install/03-rbac.yaml
kubectl -n step rollout status deployment/autocert

# Some `base64`s wrap lines... no thanks!
CA_BUNDLE=$(cat $(step path)/certs/root_ca.crt | base64 | tr -d '\n')

cat <<EOF | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: autocert-webhook-config
  labels: {app: autocert}
webhooks:
  - name: autocert.step.sm
    clientConfig:
      service:
        name: autocert
        namespace: step
        path: "/mutate"
      caBundle: $CA_BUNDLE
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Ignore
    namespaceSelector:
      matchLabels:
        autocert.step.sm: enabled
EOF

FINGERPRINT=$(step certificate fingerprint $(step path)/certs/root_ca.crt)

echo
echo -e "\e[1mAutocert installed!\e[0m"
echo
echo "Store this information somewhere safe:"
echo "  CA & admin provisioner password: ${CA_PASSWORD}"
echo "  Autocert password: ${AUTOCERT_PASSWORD}"
echo "  CA Fingerprint: ${FINGERPRINT}"
echo