Load XOS certificates from files rather than embedding in the values file
Change-Id: Iebcba439adfdb8e9358067a0e84ab790b39a17d4
diff --git a/scripts/pki/.gitignore b/scripts/pki/.gitignore
index 6ec615a..3c69f2e 100644
--- a/scripts/pki/.gitignore
+++ b/scripts/pki/.gitignore
@@ -2,4 +2,3 @@
*.key
*.csr
root_ca
-helm_xos_pki.yaml
diff --git a/scripts/pki/Makefile b/scripts/pki/Makefile
index 70fce4f..2b27fe7 100644
--- a/scripts/pki/Makefile
+++ b/scripts/pki/Makefile
@@ -25,7 +25,7 @@
# utility/validation targets
help:
- @echo "Usually you want to run 'make helm_xos_pki.yaml'"
+ @echo "Usually you want to run 'make all_certs'"
validate:
openssl verify -verbose -purpose sslserver -CAfile xos-CA.pem xos-core.crt
@@ -44,21 +44,8 @@
all_certs: xos-core.pem
-helm_xos_pki.yaml: xos-CA.pem xos-core.pem xos-core.key
- @echo "Creating helm compatible YAML file containing certs"
- @echo "---" > $@
- @echo "# Certificates can be regenerated with scripts/pki/Makefile" >> $@
- @echo "# Created on: `date -u`, good for $(EXPIRATION_DAYS) days" >> $@
- @echo "ca_cert_chain: |" >> $@
- @cat xos-CA.pem | base64 | sed 's/^/ /' >> $@
- @echo "secrets:" >> $@
- @echo " core_api_cert: |" >> $@
- @cat xos-core.pem | base64 | sed 's/^/ /' >> $@
- @echo " core_api_key: |" >> $@
- @cat xos-core.key | base64 | sed 's/^/ /' >> $@
-
clean:
- rm -rf root_ca *.pem *.key *.csr helm_xos_pki.yaml
+ rm -rf root_ca *.pem *.key *.csr
# CA creation
root_ca:
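Review bot: Nothing in the Makefile moves the regenerated files into the chart, so after `make all_certs` the copies under `xos-core/pki` (the files `_core.tpl` and `coreapi-cert-secret.yaml` read in this change) stay stale until someone performs the manual copy step the README now describes, and the `rm` line in `clean` only removes the local copies. An `install_certs` target with the three files as prerequisites would make that hand-off reproducible and let the `help` text in the earlier hunk point at one command; the key should be copied with a restrictive mode since it is a private key. The `root_ca` rule on the last line continues outside the hunk.
```make
# Chart PKI directory, relative to scripts/pki (adjust if the layout differs)
CHART_PKI_DIR := ../../xos-core/pki

.PHONY: install_certs
install_certs: xos-CA.pem xos-core.pem xos-core.key  ## Copy generated certs into the chart
	install -m 0644 xos-CA.pem xos-core.pem $(CHART_PKI_DIR)/
	install -m 0600 xos-core.key $(CHART_PKI_DIR)/
```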
diff --git a/scripts/pki/README.md b/scripts/pki/README.md
index 302b3e1..2aeaea1 100644
--- a/scripts/pki/README.md
+++ b/scripts/pki/README.md
@@ -1,7 +1,12 @@
-# XOS certificate generation
+# XOS Certificate Generation
-Run `make` on a system with the `openssl` cli tool installed to see options.
+To create certificates for use with XOS, you'll need a system with `make` and
+the `openssl` cli tool.
-Most likely you'll want to run `make helm_xos_pki.yaml` to generate a helm
-values file with base64 encoded certificates in it.
+Most frequently you'll want to run `make all_certs`, then copy the files:
+- `xos-CA.pem`
+- `xos-core.pem`
+- `xos-core.key`
+
+into the `xos-core/pki` chart directory.
diff --git a/xos-core/pki/xos-CA.pem b/xos-core/pki/xos-CA.pem
new file mode 100644
index 0000000..655dc29
--- /dev/null
+++ b/xos-core/pki/xos-CA.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1jCCAr6gAwIBAgIJAIWmwLL7nulVMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQHDApNZW5sbyBQYXJr
+MQwwCgYDVQQKDANPTkYxFTATBgNVBAsMDFRlc3RpbmcgT25seTEaMBgGA1UEAwwR
+Q09SRCBUZXN0IFJvb3QgQ0EwHhcNMTgxMjE0MTgyNTE5WhcNMTkxMjE1MTgyNTE5
+WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTETMBEGA1UEBwwK
+TWVubG8gUGFyazEMMAoGA1UECgwDT05GMRUwEwYDVQQLDAxUZXN0aW5nIE9ubHkx
+GjAYBgNVBAMMEUNPUkQgVGVzdCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAokxdd5vyy83NPQYQK/wsz6VLrunv/3FNSbUv9dC4MC5zZyMd
+oxrYCfM38rypbrB5PIVlFdndfDzoYORmlC9gxJnFUmAztyU2JIZrcxk1sQ+lBWj+
+Bytwh1TKT0OSfEWjB/LV1FGLAuspJGBn2T0E35bGhhzOL8Cgm0e8akeAfs2s9akO
+Xcj+4osnAkXynKl+HhCTBkcrmg1YsTB3+0ug0vM5xuHMU5tVVKpn9DinZ3enuHle
+ICyiMF8JyEibjGl0cjnGhw1lPzT7lsjxuoZhr3NaIlI/zUXBDTJbJ6T6gUa1Npa/
+lurbEn/9pUMQcUIOnIfzbmzVjPmd0AL9fEcAlQIDAQABo2MwYTAdBgNVHQ4EFgQU
+xYhJSu6N6DF7C39G1hAvF7JOC54wHwYDVR0jBBgwFoAUxYhJSu6N6DF7C39G1hAv
+F7JOC54wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
+AQELBQADggEBAJc7J+ZVhp7ti+YN2Smv/jtz79NyF1J6Eb3M/BC/A5Eo8Cp2hklC
+NI00+con2Dvvbmj6lOgKXPL6C8LgxiZ5gVDtSvK8zuoIzkIDod4IovxcwLrvlIH4
+BpG6Sm1d7EbwAHKFGc0qvVdRN48P884KnzW27eLtsdqrkUPuqz9Ph1JJmAzy3v5p
+pKtL6zfn706pcad5NuAcoz0782T+wszHmBv0SBboLdo9NyUciJBQCjIDaSEOpqze
+upzRp50aDMq3nxd7yZ3VGA52ECNQ4gWgWAHomDS22RdCHsedbUofnrl6TW88j+Aa
++4AJR9CmhoP1CnKHb5wVCBScw9T8gu3aLe0=
+-----END CERTIFICATE-----
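Review bot: The CA certificate committed here carries no record of when it expires, and the DER near the start of the blob appears to encode a validity window of 2018-12-14 to 2019-12-15 (the same one-year span as the leaf's `Not After : Dec 15 18:25:19 2019 GMT` in the xos-core.pem hunk), so every chart install after that date will ship an expired trust root with nothing in the build flagging it. The Makefile's `validate` target only checks the files in `scripts/pki`, not the copies in the chart. I would record the expiry and the regeneration command in `scripts/pki/README.md` next to the copy instructions, e.g. `These certificates expire on 2019-12-15; regenerate with make clean all_certs and copy them again.`, and consider a CI check that runs `openssl x509 -checkend` against `xos-core/pki/*.pem`.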
diff --git a/xos-core/pki/xos-core.key b/xos-core/pki/xos-core.key
new file mode 100644
index 0000000..61d1b95
--- /dev/null
+++ b/xos-core/pki/xos-core.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
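Review bot: This hunk commits a private key into the repository and, via the `tls.key: {{ .Files.Get "pki/xos-core.key" | b64enc }}` line in coreapi-cert-secret.yaml, packages it into every copy of the chart, so the key protecting the xos-core API is as widely available as the repo and the chart archive; the `OU=Testing Only` issuer shown in the xos-core.pem hunk signals test use, but nothing in the chart restricts it to that. The `*.key` rule in `scripts/pki/.gitignore` does not cover `xos-core/pki/`, so the guard that kept keys out of git in the old layout no longer applies here. A safer default is to have the chart mint the pair at install time with Helm's `genCA`/`genSignedCert` template functions, or to read the key from an operator-supplied value (`--set-file`) and fall back to this committed pair only behind an explicit test flag; at minimum the README and chart docs should state that this key is shared test material to be replaced for any non-throwaway deployment.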
diff --git a/xos-core/pki/xos-core.pem b/xos-core/pki/xos-core.pem
new file mode 100644
index 0000000..92c26f2
--- /dev/null
+++ b/xos-core/pki/xos-core.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4096 (0x1000)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=California, L=Menlo Park, O=ONF, OU=Testing Only, CN=CORD Test Root CA
+ Validity
+ Not Before: Dec 14 18:25:19 2018 GMT
+ Not After : Dec 15 18:25:19 2019 GMT
+ Subject: C=US, ST=California, L=Menlo Park, O=ONF, OU=Testing Only, CN=xos-core
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d8:4b:92:51:d5:64:0d:00:49:b2:37:fb:64:ae:
+ cd:60:e5:65:b7:a2:11:d7:a4:c8:de:15:d0:61:0a:
+ f6:f5:a8:ef:68:7c:c9:29:17:a5:ee:14:69:cb:a9:
+ b5:24:fc:bb:95:73:48:17:96:9d:da:8a:0a:e5:ee:
+ f1:c6:2f:2d:89:41:97:26:b4:f1:72:18:1e:02:c9:
+ 48:d8:02:5a:36:ab:16:3f:f8:b2:80:62:7e:51:79:
+ ef:a9:dd:4f:18:82:e9:92:e7:31:ba:64:65:40:45:
+ c4:17:be:d2:55:34:8f:be:87:5f:7f:1b:2b:a7:e5:
+ ed:d8:b9:cd:9a:7f:1a:f5:14:89:31:5e:b5:b9:14:
+ a0:14:0b:e0:a4:89:70:d8:b1:2b:ea:74:bd:41:02:
+ ee:37:f1:34:b9:78:a1:30:5b:b9:fc:c2:4d:8e:39:
+ d6:86:6a:55:55:fb:eb:68:20:06:2c:1d:5a:cd:4e:
+ e9:d9:70:bb:5d:f9:9a:9c:d6:8d:4f:69:d4:0d:5a:
+ 28:5d:6a:74:ec:9d:09:0d:e4:be:cd:03:73:94:d3:
+ 47:83:27:77:e8:91:88:ec:15:47:0e:5e:cd:05:4b:
+ 9c:4d:f7:6c:11:02:b5:69:86:39:ce:03:fe:9e:de:
+ 33:cd:93:26:69:59:52:f2:80:49:08:15:aa:de:3e:
+ e0:ff
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 30:AC:5D:59:D7:FD:7D:47:BB:F1:EF:2F:22:2B:4B:D6:8E:66:54:69
+ X509v3 Authority Key Identifier:
+ keyid:C5:88:49:4A:EE:8D:E8:31:7B:0B:7F:46:D6:10:2F:17:B2:4E:0B:9E
+ DirName:/C=US/ST=California/L=Menlo Park/O=ONF/OU=Testing Only/CN=CORD Test Root CA
+ serial:85:A6:C0:B2:FB:9E:E9:55
+
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ X509v3 Subject Alternative Name:
+ DNS:xos-core, DNS:xos-core.default, DNS:xos-core.default.svc.cluster.local
+ Signature Algorithm: sha256WithRSAEncryption
+ 15:cd:7b:ba:21:f0:79:30:8a:be:b9:04:d1:39:d8:ad:de:0f:
+ 44:eb:64:39:dc:79:7e:57:b7:29:36:a1:dc:66:7b:38:6d:55:
+ 89:98:d8:3a:eb:cb:8a:08:46:81:69:6a:95:b7:24:02:b1:55:
+ 3a:cf:0a:18:d5:15:92:77:7d:01:c4:f3:72:65:d9:1a:ef:1c:
+ dd:87:ab:eb:a3:1b:2e:a3:2c:e8:d9:7f:a9:a7:49:47:83:84:
+ 99:f7:ea:10:48:6b:3a:4b:be:c4:08:d3:ac:3f:b8:a7:a7:b6:
+ d6:74:d1:ad:c6:b1:75:42:d8:2b:5e:ee:ed:30:39:0f:f1:2d:
+ 30:24:1d:3d:46:4b:4b:db:d2:3c:d4:d2:68:ff:d9:29:1e:b4:
+ 8b:06:e4:c9:02:bd:23:02:36:1f:8d:1e:1e:8f:16:19:e4:17:
+ 34:8c:e1:a7:a6:25:0b:e8:b0:bd:f7:51:b8:1b:6f:fd:6a:3d:
+ 6b:09:9d:05:18:ac:77:02:62:bb:91:5a:15:79:d9:11:22:8a:
+ e9:b7:c3:b4:83:ab:5b:71:25:df:d0:e1:6a:ad:43:dc:5d:cb:
+ f5:5d:49:2b:53:25:8b:64:f8:33:44:df:d2:44:ec:03:72:32:
+ da:77:75:cf:67:83:be:3c:6e:75:72:2f:f3:31:39:7f:e3:60:
+ cb:0e:57:f8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
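Review bot: The leaf certificate's Subject Alternative Name list (`DNS:xos-core, DNS:xos-core.default, DNS:xos-core.default.svc.cluster.local`) binds it to the `default` namespace, matching the hard-coded `namespace: default` in the secret template, so installing the chart into any other namespace yields a certificate whose names do not match the in-cluster service name and hostname-verifying clients will reject it. Either the SAN list needs the deployment namespace (which argues for generating the cert at install time using `.Release.Namespace`) or the namespace restriction should be documented as a hard requirement. Separately, the file keeps the `openssl x509 -text` dump ahead of the PEM block, and the whole file is what lands in `tls.crt`; OpenSSL and Go's PEM decoders skip leading non-PEM text so it likely works, but the secret is several times larger than needed and stricter consumers may not accept it, so I would store only the `-----BEGIN CERTIFICATE-----` block (drop `-text` from the `openssl x509` step that produces it, if that is how it is generated; the Makefile rule is outside this diff).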
diff --git a/xos-core/templates/_core.tpl b/xos-core/templates/_core.tpl
index 6722475..bd13e16 100644
--- a/xos-core/templates/_core.tpl
+++ b/xos-core/templates/_core.tpl
@@ -69,6 +69,6 @@
{{- end }}
{{- define "xos-core.ca_cert_chain" }}
-{{ .Values.ca_cert_chain | b64dec }}
+{{ (.Files.Get "pki/xos-CA.pem")}}
{{- end }}
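Review bot: `.Files.Get` returns an empty string when the file is not in the chart, so a chart packaged without `pki/xos-CA.pem` (or a path typo) renders an empty CA chain here instead of failing, and the same applies to the two `.Files.Get` lines in coreapi-cert-secret.yaml, which would produce a `kubernetes.io/tls` secret with empty `tls.crt`/`tls.key`. Wrapping the lookups in `required` turns this into a render-time error: `{{ required "pki/xos-CA.pem missing from chart" (.Files.Get "pki/xos-CA.pem") }}`. The helper also no longer runs `b64dec`, so any template that includes `xos-core.ca_cert_chain` now receives raw PEM; that looks intended since the file is stored as PEM, but the consumers are outside this hunk.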
diff --git a/xos-core/templates/coreapi-cert-secret.yaml b/xos-core/templates/coreapi-cert-secret.yaml
index 048f552..b70cba6 100644
--- a/xos-core/templates/coreapi-cert-secret.yaml
+++ b/xos-core/templates/coreapi-cert-secret.yaml
@@ -20,5 +20,5 @@
namespace: default
type: kubernetes.io/tls
data:
- tls.crt: {{ .Values.secrets.core_api_cert }}
- tls.key: {{ .Values.secrets.core_api_key }}
+ tls.crt: {{ .Files.Get "pki/xos-core.pem" | b64enc }}
+ tls.key: {{ .Files.Get "pki/xos-core.key" | b64enc }}