@Eldelshell
Last active April 2, 2020 10:41
Istio Certificates Wizard

Certificate Wizard

Generates a bunch of files needed for securing SSL/TLS servers.

Istio

To add these files to Istio:

$ oc create -n istio-system secret tls ingressgateway-EXAMPLE-certs --key EXAMPLE-root.key --cert EXAMPLE-root.crt
$ oc -n istio-system patch --type=json deploy istio-ingressgateway -p "$(cat istio-gateway-patch.json)"
$ oc exec -it -n istio-system $(oc -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-EXAMPLE-certs
# OpenSSL request/extension configuration consumed by the wizard script:
#   - [req] / [req_distinguished_name] are read by
#     `openssl req -new -config ca.cfg -batch` to build the server CSR
#     (prompt = no keeps that step non-interactive).
#   - [v3_req] is also handed to `openssl x509 ... -extfile ca.cfg -extensions v3_req`
#     when the root key signs that CSR, so these extensions end up on the
#     server certificate itself.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Acme
# NOTE(review): this is the same CN the script gives the self-signed root CA,
# so the server certificate's subject equals its issuer's subject. A distinct
# subject (e.g. the service host name) for the leaf is the usual practice;
# confirm before changing, since the script's root DN is maintained separately.
CN = Acme CA
[v3_req]
# NOTE(review): keyCertSign + CA:TRUE describe a CA certificate. Because the
# script applies v3_req to the server certificate as well, the leaf is issued
# with CA capabilities and without the TLS-facing usages (no
# digitalSignature/keyEncipherment, no serverAuth extendedKeyUsage). A separate
# extension section for the server cert would be safer.
keyUsage = keyCertSign
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
# Must match the host published in the OpenShift Route (ca.example.com).
DNS.1 = ca.example.com
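#!/usr/bin/env bash
#
# Certificate wizard: creates a self-signed root CA, a server key/CSR/cert
# signed by that CA, PKCS#8 and PKCS#12 copies of keys, a chain file and a
# Java keystore, all in the current directory.
#
# Inputs:   ca.cfg in the current directory (DN fields for the CSR; its v3_req
#           section is also used as -extfile when the root signs the CSR).
#           KEY_BITS (optional env var) overrides the RSA modulus size.
# Outputs:  ${project_name}-root.{key,crt}, -key.pem, -cert.pem,
#           -private-key.pem, -private-key-pkcs12.pem, -public-key.pem,
#           -cert-chain.pem and ${project_name}.jks.
# Prompts:  `openssl pkcs12 -export` and `keytool` ask for keystore passwords;
#           every other step runs non-interactively.
# Exit:     0 on success; any failing step aborts with a message on stderr
#           (the original continued silently because all output was discarded).
set -euo pipefail

readonly project_name="example"
# Validity in days for both the root and the server certificate (~100 years).
readonly longevity="36500"
# RSA modulus size. The original value (2056) is kept as the default so output
# is unchanged; set KEY_BITS=2048 (or larger) to override.
readonly key_bits="${KEY_BITS:-2056}"

# Private keys are written below: make new files owner-readable only.
umask 077

die() { printf '%s\n' "$*" >&2; exit 1; }

printf 'Generate key (%s-root.key) and cert root (%s-root.crt).\n' "$project_name" "$project_name"
# Self-signed root CA. The subject used to be fed through a here-document that
# answered openssl's interactive prompts; -subj gives the same DN without
# depending on the prompt order of the system openssl.cnf.
openssl req -newkey "rsa:${key_bits}" -nodes \
  -keyout "${project_name}-root.key" \
  -x509 -days "$longevity" -out "${project_name}-root.crt" \
  -subj "/C=US/ST=California/L=Los Angeles/O=Acme/OU=IT/CN=Acme CA/emailAddress=testrootca@example.com" \
  >/dev/null 2>&1 || die "openssl req (root CA) failed"

printf 'Generate private key %s-key.pem\n' "$project_name"
openssl genrsa -out "${project_name}-key.pem" "$key_bits" >/dev/null 2>&1 \
  || die "openssl genrsa failed"

printf 'Generate CSR %s-cert.csr\n' "$project_name"
openssl req -new -key "${project_name}-key.pem" -out "${project_name}-cert.csr" \
  -config ca.cfg -batch -sha256 >/dev/null 2>&1 || die "openssl req (CSR) failed"

printf 'Sign the cert to %s-cert.pem\n' "$project_name"
# NOTE(review): v3_req in ca.cfg carries basicConstraints=CA:TRUE and
# keyUsage=keyCertSign, so the server certificate is issued with CA
# capabilities and without TLS key usages. A dedicated extension section for
# the server cert is advisable; kept as-is here so the output is unchanged.
openssl x509 -req -days "$longevity" -in "${project_name}-cert.csr" -sha256 \
  -CA "${project_name}-root.crt" -CAkey "${project_name}-root.key" -CAcreateserial \
  -out "${project_name}-cert.pem" -extensions v3_req -extfile ca.cfg \
  >/dev/null 2>&1 || die "openssl x509 (sign) failed"

printf 'Transform %s-key.pem to pkcs8 %s-private-key.pem\n' "$project_name" "$project_name"
# Unencrypted (-nocrypt) PKCS#8 copy of the server key.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
  -in "${project_name}-key.pem" -out "${project_name}-private-key.pem" \
  >/dev/null 2>&1 || die "openssl pkcs8 failed"

printf 'Generate PKCS12 %s-private-key-pkcs12.pem\n' "$project_name"
# Prompts for an export password; output is deliberately not suppressed.
# NOTE(review): this bundle holds the ROOT CA key and certificate, not the
# server key/cert generated above, and the JKS below is built from it.
# Confirm that is intended before distributing the keystore.
openssl pkcs12 -export -name "testrootca@${project_name}.com" \
  -in "${project_name}-root.crt" -inkey "${project_name}-root.key" \
  -out "${project_name}-private-key-pkcs12.pem" || die "openssl pkcs12 failed"

printf 'Generate public key %s-public-key.pem\n' "$project_name"
# Bug fix: the input path was written as $"{project_name}-..." (bash locale
# quoting), which expanded to the literal file name
# "{project_name}-private-key.pem"; the resulting failure was hidden by the
# output redirection and no public key was ever produced.
openssl rsa -in "${project_name}-private-key.pem" -outform PEM -pubout \
  -out "${project_name}-public-key.pem" >/dev/null 2>&1 \
  || die "openssl rsa -pubout failed"

# Remove only the intermediates this script created (the CSR and the serial
# file written by -CAcreateserial, named after the CA certificate) instead of
# every *csr / *srl file that happens to be in the directory.
rm -f -- "${project_name}-cert.csr" "${project_name}-root.srl"

printf 'Generate cert chain file %s-cert-chain.pem\n' "$project_name"
# No intermediate CA exists, so the chain file is the leaf certificate alone.
cp -- "${project_name}-cert.pem" "${project_name}-cert-chain.pem"

printf 'Generate Java keystore at %s.jks\n' "$project_name"
# keytool prompts for the source (PKCS#12) and destination keystore passwords.
keytool -importkeystore -srckeystore "${project_name}-private-key-pkcs12.pem" \
  -srcstoretype PKCS12 -destkeystore "${project_name}.jks" -deststoretype JKS \
  -alias "${project_name}" || die "keytool failed"

printf 'Done\n'
exit 0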
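# OpenShift Route exposing the Istio ingress gateway over TLS. Indentation is
# restored here: the flattened copy was not valid YAML.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: https-route
  namespace: istio-system
spec:
  # Must match one of the subjectAltName entries in ca.cfg (DNS.1 = ca.example.com).
  # The root domain can be used instead, but then every ingress microservice
  # will be bound to https.
  host: ca.example.com
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  port:
    targetPort: https
  tls:
    # The router does not terminate TLS; the ingress gateway behind the Service
    # does, using the certificate secret mounted by istio-gateway-patch.json.
    termination: passthrough
    insecureEdgeTerminationPolicy: None
  wildcardPolicy: None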
[{
"op": "add",
"path": "/spec/template/spec/containers/0/volumeMounts/0",
"value": {
"mountPath": "/etc/istio/ingressgateway-EXAMPLE-certs",
"name": "ingressgateway-EXAMPLE-certs",
"readOnly": true
}
},
{
"op": "add",
"path": "/spec/template/spec/volumes/0",
"value": {
"name": "ingressgateway-EXAMPLE-certs",
"secret": {
"secretName": "ingressgateway-EXAMPLE-certs",
"optional": true
}
}
}]