set up a truststore for Kafka clients connecting to the Event Gateway in Event Endpoint Management (using the keystore retrieved from the API Manager)
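# -------------------------------------------------------------------
# update these to match your Event Endpoint Management instance
# -------------------------------------------------------------------
NAMESPACE=eventendpointmanagement
INSTANCE=eem
# printf instead of echo: the "\n" and "\033" escapes used for the
# coloured headings are only interpreted by echo in some shells (zsh,
# dash); under bash they print literally. printf is consistent everywhere.
printf '\n\033[1;33m getting SSL/TLS details for Event Gateway in...\033[0m\n'
printf 'namespace : %s\n' "$NAMESPACE"
printf 'instance : %s\n' "$INSTANCE"
# -------------------------------------------------------------------
# verify dependencies are all available
# -------------------------------------------------------------------
printf '\n\033[1;33m checking for script dependencies...\033[0m\n'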
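#######################################
# Abort the script if a required command is not on PATH.
# Arguments: $1 - command name to look for
# Outputs:   "verified <name>" on stdout, or an error on stderr
# Returns:   0 if found; otherwise the script exits with status 1
#            (the original exited 0, so a missing tool looked like a
#            successful run to any caller or CI job).
#######################################
check_dependency () {
  local tool="$1"
  if command -v -- "$tool" >/dev/null 2>&1; then
    printf 'verified %s\n' "$tool"
  else
    printf '%s could not be found\n' "$tool" >&2
    exit 1
  fi
}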
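check_dependency "apic"
check_dependency "curl"
check_dependency "jq"
check_dependency "keytool"
check_dependency "oc"
# -------------------------------------------------------------------
# cleanup from previous runs
# -------------------------------------------------------------------
# -f: on a first run there is no my.p12 yet and that must not be
# reported as an error (the original rm printed one every first run).
rm -f -- my.p12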
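# -------------------------------------------------------------------
# log into apic CLI
# -------------------------------------------------------------------
# Credential chain: cluster-admin password (foundational-services
# secret) -> IAM token -> Zen token -> apic toolkit API key.
#
# SECURITY: every curl below uses -k, so the cluster's own TLS
# certificate is NOT verified while we bootstrap a truststore that is
# meant to verify TLS elsewhere. Replace -k with --cacert <cluster-ca.pem>
# if you have the cluster CA available.
printf '\n\033[1;33m logging into apic CLI...\033[0m\n'

# The script does not use `set -e`, so each step checks its own result.
_die() { printf '%s\n' "$*" >&2; exit 1; }
# `jq -r` prints the literal string "null" for a missing key, so treat
# that the same as an empty result.
_require() { [ -n "$2" ] && [ "$2" != "null" ] || _die "could not obtain $1"; }

# assumes exactly one ZenService exists on the cluster — with several,
# this jsonpath returns them all space-separated. TODO confirm
CP4I_NAMESPACE=$(oc get zenservice -A -o jsonpath='{..namespace}')
_require "CP4I namespace" "$CP4I_NAMESPACE"

echo "creating IAM token"
CS_HOST=https://$(oc -n kube-public get cm ibmcloud-cluster-info -o jsonpath='{.data.cluster_address}')
IAM_PASSWORD=$(oc get secret -n ibm-common-services platform-auth-idp-credentials -o jsonpath='{..admin_password}' | base64 -d)
_require "admin password" "$IAM_PASSWORD"
# The password is fed to curl on stdin and URL-encoded by curl itself:
# the original `-d "...&password=${IAM_PASSWORD}&..."` broke on passwords
# containing '&', '%' or '+' and put the cluster-admin password into
# curl's argv, where anyone on the host could read it from `ps`.
IAM_TOKEN=$(printf '%s' "$IAM_PASSWORD" | curl -k -sS -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=admin' \
  --data-urlencode 'password@-' \
  --data-urlencode 'scope=openid' \
  "${CS_HOST}/v1/auth/identitytoken" | jq -r .access_token)
_require "IAM token" "$IAM_TOKEN"

echo "creating Zen token"
ZEN_HOST=https://$(oc get route -n "$CP4I_NAMESPACE" cpd -o=jsonpath='{.spec.host}')
# NOTE: the IAM token is passed as a header on argv; it is short-lived,
# but use `-H @headerfile` instead on a shared host.
ZEN_TOKEN=$(curl -k -sS "${ZEN_HOST}/v1/preauth/validateAuth" -H "username: admin" -H "iam-token: ${IAM_TOKEN}" | jq -r .accessToken)
_require "Zen token" "$ZEN_TOKEN"

echo "downloading apic config json file"
PLATFORM_API_URL=$(oc get eventendpointmanagers "$INSTANCE" -n "$NAMESPACE" -o=jsonpath='{.status.endpoints[?(@.name=="platformApi")].uri}')
_require "platform API URL" "$PLATFORM_API_URL"
# The toolkit credentials are a secret. Keep them in a private temp
# directory and remove it on any exit path, not only on success (the
# original left creds.json in the working directory if a later step failed).
CREDS_DIR=$(mktemp -d) || _die "mktemp failed"
trap 'rm -rf -- "$CREDS_DIR"' EXIT
CREDS_FILE="$CREDS_DIR/creds.json"
TOOLKIT_CREDS_URL="$PLATFORM_API_URL/cloud/settings/toolkit-credentials"
curl -k -sS "$TOOLKIT_CREDS_URL" -H "Authorization: Bearer ${ZEN_TOKEN}" -H "Accept: application/json" -H "Content-Type: application/json" -o "$CREDS_FILE" \
  || _die "failed to download toolkit credentials"
yes | apic client-creds:set "$CREDS_FILE"

echo "creating apic API key"
# NOTE: a new toolkit API key is minted on every run and never revoked,
# so they accumulate in the Cloud Manager; prune them periodically.
APIC_APIKEY=$(curl -k -sS -X POST "${PLATFORM_API_URL}/cloud/api-keys" -H "Authorization: Bearer ${ZEN_TOKEN}" -H "Accept: application/json" -H "Content-Type: application/json" -d '{"client_type":"toolkit","description":"Tookit API key"}' | jq -r .api_key)
_require "apic API key" "$APIC_APIKEY"

echo "logging into API manager"
APIM_ENDPOINT=$(oc -n "$NAMESPACE" get mgmt "$INSTANCE-mgmt" -o jsonpath="https://{.status.zenRoute}")
_require "API manager endpoint" "$APIM_ENDPOINT"
# `yes n` declines apic's interactive prompt. The API key is passed on
# argv and is briefly visible in `ps`; check whether your apic version
# can read it from a file instead.
yes n | apic login --context provider --server "$APIM_ENDPOINT" --sso --apiKey "$APIC_APIKEY" || _die "apic login failed"
rm -rf -- "$CREDS_DIR"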
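# -------------------------------------------------------------------
# setting up truststore
# -------------------------------------------------------------------
printf '\n\033[1;33m retrieving keystore from APIC and putting into a truststore...\033[0m\n'
# Only the `public_certificate_entry` of the gateway keystore is taken,
# so the resulting truststore should hold no private key material.
# SECURITY: this certificate becomes the Kafka client's sole trust
# anchor, and it is fetched over connections this script does not
# TLS-verify (see the -k flags above), so run it from a trusted network path.
GATEWAY_PEM=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
apic keystores:get \
  --server "$APIM_ENDPOINT" \
  --org admin \
  --format json \
  tls-server-for-gateway-services-default-keystore \
  --output - | jq -r .public_certificate_entry.pem > "$GATEWAY_PEM"
# jq prints "null" when the entry is missing and keytool then fails with
# an unhelpful error (the original carried on regardless); insist on a
# PEM certificate before importing.
if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$GATEWAY_PEM"; then
  echo "failed to retrieve the gateway certificate from the API manager" >&2
  rm -f -- "$GATEWAY_PEM"
  exit 1
fi
# The store password only protects a file holding a public certificate,
# so a fixed value is acceptable; it is printed at the end because the
# Kafka client needs it as ssl.truststore.password.
keytool -import -noprompt \
  -alias gatewayca \
  -file "$GATEWAY_PEM" \
  -keystore my.p12 -storetype pkcs12 \
  -storepass password || { rm -f -- "$GATEWAY_PEM"; echo "keytool import failed" >&2; exit 1; }
rm -f -- "$GATEWAY_PEM"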
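# -------------------------------------------------------------------
# get Event Gateway connection address
# -------------------------------------------------------------------
printf '\n\033[1;33m querying openshift for gateway connection address...\033[0m\n'
# Both labels in ONE selector: repeated `-l` flags do not accumulate in
# oc/kubectl (the last one wins), so the original effectively filtered
# on app.kubernetes.io/name only.
GATEWAY_ROUTE=$(oc get route -n "$NAMESPACE" \
  -l "app.kubernetes.io/instance=${INSTANCE}-egw,app.kubernetes.io/name=event-gateway" \
  -o name | grep gw-client)
# Zero or several matches would silently produce an empty or multi-line
# address below, so require exactly one route.
if [ -z "$GATEWAY_ROUTE" ] || [ "$(printf '%s\n' "$GATEWAY_ROUTE" | wc -l)" -ne 1 ]; then
  printf 'expected exactly one gw-client route for %s in %s, got:\n%s\n' "$INSTANCE" "$NAMESPACE" "$GATEWAY_ROUTE" >&2
  exit 1
fi
GATEWAY_ADDRESS=$(oc get "$GATEWAY_ROUTE" -n "$NAMESPACE" -o jsonpath='{.spec.host}')
echo "gateway address: $GATEWAY_ADDRESS"
# -------------------------------------------------------------------
# outputting results
# -------------------------------------------------------------------
printf '\n\033[1;33m connection properties:\033[0m\n'
printf '\033[1m bootstrap.servers=%s:443\033[0m\n' "$GATEWAY_ADDRESS"
printf '\033[1m ssl.truststore.location=my.p12\033[0m\n'
printf '\033[1m ssl.truststore.type=PKCS12\033[0m\n'
printf '\033[1m ssl.truststore.password=password\033[0m\n'
# SECURITY: an empty ssl.endpoint.identification.algorithm turns OFF
# hostname verification in the Kafka client, so any certificate chaining
# to the truststore is accepted for any host. With a truststore holding
# only the gateway's own certificate the exposure is limited, but prefer
# the default ("https") and only blank this if the gateway certificate
# really does not carry the route hostname in its SAN — confirm by
# inspecting the certificate before shipping this setting to clients.
printf '\033[1m ssl.endpoint.identification.algorithm=\033[0m\n'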