
....
{{- /* Read the Consul key named by $consul_key and parse its value as JSON; the parsed document is bound to $d inside this block.
       NOTE(review): the document appears to choose the issuing PKI mount, so write access to that key should be tightly restricted. */ -}}
{{- with $d := key $consul_key | parseJSON -}}
{{- /* primary_issuer is taken from the document; presumably $pki_path in the elided lines is built from it (confirm). */ -}}
{{- $pki_issuer := $d.primary_issuer -}}
....
{{- /* Query Vault at $pki_path, passing the common-name and TTL parameters; the response becomes the dot context of this block. */ -}}
{{- with secret $pki_path $common_name_param $ttl_param -}}
....
{{- /* Iterate over every path listed under secondary_issuers. Presumably each one contributes its CA certificate to the
       trust bundle so that certificates from the other root still validate during a rotation (confirm against the elided body). */ -}}
{{- range $secondary_path := $d.secondary_issuers -}}
....
0 .. Sectigo Limited….
1 .. The USERTRUST Network/CN=USERTrust RSA
2 .. CN=AddTrust External CA Root
3 .. CN=AddTrust External CA Root
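# Excerpt of the Deployment manifest (metadata only; spec is not shown).
# Nesting restored: name, namespace, labels and annotations belong under metadata.
# NOTE(review): Deployment is no longer served under extensions/v1beta1 as of
# Kubernetes 1.16. apps/v1 is the current API group and requires spec.selector,
# so check the full manifest before changing the version.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kafka-consumer
  namespace: default
  labels:
    project: kafka-consumer
    team: event-streamer
  annotations:
    # Opt-in flag. Presumably read by whatever provisions the Kafka client
    # certificate for this workload; the consumer is not shown here (confirm).
    kafka-auth/enable: 'true'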
{
"primary_issuer": "kafka-pki/root-b",
"secondary_issuers": []
}
{
"primary_issuer": "kafka-pki/root-b",
"secondary_issuers": ["kafka-pki/root-a"]
}
{
"primary_issuer": "kafka-pki/root-a",
"secondary_issuers": ["kafka-pki/root-b"]
}
{
"primary_issuer": "kafka-pki/root-a",
"secondary_issuers": []
}
resource "consul_keys" "root" {
# One Consul KV entry managed by this resource.
# NOTE(review): the JSON below appears to select which PKI mount issues
# certificates and which additional roots are trusted, so write access to this
# path should be limited with Consul ACLs.
key {
# Placeholder path; presumably the same key the certificate template reads with
# `key ... | parseJSON` (confirm).
path = "some/path/in/consul"
# JSON document with two fields: primary_issuer (a single mount path) and
# secondary_issuers (a list, empty here).
value = <<-EOT
{
"primary_issuer": "kafka-pki/root-a",
"secondary_issuers": []
}
EOT
}
# Shared inputs for the Kafka PKI configuration.
locals {
  # Prefix from which each root's path is built, e.g. "${local.kafka_pki_prefix}/root-a".
  kafka_pki_prefix = "prefix"

  # Domain lists for broker and client certificates. Presumably passed to the
  # PKI roles as their allowed domains (confirm in ./common/kafka_pki).
  kafka_broker_allowed_domains = ["broker.kafka.com"]
  kafka_client_allowed_domains = ["client.kafka.com"]
}
module "root_a" {
source = "./common/kafka_pki"
path = "${local.kafka_pki_prefix}/root-a"
root_ca_common_name = "Root A"
-Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true