quickstart-customizations
# One-shot Job that bootstraps the Vault server TLS material: it fetches
# certificates.sh from S3 and runs it inside an amazonlinux container.
apiVersion: batch/v1
kind: Job
metadata:
  name: certificate-vault-sg-07dc26eb8f2031520-1
  namespace: vault-server
  annotations:
    cfn-client-token: dcd3b6e6-5814-9767-5f03-6fa6ad673274
spec:
  template:
    spec:
      containers:
        - name: certificate-vault-sg-07dc26eb8f2031520-1
          image: amazonlinux
          command:
            - /bin/bash
            - '-c'
          args:
            # Folded scalar: the line breaks below become spaces in the one-line
            # bash -c program.
            # NOTE(review): `2>&1 > /dev/null` sends yum's stderr to the container
            # log and only its stdout to /dev/null (redirect order matters).
            # NOTE(review): the script is copied from S3 and executed without any
            # integrity check shown here; the script itself downloads kubectl the
            # same way. The sed rewrites the CSR apiVersion from v1beta to v1.
            - >
              sleep 15; yum install -y awscli 2>&1 > /dev/null; export
              AWS_REGION=us-west-2; export RELEASE_NAME=sg-07dc26eb8f2031520;
              export NAMESPACE=vault-server; aws sts get-caller-identity; aws s3
              cp ${S3_SCRIPT_URL} ./script.sh && sed -i
              's/certificates.k8s.io\/v1beta/certificates.k8s.io\/v/g'
              ./script.sh && chmod +x ./script.sh && ./script.sh
          env:
            - name: S3_SCRIPT_URL
              value: >-
                s3://aws-quickstart/quickstart-eks-hashicorp-vault/scripts/certificates.sh
            # NOTE(review): the script reads NAMESPACE (exported in the command
            # above); NAME_SPACE is not referenced by it.
            - name: NAME_SPACE
              value: vault-server
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
      restartPolicy: Never
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      # Service account whose RBAC must allow creating/approving CSRs,
      # reading secrets and creating the TLS secret (see the script).
      serviceAccountName: boot-vault-sg-07dc26eb8f2031520
      serviceAccount: boot-vault-sg-07dc26eb8f2031520
      # Empty: the container runs as the image's default user (root for
      # amazonlinux), which `yum install` requires.
      securityContext: {}
      schedulerName: default-scheduler
  completionMode: NonIndexed
  suspend: false
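#!/usr/bin/env bash
# Bootstraps the TLS material for the Vault server:
#   1. installs openssl and a pinned kubectl,
#   2. generates an RSA key and a CSR carrying the Vault service SANs,
#   3. submits the CSR to the Kubernetes CSR API, approves it and waits for
#      the signer to issue the certificate,
#   4. stores key, certificate and cluster CA in a Secret.
#
# Required environment (exported by the executor, see the Job manifest):
#   RELEASE_NAME  - release name used in the service, CSR and SAN names.
#   NAMESPACE     - namespace where the Vault service is running.
# Optional:
#   SLEEP_TIME    - seconds between polls of the CSR status (default 15).
#   POLL_ATTEMPTS - how many polls before giving up (default 20).
set -Eeuo pipefail
trap 'printf "error at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

: "${RELEASE_NAME:?RELEASE_NAME must be set (exported by executor)}"
: "${NAMESPACE:?NAMESPACE must be set (exported by executor)}"

# SERVICE is the name of the Vault service in Kubernetes.
# It does not have to match the actual running service, though it may help for consistency.
SERVICE=vault-${RELEASE_NAME}
# SECRET_NAME to create in the Kubernetes secrets store.
SECRET_NAME=vault-server-tls
# Seconds between polls while waiting for the signed certificate.
SLEEP_TIME=${SLEEP_TIME:-15}
# Upper bound on polls before the script gives up on the signer.
POLL_ATTEMPTS=${POLL_ATTEMPTS:-20}
# Pinned kubectl build served by the EKS bucket.
KUBECTL_URL=https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl
# Cluster CA bundle mounted alongside the in-cluster service-account token.
SA_CA_FILE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Name of the CSR object; exported as before so child processes can see it.
export CSR_NAME=vault-csr-${RELEASE_NAME}

# TMPDIR is a private working directory. The TLS private key is written
# here, so it must not be a predictable, world-readable path; it is removed
# on exit (including on error).
umask 077
TMPDIR=$(mktemp -d /tmp/vault-tls.XXXXXX) || { printf 'mktemp failed\n' >&2; exit 1; }
readonly TMPDIR
cleanup() { rm -rf -- "${TMPDIR:?}"; }
trap cleanup EXIT

#######################################
# Print a progress message on stdout.
#######################################
log() { printf '%s\n' "$*"; }

#######################################
# Print an error on stderr and exit 1.
#######################################
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Install openssl and the pinned kubectl into $HOME/bin.
# Globals:  KUBECTL_URL (read), PATH (written)
#######################################
install_tools() {
  log "Install openssl"
  yum install -y openssl 2>&1

  log "Install Kubernetes cli"
  # -f makes curl fail on an HTTP error instead of saving the error page
  # as the "binary" and chmod'ing it executable.
  curl -fsSL -o kubectl "${KUBECTL_URL}" || die "failed to download kubectl from ${KUBECTL_URL}"
  chmod +x ./kubectl
  local bindir="${HOME:-/root}/bin"
  mkdir -p "${bindir}" && cp ./kubectl "${bindir}/kubectl"
  export PATH=${PATH}:${bindir}
  kubectl version --short --client
}

#######################################
# Generate the RSA private key and a CSR with the Vault service SANs.
# Globals:  TMPDIR, SERVICE, NAMESPACE, RELEASE_NAME (read)
# Outputs:  ${TMPDIR}/vault.key, ${TMPDIR}/csr.conf, ${TMPDIR}/server.csr
#######################################
generate_key_and_csr() {
  log "Generate certificate Private key"
  openssl genrsa -out "${TMPDIR}/vault.key" 2048

  log "Create CSR file"
  # Heredoc is unquoted on purpose: the SAN entries expand the shell variables.
  cat <<EOF >"${TMPDIR}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
DNS.5 = vault-${RELEASE_NAME}-0.vault-${RELEASE_NAME}-internal
DNS.6 = vault-${RELEASE_NAME}-1.vault-${RELEASE_NAME}-internal
DNS.7 = vault-${RELEASE_NAME}-2.vault-${RELEASE_NAME}-internal
IP.1 = 127.0.0.1
EOF

  log "Sign the CSR"
  openssl req -new -key "${TMPDIR}/vault.key" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" \
    -out "${TMPDIR}/server.csr" \
    -config "${TMPDIR}/csr.conf"
}

#######################################
# Submit the CSR to the Kubernetes CSR API and approve it.
# Globals:  TMPDIR, CSR_NAME (read)
# Outputs:  ${TMPDIR}/csr.yaml
#######################################
submit_and_approve_csr() {
  log "Create a CSR Manifest file"
  local request
  request=$(base64 <"${TMPDIR}/server.csr" | tr -d '\n')
  cat <<EOF >"${TMPDIR}/csr.yaml"
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: ${request}
  signerName: beta.eks.amazonaws.com/app-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

  log "Create CSR from manifest file"
  kubectl create -f "${TMPDIR}/csr.yaml"
  log "Fetch the CSR from kubernetes"
  kubectl get csr "${CSR_NAME}"
  log "Approve the Certificate"
  kubectl certificate approve "${CSR_NAME}"
}

#######################################
# Poll the CSR until the signer has populated .status.certificate.
# Globals:  CSR_NAME, POLL_ATTEMPTS, SLEEP_TIME (read)
# Outputs:  the base64 certificate on stdout
# Returns:  0 once issued, 1 after POLL_ATTEMPTS empty polls
#######################################
wait_for_certificate() {
  local attempt cert
  for ((attempt = 1; attempt <= POLL_ATTEMPTS; attempt++)); do
    cert=$(kubectl get csr "${CSR_NAME}" -o jsonpath='{.status.certificate}') || cert=
    if [[ -n "${cert}" ]]; then
      printf '%s' "${cert}"
      return 0
    fi
    printf 'Certificate not issued yet (attempt %d/%d); waiting %ss\n' \
      "${attempt}" "${POLL_ATTEMPTS}" "${SLEEP_TIME}" >&2
    sleep "${SLEEP_TIME}"
  done
  return 1
}

#######################################
# Write the cluster CA to ${TMPDIR}/vault.ca.
# Prefers the CA mounted with the service-account token; falls back to the
# ca.crt of a service-account-token Secret, best effort as before.
# Globals:  SA_CA_FILE, TMPDIR, SECRET_NAME (read)
#######################################
fetch_cluster_ca() {
  log "Fetch Kubernetes CA Certificate"
  if [[ -s "${SA_CA_FILE}" ]]; then
    cp -- "${SA_CA_FILE}" "${TMPDIR}/vault.ca"
  else
    kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" 2>/dev/null \
      | base64 --decode >"${TMPDIR}/vault.ca" 2>/dev/null || true
  fi
  # Keep the original best-effort semantics, but say so loudly: an empty
  # vault.ca in the Secret is a latent misconfiguration for the Vault server.
  if [[ ! -s "${TMPDIR}/vault.ca" ]]; then
    printf 'warning: could not determine the cluster CA; vault.ca in %s will be empty\n' "${SECRET_NAME}" >&2
    : >"${TMPDIR}/vault.ca"
  fi
}

#######################################
# Create the TLS Secret from key, certificate and CA.
# Globals:  SECRET_NAME, NAMESPACE, TMPDIR (read)
#######################################
create_tls_secret() {
  log "Create secret containing the TLS Certificates and key"
  local -a args=(
    create secret generic "${SECRET_NAME}"
    --namespace "${NAMESPACE}"
    --from-file="vault.key=${TMPDIR}/vault.key"
    --from-file="vault.crt=${TMPDIR}/vault.crt"
    --from-file="vault.ca=${TMPDIR}/vault.ca"
  )
  # Log the exact command (as the original did with echo) before running it.
  printf 'kubectl'
  printf ' %q' "${args[@]}"
  printf '\n'
  kubectl "${args[@]}"
}

main() {
  log "Name the CSR: ${CSR_NAME}"
  install_tools
  generate_key_and_csr
  submit_and_approve_csr

  local cert
  cert=$(wait_for_certificate) \
    || die "CSR ${CSR_NAME} was not signed after $((POLL_ATTEMPTS * SLEEP_TIME))s"
  printf '%s' "${cert}" | openssl base64 -d -A -out "${TMPDIR}/vault.crt"

  fetch_cluster_ca
  create_tls_secret
}

main "$@"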