@mmastoras
Last active January 11, 2020 18:43
create JKS keys from vault pki
docker-entrypoint.sh
```
# create truststore and keystore from pem files if they exist
if [ -f "$ZOO_CONF_DIR/ssl/root-int-ca.pem" ] && [ -f "$ZOO_CONF_DIR/ssl/node.pem" ]; then
  # keystores, the .p12 and the password file hold secrets: no group/world access
  umask 077
  # create truststore jks
  truststore_password="$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 12)"
  echo "$truststore_password" > "$TRUSTSTORE_WORKING_DIRECTORY/truststore_password.txt"
  # -noprompt: keytool otherwise asks "Trust this certificate?" and the entrypoint has no tty
  keytool -import -noprompt -alias root-int-ca -trustcacerts -file "$ZOO_CONF_DIR/ssl/root-int-ca.pem" \
    -keystore "$ZOO_CONF_DIR/ssl/kafka-truststore.jks" -storetype JKS -storepass "$truststore_password"
  # create keystore jks: node.pem must carry the leaf certificate and its private key
  keystore_password="$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 12)"
  # -passout: without it openssl prompts for the export password and the entrypoint hangs
  openssl pkcs12 -export -inkey "$ZOO_CONF_DIR/ssl/node.pem" -in "$ZOO_CONF_DIR/ssl/node.pem" \
    -name node-1 -passout "pass:$keystore_password" -out "$ZOO_CONF_DIR/ssl/node-1.p12"
  # keystore path assumed to match ssl.keyStore.location in zoo.cfg; -srcstorepass avoids another prompt
  keytool -importkeystore -noprompt -srckeystore "$ZOO_CONF_DIR/ssl/node-1.p12" -srcstoretype PKCS12 \
    -srcstorepass "$keystore_password" -destkeystore "$ZOO_CONF_DIR/ssl/keystore.jks" \
    -deststoretype JKS -deststorepass "$keystore_password"
  # the intermediate .p12 holds the private key under the same password; drop it once imported
  rm -f "$ZOO_CONF_DIR/ssl/node-1.p12"
  # update passwords in zoo.cfg (passwords are alphanumeric, so they are safe inside the sed replacement)
  sed -i "s/TRUSTSTORE_PASSWORD/$truststore_password/g" "$ZOO_CONF_DIR/zoo.cfg"
  sed -i "s/KEYSTORE_PASSWORD/$keystore_password/g" "$ZOO_CONF_DIR/zoo.cfg"
fi
```
nomad templates
```
meta {
mtls_path = "secret/teams/sre/kafka-poc/zk1/mtls"
vault_addr = "https://vault.simulpong.com:8200"
cluster_dc = "alpha"
vault_cert_path = "alphaintca/issue/alpha-dot-consul"
root_ca_path = "alpharootca/cert/ca"
int_ca_path = "alphaintca/cert/ca"
cert_ttl = "168h"
}
template {
destination = "local/conf/ssl/root-int-ca.pem"
data = <<EOH
{{ $root_ca_path := env "NOMAD_META_root_ca_path" -}}
{{ $int_ca_path := env "NOMAD_META_int_ca_path" -}}
{{ with secret (printf "%s" $int_ca_path) }}
{{ .Data.certificate -}}
{{ end -}}
{{ with secret (printf "%s" $root_ca_path) }}
{{ .Data.certificate -}}
{{ end }}
EOH
}
template {
destination = "local/conf/ssl/node.pem"
change_mode = "noop"
data = <<EOH
{{ $ip_address := env "NOMAD_IP_client" -}}
{{ $vault_cert_path := env "NOMAD_META_vault_cert_path" -}}
{{ $cluster_dc := env "NOMAD_META_cluster_dc" -}}
{{ $cert_ttl := env "NOMAD_META_cert_ttl" -}}
{{- /* node.pem feeds openssl pkcs12 -export in the entrypoint, so it needs the leaf certificate and its private key; with change_mode noop a re-rendered certificate is not re-imported into the JKS until the task restarts */ -}}
{{ with secret (printf "%s" $vault_cert_path) (printf "common_name=zk-%s.service.%s.consul" $cluster_dc $cluster_dc) (printf "alt_names=zk-%s.service.%s.consul" $cluster_dc $cluster_dc) (printf "ip_sans=%s" $ip_address) (printf "ttl=%s" $cert_ttl) }}
{{ .Data.certificate }}
{{ .Data.private_key -}}
{{ end }}
EOH
}
```
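A preflight check for the two files the templates above render and the entrypoint consumes, added here as an example (not part of the gist). Before keytool and openssl run, it confirms that root-int-ca.pem carries both the intermediate and the root CA and that node.pem carries the leaf certificate with exactly one private key, which is what openssl pkcs12 -export needs; it also generates the keystore passwords in a form that is safe inside the sed substitution on zoo.cfg. The directory layout ($ZOO_CONF_DIR/ssl with root-int-ca.pem and node.pem) is taken from the script above; the function names and the placeholder PEM fixtures are this example's own, and the fixtures contain no real key material.

```shell
#!/bin/sh
# Preflight for the docker-entrypoint.sh above (added example, not part of the
# gist): verify the PEM files rendered by the Nomad templates before keytool and
# openssl consume them. Only grep/head/tr are used, so it runs without a JDK.

# Print the number of PEM blocks whose label matches the ERE in $1 inside file $2
# (0 when the file does not exist).
pem_count() {
  [ -f "$2" ] || { echo 0; return 0; }
  # grep -c prints 0 and exits 1 on no match, so swallow that exit status
  grep -c -E "^-----BEGIN $1-----\$" "$2" || true
}

# Return 0 when directory $1 (the $ZOO_CONF_DIR/ssl layout from the entrypoint)
# holds everything the entrypoint needs; report each problem on stderr.
check_ssl_material() {
  dir=$1; rc=0
  ca_certs=$(pem_count 'CERTIFICATE' "$dir/root-int-ca.pem")
  node_certs=$(pem_count 'CERTIFICATE' "$dir/node.pem")
  # Vault PKI returns PKCS#1 (RSA/EC) or PKCS#8 private keys depending on key type and version
  node_keys=$(pem_count '(RSA |EC )?PRIVATE KEY' "$dir/node.pem")
  # the truststore template concatenates the intermediate and the root CA
  if [ "$ca_certs" -lt 2 ]; then
    echo "root-int-ca.pem: expected intermediate + root CA, found $ca_certs certificate(s)" >&2; rc=1
  fi
  if [ "$node_certs" -lt 1 ]; then
    echo "node.pem: no certificate, check the Vault PKI issue template" >&2; rc=1
  fi
  # openssl pkcs12 -export -inkey node.pem needs exactly one private key in that file
  if [ "$node_keys" -ne 1 ]; then
    echo "node.pem: expected one private key, found $node_keys (template must emit .Data.private_key)" >&2; rc=1
  fi
  return $rc
}

# Alphanumeric random password of $1 characters (default 24): it contains no '/'
# or '&', so it is safe inside the sed replacement the entrypoint applies to zoo.cfg.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# Constructed fixtures with placeholder bodies (not real key material) so the
# check can be exercised offline; $2 is "good" or "nokey".
make_fixture() {
  mkdir -p "$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-intermediate' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'placeholder-root' '-----END CERTIFICATE-----' > "$1/root-int-ca.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-leaf' '-----END CERTIFICATE-----' > "$1/node.pem"
  if [ "$2" = good ]; then
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder-key' '-----END RSA PRIVATE KEY-----' >> "$1/node.pem"
  fi
}

# Demo: run with --demo to see the check pass on a complete node.pem and reject
# one rendered without the private key (a template that emits only .Data.certificate).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_fixture "$tmp/good" good; make_fixture "$tmp/nokey" nokey
  check_ssl_material "$tmp/good" && echo "good: ok"
  check_ssl_material "$tmp/nokey" || echo "nokey: rejected (exit $?)"
  echo "sample password: $(gen_password 12)"
  rm -rf "$tmp"
fi
```

In the entrypoint the call sits just before the keytool step: `check_ssl_material "$ZOO_CONF_DIR/ssl" || exit 1`, so a half-rendered template stops the container instead of leaving keytool or openssl waiting on a prompt. The check reads only the PEM headers; it does not prove the key matches the certificate, which `openssl pkcs12 -export` itself rejects if they differ.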