From 84917e7f9db8e6949f58292befe03ece89ed6433 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 8 Apr 2022 17:40:10 -0400 Subject: [PATCH 01/15] Upgraded to SPIRE version 1.1.3 Signed-off-by: Mariusz Sabath --- charts/spire/values.yaml | 2 +- charts/tornjak/values.yaml | 8 +++----- 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml
index d580707f..7c88397d 100644
--- a/charts/spire/values.yaml
+++ b/charts/spire/values.yaml
@@ -17,7 +17,7 @@ region: sample-region
 # SPIRE server
 trustdomain: spiretest.com
 # SPIRE version:
-spireVersion: 1.0.2
+spireVersion: 1.1.3
 # spireServer - location of the SPIRE server
 spireServer:
diff --git a/charts/tornjak/values.yaml b/charts/tornjak/values.yaml
index 64eca7d5..68684035 100644
--- a/charts/tornjak/values.yaml
+++ b/charts/tornjak/values.yaml
@@ -14,15 +14,13 @@ clustername: spire-example
 # trustdomain is arbitrary but needs to match between Server and Agent
 trustdomain: spiretest.com
 # SPIRE version used for consistency across components
-spireVersion: 1.0.2
+spireVersion: 1.1.3
 # SPIRE Server configuration
 spireServer:
 # tornjakImage - Tornjak with SPIRE Server
- # TODO this is just a temporary image with several patches. It
- # should be removed after the patches are available in the SPIRE main
- # img: ghcr.io/spiffe/tornjak-spire-server
- img: tsidentity/local-spire-server
+ img: ghcr.io/spiffe/tornjak-spire-server
+
 socketDir: /run/spire-server/private
 socketFile: api.sock
 # selfSignedCA - SPIRE will create the self signed CA unless this value
From 72d399c2ff9e064cf92b147ead77ac3e1b15595c Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 8 Apr 2022 20:08:24 -0400 Subject: [PATCH 02/15] Added x509pop NodeAttestor
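Review bot: `img: ghcr.io/spiffe/tornjak-spire-server` in the charts/tornjak/values.yaml hunk carries neither a tag nor a digest, so unless the template appends `spireVersion` to it (not visible here) the chart pulls a floating `latest` image, which undercuts the point of pinning `spireVersion: 1.1.3` in the same hunk. Pin it in values, e.g. `img: ghcr.io/spiffe/tornjak-spire-server:<tag>` (placeholder) or an `@sha256:` digest, and extend the `# tornjakImage` comment to say whether the tag is expected to track `spireVersion`. The removed TODO explained why the previous image existed; a one-line comment stating that the upstream image is now sufficient would keep that history for the next maintainer. The added empty `+` line after `img:` is the only other change and can be dropped.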
Signed-off-by: Mariusz Sabath --- charts/tornjak/templates/server-configmap.tpl | 5 +++++ sample-x509/intermediate-key.pem | 13 ++++++++++++ sample-x509/intermediate.pem | 10 +++++++++ sample-x509/leaf-crt-bundle.pem | 19 +++++++++++++++++ sample-x509/leaf-key.pem | 13 ++++++++++++ sample-x509/leaf.pem | 10 +++++++++ sample-x509/leaf1-crt-bundle.pem | 21 +++++++++++++++++++ sample-x509/leaf1-key.pem | 13 ++++++++++++ sample-x509/leaf1.pem | 11 ++++++++++ sample-x509/leaf2-crt-bundle.pem | 21 +++++++++++++++++++ sample-x509/leaf2-key.pem | 13 ++++++++++++ sample-x509/leaf2.pem | 11 ++++++++++ sample-x509/leaf3-crt-bundle.pem | 21 +++++++++++++++++++ sample-x509/leaf3-key.pem | 13 ++++++++++++ sample-x509/leaf3.pem | 11 ++++++++++ sample-x509/root-crt.pem | 10 +++++++++ sample-x509/root-key.pem | 13 ++++++++++++ 17 files changed, 228 insertions(+) create mode 100644 sample-x509/intermediate-key.pem create mode 100644 sample-x509/intermediate.pem create mode 100644 sample-x509/leaf-crt-bundle.pem create mode 100644 sample-x509/leaf-key.pem create mode 100644 sample-x509/leaf.pem create mode 100644 sample-x509/leaf1-crt-bundle.pem create mode 100644 sample-x509/leaf1-key.pem create mode 100644 sample-x509/leaf1.pem create mode 100644 sample-x509/leaf2-crt-bundle.pem create mode 100644 sample-x509/leaf2-key.pem create mode 100644 sample-x509/leaf2.pem create mode 100644 sample-x509/leaf3-crt-bundle.pem create mode 100644 sample-x509/leaf3-key.pem create mode 100644 sample-x509/leaf3.pem create mode 100644 sample-x509/root-crt.pem create mode 100644 sample-x509/root-key.pem diff --git a/charts/tornjak/templates/server-configmap.tpl b/charts/tornjak/templates/server-configmap.tpl index 0c9796a3..9365e4b5 100644 --- a/charts/tornjak/templates/server-configmap.tpl +++ b/charts/tornjak/templates/server-configmap.tpl 
@@ -70,6 +70,11 @@ data: } } } + NodeAttestor "x509pop" { + plugin_data { + ca_bundle_path = "/opt/spire/sample-keys/rootCA.pem" + } + } {{- if .Values.attestors.aws_iid -}} {{- if .Values.attestors.aws_iid.access_key_id -}} diff --git a/sample-x509/intermediate-key.pem b/sample-x509/intermediate-key.pem new file mode 100644 index 00000000..ecd3fafb --- /dev/null +++ b/sample-x509/intermediate-key.pem @@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAuUNx9JhXm/vuER34 +f4MW7Pk4vkPECKlbOOzVkUElN1ZhbdjFjLiJ5dmEefcuvAPN4E2Bhi4QXTdPyMf7 ++/2Wu4HVmV073Z+ssgFyP28zbLvNjL6fsGIh+f9HoMOUvcSPAgMBAAECYEH1fkvs +NTzm3CKh/gg//tiN/qLW86N10HGa+IqHnB1wlq2KQQNR7F62K9FUrQHphDa4+FdU +ijd0VeMzJGwPrp55/0mZPoFL0HJWTorOcMTFgM735uxHQVGCoHqxpnXkyQIxAM+i +szD2fhzQ9pzQGTR8T5Z4n4qkASEDyIRyO+weaHFtjP2iXzV7JlxGAhUqeCDhtQIx +AORqssTasNnzuXPXw+Revix0/NWLd0AF6Z5DIvWYtJB7u+hKY3o7JnwTEC/c/cQH +swIwWQ4yhySh8KAbtiR3OxC6XhJ8c01mgo+J2GzakKp2J3hSSZLz/Q9F47vPNt7R +SWElAjEAwR00Zxo9ywc0E6yoAbvYLN37pM900rws95DrTZj9j+oMxCegUwcPUncL +iGveYI3hAjEAhTTowVIxRZINfHyUQuUFkHCmyhApprP1twf7u7vJ0knndFn9Ij5P +wT/zTjQ7kuiE +-----END PRIVATE KEY----- diff --git a/sample-x509/intermediate.pem b/sample-x509/intermediate.pem new file mode 100644 index 00000000..3ea813e8 --- /dev/null +++ b/sample-x509/intermediate.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 +Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g +TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C +AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 +u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm +gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 +TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= +-----END CERTIFICATE----- 
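Review bot: The `NodeAttestor "x509pop"` block in the server-configmap.tpl hunk is added unconditionally, while the attestor right below it is wrapped in `{{- if .Values.attestors.aws_iid -}}`, so every deployment of this chart now accepts x509pop node attestation against whatever is at `ca_bundle_path`. That matters because the same commit adds `sample-x509/root-key.pem` and `sample-x509/intermediate-key.pem` to the repository: any holder of the repo can issue a certificate that chains to that bundle and will be accepted as a node identity, so the server side should be opt-in, e.g. guard the block with `{{- if .Values.attestors.x509pop }}` (constructed name, defaulting to off) and add a comment above it noting that the bundled keys are test fixtures only. The `data:` block that encloses this hunk starts outside it.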
diff --git a/sample-x509/leaf-crt-bundle.pem b/sample-x509/leaf-crt-bundle.pem new file mode 100644 index 00000000..40b9598e --- /dev/null +++ b/sample-x509/leaf-crt-bundle.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIBYTCB7KADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowGzEZMBcGA1UEAxMQc29tZSBjb21tb24gbmFt +ZTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDR/rrOq9GhzI9XFxIOxqEZ7hXmc0P9 +6CjEi3xl5BQVIkQnx46cHKEY6vyEodxjcv5HefJ3Jmpx+4Jf+J9KJ+XGkiD3T7zC +d7FX0zPyMBxtImvojJDxuqlrUCs0cHBZCP8CAwEAAaMSMBAwDgYDVR0PAQH/BAQD +AgeAMA0GCSqGSIb3DQEBCwUAA2EAjp41GzuQBqEIY7F/8O6VQwwDA4qmtTkbSq0P +jYvfDKTaC2tB/nxlZoHdunx2wb/cvjQ0hmp6an5AioX8aRnSp7CwfgM5sDIb6mXz +0EIobXRibY/E88IK2Ok/JUn4Jlpe +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBRzCB0qADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDA +Gm2bb+E2IKjcS6a2lCpUys5j7ySQIHM19EULD1jjkRT3y2S8dm5jlfQR4UMF6BFq +KuNiEbML5jfEq1IyzmJ6IHuVDxfhxGq24cXSAT308C/ybnOEuSHgVviae8oscZEC +AwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAANhAAsnJCCT +BF3HflSMwISuJ3d6CopcV70Pylza79l97DUGoSeSQEorOjLRFkiB9c9M7SZEgYs5 +IgbjcwkCLkHjXq2UNFjhe28MNBTdfD6yjE/x6QiAunw01flG0sJPU2xUzQ== +-----END CERTIFICATE----- diff --git a/sample-x509/leaf-key.pem b/sample-x509/leaf-key.pem new file mode 100644 index 00000000..84a1a47f --- /dev/null +++ b/sample-x509/leaf-key.pem 
@@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEA0f66zqvRocyPVxcS +DsahGe4V5nND/egoxIt8ZeQUFSJEJ8eOnByhGOr8hKHcY3L+R3nydyZqcfuCX/if +SiflxpIg90+8wnexV9Mz8jAcbSJr6IyQ8bqpa1ArNHBwWQj/AgMBAAECYQCzSfsQ +jR30OISBZM8kEm5lhyLnmK4KUHbOKBFTpQGIcbMjC3w0yTS545cpXlCeEASBLxQ3 +3XEQSF3W1SmZBHuI/nMXBG3lc48VkeL8++lSPg08DWaEdzJzG6A0gsEjjuECMQD2 +uwDW78B3gW9SP4PUXeRYbo68XoLr28+AIt0Bh07FiMLBsL+7xtkwqM0C7b6PZCkC +MQDZ4mnW0LvVAjjnOQ4SgdWFHZh7fcDQ5s2RvSp3HGFb/ALoRr7yfO10OkMUiTq9 +aOcCMQDWHNiQrcSfsMKTZK0ZmVV07JSPoZEJ71o1/4s9LVfNkm44uhLZeKm4UXR/ +6yNoumkCMGTD7ljXnhar+W8OFvD+NKZkgpGSHes+4pFlH8+IQ4qL6ThNB6AToKmh +DEbiFFVmvwIwVPiNcKPW9d36K/nM5o41lLcpSvJGneGQQsNDHvZDIiMpCFVvxoBz +fzRRb2sFi1gI +-----END PRIVATE KEY----- diff --git a/sample-x509/leaf.pem b/sample-x509/leaf.pem new file mode 100644 index 00000000..c43ae767 --- /dev/null +++ b/sample-x509/leaf.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBYTCB7KADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowGzEZMBcGA1UEAxMQc29tZSBjb21tb24gbmFt +ZTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDR/rrOq9GhzI9XFxIOxqEZ7hXmc0P9 +6CjEi3xl5BQVIkQnx46cHKEY6vyEodxjcv5HefJ3Jmpx+4Jf+J9KJ+XGkiD3T7zC +d7FX0zPyMBxtImvojJDxuqlrUCs0cHBZCP8CAwEAAaMSMBAwDgYDVR0PAQH/BAQD +AgeAMA0GCSqGSIb3DQEBCwUAA2EAjp41GzuQBqEIY7F/8O6VQwwDA4qmtTkbSq0P +jYvfDKTaC2tB/nxlZoHdunx2wb/cvjQ0hmp6an5AioX8aRnSp7CwfgM5sDIb6mXz +0EIobXRibY/E88IK2Ok/JUn4Jlpe +-----END CERTIFICATE----- diff --git a/sample-x509/leaf1-crt-bundle.pem b/sample-x509/leaf1-crt-bundle.pem new file mode 100644 index 00000000..01e7069a --- /dev/null +++ b/sample-x509/leaf1-crt-bundle.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw +MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h +bWUxMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANdidHMjvQ1wKcT2apO5zGDYxdbN +PW252t5f1h4zLOkxzIcfS0cq6fd30wagAh1jh/Z/JqjoQZ0p0rx9MhJJDqXgbcSh +89nzwZKxZb6TH3FT7bqAFSEg+pX3VLf12O60cwIDAQABozMwMTAOBgNVHQ8BAf8E +BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN +AQELBQADYQCEisuAiPr44rdHzsZ3ULE7WwHtKi4Mz6AM6Z3TWiN/CxpwC24e2MOc +32tENsMY7/+slaMY4ZpCn5acZQKENvSpT5dibTllkCxM5Dczkh0HIa8wr//D26oe +bdavXaOeQS4= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 +Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g +TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C +AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 +u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm +gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 +TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= +-----END CERTIFICATE----- diff --git a/sample-x509/leaf1-key.pem b/sample-x509/leaf1-key.pem new file mode 100644 index 00000000..2acfc83e --- /dev/null +++ b/sample-x509/leaf1-key.pem 
@@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEA12J0cyO9DXApxPZq +k7nMYNjF1s09bbna3l/WHjMs6THMhx9LRyrp93fTBqACHWOH9n8mqOhBnSnSvH0y +EkkOpeBtxKHz2fPBkrFlvpMfcVPtuoAVISD6lfdUt/XY7rRzAgMBAAECYBvEbKDf +baMK38etwQW0gV3G9JKBuTapLEdY8aDJFjQmIGkXJrxREwK9Zu5GuJ8TUppuSk4H +/PCoL1PwEeDqDtrOrTANqwRXTEDZeDk2vuWp6tJqyQdRd/LkGfrh1gEBQQIxAOdH +2U0KbR42VJwe4PQZF6TpHPL4Igzs05oAGSCEPZdH4a4mob1mAouZBUhMbdCHkwIx +AO5nqwj1V+KSaem5+m6DWx4B1GrsHNJw7egJSWKNC7aScNBmEnVhPoGQnHz4BMVr +oQIxANUlJCCaEUIctBFFa+/KCD5VD/bjsw3SXJi6qm2LMe/vsQ78T2brUkEw/utI +dJQPvQIwBcItSG8cq1VcB5A9c1Pq7IOgzOBdJdwicvtecWn0wXkyDmaYxYsOxnRm +w0H+Y4JhAjAdkNFP6fYGzztfNJGclwn9q+sPC+muLOjxi+LWyYHPau8G/wgmTtxU +T9vybUkGOfk= +-----END PRIVATE KEY----- diff --git a/sample-x509/leaf1.pem b/sample-x509/leaf1.pem new file mode 100644 index 00000000..f212ea45 --- /dev/null +++ b/sample-x509/leaf1.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw +MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h +bWUxMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANdidHMjvQ1wKcT2apO5zGDYxdbN +PW252t5f1h4zLOkxzIcfS0cq6fd30wagAh1jh/Z/JqjoQZ0p0rx9MhJJDqXgbcSh +89nzwZKxZb6TH3FT7bqAFSEg+pX3VLf12O60cwIDAQABozMwMTAOBgNVHQ8BAf8E +BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN +AQELBQADYQCEisuAiPr44rdHzsZ3ULE7WwHtKi4Mz6AM6Z3TWiN/CxpwC24e2MOc +32tENsMY7/+slaMY4ZpCn5acZQKENvSpT5dibTllkCxM5Dczkh0HIa8wr//D26oe +bdavXaOeQS4= +-----END CERTIFICATE----- diff --git a/sample-x509/leaf2-crt-bundle.pem b/sample-x509/leaf2-crt-bundle.pem new file mode 100644 index 00000000..18ceae22 --- /dev/null +++ b/sample-x509/leaf2-crt-bundle.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw +MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h +bWUyMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9J1cH6rhnWS8FXKwxX0RBTfY45 +83A5xsI2LroKVxGpeY1G6101JylYClmttchHUQYUuwp1ixQrcx+cQwBPnmCtZsE3 +e+AHQaU2mpAJE7I7zb0jSjqR1GoASy+xtjOlJwIDAQABozMwMTAOBgNVHQ8BAf8E +BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN +AQELBQADYQBjRSXaG19hofPjuRaClVA6r3fUDCzS/ZzPDYWUqHTQ2mRr9ym+0RD7 ++mG/wye/4UOBu4R81yRlgd5VaVJ4RTqHquLNSUQwT/h20LrbOTPKHhQQqVphEJnk +1f4mZ1LmCwA= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 +Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g +TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C +AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 +u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm +gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 +TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= +-----END CERTIFICATE----- diff --git a/sample-x509/leaf2-key.pem b/sample-x509/leaf2-key.pem new file mode 100644 index 00000000..92ae23f5 --- /dev/null +++ b/sample-x509/leaf2-key.pem 
@@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAv0nVwfquGdZLwVcr +DFfREFN9jjnzcDnGwjYuugpXEal5jUbrXTUnKVgKWa21yEdRBhS7CnWLFCtzH5xD +AE+eYK1mwTd74AdBpTaakAkTsjvNvSNKOpHUagBLL7G2M6UnAgMBAAECYDQHAAW3 +idzrJUWb0NCVnf5DxxWE+4pdnIq8M+9T2qSqJK5hSKjcSR98m6wSjCvCAXYkNS01 +6CsDELxe13qsocRJe+RU7RxSkv3z/CKEgtgApJUMr1PW4rCSNbVpvrikeQIxAOUH +ZhIrd6LuOq2Fr7S6eGm612Wa3Aa3ZNiGVHDFfrbRY866E0X4FvmAPG2BwCj7UwIx +ANXQqbLkRhGsCkfIw9hidYBxu0sc1zXSOHMHIhS96Tipd+GNpTCD36g9cYBuqbtI +XQIxALPc16A1WsMt7A8SCicYui/ud/JnZ5wuspgJBo95ykWws31KTJCKgSB4QPyP +BWYp2QIxAKTp0Dm+f5zZyQQdAZFAP8jV79O7ZvKINinicpL095FQhLpfee21iShG +W+jncdqVsQIxAMBH4Z4pLuVijMR1xLGXI91Pheu/VRb/wSubUk7HOr/7OzQBFmgE +5/0SoUyeULmOTw== +-----END PRIVATE KEY----- diff --git a/sample-x509/leaf2.pem b/sample-x509/leaf2.pem new file mode 100644 index 00000000..7a62ca7f --- /dev/null +++ b/sample-x509/leaf2.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw +MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h +bWUyMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9J1cH6rhnWS8FXKwxX0RBTfY45 +83A5xsI2LroKVxGpeY1G6101JylYClmttchHUQYUuwp1ixQrcx+cQwBPnmCtZsE3 +e+AHQaU2mpAJE7I7zb0jSjqR1GoASy+xtjOlJwIDAQABozMwMTAOBgNVHQ8BAf8E +BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN +AQELBQADYQBjRSXaG19hofPjuRaClVA6r3fUDCzS/ZzPDYWUqHTQ2mRr9ym+0RD7 ++mG/wye/4UOBu4R81yRlgd5VaVJ4RTqHquLNSUQwT/h20LrbOTPKHhQQqVphEJnk +1f4mZ1LmCwA= +-----END CERTIFICATE----- diff --git a/sample-x509/leaf3-crt-bundle.pem b/sample-x509/leaf3-crt-bundle.pem new file mode 100644 index 00000000..711e876c --- /dev/null +++ b/sample-x509/leaf3-crt-bundle.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw +MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h +bWUzMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALe+Q+td+Vr6V0QPUKH5GFjdcirE +vPG4093oQo7jAt8d+IAgpJx1OmB9rMhfO0xBX3i9l+3kdK90IcesGUVA2z4EOoVK +pNsaZda7FKjB1x+GWZTXtvW0/68bPqgIylXcewIDAQABozMwMTAOBgNVHQ8BAf8E +BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN +AQELBQADYQBakkW3+ZH01i0mit/7f/AR6A5XsABGge5DR2y8ju7fvmhQAz9GC5C5 +R9ri5/xiWucRADp+d8admKv3lxXMKtZ88g89arwDdVCkC5AsTN4qVhZAhO+kTv4W +DWyWWSUVqog= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 +Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g +TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C +AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 +u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm +gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 +TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= +-----END CERTIFICATE----- diff --git a/sample-x509/leaf3-key.pem b/sample-x509/leaf3-key.pem new file mode 100644 index 00000000..199a8460 --- /dev/null +++ b/sample-x509/leaf3-key.pem 
@@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB4wIBADANBgkqhkiG9w0BAQEFAASCAc0wggHJAgEAAmEAt75D6135WvpXRA9Q +ofkYWN1yKsS88bjT3ehCjuMC3x34gCCknHU6YH2syF87TEFfeL2X7eR0r3Qhx6wZ +RUDbPgQ6hUqk2xpl1rsUqMHXH4ZZlNe29bT/rxs+qAjKVdx7AgMBAAECYE8ZfHm1 +oeQVgz3MbgTcjCutYTmiKkjRLXwJQaXrek/8wf6+jr7ABJqHX7t+q7NfLHONUxFS +LT6C5ocOjord8GWUp9/C9F4reB+RZJDWVGIgnzlRey+XgmjNg3jKKMCMUQIxAMHH +MsKLjuGi2mxyD/zem4Adt1Nd32pojOl8vzm4VRf/qNhJr3QDM2HhfLp0iGMOYwIx +APK+L66rrFCkhrgkWChgQmny6YtGxf4aT816+2Rbslo76zfKB62o9csgL1sO6amp +CQIwQieldrF6eCHG/Br8xlGhON3sRnPX4FYNNXE3P5dkxaqslBqj4bFuC06V7Hn4 +TgkNAjAwWc2pnyxdi8gB2cttj27rJ6V5RomdiaQnq71zSgiGjLTXkfhhkOwUn76P +BrNoRfECMHGdJBAqsK3sDDFZ+M092tsNuf/p8QFS+4dYMfG4W0Kc8FXqOTZWAD0a +WHYBbxmpGQ== +-----END PRIVATE KEY----- diff --git a/sample-x509/leaf3.pem b/sample-x509/leaf3.pem new file mode 100644 index 00000000..d4aeb099 --- /dev/null +++ b/sample-x509/leaf3.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw +MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h +bWUzMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALe+Q+td+Vr6V0QPUKH5GFjdcirE +vPG4093oQo7jAt8d+IAgpJx1OmB9rMhfO0xBX3i9l+3kdK90IcesGUVA2z4EOoVK +pNsaZda7FKjB1x+GWZTXtvW0/68bPqgIylXcewIDAQABozMwMTAOBgNVHQ8BAf8E +BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN +AQELBQADYQBakkW3+ZH01i0mit/7f/AR6A5XsABGge5DR2y8ju7fvmhQAz9GC5C5 +R9ri5/xiWucRADp+d8admKv3lxXMKtZ88g89arwDdVCkC5AsTN4qVhZAhO+kTv4W +DWyWWSUVqog= +-----END CERTIFICATE----- diff --git a/sample-x509/root-crt.pem b/sample-x509/root-crt.pem new file mode 100644 index 00000000..d6f1dbc4 --- /dev/null +++ b/sample-x509/root-crt.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw +MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDb +M2FpVYArMQ0DTbCXZC12pW88PBzg7qnzYNZJhW+UUq7h4q8Iqz61OWUNlE6PWhty +u2rHavN1xHXbmSDPO5T/zg9lFckZsVidPIlTyWyBsjL1pDWQfOT/MEfaShaDMksC +AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUdoi9uHwz794ebY71 +6wNJc6WSXH0wDQYJKoZIhvcNAQELBQADYQAet2usxlbk1MfBrIYNSPUD1zo1lr9L +V70VnTElZCWCTGEiBTcE2+awsiXNbJBXf8QmFxFTdCXIMsNN1DqmNEfx9uXKma+D +O0nx5vXRpXqNnpSTiFVDudINRDV2qWqB5yQ= +-----END CERTIFICATE----- diff --git a/sample-x509/root-key.pem b/sample-x509/root-key.pem new file mode 100644 index 00000000..560a4f3a --- /dev/null +++ b/sample-x509/root-key.pem @@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEA2zNhaVWAKzENA02w +l2QtdqVvPDwc4O6p82DWSYVvlFKu4eKvCKs+tTllDZROj1obcrtqx2rzdcR125kg +zzuU/84PZRXJGbFYnTyJU8lsgbIy9aQ1kHzk/zBH2koWgzJLAgMBAAECYQCnhMPM +QTh7Sbg9LxFnEXshMlspOHOFfz/IrNf3Rg+41duq65eC04RP8TYGQ7IqIdxwJgeG +J1PMvsqtffac9PUqZ41xRRiifwcS06OIgSxW6Lh6H0GfYlQ5MZnsAXQAFxkCMQDs ++MRf3m3AYowKCzZ3pLCgl2JS7HllKfxCkmlCJc7QFfJkv0iAaQtyMg7ujxjo44UC +MQDszU8Lz9an7nzRg+rJiG/JQ7XvUzWRanAkCpwRjcF2WsjZhGE5awZ0wEHgup4T +H48CMQCg5d/gABSg9ciD4U0gO1A6Gc+G4k0ipTlEskiJw0YC/4PPaBmAJtLAvMBq +tfqB1kkCMEucasb8wC+y6MwFcSyUkg0Tv74BNbOO5uu7L4YzWzitWECMEndBAzi4 +QtC9BchZZQIwG5JY1G+zfB15tzaGBfOJiWRbvO0z46umojOU8nYtGM9sOz9dePZg +U+QzJke9yEfC +-----END PRIVATE KEY----- From 85996e176d647580444075854b95f80865a72a2f Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 14 Apr 2022 12:20:36 -0400 Subject: [PATCH 03/15] Updated Spire Server configuration Signed-off-by: Mariusz Sabath --- charts/tornjak/templates/server-configmap.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/tornjak/templates/server-configmap.tpl b/charts/tornjak/templates/server-configmap.tpl index 9365e4b5..d331763c 100644 --- a/charts/tornjak/templates/server-configmap.tpl 
+++ b/charts/tornjak/templates/server-configmap.tpl
@@ -72,7 +72,7 @@ data:
 }
 NodeAttestor "x509pop" {
 plugin_data {
- ca_bundle_path = "/opt/spire/sample-keys/rootCA.pem"
+ ca_bundle_path = "/opt/spire/sample-x509/rootCA.pem"
 }
 }
From c1b610bf0583acdaf7655941dc097e3821973a90 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 14 Apr 2022 16:41:48 -0400 Subject: [PATCH 04/15] Added x509 nodeAttestor support Signed-off-by: Mariusz Sabath --- charts/spire/templates/agent-configmap.tpl | 7 +++++++ charts/spire/templates/agent-daemonset.tpl | 8 ++++++++ .../tornjak/templates/server-statefulset.tpl | 6 ++++++ sample-x509/leaf-crt-bundle.pem | 19 ------------------- sample-x509/leaf-key.pem | 13 ------------- sample-x509/leaf.pem | 10 ---------- utils/install-open-shift-spire.sh | 3 ++- 7 files changed, 23 insertions(+), 43 deletions(-) delete mode 100644 sample-x509/leaf-crt-bundle.pem delete mode 100644 sample-x509/leaf-key.pem delete mode 100644 sample-x509/leaf.pem
diff --git a/charts/spire/templates/agent-configmap.tpl b/charts/spire/templates/agent-configmap.tpl
index e759b02f..e8d9d970 100644
--- a/charts/spire/templates/agent-configmap.tpl
+++ b/charts/spire/templates/agent-configmap.tpl
@@ -24,6 +24,13 @@ data:
 plugin_data {
 }
 }
+ {{- else if .Values.x509 }}
+ NodeAttestor "x509pop" {
+ plugin_data {
+ private_key_path = "/run/spire/agent/key.pem"
+ certificate_path = "/run/spire/agent/cert.pem"
+ }
+ }
 {{- else }}
 NodeAttestor "k8s_psat" {
 plugin_data {
diff --git a/charts/spire/templates/agent-daemonset.tpl b/charts/spire/templates/agent-daemonset.tpl
index cbf91745..23c3b72e 100644
--- a/charts/spire/templates/agent-daemonset.tpl
+++ b/charts/spire/templates/agent-daemonset.tpl
@@ -46,6 +46,10 @@ spec:
 readOnly: true
 - name: spire-agent-token
 mountPath: /var/run/secrets/tokens
+ readOnly: true
+ - name: agent-x509
+ mountPath: /run/spire/agent
+ readOnly: true
 livenessProbe:
 exec:
 command:
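Review bot: The `agent-x509` volume mount in the agent-daemonset.tpl `@@ -46,6 +46,10 @@` hunk, and the matching `secret:` volume in the `@@ -68,6 +72,10 @@` hunk, are added unconditionally, but the agent-configmap.tpl hunk only reads `key.pem`/`cert.pem` when `.Values.x509` is set. A Secret volume is required unless marked optional, so on any cluster where `agent-x509` was never created (every `k8s_psat` deployment, which is still the template's default branch) the agent pods will stay in ContainerCreating until the secret appears. Either wrap both the mount and the volume in `{{- if .Values.x509 }}` / `{{- end }}`, or add `optional: true` under `secret:` so the kubelet tolerates a missing secret. `.Values.x509` also has no visible entry in the chart's values.yaml in this series; adding `x509: false` with a one-line comment there would document the switch and its default.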
@@ -68,6 +72,10 @@ spec:
 hostPath:
 path: {{ .Values.spireAgent.socketDir }}
 type: DirectoryOrCreate
+ - name: agent-x509
+ secret:
+ defaultMode: 0400
+ secretName: agent-x509
 - name: spire-agent-token
 projected:
 sources:
diff --git a/charts/tornjak/templates/server-statefulset.tpl b/charts/tornjak/templates/server-statefulset.tpl
index d7b619fb..61a138c8 100644
--- a/charts/tornjak/templates/server-statefulset.tpl
+++ b/charts/tornjak/templates/server-statefulset.tpl
@@ -33,6 +33,8 @@ spec:
 # not needed if using volumeClaimTemplates and sockets
 privileged: true
 volumeMounts:
+ - name: sample-x509
+ mountPath: /opt/spire/sample-x509
 - name: spire-config
 mountPath: /run/spire/config
 readOnly: true
@@ -124,6 +126,10 @@ spec:
 mountPath: {{ .Values.oidc.socketDir }}
 {{- end }}
 volumes:
+ - name: sample-x509
+ secret:
+ defaultMode: 0400
+ secretName: sample-x509
 - name: spire-config
 configMap:
 name: spire-server
diff --git a/sample-x509/leaf-crt-bundle.pem b/sample-x509/leaf-crt-bundle.pem deleted file mode 100644
index 40b9598e..00000000
--- a/sample-x509/leaf-crt-bundle.pem
+++ /dev/null
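Review bot: The new `sample-x509` mount at `/opt/spire/sample-x509` in the server-statefulset.tpl `@@ -33,6 +33,8 @@` hunk omits `readOnly: true`, unlike the adjacent `spire-config` mount; the kubelet mounts Secret volumes read-only regardless, but the explicit flag keeps the intent visible and consistent for a volume that holds the CA bundle the server trusts for node attestation. As with the agent DaemonSet, the `secret:` volume in the `@@ -124,6 +126,10 @@` hunk is required by default, so the server pod will not start until a `sample-x509` secret is created out of band; guard it with the same values switch as the attestor, or set `optional: true`. The contract that the secret must carry a `rootCA.pem` key (the path configured in server-configmap.tpl) is not written anywhere in the chart; a comment such as `# sample-x509 must contain rootCA.pem, the x509pop CA bundle` next to the volume would document it.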
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBYTCB7KADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowGzEZMBcGA1UEAxMQc29tZSBjb21tb24gbmFt -ZTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDR/rrOq9GhzI9XFxIOxqEZ7hXmc0P9 -6CjEi3xl5BQVIkQnx46cHKEY6vyEodxjcv5HefJ3Jmpx+4Jf+J9KJ+XGkiD3T7zC -d7FX0zPyMBxtImvojJDxuqlrUCs0cHBZCP8CAwEAAaMSMBAwDgYDVR0PAQH/BAQD -AgeAMA0GCSqGSIb3DQEBCwUAA2EAjp41GzuQBqEIY7F/8O6VQwwDA4qmtTkbSq0P -jYvfDKTaC2tB/nxlZoHdunx2wb/cvjQ0hmp6an5AioX8aRnSp7CwfgM5sDIb6mXz -0EIobXRibY/E88IK2Ok/JUn4Jlpe ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBRzCB0qADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDA -Gm2bb+E2IKjcS6a2lCpUys5j7ySQIHM19EULD1jjkRT3y2S8dm5jlfQR4UMF6BFq -KuNiEbML5jfEq1IyzmJ6IHuVDxfhxGq24cXSAT308C/ybnOEuSHgVviae8oscZEC -AwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAANhAAsnJCCT -BF3HflSMwISuJ3d6CopcV70Pylza79l97DUGoSeSQEorOjLRFkiB9c9M7SZEgYs5 -IgbjcwkCLkHjXq2UNFjhe28MNBTdfD6yjE/x6QiAunw01flG0sJPU2xUzQ== ------END CERTIFICATE----- diff --git a/sample-x509/leaf-key.pem b/sample-x509/leaf-key.pem deleted file mode 100644 index 84a1a47f..00000000 --- a/sample-x509/leaf-key.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEA0f66zqvRocyPVxcS -DsahGe4V5nND/egoxIt8ZeQUFSJEJ8eOnByhGOr8hKHcY3L+R3nydyZqcfuCX/if -SiflxpIg90+8wnexV9Mz8jAcbSJr6IyQ8bqpa1ArNHBwWQj/AgMBAAECYQCzSfsQ -jR30OISBZM8kEm5lhyLnmK4KUHbOKBFTpQGIcbMjC3w0yTS545cpXlCeEASBLxQ3 -3XEQSF3W1SmZBHuI/nMXBG3lc48VkeL8++lSPg08DWaEdzJzG6A0gsEjjuECMQD2 -uwDW78B3gW9SP4PUXeRYbo68XoLr28+AIt0Bh07FiMLBsL+7xtkwqM0C7b6PZCkC -MQDZ4mnW0LvVAjjnOQ4SgdWFHZh7fcDQ5s2RvSp3HGFb/ALoRr7yfO10OkMUiTq9 -aOcCMQDWHNiQrcSfsMKTZK0ZmVV07JSPoZEJ71o1/4s9LVfNkm44uhLZeKm4UXR/ -6yNoumkCMGTD7ljXnhar+W8OFvD+NKZkgpGSHes+4pFlH8+IQ4qL6ThNB6AToKmh -DEbiFFVmvwIwVPiNcKPW9d36K/nM5o41lLcpSvJGneGQQsNDHvZDIiMpCFVvxoBz -fzRRb2sFi1gI ------END PRIVATE KEY----- 
diff --git a/sample-x509/leaf.pem b/sample-x509/leaf.pem deleted file mode 100644 index c43ae767..00000000 --- a/sample-x509/leaf.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBYTCB7KADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowGzEZMBcGA1UEAxMQc29tZSBjb21tb24gbmFt -ZTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDR/rrOq9GhzI9XFxIOxqEZ7hXmc0P9 -6CjEi3xl5BQVIkQnx46cHKEY6vyEodxjcv5HefJ3Jmpx+4Jf+J9KJ+XGkiD3T7zC -d7FX0zPyMBxtImvojJDxuqlrUCs0cHBZCP8CAwEAAaMSMBAwDgYDVR0PAQH/BAQD -AgeAMA0GCSqGSIb3DQEBCwUAA2EAjp41GzuQBqEIY7F/8O6VQwwDA4qmtTkbSq0P -jYvfDKTaC2tB/nxlZoHdunx2wb/cvjQ0hmp6an5AioX8aRnSp7CwfgM5sDIb6mXz -0EIobXRibY/E88IK2Ok/JUn4Jlpe ------END CERTIFICATE----- diff --git a/utils/install-open-shift-spire.sh b/utils/install-open-shift-spire.sh index 5e727c8e..de802711 100755 --- a/utils/install-open-shift-spire.sh +++ b/utils/install-open-shift-spire.sh @@ -182,7 +182,8 @@ oc_cli adm policy add-scc-to-user privileged -z $SPIRE_AG_SA helm install --set "spireServer.address=$SPIRESERVER" --set "namespace=$PROJECT" \ --set "clustername=$CLUSTERNAME" --set "trustdomain=$TRUSTDOMAIN" \ --set "region=$REGION" \ - --set "openShift=true" spire charts/spire # --debug + --set "x509=true" \ + --set "openShift=true" spire charts/spire --debug cat << EOF From 91181e28ecf5294b7c44b8a1124591c7e60f22f0 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 14 Apr 2022 18:23:36 -0400 Subject: [PATCH 05/15] Documenation updates Signed-off-by: Mariusz Sabath --- docs/x509.md | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 docs/x509.md diff --git a/docs/x509.md b/docs/x509.md new file mode 100644 index 00000000..a1d53d59 --- /dev/null +++ b/docs/x509.md 
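Review bot: `--set "x509=true"` is hard-coded into the helm install in the install-open-shift-spire.sh hunk, so the script can no longer deploy the `k8s_psat` attestor that agent-configmap.tpl still treats as the default; make it a script option (e.g. a flag that sets an `X509` variable, constructed) and pass `--set "x509=$X509"`. The same hunk also turns `--debug` on permanently where it was previously commented out; helm `--debug` prints the user-supplied and computed values plus every rendered manifest to stdout, which is noisy in install logs and looks like a leftover from testing. The helm command enclosing this hunk starts above it.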
@@ -0,0 +1,147 @@ +# Tornjak + SPIRE with x509pop (Proof of Possession) for Confidential Computing project +The `x509pop` nodeAttestor plugin attests nodes that have been provisioned with +an x509 identity through an out-of-band mechanism. +It verifies that the certificate is rooted to a trusted set of CAs +and issues a signature based proof-of-possession challenge to the agent plugin +to verify that the node is in possession of the private key. + + +## Pre-install: Get the code and create Keys +### Get the code +Obtain the clone of the repo: + +```console +git clone https://github.com/IBM/trusted-service-identity.git +git checkout conf_container +``` +### Create keys and certificates for testing +Keys are already created in `sample-x509` directory. + +To create new keys: + +To test the configuration and setup, one can use the already rendered +Keys and Certs: +https://github.com/spiffe/spire/blob/v1.2.0/test/fixture/nodeattestor/x509pop/ + +To tool for generating them: +https://github.com/spiffe/spire/blob/v1.2.0/test/fixture/nodeattestor/x509pop/generate.go + +Sample execution: +```console +cd sample-x509 +go run generate.go +cd .. +``` + +Setting up the keys for SPIRE Server: +* generate rootCA key +* create rootCert (rootKey) +* generate intermediate Key +* create intermediateCert(intermKey, rootKey, rootCert) + + +## Install the SPIRE Server with OIDC and Vault +Server NodeAttestor just needs the rootCA cert for verification (rootCA.pem) + +Pass the cert as a Secret: +```console + +kubectl -n tornjak create secret generic sample-x509 \ +--from-file=rootCA.pem="sample-x509/root-crt.pem" +``` + +### Server deployment +Here we are using OpenShift cluster in IBM Cloud. 
+Setup `KUBECONFIG` and deploy: + +```console +# use a script to get CLUSTER_NAME +utils/get-cluster-info.sh + +# or set it up explicitly: +export CLUSTER_NAME=openshift-ibmcloud-01 +utils/install-open-shift-tornjak.sh -c $CLUSTER_NAME -t openshift.space-x.com --oidc +``` + +Test Access the Tornjak +http://tornjak-http-tornjak.openshift-ibmcloud-01-9d995c4a8c7c5f281ce13d5467ff6a94-0000.us-south.containers.appdomain.cloud/ + +Test Access to OIDC: +```console +curl -k https://oidc-tornjak.openshift-ibmcloud-01-9d995c4a8c7c5f281ce13d5467ff6a94-0000.us-south.containers.appdomain.cloud/.well-known/openid-configuration +``` + +Capture the `spire-bundle` to be used for Spire Agents: + +```console +kubectl -n tornjak get configmap spire-bundle -oyaml | kubectl patch --type json --patch '[{"op": "replace", "path": "/metadata/namespace", "value":"spire"}]' -f - --dry-run=client -oyaml > spire-bundle.yaml +``` + +### Setup Vault with OIDC: +https://github.com/IBM/trusted-service-identity/blob/main/docs/spire-oidc-vault.md + +## Deploy SPIRE Agents in Remote Clusters +Follow the pre-Install steps above to get the code and the keys. Keys are already created in `sample-x509` directory. + + +## Deploy the keys +Eventually, the x509 cert will be delivered to the host out-of-bound, but for now, let's pass them as secrets. + +```console +# create a namespace: +kubectl create ns spire + +# create a secret with keys: +kubectl -n spire create secret generic agent-x509 \ +--from-file=key.pem="sample-x509/leaf1-key.pem" \ +--from-file=cert.pem="sample-x509/leaf1-crt-bundle.pem" +``` + +### Setup env. +Deploy `spire-bundle` obtained from the SPIRE server. + +```console +kubectl -n spire create -f spire-bundle.yaml +``` + +Get the cluster name and region. 
+In IBM cloud, use the script: + +```console +utils/get-cluster-info.sh +# otherwise setup directly: +export CLUSTER_NAME= +export REGION=us-south +``` + +Point at the SPIRE Server: +```console +export SPIRE_SERVER=spire-server-tornjak.openshift-ibmcloud-01-9d995c4a8c7c5f281ce13d5467ff6a94-0000.us-south.containers.appdomain.cloud +``` + + +Install the Spire Agents + +If installing on OpenShift: + +```console +utils/install-open-shift-spire.sh -c $CLUSTER_NAME -r $REGION -s $SPIRE_SERVER -t openshift.space-x.com +``` + +If installing in native Kubernetes environment: + +```console +helm install --set "spireServer.address=$SPIRE_SERVER" \ +--set "namespace=spire" \ +--set "clustername=$CLUSTER_NAME" --set "trustdomain=openshift.space-x.com" \ +--set "region=$REGION" \ +--set "x509=true" --set \ +--set "openShift=false" spire charts/spire --debug +``` + + +### To cleanup the cluster (removes everything) + +```console +utils/install-open-shift-spire.sh --clean +``` From d5974fa9d6b9a896bd18a22461e9ed615f613d49 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 15 Apr 2022 10:24:41 -0400 Subject: [PATCH 06/15] Updated documentation Signed-off-by: Mariusz Sabath --- docs/x509.md | 79 ++++------------------------------------------------ 1 file changed, 5 insertions(+), 74 deletions(-) diff --git a/docs/x509.md b/docs/x509.md index a1d53d59..e912f5e4 100644 --- a/docs/x509.md +++ b/docs/x509.md 
@@ -17,16 +17,10 @@ git checkout conf_container ### Create keys and certificates for testing Keys are already created in `sample-x509` directory. -To create new keys: - -To test the configuration and setup, one can use the already rendered -Keys and Certs: -https://github.com/spiffe/spire/blob/v1.2.0/test/fixture/nodeattestor/x509pop/ - -To tool for generating them: +The script for generating keys is based on: https://github.com/spiffe/spire/blob/v1.2.0/test/fixture/nodeattestor/x509pop/generate.go -Sample execution: +To create new sample keys: ```console cd sample-x509 go run generate.go @@ -63,13 +57,7 @@ export CLUSTER_NAME=openshift-ibmcloud-01 utils/install-open-shift-tornjak.sh -c $CLUSTER_NAME -t openshift.space-x.com --oidc ``` -Test Access the Tornjak -http://tornjak-http-tornjak.openshift-ibmcloud-01-9d995c4a8c7c5f281ce13d5467ff6a94-0000.us-south.containers.appdomain.cloud/ - -Test Access to OIDC: -```console -curl -k https://oidc-tornjak.openshift-ibmcloud-01-9d995c4a8c7c5f281ce13d5467ff6a94-0000.us-south.containers.appdomain.cloud/.well-known/openid-configuration -``` +Test access to Tornjak and OIDC, as shown at the end of the deployment. Capture the `spire-bundle` to be used for Spire Agents: 
@@ -81,67 +69,10 @@ kubectl -n tornjak get configmap spire-bundle -oyaml | kubectl patch --type json https://github.com/IBM/trusted-service-identity/blob/main/docs/spire-oidc-vault.md ## Deploy SPIRE Agents in Remote Clusters -Follow the pre-Install steps above to get the code and the keys. Keys are already created in `sample-x509` directory. - - -## Deploy the keys -Eventually, the x509 cert will be delivered to the host out-of-bound, but for now, let's pass them as secrets. - -```console -# create a namespace: -kubectl create ns spire - -# create a secret with keys: -kubectl -n spire create secret generic agent-x509 \ ---from-file=key.pem="sample-x509/leaf1-key.pem" \ ---from-file=cert.pem="sample-x509/leaf1-crt-bundle.pem" -``` - -### Setup env. -Deploy `spire-bundle` obtained from the SPIRE server. - -```console -kubectl -n spire create -f spire-bundle.yaml -``` - -Get the cluster name and region. -In IBM cloud, use the script: - -```console -utils/get-cluster-info.sh -# otherwise setup directly: -export CLUSTER_NAME= -export REGION=us-south -``` - -Point at the SPIRE Server: -```console -export SPIRE_SERVER=spire-server-tornjak.openshift-ibmcloud-01-9d995c4a8c7c5f281ce13d5467ff6a94-0000.us-south.containers.appdomain.cloud -``` - - -Install the Spire Agents - -If installing on OpenShift: - -```console -utils/install-open-shift-spire.sh -c $CLUSTER_NAME -r $REGION -s $SPIRE_SERVER -t openshift.space-x.com -``` - -If installing in native Kubernetes environment: - -```console -helm install --set "spireServer.address=$SPIRE_SERVER" \ ---set "namespace=spire" \ ---set "clustername=$CLUSTER_NAME" --set "trustdomain=openshift.space-x.com" \ ---set "region=$REGION" \ ---set "x509=true" --set \ ---set "openShift=false" spire charts/spire --debug -``` - +Follow the deployment of [agent with x509](./x509-agent.md) ### To cleanup the cluster (removes everything) ```console -utils/install-open-shift-spire.sh --clean +utils/install-open-shift-tornjak.sh --clean ``` 
From c633d035356b059b9ae887d95a4b83c0aa1c49bb Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 15 Apr 2022 11:45:35 -0400 Subject: [PATCH 07/15] Minor changes to support K8s v1.22 Signed-off-by: Mariusz Sabath --- charts/tornjak/templates/server-configmap.tpl | 2 ++ docs/x509.md | 5 +++++ utils/install-open-shift-tornjak.sh | 4 ++++ 3 files changed, 11 insertions(+) diff --git a/charts/tornjak/templates/server-configmap.tpl b/charts/tornjak/templates/server-configmap.tpl index d331763c..c017370f 100644 --- a/charts/tornjak/templates/server-configmap.tpl +++ b/charts/tornjak/templates/server-configmap.tpl @@ -18,6 +18,8 @@ data: data_dir = "/run/spire/data" log_level = "DEBUG" default_svid_ttl = "1h" + # extended to 7 days, just for testing + ca_ttl = "168h" socket_path = "{{ .Values.spireServer.socketDir }}/{{ .Values.spireServer.socketFile }}" {{- if .Values.oidc.enable }} diff --git a/docs/x509.md b/docs/x509.md index e912f5e4..bf779351 100644 --- a/docs/x509.md +++ b/docs/x509.md @@ -35,6 +35,11 @@ Setting up the keys for SPIRE Server: ## Install the SPIRE Server with OIDC and Vault +Create a new namespace +```console +kubectl create ns tornjak +``` + Server NodeAttestor just needs the rootCA cert for verification (rootCA.pem) Pass the cert as a Secret: diff --git a/utils/install-open-shift-tornjak.sh b/utils/install-open-shift-tornjak.sh index 6ad7dadb..c0509f56 100755 --- a/utils/install-open-shift-tornjak.sh +++ b/utils/install-open-shift-tornjak.sh @@ -218,8 +218,10 @@ echo "$INGRESS" # setup TLS secret: CRN=$(ibmcloud oc ingress secret get -c "$CLUSTERNAME" --name "$INGSEC" --namespace openshift-ingress --output json | jq -r '.crn') + # not needed for k8s 1.22 anymore: #ibmcloud oc ingress secret create --cluster "$CLUSTERNAME" --cert-crn "$CRN" --name "$INGSEC" --namespace "$PROJECT" + if [ "$?" == "0" ]; then echo "All good" fi 
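Review bot: `ca_ttl = "168h"` is hard-coded into the chart template under a comment that calls it a testing value, so every deployment rendered from this chart now runs a 7-day CA next to the 1h `default_svid_ttl` on the line above. A setting that is only meant for testing belongs in values, e.g. `ca_ttl = "{{ .Values.spireServer.caTTL }}"` with a short default, so production users do not inherit it silently. The comment should also state why 7 days was chosen rather than just "for testing".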
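Review bot: With the `ibmcloud oc ingress secret create` line commented out, the `if [ "$?" == "0" ]` test that follows now reports on the `CRN=$(... | jq -r '.crn')` assignment above it (the exit status of `jq`, the last command in that pipeline), not on any ingress operation, and `CRN` is no longer consumed anywhere in the hunk. Either drop the lookup together with the "All good" check, or test the lookup itself: `if CRN=$(ibmcloud oc ingress secret get -c "$CLUSTERNAME" --name "$INGSEC" --namespace openshift-ingress --output json | jq -r '.crn'); then`. Unless the script sets `pipefail` (its header is outside this hunk), a failed `ibmcloud` call would still pass that test because `jq` exits 0 on empty input.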
@@ -230,6 +232,8 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: spireingress + annotations: + kubernetes.io/ingress.class: "public-iks-k8s-nginx" spec: tls: - hosts: From b6f4092314094b5071978527650406cddb618a3f Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Mon, 25 Apr 2022 20:06:47 -0400 Subject: [PATCH 08/15] Added Keylime deployment scripts Signed-off-by: Mariusz Sabath --- utils/conf/intermediate-config.txt | 132 +++++++++++++++++++++++++++++ utils/createNodeScript.sh | 66 +++++++++++++++ utils/deployKeysKeylime.sh | 14 +++ 3 files changed, 212 insertions(+) create mode 100644 utils/conf/intermediate-config.txt create mode 100755 utils/createNodeScript.sh create mode 100644 utils/deployKeysKeylime.sh diff --git a/utils/conf/intermediate-config.txt b/utils/conf/intermediate-config.txt new file mode 100644 index 00000000..f9320b8e --- /dev/null +++ b/utils/conf/intermediate-config.txt 
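Review bot: The new `kubernetes.io/ingress.class` annotation is the deprecated way to select a controller for a `networking.k8s.io/v1` Ingress (the apiVersion is visible in this hunk's context); the v1 API carries the class in the spec. Prefer `ingressClassName: public-iks-k8s-nginx` directly under `spec:`, which is the field v1-aware controllers read, and keep the annotation only if an older controller on the target cluster is known to need it. Since the value is IBM-specific and lives inside a heredoc, consider exposing it as a script variable so non-IKS clusters can override it.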
@@ -0,0 +1,132 @@ +# OpenSSL intermediate CA configuration file. +# Copy to `/root/ca/intermediate/openssl.cnf`. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /target/run/spire/x509 +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/intermediate.key.pem +certificate = $dir/intermediate.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/intermediate.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . 
+countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = GB +stateOrProvinceName_default = England +localityName_default = +0.organizationName_default = Alice Ltd +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). 
+basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning diff --git a/utils/createNodeScript.sh b/utils/createNodeScript.sh new file mode 100755 index 00000000..6144645e --- /dev/null +++ b/utils/createNodeScript.sh 
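Review bot: The comment `# The root key and root certificate.` in `[ CA_default ]` sits above `private_key = $dir/intermediate.key.pem` and `certificate = $dir/intermediate.cert.pem`, so it describes the wrong CA; change it to `# The intermediate key and certificate.` The `# See .` line under `[ req_distinguished_name ]` has lost its reference and should either name the source or be removed. `nsCertType` and `nsComment` in `[ usr_cert ]` and `[ server_cert ]` are legacy Netscape extensions with no role in the x509pop exchange; dropping them keeps the node certificates smaller and avoids implying they matter.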
@@ -0,0 +1,66 @@ +#!/bin/bash +function usage { + echo "$0 [node] [key-directory]" + echo "where " + echo " node - name of the node to create keys" + echo " key-directory - directory with intermediate key, '../x509' default (optional)" + exit 1 +} +[[ -z $1 ]] && usage +NODE=$1 +if [[ "$2" != "" ]] ; then + KEYS="$2" +else + KEYS="../x509" +fi +FILE=$NODE.sh +TARGET_DIR="/target/run/spire/x509" + +echo "#!/bin/bash -x" > $FILE +chmod 755 $FILE + +echo "mkdir -p $TARGET_DIR" >> $FILE + +echo "cat > $TARGET_DIR/intermediate.cert.pem <> $FILE +if [ -f $KEYS/intermediate.cert.pem ]; then + cat $KEYS/intermediate.cert.pem >> $FILE + echo "EOF" >> $FILE + echo " " >> $FILE +else + echo "Error! Missing file $KEYS/intermediate.cert.pem" + exit 1 +fi + +if [ -f $KEYS/intermediate.key.pem ]; then + echo "cat > $TARGET_DIR/intermediate.key.pem <> $FILE + cat $KEYS/intermediate.key.pem >> $FILE + echo "EOF" >> $FILE + echo " " >> $FILE +else + echo "Error! Missing file $KEYS/intermediate.key.pem" + exit 1 +fi + +echo "cat > $TARGET_DIR/intermediate-openssl.cnf <> $FILE +cat conf/intermediate-config.txt >> $FILE +echo "EOF" >> $FILE +echo " " >> $FILE + +echo "openssl genrsa -out $TARGET_DIR/$NODE.key.pem 2048" >> $FILE +echo "chmod 400 $TARGET_DIR/$NODE.key.pem" >> $FILE + +echo 'SUBJ="/C=US/ST=CA/O=MyOrg, Inc./CN='"$NODE"'"' >> $FILE + +echo "openssl req -new -sha256 -key $TARGET_DIR/$NODE.key.pem \\" >> $FILE +echo ' -subj "${SUBJ}"'" -out $TARGET_DIR/$NODE.csr \ " >> $FILE +echo " -config $TARGET_DIR/intermediate-openssl.cnf 2>/dev/null" >> $FILE + +echo "openssl ca -config $TARGET_DIR/intermediate-openssl.cnf \\" >> $FILE +echo " -extensions server_cert -days 375 -notext -md sha256 \\" >> $FILE +echo " -in $TARGET_DIR/$NODE.csr \\" >> $FILE +echo " -out $TARGET_DIR/$NODE.cert.pem 2>/dev/null" >> $FILE +echo "chmod 444 $TARGET_DIR/$NODE.cert.pem" >> $FILE + + +echo "cat $TARGET_DIR/$NODE.cert.pem \\" >> $FILE +echo " $TARGET_DIR/intermediate.pem > 
$TARGET_DIR/$NODE-bundle.cert.pem" >> $FILE diff --git a/utils/deployKeysKeylime.sh b/utils/deployKeysKeylime.sh new file mode 100644 index 00000000..422d8ebd --- /dev/null +++ b/utils/deployKeysKeylime.sh @@ -0,0 +1,14 @@ +#!/bin/bash +function usage { + echo "$0 [node]" + echo "where " + echo " node - name of the node to deploy keys" + exit 1 +} +[[ -z $1 ]] && usage + +keylime-op -u undercloud.yml -m mzone.yml -o deactivate -n $NODE +keylime-op -u undercloud.yml -m mzone.yml -o autorun -s `pwd`/script/${NODE}.sh -n $NODE +keylime-op -u undercloud.yml -m mzone.yml -o activate -n $NODE + +keylime-op -u undercloud.yml -m mzone.yml -o status From 6c56a98e9dc1ec78b73f41f48a01e2b707489d51 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 26 Apr 2022 11:28:52 -0400 Subject: [PATCH 09/15] Update the key deployment scripts Signed-off-by: Mariusz Sabath --- charts/spire/templates/agent-configmap.tpl | 4 ++-- charts/spire/templates/agent-daemonset.tpl | 6 +++--- utils/conf/intermediate-config.txt | 22 +++++++++++----------- utils/createNodeScript.sh | 18 +++++++++--------- utils/deployKeysKeylime.sh | 9 +++++---- 5 files changed, 30 insertions(+), 29 deletions(-) mode change 100644 => 100755 utils/deployKeysKeylime.sh diff --git a/charts/spire/templates/agent-configmap.tpl b/charts/spire/templates/agent-configmap.tpl index e8d9d970..918eb4bd 100644 --- a/charts/spire/templates/agent-configmap.tpl +++ b/charts/spire/templates/agent-configmap.tpl @@ -27,8 +27,8 @@ data: {{- else if .Values.x509 }} NodeAttestor "x509pop" { plugin_data { - private_key_path = "/run/spire/agent/key.pem" - certificate_path = "/run/spire/agent/cert.pem" + private_key_path = "/run/spire/agent/node.key.pem" + certificate_path = "/run/spire/agent/node-bundle.cert.pem" } } {{- else }} diff --git a/charts/spire/templates/agent-daemonset.tpl b/charts/spire/templates/agent-daemonset.tpl index 23c3b72e..9616d9f3 100644 --- a/charts/spire/templates/agent-daemonset.tpl 
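Review bot: The generated per-node script embeds the intermediate CA private key (`cat $KEYS/intermediate.key.pem >> $FILE`) and runs the `openssl ca` signing on the node itself, so every attested node ends up holding the key that signs all node identities; a node in possession of it can produce a certificate for any CN, which removes the guarantee `x509pop` attestation is meant to provide. Signing should stay on the operator side: generate the key on the node and return only the CSR, or at least sign locally and ship just `node.key.pem` and `node-bundle.cert.pem`. Separately, `2>/dev/null` on both `openssl req` and `openssl ca` combined with no `set -e` in the emitted header means a failed signing is silent and the script continues to build a bundle from a file that does not exist.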
+++ b/charts/spire/templates/agent-daemonset.tpl @@ -73,9 +73,9 @@ spec: path: {{ .Values.spireAgent.socketDir }} type: DirectoryOrCreate - name: agent-x509 - secret: - defaultMode: 0400 - secretName: agent-x509 + hostPath: + path: /run/spire/x509 + type: Directory - name: spire-agent-token projected: sources: diff --git a/utils/conf/intermediate-config.txt b/utils/conf/intermediate-config.txt index f9320b8e..ae6af008 100644 --- a/utils/conf/intermediate-config.txt +++ b/utils/conf/intermediate-config.txt @@ -1,8 +1,8 @@ # OpenSSL intermediate CA configuration file. -# Copy to `/root/ca/intermediate/openssl.cnf`. +# Copy to '/root/ca/intermediate/openssl.cnf'. [ ca ] -# `man ca` +# 'man ca' default_ca = CA_default [ CA_default ] @@ -36,7 +36,7 @@ policy = policy_loose [ policy_strict ] # The root CA should only sign intermediate certificates that match. -# See the POLICY FORMAT section of `man ca`. +# See the POLICY FORMAT section of 'man ca'. countryName = match stateOrProvinceName = match organizationName = match @@ -46,7 +46,7 @@ emailAddress = optional [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. -# See the POLICY FORMAT section of the `ca` man page. +# See the POLICY FORMAT section of the 'ca' man page. countryName = optional stateOrProvinceName = optional localityName = optional @@ -56,7 +56,7 @@ commonName = supplied emailAddress = optional [ req ] -# Options for the `req` tool (`man req`). +# Options for the 'req' tool ('man req'). default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only 
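Review bot: Replacing the `agent-x509` Secret (which carried `defaultMode: 0400`) with `hostPath: /run/spire/x509` gives the agent pod direct access to the node's key material on the host filesystem, which requires hostPath to be allowed for the `spire` namespace (PSA/SCC) and deserves a comment in the template explaining why the Secret was dropped. The matching `volumeMounts` entry is outside this hunk; it should carry `readOnly: true` so the container cannot modify or replace the node key. Ownership and mode of the files are now whatever the key-deployment script leaves on the host, so the agent's runtime uid has to be able to read them — that dependency is not documented anywhere in this series.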
@@ -86,21 +86,21 @@ organizationalUnitName_default = emailAddress_default = [ v3_ca ] -# Extensions for a typical CA (`man x509v3_config`). +# Extensions for a typical CA ('man x509v3_config'). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] -# Extensions for a typical intermediate CA (`man x509v3_config`). +# Extensions for a typical intermediate CA ('man x509v3_config'). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ usr_cert ] -# Extensions for client certificates (`man x509v3_config`). +# Extensions for client certificates ('man x509v3_config'). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "OpenSSL Generated Client Certificate" @@ -110,7 +110,7 @@ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ server_cert ] -# Extensions for server certificates (`man x509v3_config`). +# Extensions for server certificates ('man x509v3_config'). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" @@ -120,11 +120,11 @@ keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ crl_ext ] -# Extension for CRLs (`man x509v3_config`). +# Extension for CRLs ('man x509v3_config'). authorityKeyIdentifier=keyid:always [ ocsp ] -# Extension for OCSP signing certificates (`man ocsp`). +# Extension for OCSP signing certificates ('man ocsp'). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer diff --git a/utils/createNodeScript.sh b/utils/createNodeScript.sh index 6144645e..3a5a1d99 100755 --- a/utils/createNodeScript.sh +++ b/utils/createNodeScript.sh 
@@ -46,21 +46,21 @@ cat conf/intermediate-config.txt >> $FILE echo "EOF" >> $FILE echo " " >> $FILE -echo "openssl genrsa -out $TARGET_DIR/$NODE.key.pem 2048" >> $FILE -echo "chmod 400 $TARGET_DIR/$NODE.key.pem" >> $FILE +echo "openssl genrsa -out $TARGET_DIR/node.key.pem 2048" >> $FILE +echo "chmod 400 $TARGET_DIR/node.key.pem" >> $FILE echo 'SUBJ="/C=US/ST=CA/O=MyOrg, Inc./CN='"$NODE"'"' >> $FILE -echo "openssl req -new -sha256 -key $TARGET_DIR/$NODE.key.pem \\" >> $FILE -echo ' -subj "${SUBJ}"'" -out $TARGET_DIR/$NODE.csr \ " >> $FILE +echo "openssl req -new -sha256 -key $TARGET_DIR/node.key.pem \\" >> $FILE +echo ' -subj "${SUBJ}"'" -out $TARGET_DIR/node.csr \ " >> $FILE echo " -config $TARGET_DIR/intermediate-openssl.cnf 2>/dev/null" >> $FILE echo "openssl ca -config $TARGET_DIR/intermediate-openssl.cnf \\" >> $FILE echo " -extensions server_cert -days 375 -notext -md sha256 \\" >> $FILE -echo " -in $TARGET_DIR/$NODE.csr \\" >> $FILE -echo " -out $TARGET_DIR/$NODE.cert.pem 2>/dev/null" >> $FILE -echo "chmod 444 $TARGET_DIR/$NODE.cert.pem" >> $FILE +echo " -in $TARGET_DIR/node.csr \\" >> $FILE +echo " -out $TARGET_DIR/node.cert.pem 2>/dev/null" >> $FILE +echo "chmod 444 $TARGET_DIR/node.cert.pem" >> $FILE -echo "cat $TARGET_DIR/$NODE.cert.pem \\" >> $FILE -echo " $TARGET_DIR/intermediate.pem > $TARGET_DIR/$NODE-bundle.cert.pem" >> $FILE +echo "cat $TARGET_DIR/node.cert.pem \\" >> $FILE +echo " $TARGET_DIR/intermediate.pem > $TARGET_DIR/node-bundle.cert.pem" >> $FILE diff --git a/utils/deployKeysKeylime.sh b/utils/deployKeysKeylime.sh old mode 100644 new mode 100755 index 422d8ebd..2ddd4a41 --- a/utils/deployKeysKeylime.sh +++ b/utils/deployKeysKeylime.sh 
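Review bot: The rewritten `-out $TARGET_DIR/node.csr \ "` line still ends with a backslash followed by a space inside the double quotes, so the emitted script contains `\ ` rather than a line continuation and the following ` -config ...` line runs as a separate command. The bundle line also still concatenates `$TARGET_DIR/intermediate.pem`, while the file the script writes earlier (outside this hunk) is `intermediate.cert.pem`, so `cat` errors and `node-bundle.cert.pem` holds only the leaf. Both are corrected later in this series; within this commit the fixes are `-out $TARGET_DIR/node.csr \\" >> $FILE` and `intermediate.cert.pem`.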
@@ -6,9 +6,10 @@ function usage { exit 1 } [[ -z $1 ]] && usage +NODE=$1 -keylime-op -u undercloud.yml -m mzone.yml -o deactivate -n $NODE -keylime-op -u undercloud.yml -m mzone.yml -o autorun -s `pwd`/script/${NODE}.sh -n $NODE -keylime-op -u undercloud.yml -m mzone.yml -o activate -n $NODE +keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o deactivate -n $NODE +keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o autorun -s `pwd`/${NODE}.sh -n $NODE +keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o activate -n $NODE -keylime-op -u undercloud.yml -m mzone.yml -o status +keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o status From 1dd9e3b505721721badde36a5461c0ccc898b15f Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 26 Apr 2022 19:11:45 -0400 Subject: [PATCH 10/15] Key deployment script updates Signed-off-by: Mariusz Sabath --- utils/conf/intermediate-config.txt | 22 +++++++------- utils/createNodeScript.sh | 46 +++++++++++++++++++----------- 2 files changed, 41 insertions(+), 27 deletions(-) diff --git a/utils/conf/intermediate-config.txt b/utils/conf/intermediate-config.txt index ae6af008..1f2c9b99 100644 --- a/utils/conf/intermediate-config.txt +++ b/utils/conf/intermediate-config.txt 
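Review bot: The three `keylime-op` calls run unconditionally, so `activate` executes even when the preceding `autorun` (the step that installs the node key) failed, and the script's exit status is only that of the final `status` call. Chain them, e.g. `set -e` after the shebang (outside this hunk) or `keylime-op ... -o autorun ... && keylime-op ... -o activate ...`. `$NODE` comes straight from argv and should be quoted, `-n "$NODE"`.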
@@ -7,21 +7,21 @@ default_ca = CA_default [ CA_default ] # Directory and file locations. -dir = /target/run/spire/x509 -certs = $dir/certs -crl_dir = $dir/crl -new_certs_dir = $dir/newcerts -database = $dir/index.txt -serial = $dir/serial -RANDFILE = $dir/private/.rand +dir = /tmp/ca +certs = \$dir/certs +crl_dir = \$dir/crl +new_certs_dir = \$dir/newcerts +database = \$dir/index.txt +serial = \$dir/serial +RANDFILE = \$dir/private/.rand # The root key and root certificate. -private_key = $dir/intermediate.key.pem -certificate = $dir/intermediate.cert.pem +private_key = \$dir/intermediate.key.pem +certificate = \$dir/intermediate.cert.pem # For certificate revocation lists. -crlnumber = $dir/crlnumber -crl = $dir/crl/intermediate.crl.pem +crlnumber = \$dir/crlnumber +crl = \$dir/crl/intermediate.crl.pem crl_extensions = crl_ext default_crl_days = 30 diff --git a/utils/createNodeScript.sh b/utils/createNodeScript.sh index 3a5a1d99..92bad56f 100755 --- a/utils/createNodeScript.sh +++ b/utils/createNodeScript.sh @@ -15,13 +15,20 @@ else fi FILE=$NODE.sh TARGET_DIR="/target/run/spire/x509" +TEMP_DIR="/tmp/ca" echo "#!/bin/bash -x" > $FILE chmod 755 $FILE -echo "mkdir -p $TARGET_DIR" >> $FILE +echo "mkdir -p $TEMP_DIR" >> $FILE +echo "cd $TEMP_DIR" >> $FILE +echo "mkdir certs crl newcerts private" >> $FILE +echo "chmod 700 private" >> $FILE +echo "touch index.txt" >> $FILE +echo "echo 1000 > serial" >> $FILE +echo "cd -" >> $FILE -echo "cat > $TARGET_DIR/intermediate.cert.pem <> $FILE +echo "cat > $TEMP_DIR/intermediate.cert.pem <> $FILE if [ -f $KEYS/intermediate.cert.pem ]; then cat $KEYS/intermediate.cert.pem >> $FILE echo "EOF" >> $FILE @@ -32,7 +39,7 @@ else fi if [ -f $KEYS/intermediate.key.pem ]; then - echo "cat > $TARGET_DIR/intermediate.key.pem <> $FILE + echo "cat > $TEMP_DIR/intermediate.key.pem <> $FILE cat $KEYS/intermediate.key.pem >> $FILE echo "EOF" >> $FILE echo " " >> $FILE 
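Review bot: The `\$dir` escapes turn this into a file OpenSSL can no longer read directly (`certs = \$dir/certs` is not a valid substitution), presumably to survive shell expansion when createNodeScript.sh pastes it into an unquoted heredoc; the heredoc line is garbled in this rendering so I cannot confirm the delimiter. The robust fix is on the generator side: emit a quoted delimiter, `echo "cat > $TEMP_DIR/intermediate-openssl.cnf <<'EOF'" >> $FILE`, so nothing inside is expanded and this config stays a literal, standalone OpenSSL file. The backtick-to-quote comment edits in the previous commit look like the same workaround and would also become unnecessary.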
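Review bot: `TEMP_DIR="/tmp/ca"` is a fixed, predictable location under a world-writable directory, and the generated script writes the intermediate CA private key and the fresh node key there under whatever umask the node runs with; the only tightening is `chmod 700 private`, and nothing is ever placed in `private`. Emit `echo "umask 077" >> $FILE` right after the shebang so every file the script creates is owner-only from the start. Switching to `mktemp -d` would be better still, but it needs the generated script to carry its own variable instead of the paths the generator expands at build time (`intermediate-config.txt` hard-codes `dir = /tmp/ca` as well), so it is a larger change.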
@@ -41,26 +48,33 @@ else exit 1 fi -echo "cat > $TARGET_DIR/intermediate-openssl.cnf <> $FILE +echo "cat > $TEMP_DIR/intermediate-openssl.cnf <> $FILE cat conf/intermediate-config.txt >> $FILE echo "EOF" >> $FILE echo " " >> $FILE -echo "openssl genrsa -out $TARGET_DIR/node.key.pem 2048" >> $FILE -echo "chmod 400 $TARGET_DIR/node.key.pem" >> $FILE +echo "openssl genrsa -out $TEMP_DIR/node.key.pem 2048" >> $FILE +echo "chmod 400 $TEMP_DIR/node.key.pem" >> $FILE echo 'SUBJ="/C=US/ST=CA/O=MyOrg, Inc./CN='"$NODE"'"' >> $FILE -echo "openssl req -new -sha256 -key $TARGET_DIR/node.key.pem \\" >> $FILE -echo ' -subj "${SUBJ}"'" -out $TARGET_DIR/node.csr \ " >> $FILE -echo " -config $TARGET_DIR/intermediate-openssl.cnf 2>/dev/null" >> $FILE +echo "openssl req -new -sha256 -key $TEMP_DIR/node.key.pem \\" >> $FILE +echo ' -subj "${SUBJ}"'" -out $TEMP_DIR/node.csr \\" >> $FILE +echo " -config $TEMP_DIR/intermediate-openssl.cnf 2>/dev/null" >> $FILE -echo "openssl ca -config $TARGET_DIR/intermediate-openssl.cnf \\" >> $FILE +echo "openssl ca -batch -config $TEMP_DIR/intermediate-openssl.cnf \\" >> $FILE echo " -extensions server_cert -days 375 -notext -md sha256 \\" >> $FILE -echo " -in $TARGET_DIR/node.csr \\" >> $FILE -echo " -out $TARGET_DIR/node.cert.pem 2>/dev/null" >> $FILE -echo "chmod 444 $TARGET_DIR/node.cert.pem" >> $FILE - +echo " -in $TEMP_DIR/node.csr \\" >> $FILE +echo " -out $TEMP_DIR/node.cert.pem 2>/dev/null" >> $FILE +echo "chmod 444 $TEMP_DIR/node.cert.pem" >> $FILE -echo "cat $TARGET_DIR/node.cert.pem \\" >> $FILE -echo " $TARGET_DIR/intermediate.pem > $TARGET_DIR/node-bundle.cert.pem" >> $FILE +echo "" >> $FILE +echo "# cleanup:" >> $FILE +echo "mkdir -p $TARGET_DIR" >> $FILE +echo "cat $TEMP_DIR/node.cert.pem \\" >> $FILE +echo " $TEMP_DIR/intermediate.cert.pem > $TARGET_DIR/node-bundle.cert.pem" >> $FILE +echo "mv $TEMP_DIR/node.key.pem $TARGET_DIR/" >> $FILE +echo "rm -rf $TEMP_DIR/" >> $FILE +echo "" >> $FILE +echo "" >> $FILE +echo "" >> $FILE 
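Review bot: The cleanup block is not failure-aware: the generated script has no `set -e` (its header is in the previous hunk) and `openssl ca` has its stderr discarded, so after a signing failure `cat` still writes a bundle containing only the intermediate cert, `mv` fails, and `rm -rf $TEMP_DIR/` removes the evidence. Conversely, if the script is interrupted before the cleanup, the intermediate CA key stays behind in `/tmp/ca`. Emit `echo "trap 'rm -rf $TEMP_DIR/' EXIT" >> $FILE` next to the `mkdir -p $TEMP_DIR` line and `echo "set -e" >> $FILE` after the shebang so the key is always removed and a failed step stops the script.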
From 3f9d847629cde435e6aac8b69e6b2d318bbc0b71 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 26 Apr 2022 19:31:36 -0400 Subject: [PATCH 11/15] Script updates Signed-off-by: Mariusz Sabath --- utils/conf/intermediate-config.txt | 6 +- utils/createNodeScript.sh | 98 +++++++++++++++--------------- utils/deployKeysKeylime.sh | 15 ----- 3 files changed, 53 insertions(+), 66 deletions(-) delete mode 100755 utils/deployKeysKeylime.sh diff --git a/utils/conf/intermediate-config.txt b/utils/conf/intermediate-config.txt index 1f2c9b99..7c4dd034 100644 --- a/utils/conf/intermediate-config.txt +++ b/utils/conf/intermediate-config.txt @@ -78,10 +78,10 @@ commonName = Common Name emailAddress = Email Address # Optionally, specify some defaults. -countryName_default = GB -stateOrProvinceName_default = England +countryName_default = US +stateOrProvinceName_default = NY localityName_default = -0.organizationName_default = Alice Ltd +0.organizationName_default = SPIRE Ltd organizationalUnitName_default = emailAddress_default = diff --git a/utils/createNodeScript.sh b/utils/createNodeScript.sh index 92bad56f..c31538aa 100755 --- a/utils/createNodeScript.sh +++ b/utils/createNodeScript.sh 
@@ -13,68 +13,70 @@ if [[ "$2" != "" ]] ; then else KEYS="../x509" fi -FILE=$NODE.sh -TARGET_DIR="/target/run/spire/x509" + +SCRIPTS="scripts" +FILE=${SCRIPTS}/${NODE}.sh TEMP_DIR="/tmp/ca" +TARGET_DIR="/target/run/spire/x509" -echo "#!/bin/bash -x" > $FILE -chmod 755 $FILE +echo "#!/bin/bash" > ${FILE} +chmod 755 ${FILE} -echo "mkdir -p $TEMP_DIR" >> $FILE -echo "cd $TEMP_DIR" >> $FILE -echo "mkdir certs crl newcerts private" >> $FILE -echo "chmod 700 private" >> $FILE -echo "touch index.txt" >> $FILE -echo "echo 1000 > serial" >> $FILE -echo "cd -" >> $FILE +echo "mkdir -p $SCRIPTS" >> ${FILE} +echo "mkdir -p ${TEMP_DIR}" >> ${FILE} +echo "cd ${TEMP_DIR}" >> ${FILE} +echo "mkdir certs crl newcerts private" >> ${FILE} +echo "chmod 700 private" >> ${FILE} +echo "touch index.txt" >> ${FILE} +echo "echo 1000 > serial" >> ${FILE} +echo "cd -" >> ${FILE} -echo "cat > $TEMP_DIR/intermediate.cert.pem <> $FILE -if [ -f $KEYS/intermediate.cert.pem ]; then - cat $KEYS/intermediate.cert.pem >> $FILE - echo "EOF" >> $FILE - echo " " >> $FILE +echo "cat > ${TEMP_DIR}/intermediate.cert.pem <> ${FILE} +if [ -f ${KEYS}/intermediate.cert.pem ]; then + cat ${KEYS}/intermediate.cert.pem >> ${FILE} + echo "EOF" >> ${FILE} + echo " " >> ${FILE} else - echo "Error! Missing file $KEYS/intermediate.cert.pem" + echo "Error! Missing file ${KEYS}/intermediate.cert.pem" exit 1 fi -if [ -f $KEYS/intermediate.key.pem ]; then - echo "cat > $TEMP_DIR/intermediate.key.pem <> $FILE - cat $KEYS/intermediate.key.pem >> $FILE - echo "EOF" >> $FILE - echo " " >> $FILE +if [ -f ${KEYS}/intermediate.key.pem ]; then + echo "cat > ${TEMP_DIR}/intermediate.key.pem <> ${FILE} + cat ${KEYS}/intermediate.key.pem >> ${FILE} + echo "EOF" >> ${FILE} + echo " " >> ${FILE} else - echo "Error! Missing file $KEYS/intermediate.key.pem" + echo "Error! 
Missing file ${KEYS}/intermediate.key.pem" exit 1 fi -echo "cat > $TEMP_DIR/intermediate-openssl.cnf <> $FILE -cat conf/intermediate-config.txt >> $FILE -echo "EOF" >> $FILE -echo " " >> $FILE +echo "cat > ${TEMP_DIR}/intermediate-openssl.cnf <> ${FILE} +cat conf/intermediate-config.txt >> ${FILE} +echo "EOF" >> ${FILE} +echo " " >> ${FILE} -echo "openssl genrsa -out $TEMP_DIR/node.key.pem 2048" >> $FILE -echo "chmod 400 $TEMP_DIR/node.key.pem" >> $FILE +echo "openssl genrsa -out ${TEMP_DIR}/node.key.pem 2048" >> ${FILE} +echo "chmod 400 ${TEMP_DIR}/node.key.pem" >> ${FILE} -echo 'SUBJ="/C=US/ST=CA/O=MyOrg, Inc./CN='"$NODE"'"' >> $FILE +echo 'SUBJ="/C=US/ST=CA/O=MyOrg, Inc./CN='"$NODE"'"' >> ${FILE} -echo "openssl req -new -sha256 -key $TEMP_DIR/node.key.pem \\" >> $FILE -echo ' -subj "${SUBJ}"'" -out $TEMP_DIR/node.csr \\" >> $FILE -echo " -config $TEMP_DIR/intermediate-openssl.cnf 2>/dev/null" >> $FILE +echo "openssl req -new -sha256 -key ${TEMP_DIR}/node.key.pem \\" >> ${FILE} +echo ' -subj "${SUBJ}"'" -out ${TEMP_DIR}/node.csr \\" >> ${FILE} +echo " -config ${TEMP_DIR}/intermediate-openssl.cnf 2>/dev/null" >> ${FILE} -echo "openssl ca -batch -config $TEMP_DIR/intermediate-openssl.cnf \\" >> $FILE -echo " -extensions server_cert -days 375 -notext -md sha256 \\" >> $FILE -echo " -in $TEMP_DIR/node.csr \\" >> $FILE -echo " -out $TEMP_DIR/node.cert.pem 2>/dev/null" >> $FILE -echo "chmod 444 $TEMP_DIR/node.cert.pem" >> $FILE +echo "openssl ca -batch -config ${TEMP_DIR}/intermediate-openssl.cnf \\" >> ${FILE} +echo " -extensions server_cert -days 375 -notext -md sha256 \\" >> ${FILE} +echo " -in ${TEMP_DIR}/node.csr \\" >> ${FILE} +echo " -out ${TEMP_DIR}/node.cert.pem 2>/dev/null" >> ${FILE} +echo "chmod 444 ${TEMP_DIR}/node.cert.pem" >> ${FILE} -echo "" >> $FILE -echo "# cleanup:" >> $FILE -echo "mkdir -p $TARGET_DIR" >> $FILE -echo "cat $TEMP_DIR/node.cert.pem \\" >> $FILE -echo " $TEMP_DIR/intermediate.cert.pem > $TARGET_DIR/node-bundle.cert.pem" >> $FILE -echo 
"mv $TEMP_DIR/node.key.pem $TARGET_DIR/" >> $FILE -echo "rm -rf $TEMP_DIR/" >> $FILE -echo "" >> $FILE -echo "" >> $FILE -echo "" >> $FILE +echo "" >> ${FILE} +echo "# cleanup:" >> ${FILE} +echo "mkdir -p ${TARGET_DIR}" >> ${FILE} +echo "cat ${TEMP_DIR}/node.cert.pem \\" >> ${FILE} +echo " ${TEMP_DIR}/intermediate.cert.pem > ${TARGET_DIR}/node-bundle.cert.pem" >> ${FILE} +echo "mv ${TEMP_DIR}/node.key.pem ${TARGET_DIR}/" >> ${FILE} +echo "rm -rf ${TEMP_DIR}/" >> ${FILE} +echo "rm -rf $SCRIPTS/" >> ${FILE} +echo "" >> ${FILE} diff --git a/utils/deployKeysKeylime.sh b/utils/deployKeysKeylime.sh deleted file mode 100755 index 2ddd4a41..00000000 --- a/utils/deployKeysKeylime.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -function usage { - echo "$0 [node]" - echo "where " - echo " node - name of the node to deploy keys" - exit 1 -} -[[ -z $1 ]] && usage -NODE=$1 - -keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o deactivate -n $NODE -keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o autorun -s `pwd`/${NODE}.sh -n $NODE -keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o activate -n $NODE - -keylime-op -u /root/undercloud.yml -m /root/mzone.yml -o status From b50beec9f328c3a94f77be5e3c89beb1bf950922 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Tue, 26 Apr 2022 20:23:12 -0400 Subject: [PATCH 12/15] Updated key script Signed-off-by: Mariusz Sabath --- utils/createNodeScript.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/createNodeScript.sh b/utils/createNodeScript.sh index c31538aa..d7a064a4 100755 --- a/utils/createNodeScript.sh +++ b/utils/createNodeScript.sh @@ -15,6 +15,7 @@ else fi SCRIPTS="scripts" +mkdir -p ${SCRIPTS} FILE=${SCRIPTS}/${NODE}.sh TEMP_DIR="/tmp/ca" TARGET_DIR="/target/run/spire/x509" 
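Review bot: `echo "rm -rf $SCRIPTS/" >> ${FILE}` makes the node script run `rm -rf scripts/` as a relative path in whatever directory Keylime executes it, which is not the operator-side `scripts` directory the generator writes into and could remove an unrelated directory on the node; drop that line, or delete the script by its own absolute path. In the same hunk the generator writes `${SCRIPTS}/${NODE}.sh` without creating `scripts` locally, while `mkdir -p $SCRIPTS` is emitted into the node script instead; the next commit in this series moves the mkdir to the generator but keeps the relative `rm -rf`. Dropping `-x` from the emitted shebang is fine, but the script still has no `set -e`.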
@@ -22,7 +23,6 @@ TARGET_DIR="/target/run/spire/x509" echo "#!/bin/bash" > ${FILE} chmod 755 ${FILE} -echo "mkdir -p $SCRIPTS" >> ${FILE} echo "mkdir -p ${TEMP_DIR}" >> ${FILE} echo "cd ${TEMP_DIR}" >> ${FILE} echo "mkdir certs crl newcerts private" >> ${FILE} From f76290694fcc4f3fd5e4ee0b7253259ea5500b87 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Thu, 5 May 2022 14:57:37 -0400 Subject: [PATCH 13/15] Update Keylime attestion scripts and docs Signed-off-by: Mariusz Sabath --- docs/x509-create.md | 10 ++++++++++ docs/x509.md | 6 +++++- sample-x509/intermediate-key.pem | 13 ------------- sample-x509/intermediate.pem | 10 ---------- sample-x509/leaf1-crt-bundle.pem | 21 --------------------- sample-x509/leaf1-key.pem | 13 ------------- sample-x509/leaf1.pem | 11 ----------- sample-x509/leaf2-crt-bundle.pem | 21 --------------------- sample-x509/leaf2-key.pem | 13 ------------- sample-x509/leaf2.pem | 11 ----------- sample-x509/leaf3-crt-bundle.pem | 21 --------------------- sample-x509/leaf3-key.pem | 13 ------------- sample-x509/leaf3.pem | 11 ----------- sample-x509/root-crt.pem | 10 ---------- sample-x509/root-key.pem | 13 ------------- 15 files changed, 15 insertions(+), 182 deletions(-) delete mode 100644 sample-x509/intermediate-key.pem delete mode 100644 sample-x509/intermediate.pem delete mode 100644 sample-x509/leaf1-crt-bundle.pem delete mode 100644 sample-x509/leaf1-key.pem delete mode 100644 sample-x509/leaf1.pem delete mode 100644 sample-x509/leaf2-crt-bundle.pem delete mode 100644 sample-x509/leaf2-key.pem delete mode 100644 sample-x509/leaf2.pem delete mode 100644 sample-x509/leaf3-crt-bundle.pem delete mode 100644 sample-x509/leaf3-key.pem delete mode 100644 sample-x509/leaf3.pem delete mode 100644 sample-x509/root-crt.pem delete mode 100644 sample-x509/root-key.pem diff --git a/docs/x509-create.md b/docs/x509-create.md index 282762d8..5aba5e4e 100644 --- a/docs/x509-create.md +++ b/docs/x509-create.md 
@@ -30,6 +30,16 @@ The steps are following: ### Generating RootCA +This example comes with sample x509 certificates and keys to demonstrate +`x509pop` nodeAttestor capabilities. + +The sample keys are present in [../sample-x509](../sample-x509) directory. +You can create a new set of certs and keys: +* [using a script](#generate_keys_using_a_script) +* [manually (recommended)](#generate_keys_manually) + +## Generate keys using a script +To create new sample certs and keys: ```console mkdir x509/ca cd x509/ca diff --git a/docs/x509.md b/docs/x509.md index bf779351..37f3b263 100644 --- a/docs/x509.md +++ b/docs/x509.md @@ -5,6 +5,10 @@ It verifies that the certificate is rooted to a trusted set of CAs and issues a signature based proof-of-possession challenge to the agent plugin to verify that the node is in possession of the private key. +## Index +* Create x509 certs and keys using a script +* Create x509 certs and keys manually (recommended) +* Deploy the ## Pre-install: Get the code and create Keys ### Get the code @@ -46,7 +50,7 @@ Pass the cert as a Secret: ```console kubectl -n tornjak create secret generic sample-x509 \ ---from-file=rootCA.pem="sample-x509/root-crt.pem" +--from-file=rootCA.pem="sample-x509/root.cert.pem" ``` ### Server deployment diff --git a/sample-x509/intermediate-key.pem b/sample-x509/intermediate-key.pem deleted file mode 100644 index ecd3fafb..00000000 --- a/sample-x509/intermediate-key.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAuUNx9JhXm/vuER34 -f4MW7Pk4vkPECKlbOOzVkUElN1ZhbdjFjLiJ5dmEefcuvAPN4E2Bhi4QXTdPyMf7 -+/2Wu4HVmV073Z+ssgFyP28zbLvNjL6fsGIh+f9HoMOUvcSPAgMBAAECYEH1fkvs -NTzm3CKh/gg//tiN/qLW86N10HGa+IqHnB1wlq2KQQNR7F62K9FUrQHphDa4+FdU -ijd0VeMzJGwPrp55/0mZPoFL0HJWTorOcMTFgM735uxHQVGCoHqxpnXkyQIxAM+i -szD2fhzQ9pzQGTR8T5Z4n4qkASEDyIRyO+weaHFtjP2iXzV7JlxGAhUqeCDhtQIx -AORqssTasNnzuXPXw+Revix0/NWLd0AF6Z5DIvWYtJB7u+hKY3o7JnwTEC/c/cQH -swIwWQ4yhySh8KAbtiR3OxC6XhJ8c01mgo+J2GzakKp2J3hSSZLz/Q9F47vPNt7R -SWElAjEAwR00Zxo9ywc0E6yoAbvYLN37pM900rws95DrTZj9j+oMxCegUwcPUncL -iGveYI3hAjEAhTTowVIxRZINfHyUQuUFkHCmyhApprP1twf7u7vJ0knndFn9Ij5P -wT/zTjQ7kuiE ------END PRIVATE KEY----- diff --git a/sample-x509/intermediate.pem b/sample-x509/intermediate.pem deleted file mode 100644 index 3ea813e8..00000000 --- a/sample-x509/intermediate.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 -Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g -TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C -AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 -u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm -gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 -TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= ------END CERTIFICATE----- diff --git a/sample-x509/leaf1-crt-bundle.pem b/sample-x509/leaf1-crt-bundle.pem deleted file mode 100644 index 01e7069a..00000000 --- a/sample-x509/leaf1-crt-bundle.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw -MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h -bWUxMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANdidHMjvQ1wKcT2apO5zGDYxdbN -PW252t5f1h4zLOkxzIcfS0cq6fd30wagAh1jh/Z/JqjoQZ0p0rx9MhJJDqXgbcSh -89nzwZKxZb6TH3FT7bqAFSEg+pX3VLf12O60cwIDAQABozMwMTAOBgNVHQ8BAf8E -BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN -AQELBQADYQCEisuAiPr44rdHzsZ3ULE7WwHtKi4Mz6AM6Z3TWiN/CxpwC24e2MOc -32tENsMY7/+slaMY4ZpCn5acZQKENvSpT5dibTllkCxM5Dczkh0HIa8wr//D26oe -bdavXaOeQS4= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 -Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g -TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C -AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 -u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm -gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 -TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= ------END CERTIFICATE----- diff --git a/sample-x509/leaf1-key.pem b/sample-x509/leaf1-key.pem deleted file mode 100644 index 2acfc83e..00000000 --- a/sample-x509/leaf1-key.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEA12J0cyO9DXApxPZq -k7nMYNjF1s09bbna3l/WHjMs6THMhx9LRyrp93fTBqACHWOH9n8mqOhBnSnSvH0y -EkkOpeBtxKHz2fPBkrFlvpMfcVPtuoAVISD6lfdUt/XY7rRzAgMBAAECYBvEbKDf -baMK38etwQW0gV3G9JKBuTapLEdY8aDJFjQmIGkXJrxREwK9Zu5GuJ8TUppuSk4H -/PCoL1PwEeDqDtrOrTANqwRXTEDZeDk2vuWp6tJqyQdRd/LkGfrh1gEBQQIxAOdH -2U0KbR42VJwe4PQZF6TpHPL4Igzs05oAGSCEPZdH4a4mob1mAouZBUhMbdCHkwIx -AO5nqwj1V+KSaem5+m6DWx4B1GrsHNJw7egJSWKNC7aScNBmEnVhPoGQnHz4BMVr -oQIxANUlJCCaEUIctBFFa+/KCD5VD/bjsw3SXJi6qm2LMe/vsQ78T2brUkEw/utI -dJQPvQIwBcItSG8cq1VcB5A9c1Pq7IOgzOBdJdwicvtecWn0wXkyDmaYxYsOxnRm -w0H+Y4JhAjAdkNFP6fYGzztfNJGclwn9q+sPC+muLOjxi+LWyYHPau8G/wgmTtxU -T9vybUkGOfk= ------END PRIVATE KEY----- diff --git a/sample-x509/leaf1.pem b/sample-x509/leaf1.pem deleted file mode 100644 index f212ea45..00000000 --- a/sample-x509/leaf1.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw -MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h -bWUxMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANdidHMjvQ1wKcT2apO5zGDYxdbN -PW252t5f1h4zLOkxzIcfS0cq6fd30wagAh1jh/Z/JqjoQZ0p0rx9MhJJDqXgbcSh -89nzwZKxZb6TH3FT7bqAFSEg+pX3VLf12O60cwIDAQABozMwMTAOBgNVHQ8BAf8E -BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN -AQELBQADYQCEisuAiPr44rdHzsZ3ULE7WwHtKi4Mz6AM6Z3TWiN/CxpwC24e2MOc -32tENsMY7/+slaMY4ZpCn5acZQKENvSpT5dibTllkCxM5Dczkh0HIa8wr//D26oe -bdavXaOeQS4= ------END CERTIFICATE----- diff --git a/sample-x509/leaf2-crt-bundle.pem b/sample-x509/leaf2-crt-bundle.pem deleted file mode 100644 index 18ceae22..00000000 --- a/sample-x509/leaf2-crt-bundle.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw -MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h -bWUyMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9J1cH6rhnWS8FXKwxX0RBTfY45 -83A5xsI2LroKVxGpeY1G6101JylYClmttchHUQYUuwp1ixQrcx+cQwBPnmCtZsE3 -e+AHQaU2mpAJE7I7zb0jSjqR1GoASy+xtjOlJwIDAQABozMwMTAOBgNVHQ8BAf8E -BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN -AQELBQADYQBjRSXaG19hofPjuRaClVA6r3fUDCzS/ZzPDYWUqHTQ2mRr9ym+0RD7 -+mG/wye/4UOBu4R81yRlgd5VaVJ4RTqHquLNSUQwT/h20LrbOTPKHhQQqVphEJnk -1f4mZ1LmCwA= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 -Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g -TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C -AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 -u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm -gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 -TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= ------END CERTIFICATE----- diff --git a/sample-x509/leaf2-key.pem b/sample-x509/leaf2-key.pem deleted file mode 100644 index 92ae23f5..00000000 --- a/sample-x509/leaf2-key.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIB5gIBADANBgkqhkiG9w0BAQEFAASCAdAwggHMAgEAAmEAv0nVwfquGdZLwVcr -DFfREFN9jjnzcDnGwjYuugpXEal5jUbrXTUnKVgKWa21yEdRBhS7CnWLFCtzH5xD -AE+eYK1mwTd74AdBpTaakAkTsjvNvSNKOpHUagBLL7G2M6UnAgMBAAECYDQHAAW3 -idzrJUWb0NCVnf5DxxWE+4pdnIq8M+9T2qSqJK5hSKjcSR98m6wSjCvCAXYkNS01 -6CsDELxe13qsocRJe+RU7RxSkv3z/CKEgtgApJUMr1PW4rCSNbVpvrikeQIxAOUH -ZhIrd6LuOq2Fr7S6eGm612Wa3Aa3ZNiGVHDFfrbRY866E0X4FvmAPG2BwCj7UwIx -ANXQqbLkRhGsCkfIw9hidYBxu0sc1zXSOHMHIhS96Tipd+GNpTCD36g9cYBuqbtI -XQIxALPc16A1WsMt7A8SCicYui/ud/JnZ5wuspgJBo95ykWws31KTJCKgSB4QPyP -BWYp2QIxAKTp0Dm+f5zZyQQdAZFAP8jV79O7ZvKINinicpL095FQhLpfee21iShG -W+jncdqVsQIxAMBH4Z4pLuVijMR1xLGXI91Pheu/VRb/wSubUk7HOr/7OzQBFmgE -5/0SoUyeULmOTw== ------END PRIVATE KEY----- diff --git a/sample-x509/leaf2.pem b/sample-x509/leaf2.pem deleted file mode 100644 index 7a62ca7f..00000000 --- a/sample-x509/leaf2.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw -MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h -bWUyMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9J1cH6rhnWS8FXKwxX0RBTfY45 -83A5xsI2LroKVxGpeY1G6101JylYClmttchHUQYUuwp1ixQrcx+cQwBPnmCtZsE3 -e+AHQaU2mpAJE7I7zb0jSjqR1GoASy+xtjOlJwIDAQABozMwMTAOBgNVHQ8BAf8E -BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN -AQELBQADYQBjRSXaG19hofPjuRaClVA6r3fUDCzS/ZzPDYWUqHTQ2mRr9ym+0RD7 -+mG/wye/4UOBu4R81yRlgd5VaVJ4RTqHquLNSUQwT/h20LrbOTPKHhQQqVphEJnk -1f4mZ1LmCwA= ------END CERTIFICATE----- diff --git a/sample-x509/leaf3-crt-bundle.pem b/sample-x509/leaf3-crt-bundle.pem deleted file mode 100644 index 711e876c..00000000 --- a/sample-x509/leaf3-crt-bundle.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw -MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h -bWUzMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALe+Q+td+Vr6V0QPUKH5GFjdcirE -vPG4093oQo7jAt8d+IAgpJx1OmB9rMhfO0xBX3i9l+3kdK90IcesGUVA2z4EOoVK -pNsaZda7FKjB1x+GWZTXtvW0/68bPqgIylXcewIDAQABozMwMTAOBgNVHQ8BAf8E -BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN -AQELBQADYQBakkW3+ZH01i0mit/7f/AR6A5XsABGge5DR2y8ju7fvmhQAz9GC5C5 -R9ri5/xiWucRADp+d8admKv3lxXMKtZ88g89arwDdVCkC5AsTN4qVhZAhO+kTv4W -DWyWWSUVqog= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC5 -Q3H0mFeb++4RHfh/gxbs+Ti+Q8QIqVs47NWRQSU3VmFt2MWMuInl2YR59y68A83g -TYGGLhBdN0/Ix/v7/Za7gdWZXTvdn6yyAXI/bzNsu82Mvp+wYiH5/0egw5S9xI8C -AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ZD15N5gTjVyBrw2 -u//CFPROn0cwDQYJKoZIhvcNAQELBQADYQCygZAp0C9JVW2ivRzpyrFawhohlVAm -gG+NYylNGqaGH2Pc1YfVSwPWdYljcYwejOTrxCZJSs3WEKb/j2VVZF3yOJydTHv3 -TLLkxPII7B31qk+PjR8bA+WgZBVAZILJegY= ------END CERTIFICATE----- diff --git a/sample-x509/leaf3-key.pem b/sample-x509/leaf3-key.pem deleted file mode 100644 index 199a8460..00000000 --- a/sample-x509/leaf3-key.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIB4wIBADANBgkqhkiG9w0BAQEFAASCAc0wggHJAgEAAmEAt75D6135WvpXRA9Q -ofkYWN1yKsS88bjT3ehCjuMC3x34gCCknHU6YH2syF87TEFfeL2X7eR0r3Qhx6wZ -RUDbPgQ6hUqk2xpl1rsUqMHXH4ZZlNe29bT/rxs+qAjKVdx7AgMBAAECYE8ZfHm1 -oeQVgz3MbgTcjCutYTmiKkjRLXwJQaXrek/8wf6+jr7ABJqHX7t+q7NfLHONUxFS -LT6C5ocOjord8GWUp9/C9F4reB+RZJDWVGIgnzlRey+XgmjNg3jKKMCMUQIxAMHH -MsKLjuGi2mxyD/zem4Adt1Nd32pojOl8vzm4VRf/qNhJr3QDM2HhfLp0iGMOYwIx -APK+L66rrFCkhrgkWChgQmny6YtGxf4aT816+2Rbslo76zfKB62o9csgL1sO6amp -CQIwQieldrF6eCHG/Br8xlGhON3sRnPX4FYNNXE3P5dkxaqslBqj4bFuC06V7Hn4 -TgkNAjAwWc2pnyxdi8gB2cttj27rJ6V5RomdiaQnq71zSgiGjLTXkfhhkOwUn76P -BrNoRfECMHGdJBAqsK3sDDFZ+M092tsNuf/p8QFS+4dYMfG4W0Kc8FXqOTZWAD0a -WHYBbxmpGQ== ------END PRIVATE KEY----- diff --git a/sample-x509/leaf3.pem b/sample-x509/leaf3.pem deleted file mode 100644 index d4aeb099..00000000 --- a/sample-x509/leaf3.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBhDCCAQ6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMCIYDzAwMDEwMTAxMDAw -MDAwWhgPOTk5OTEyMzEyMzU5NTlaMBwxGjAYBgNVBAMTEXNvbWUgY29tbW9uIG5h -bWUzMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALe+Q+td+Vr6V0QPUKH5GFjdcirE -vPG4093oQo7jAt8d+IAgpJx1OmB9rMhfO0xBX3i9l+3kdK90IcesGUVA2z4EOoVK -pNsaZda7FKjB1x+GWZTXtvW0/68bPqgIylXcewIDAQABozMwMTAOBgNVHQ8BAf8E -BAMCB4AwHwYDVR0jBBgwFoAU8ZD15N5gTjVyBrw2u//CFPROn0cwDQYJKoZIhvcN -AQELBQADYQBakkW3+ZH01i0mit/7f/AR6A5XsABGge5DR2y8ju7fvmhQAz9GC5C5 -R9ri5/xiWucRADp+d8admKv3lxXMKtZ88g89arwDdVCkC5AsTN4qVhZAhO+kTv4W -DWyWWSUVqog= ------END CERTIFICATE----- diff --git a/sample-x509/root-crt.pem b/sample-x509/root-crt.pem deleted file mode 100644 index d6f1dbc4..00000000 --- a/sample-x509/root-crt.pem +++ /dev/null 
@@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBZjCB8aADAgECAgEBMA0GCSqGSIb3DQEBCwUAMAAwIhgPMDAwMTAxMDEwMDAw -MDBaGA85OTk5MTIzMTIzNTk1OVowADB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQDb -M2FpVYArMQ0DTbCXZC12pW88PBzg7qnzYNZJhW+UUq7h4q8Iqz61OWUNlE6PWhty -u2rHavN1xHXbmSDPO5T/zg9lFckZsVidPIlTyWyBsjL1pDWQfOT/MEfaShaDMksC -AwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUdoi9uHwz794ebY71 -6wNJc6WSXH0wDQYJKoZIhvcNAQELBQADYQAet2usxlbk1MfBrIYNSPUD1zo1lr9L -V70VnTElZCWCTGEiBTcE2+awsiXNbJBXf8QmFxFTdCXIMsNN1DqmNEfx9uXKma+D -O0nx5vXRpXqNnpSTiFVDudINRDV2qWqB5yQ= ------END CERTIFICATE----- diff --git a/sample-x509/root-key.pem b/sample-x509/root-key.pem deleted file mode 100644 index 560a4f3a..00000000 --- a/sample-x509/root-key.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEA2zNhaVWAKzENA02w -l2QtdqVvPDwc4O6p82DWSYVvlFKu4eKvCKs+tTllDZROj1obcrtqx2rzdcR125kg -zzuU/84PZRXJGbFYnTyJU8lsgbIy9aQ1kHzk/zBH2koWgzJLAgMBAAECYQCnhMPM -QTh7Sbg9LxFnEXshMlspOHOFfz/IrNf3Rg+41duq65eC04RP8TYGQ7IqIdxwJgeG -J1PMvsqtffac9PUqZ41xRRiifwcS06OIgSxW6Lh6H0GfYlQ5MZnsAXQAFxkCMQDs -+MRf3m3AYowKCzZ3pLCgl2JS7HllKfxCkmlCJc7QFfJkv0iAaQtyMg7ujxjo44UC -MQDszU8Lz9an7nzRg+rJiG/JQ7XvUzWRanAkCpwRjcF2WsjZhGE5awZ0wEHgup4T -H48CMQCg5d/gABSg9ciD4U0gO1A6Gc+G4k0ipTlEskiJw0YC/4PPaBmAJtLAvMBq -tfqB1kkCMEucasb8wC+y6MwFcSyUkg0Tv74BNbOO5uu7L4YzWzitWECMEndBAzi4 -QtC9BchZZQIwG5JY1G+zfB15tzaGBfOJiWRbvO0z46umojOU8nYtGM9sOz9dePZg -U+QzJke9yEfC ------END PRIVATE KEY----- From 752236c8d89200a5208bef107ca14b97663bfa08 Mon Sep 17 00:00:00 2001 From: Mariusz Sabath Date: Fri, 6 May 2022 17:08:28 -0400 Subject: [PATCH 14/15] Cleanup the x509 deployment scripts Signed-off-by: Mariusz Sabath --- utils/conf/intermediate-config.txt | 132 ----------------------------- utils/createNodeScript.sh | 82 ------------------ 2 files changed, 214 deletions(-) delete mode 100644 utils/conf/intermediate-config.txt delete mode 100755 utils/createNodeScript.sh 
diff --git a/utils/conf/intermediate-config.txt b/utils/conf/intermediate-config.txt
deleted file mode 100644
index 7c4dd034..00000000
--- a/utils/conf/intermediate-config.txt
+++ /dev/null
@@ -1,132 +0,0 @@
-# OpenSSL intermediate CA configuration file.
-# Copy to '/root/ca/intermediate/openssl.cnf'.
-
-[ ca ]
-# 'man ca'
-default_ca = CA_default
-
-[ CA_default ]
-# Directory and file locations.
-dir = /tmp/ca
-certs = \$dir/certs
-crl_dir = \$dir/crl
-new_certs_dir = \$dir/newcerts
-database = \$dir/index.txt
-serial = \$dir/serial
-RANDFILE = \$dir/private/.rand
-
-# The root key and root certificate.
-private_key = \$dir/intermediate.key.pem
-certificate = \$dir/intermediate.cert.pem
-
-# For certificate revocation lists.
-crlnumber = \$dir/crlnumber
-crl = \$dir/crl/intermediate.crl.pem
-crl_extensions = crl_ext
-default_crl_days = 30
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md = sha256
-
-name_opt = ca_default
-cert_opt = ca_default
-default_days = 375
-preserve = no
-policy = policy_loose
-
-[ policy_strict ]
-# The root CA should only sign intermediate certificates that match.
-# See the POLICY FORMAT section of 'man ca'.
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ policy_loose ]
-# Allow the intermediate CA to sign a more diverse range of certificates.
-# See the POLICY FORMAT section of the 'ca' man page.
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-[ req ]
-# Options for the 'req' tool ('man req').
-default_bits = 2048
-distinguished_name = req_distinguished_name
-string_mask = utf8only
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md = sha256
-
-# Extension to add when the -x509 option is used.
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-# See .
-countryName = Country Name (2 letter code)
-stateOrProvinceName = State or Province Name
-localityName = Locality Name
-0.organizationName = Organization Name
-organizationalUnitName = Organizational Unit Name
-commonName = Common Name
-emailAddress = Email Address
-
-# Optionally, specify some defaults.
-countryName_default = US
-stateOrProvinceName_default = NY
-localityName_default =
-0.organizationName_default = SPIRE Ltd
-organizationalUnitName_default =
-emailAddress_default =
-
-[ v3_ca ]
-# Extensions for a typical CA ('man x509v3_config').
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA ('man x509v3_config').
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ usr_cert ]
-# Extensions for client certificates ('man x509v3_config').
-basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, emailProtection
-
-[ server_cert ]
-# Extensions for server certificates ('man x509v3_config').
-basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ crl_ext ]
-# Extension for CRLs ('man x509v3_config').
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates ('man ocsp').
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning
diff --git a/utils/createNodeScript.sh b/utils/createNodeScript.sh
deleted file mode 100755
index d7a064a4..00000000
--- a/utils/createNodeScript.sh
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/bash
-function usage {
- echo "$0 [node] [key-directory]"
- echo "where "
- echo " node - name of the node to create keys"
- echo " key-directory - directory with intermediate key, '../x509' default (optional)"
- exit 1
-}
-[[ -z $1 ]] && usage
-NODE=$1
-if [[ "$2" != "" ]] ; then
- KEYS="$2"
-else
- KEYS="../x509"
-fi
-
-SCRIPTS="scripts"
-mkdir -p ${SCRIPTS}
-FILE=${SCRIPTS}/${NODE}.sh
-TEMP_DIR="/tmp/ca"
-TARGET_DIR="/target/run/spire/x509"
-
-echo "#!/bin/bash" > ${FILE}
-chmod 755 ${FILE}
-
-echo "mkdir -p ${TEMP_DIR}" >> ${FILE}
-echo "cd ${TEMP_DIR}" >> ${FILE}
-echo "mkdir certs crl newcerts private" >> ${FILE}
-echo "chmod 700 private" >> ${FILE}
-echo "touch index.txt" >> ${FILE}
-echo "echo 1000 > serial" >> ${FILE}
-echo "cd -" >> ${FILE}
-
-echo "cat > ${TEMP_DIR}/intermediate.cert.pem <> ${FILE}
-if [ -f ${KEYS}/intermediate.cert.pem ]; then
- cat ${KEYS}/intermediate.cert.pem >> ${FILE}
- echo "EOF" >> ${FILE}
- echo " " >> ${FILE}
-else
- echo "Error! Missing file ${KEYS}/intermediate.cert.pem"
- exit 1
-fi
-
-if [ -f ${KEYS}/intermediate.key.pem ]; then
- echo "cat > ${TEMP_DIR}/intermediate.key.pem <> ${FILE}
- cat ${KEYS}/intermediate.key.pem >> ${FILE}
- echo "EOF" >> ${FILE}
- echo " " >> ${FILE}
-else
- echo "Error! 
Missing file ${KEYS}/intermediate.key.pem"
- exit 1
-fi
-
-echo "cat > ${TEMP_DIR}/intermediate-openssl.cnf <> ${FILE}
-cat conf/intermediate-config.txt >> ${FILE}
-echo "EOF" >> ${FILE}
-echo " " >> ${FILE}
-
-echo "openssl genrsa -out ${TEMP_DIR}/node.key.pem 2048" >> ${FILE}
-echo "chmod 400 ${TEMP_DIR}/node.key.pem" >> ${FILE}
-
-echo 'SUBJ="/C=US/ST=CA/O=MyOrg, Inc./CN='"$NODE"'"' >> ${FILE}
-
-echo "openssl req -new -sha256 -key ${TEMP_DIR}/node.key.pem \\" >> ${FILE}
-echo ' -subj "${SUBJ}"'" -out ${TEMP_DIR}/node.csr \\" >> ${FILE}
-echo " -config ${TEMP_DIR}/intermediate-openssl.cnf 2>/dev/null" >> ${FILE}
-
-echo "openssl ca -batch -config ${TEMP_DIR}/intermediate-openssl.cnf \\" >> ${FILE}
-echo " -extensions server_cert -days 375 -notext -md sha256 \\" >> ${FILE}
-echo " -in ${TEMP_DIR}/node.csr \\" >> ${FILE}
-echo " -out ${TEMP_DIR}/node.cert.pem 2>/dev/null" >> ${FILE}
-echo "chmod 444 ${TEMP_DIR}/node.cert.pem" >> ${FILE}
-
-echo "" >> ${FILE}
-echo "# cleanup:" >> ${FILE}
-echo "mkdir -p ${TARGET_DIR}" >> ${FILE}
-echo "cat ${TEMP_DIR}/node.cert.pem \\" >> ${FILE}
-echo " ${TEMP_DIR}/intermediate.cert.pem > ${TARGET_DIR}/node-bundle.cert.pem" >> ${FILE}
-echo "mv ${TEMP_DIR}/node.key.pem ${TARGET_DIR}/" >> ${FILE}
-echo "rm -rf ${TEMP_DIR}/" >> ${FILE}
-echo "rm -rf $SCRIPTS/" >> ${FILE}
-echo "" >> ${FILE}
From 44a7ca7abb670e97b76245aa86c550a8f1889e1c Mon Sep 17 00:00:00 2001
From: Mariusz Sabath
Date: Thu, 12 May 2022 19:24:21 -0400
Subject: [PATCH 15/15] updated keylime documentation
Signed-off-by: Mariusz Sabath
---
 docs/spire-workload-registrar.md | 70 ++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
diff --git a/docs/spire-workload-registrar.md b/docs/spire-workload-registrar.md
index 6cf26ddc..e70cf35e 100644
--- a/docs/spire-workload-registrar.md
+++ b/docs/spire-workload-registrar.md
@@ -152,6 +152,76 @@ or delete them, if needed, using `Entry ID` value:
 -socketPath /run/spire/sockets/registration.sock
 ```
+## IMPORTANT: For non-k8s node attestors
+When using NodeAttestor other than *k8s_psa*
+you must create entries to tie your agents to the parent ID with specific attestation
+(see issue [852](https://github.com/spiffe/spire/issues/852))
+
+Once the workload registrar entry is created (as above),
+the registrar will create entries for each node.
+For example:
+* spiffe://openshift.space-x.com/k8s-workload-registrar/spire-01/node/10.170.231.21
+ - k8s_psat:cluster:spire-01
+ - k8s_psat:agent_node_uid:7f450925-f3b3-4274-bfe9-e9d09bafbc12
+* spiffe://openshift.space-x.com/k8s-workload-registrar/spire-01/node/10.170.231.14
+ - k8s_psat:cluster:spire-01
+ - k8s_psat:agent_node_uid:c8b69816-f5f9-4e90-aaa1-6445d5bba11a
+
+with `spiffe://openshift.space-x.com/spire/server` as Parent ID
+
+Now we have to create new entries that would tie the above SPIFFE IDs to the
+attested entries.
+Look at the agent list and gather the selectors:
+
+For example, agents:
+```
+* spiffe://openshift.space-x.com/spire/agent/x509pop/ca34d6728cf332689646010a1d9012d8fa449a3f
+
+"selectors": [
+ {
+ "type": "x509pop",
+ "value": "ca:fingerprint:42cd4a9e007c67a52bfb28cf3f4a8cfd576fbfd2"
+ },
+ {
+ "type": "x509pop",
+ "value": "ca:fingerprint:df27569b5adc9c44db043ea1f509c9f79a049e2d"
+ },
+ {
+ "type": "x509pop",
+ "value": "subject:cn:some common name1"
+ }
+
+* spiffe://openshift.space-x.com/spire/agent/x509pop/1753fc2737195744cd52942d9723e1d7d2804249
+
+"selectors": [
+ {
+ "type": "x509pop",
+ "value": "ca:fingerprint:42cd4a9e007c67a52bfb28cf3f4a8cfd576fbfd2"
+ },
+ {
+ "type": "x509pop",
+ "value": "ca:fingerprint:df27569b5adc9c44db043ea1f509c9f79a049e2d"
+ },
+ {
+ "type": "x509pop",
+ "value": "subject:cn:some common name2"
+ }
+]
+```
+
+So now we have to tie them together. 
Create new entries, one per each node:
+
+For example (pick one of the selector values to guarantee uniqueness):
+
+* SPIFFE ID: spiffe://openshift.space-x.com/k8s-workload-registrar/spire-01/node/10.170.231.14
+ - Parent ID: spiffe://openshift.space-x.com/spire/agent/x509pop/1753fc2737195744cd52942d9723e1d7d2804249
+ - Selectors: x509pop:ca:fingerprint:42cd4a9e007c67a52bfb28cf3f4a8cfd576fbfd2
+* SPIFFE ID: spiffe://openshift.space-x.com/k8s-workload-registrar/spire-01/node/10.170.231.21
+ - Parent ID: spiffe://openshift.space-x.com/spire/agent/x509pop/ca34d6728cf332689646010a1d9012d8fa449a3f
+ - Selectors: x509pop:subject:cn:"some common name1"
+
+No ADMIN selection required.
+
 ## Create sample deployment
 To see this environment in action, let’s deploy a sample workload with a simple SPIRE client. This example starts a pod that contains SPIRE agent binaries. We can use them to get SPIFFE identity. Before deploying the client, let’s take a look at the deployment file: