towards cert-manager ca issuer

Signed-off-by: Salvatore Dario Minonne <sminonne@redhat.com>

.gitignore

@@ -9,3 +9,5 @@
 kubeconfig.*
 kubeconfig
 trashcan/
+mini-ca/root/
+mini-ca/intermediate

demo.sh

@@ -10,19 +10,12 @@ command -v kubectl >/dev/null 2>&1 || { log::error >&2 "can't find kubectl.  Abo
 #check pre-requisities: TODO check version
 command -v argocd >/dev/null 2>&1 || { log::error >&2 "can't find argocd. Aborting."; exit 1; }
 
-
 command -v helm >/dev/null 2>&1 || { log::error >&2 "can't find helm. Aborting."; exit 1; }
 
-
 command -v curl >/dev/null 2>&1 || { log::error >&2 "can't find curl. Aborting."; exit 1; }
 
-MGMTIP=$(minikube -p "${MGMT}" ip)
-MGMTURL=https://${MGMTIP}:8443
-
 clear
 
-
-
 #################
 # Install ArgoCD
 #################
@@ -34,23 +27,11 @@ wait_until "all_pods_in_namespace_for_context_are_running argocd $(get_client_co
 pe "kubectl config use-context  $(get_client_context_from_cluster_name ${MGMT})"
 pe "kubectl config set-context --current --namespace=argocd"
 
-pe "argocd cluster list"
-
-########################
-# Add clusters to argo
-#######################
-for mc in "${managedclusters[@]}"; do
-    pe "kubectl --context $(get_client_context_from_cluster_name ${mc}) config view --minify --flatten > ${mc}.kubeconfig"
-    pe "argocd cluster add ${mc} --kubeconfig= ${mc}.kubeconfig -y"
-done
-
-pe "argocd cluster list"
-
-
-
-#####################################
+##########################################################
 # Creates ingress-nginx on clusters
-####################################
+# Commented out for minikube since in minikube is available
+# native as addon
+###########################################################
 #cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply -n argocd -f -
 #apiVersion: argoproj.io/v1alpha1
 #kind: ApplicationSet
@@ -90,9 +71,27 @@ pe "argocd cluster list"
 
 
 
-#######################
-# Deploy cert-manager
-#######################
+#############################################################
+# Deploy cert-manager as Argo application to ${MGMT} cluster
+#############################################################
+log::info "deploying cert-manager"
+cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: default
+  namespace: argocd
+spec:
+  sourceRepos:
+    - '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+EOF
+
 
 cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
 apiVersion: argoproj.io/v1alpha1
@@ -119,7 +118,8 @@ spec:
       - CreateNamespace=true
 EOF
 
-
+log::info "waiting for cert-manager to install..."
+sleep 10
 wait_until "crd_defined_for_context certificates.cert-manager.io $(get_client_context_from_cluster_name ${MGMT})" 10 120
 wait_until "crd_defined_for_context issuers.cert-manager.io $(get_client_context_from_cluster_name ${MGMT})" 10 120
 wait_until "all_pods_in_namespace_for_context_are_running cert-manager  $(get_client_context_from_cluster_name ${MGMT})" 10 120
@@ -128,6 +128,7 @@ wait_until "all_pods_in_namespace_for_context_are_running cert-manager  $(get_cl
 ##################################
 # Deploy self-signed  cert issuer
 ##################################
+log::info "Creating cert-manager Issuer"
 cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -141,7 +142,9 @@ EOF
 #################
 # generate certs
 #################
+log::info "Creating certificate CR for cert-manager"
 for mc in "${managedclusters[@]}"; do
+    log::info "Creating ${mc}-cert} CR certificates.cert-manager.io"
     cat <<EOF | kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f -
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -150,14 +153,11 @@ metadata:
   namespace: cert-manager
 spec:
   secretName: ${mc}-tls
-  secretTemplate:
-    annotations:
-      cluster-url: $(minikube -p ${mc} ip)
-    labels:
-      cluster: ${mc}
   duration: 24h
   renewBefore: 12h
   secretTemplate:
+    annotations:
+      syncrets-namespace: guestbook
     labels:
       cluster: ${mc}
   commonName: ${mc}
@@ -205,6 +205,7 @@ wait_until "deployment_in_namespace_for_context_up_and_running gitea-memcached d
 #TODO for airplane mode retrieve image docker.io/bitnami/postgresql:15.2.0-debian-11-r14
 wait_until "pod_in_namespace_for_context_is_running gitea-postgresql-0 default $(get_client_context_from_cluster_name ${MGMT})" 10 120
 
+MGMTIP=$(minikube -p "${MGMT}" ip)
 
 #patch the gitea svc on ${MGMT} cluster with the minikube IP address
 kubectl --context $(get_client_context_from_cluster_name ${MGMT}) -n default patch svc gitea-http -p "{\"spec\":{\"externalIPs\":[\"${MGMTIP}\"]}}"
@@ -216,6 +217,19 @@ GITEAPORT=$(kubectl --context $(get_client_context_from_cluster_name ${MGMT}) -n
 wait_until "http_endpoint_is_up http://${MGMTIP}:${GITEAPORT}" 10 120
 
 
+########################
+# Add clusters to argo
+#######################
+pe "argocd --core=true cluster list"
+
+for mc in "${managedclusters[@]}"; do
+    pe "kubectl --context $(get_client_context_from_cluster_name ${mc}) config view --minify --flatten > ${mc}.kubeconfig"
+    pe "argocd --core=true cluster add ${mc} --kubeconfig= ${mc}.kubeconfig -y"
+done
+
+pe "argocd --core=true cluster list"
+
+
 
 ###########################
 # creating guestbook on git
@@ -229,7 +243,6 @@ curl -u 'gitea_admin:r8sA8CPHD9!bt6d' \
     -i
 #TODO check $?
 
-
 GUESTBOOKTMP=$(mktemp -d)/guestbook
 git init ${GUESTBOOKTMP}
 cd ${GUESTBOOKTMP}
@@ -290,7 +303,7 @@ spec:
                 number: 80
     tls:
     - hosts:
-      - $(minikube -p cluster1 ip)
+      - $(minikube -p ${mc} ip)
       secretName: ${mc}-tls
 EOF
     git add ${GUESTBOOKTMP}/${mc}/guestbook-ingress.yaml

mini-ca/README.md

@@ -0,0 +1,100 @@
+This sets of script generate a mini CA through openssl.
+
+```shell
+$ ./check-or-generate-root.sh
+...
+```
+
+```shell
+$ ./check-or-generate-intermediate.sh
+```
+
+
+Now let's add the intermediate cert as a trusted certificate authority. 
+
+``` shell
+$ sudo cp intermediate/intermediate_cert.pem /etc/pki/ca-trust/source/anchors/intermediate_cert.pem
+```
+
+```shell
+$ sudo update-ca-trust
+```
+
+OK now we can test, let's generate a certificate for localhost with the just added CA.
+
+
+```shell
+cat << EOF > localhost.cnf
+[req]
+prompt                  = no
+distinguished_name      = distinguished_name_server_cert
+req_extensions          = v3_server_cert
+
+[distinguished_name_server_cert]
+countryName             = FR
+stateOrProvinceName     = Paca
+localityName            = Trourrettes sur Loup
+organizationName        = Minonne
+commonName              = localhost
+
+[v3_server_cert]
+subjectAltName = DNS:localhost
+EOF
+```
+
+```shell
+openssl genpkey \
+    -algorithm ED448 \
+    -out localhost-key.pem
+```
+
+```shell
+openssl req \
+    -config localhost.cnf \
+    -new \
+    -key localhost-key.pem \
+    -out localhost-csr.pem \
+    -text
+```
+
+
+let's sign it with the intermediate CA
+
+
+```shell
+openssl ca \
+    -batch \
+    -config ./intermediate/intermediate.cnf \
+    -in  ./localhost-csr.pem \
+    -out ./localhost-cert.pem 
+```
+
+
+and now let's create a test http server on localhost.
+
+```shell
+openssl s_server -key localhost-key.pem -cert localhost-cert.pem -accept 5000 -WWW
+```
+
+and now in another shell you can connect to the server:
+
+```shell
+$ curl https://localhost:5000
+```
+
+
+
+To remove the intermediate CA
+
+`` shell
+$ sudo rm /etc/pki/ca-trust/source/anchors/intermediate_cert.pem
+```
+
+```shell
+$ sudo update-ca-trust
+```
+
+
+
+Thanks to https://github.com/PacktPublishing/Demystifying-Cryptography-with-OpenSSL-3/tree/main/Chapter12/mini-ca
+and https://www.devdungeon.com/content/how-add-trusted-ca-certificate-centosfedora