
1c777065a7fa670f508e7365b099a3d9e795ac77 — Damien Radtke 2 years ago 602d799
Better cert provisioning
M .gitignore => .gitignore +0 -1
@@ 1,6 1,5 @@
.*.swp
.terraform
*.backup
secrets.tfvars
*.pem
*.p12

M ca/consul-agent-ca.srl => ca/consul-agent-ca.srl +1 -1
@@ 1,1 1,1 @@
2E741F16F5701C92061B3669C7546E4A1AA2C820
2E741F16F5701C92061B3669C7546E4A1AA2C853

M ca/nomad-agent-ca.srl => ca/nomad-agent-ca.srl +1 -1
@@ 1,1 1,1 @@
3A95C8A7EE198C7858E58366940C5F258426061A
3A95C8A7EE198C7858E58366940C5F2584260632

M ca/provision-cert => ca/provision-cert +19 -5
@@ 4,7 4,7 @@
#
#   provision-cert \
#       --ca consul-agent \
#       --cn server1.dc2.consul \
#       --hostname server1.dc2.consul \
#       --addr 1.1.1.1 \
#       --owner consul:consul \
#       --outdir /etc/ssl/consul-agent \


@@ 17,7 17,7 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
while [[ $# -gt 0 ]]; do
	case "$1" in
		--ca) ca="$2"; shift 2;;
		--cn) cn="$2"; shift 2;;
		--hostname) hostname="$2"; shift 2;;
		--addr) addr="$2"; shift 2;;
		--owner) owner="$2"; shift 2;;
		--outdir) outdir="$2"; shift 2;;


@@ 30,10 30,23 @@ done
tmp="$(mktemp --directory)"
trap "rm -rf '${tmp}'" EXIT

# CN is apparently deprecated, but is normally set to the primary hostname
# (since it can only accept one) for backwards compatability. If no hostname
# was specified, it defaults to the name of the cert.
cn="${hostname:-${basename}}"

# Subject Alt Name is what actually holds the list of valid DNS addresses.
# We always include localhost so that commands can be run locally, and add
# the requested hostname if it was provided.
san="DNS:localhost"
if [[ -n "${hostname:-}" ]]; then
	san="${san},DNS:${hostname}"
fi

# Generate a private key and CSR remotely
ssh root@"${addr}" <<EOF
cd '${outdir}'
openssl req -new -newkey rsa:2048 -nodes -keyout '${basename}.key' -out '${basename}.csr' -subj '/CN=${cn}'
openssl req -new -newkey rsa:2048 -nodes -keyout '${basename}.key' -out '${basename}.csr' -subj '/CN=${cn}' -addext 'subjectAltName=${san}'
EOF

# Copy the CSR down for cert generation


@@ 52,7 65,8 @@ openssl x509 -req \
	-CAkey "${ca}-ca.key" \
	${serial_arg} \
	-out "${tmp}/${basename}.crt" \
	-days "${days:-3650}"
	-days "${days:-3650}" \
	-extfile <(echo "subjectAltName = ${san}")
# TODO: add key usages? https://learn.hashicorp.com/tutorials/nomad/security-enable-tls

# Copy the certificate back up


@@ 62,4 76,4 @@ scp "${tmp}/${basename}.crt" root@"${addr}":"${outdir}/${basename}.crt"
ssh root@"${addr}" "rm ${outdir}/${basename}.csr"

# Update the owner.
ssh root@"${addr}" "chown -R ${owner} /etc/ssl/${ca}"
ssh root@"${addr}" "chown ${owner} ${outdir}/${basename}.{crt,key}"
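Review bot: In the remote heredoc of the 30,10 hunk (`ssh root@"${addr}" <<EOF`), `cd '${outdir}'` is unguarded, so if the directory is missing the following `openssl req` still runs and leaves the private key and CSR in the remote login directory of root, and the later copy of `${outdir}/${basename}.csr` presumably fails only afterwards. Start the remote script with `set -e`, or write `cd '${outdir}' || exit 1`, so the key can never be created outside `${outdir}`. The interpolated values are spliced into the remote command inside single quotes; they come from the Terraform callers today, but a `'` in any of them would break out of the quoting, and passing them through `printf '%q'` on the local side would make the intent explicit. The narrowed `chown` in the last hunk fixes the owner of `.key` but not its mode; if the script relies on `openssl req -keyout` creating the key with a private mode, a comment saying so would help, otherwise a `chmod 600 '${outdir}/${basename}.key'` next to the `chown` would pin it.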

M ca/vault-server-ca.srl => ca/vault-server-ca.srl +1 -1
@@ 1,1 1,1 @@
73BA2463646820941EB0EC0FDCDC6DE86EE141F7
73BA2463646820941EB0EC0FDCDC6DE86EE1420D

M packer/image.pkr.hcl => packer/image.pkr.hcl +1 -1
@@ 164,7 164,7 @@ build {
      "sudo -u damien /usr/local/bin/consul -autocomplete-install",
      "sudo -u damien /usr/local/bin/nomad -autocomplete-install",
      "sudo -u damien /usr/local/bin/vault -autocomplete-install",
      "usermod --append --groups consul damien",
      "usermod --append --groups consul,vault,nomad damien",
    ]
  }
}
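Review bot: `usermod --append --groups consul,vault,nomad damien` widens the interactive account from the consul group to the vault and nomad groups as well, which grants read access to anything group-readable that those services own, including the key material that `provision-cert` chowns to `vault:vault` and `nomad:nomad` if those files are group-readable. If the goal is CLI access to Vault, the separate `cli` certificate that `terraform/cluster/vault-server/main.tf` now provisions for `damien` may already cover that without the extra group memberships. A comment on the line naming what each group membership is needed for would make the least-privilege decision reviewable.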

M terraform/.gitignore => terraform/.gitignore +1 -0
@@ 3,3 3,4 @@
*.tfstate.*
debug.log
.terraform.lock.hcl
*.tfvars

M terraform/cluster/consul-server/main.tf => terraform/cluster/consul-server/main.tf +1 -1
@@ 37,7 37,7 @@ resource "linode_instance" "servers" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --cn server.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --hostname server.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
  }

  provisioner "file" {

M terraform/cluster/nomad-client/main.tf => terraform/cluster/nomad-client/main.tf +2 -2
@@ 50,7 50,7 @@ resource "linode_instance" "clients" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --cn client.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --hostname client.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
  }

  provisioner "file" {


@@ 64,7 64,7 @@ resource "linode_instance" "clients" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca nomad-agent --cn client.${self.region}.nomad --owner nomad:nomad --outdir /etc/ssl/nomad-agent --basename nomad"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca nomad-agent --hostname client.${self.region}.nomad --owner nomad:nomad --outdir /etc/ssl/nomad-agent --basename nomad"
  }

  provisioner "file" {

M terraform/cluster/nomad-server/main.tf => terraform/cluster/nomad-server/main.tf +2 -2
@@ 33,7 33,7 @@ resource "linode_instance" "servers" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --cn client.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --hostname client.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
  }

  provisioner "file" {


@@ 47,7 47,7 @@ resource "linode_instance" "servers" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca nomad-agent --cn server.${self.region}.nomad --owner nomad:nomad --outdir /etc/ssl/nomad-agent --basename nomad"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca nomad-agent --hostname server.${self.region}.nomad --owner nomad:nomad --outdir /etc/ssl/nomad-agent --basename nomad"
  }

  provisioner "file" {

M terraform/cluster/vault-server/main.tf => terraform/cluster/vault-server/main.tf +6 -2
@@ 33,7 33,7 @@ resource "linode_instance" "servers" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --cn client.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca consul-agent --hostname client.${self.region}.consul --owner consul:consul --outdir /etc/ssl/consul-agent --basename consul"
  }

  provisioner "file" {


@@ 47,7 47,11 @@ resource "linode_instance" "servers" {
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca vault-server --cn server.${self.region}.vault --owner vault:vault --outdir /etc/ssl/vault-server --basename vault"
    command = "../ca/provision-cert --addr ${self.ip_address} --ca vault-server --hostname server.${self.region}.vault --owner vault:vault --outdir /etc/ssl/vault-server --basename vault"
  }

  provisioner "local-exec" {
    command = "../ca/provision-cert --addr ${self.ip_address} --ca vault-server --owner damien:nobody --outdir /etc/ssl/vault-server --basename cli"
  }

  provisioner "file" {
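Review bot: The new `cli` provisioner issues a certificate from the same `vault-server` CA with no `--hostname`, so per `ca/provision-cert` its CN becomes `cli`, its SAN is only `DNS:localhost`, and no key usage is set (the script's own TODO). A client that trusts the vault-server CA and connects to `localhost` would therefore accept this cli certificate as a server certificate too; giving client certificates `extendedKeyUsage = clientAuth` and server certificates `serverAuth` in the script's extfile would separate the two roles. `--owner damien:nobody` also leaves the key group-owned by `nobody`, a group several daemons run under; `damien:damien` is the narrower choice unless something running as `nobody` needs to read it, in which case a comment saying what should make that explicit.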

M terraform/main.tf => terraform/main.tf +1 -1
@@ 18,7 18,7 @@ data "linode_profile" "me" {}
module "cluster" {
  source           = "./cluster"
  datacenter       = "ca-central"
  image            = "private/12878715"
  image            = "private/13315378"
  authorized_users = [data.linode_profile.me.username]
  instance_type    = "g6-nanode-1"
  vault_token      = "root_token"