
e72863f89964bb2bf88cbc0a159641d0c342bfc9 — Damien Radtke 2 years ago 52593c4 master
Renew CAs
8 files changed, 78 insertions(+), 60 deletions(-)

M artifacts/vault-write-certs.sh
M ca/consul-agent-ca.crt
M ca/nomad-agent-ca.crt
A ca/renew-cert
M ca/vault-server-ca.crt
M jobs/acme-renewer.nomad.erb
R jobs/{damienradtkecom.nomad.erb => damienradtkecom.nomad}
M jobs/fabio.nomad.erb
M artifacts/vault-write-certs.sh => artifacts/vault-write-certs.sh +1 -1
@@ 24,7 24,7 @@ DATA="$(jq --null-input --compact-output --arg cert "${CERT}" --arg key "${KEY}"
URL="https://vault.service.consul:8200/v1/secret/data/fabio/certs/${DOMAIN}"
echo "[vault-write-certs.sh] Saving cert and key to ${URL}"

curl --cacert /etc/ssl/vault/ca.pem \
curl --cacert /etc/ssl/vault-server/ca.crt \
  --header "X-Vault-Token: ${VAULT_TOKEN}" \
  --header "Content-Type: application/json" \
  --request POST \
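Review bot: The CA bundle path on the new `curl --cacert /etc/ssl/vault-server/ca.crt` line is now hard-coded in two places, here and in the acme-renewer job's `VAULT_CAPATH`, so the next renewal or relocation has to remember both. Reading it from the environment with the same fallback keeps one source of truth: `curl --cacert "${VAULT_CACERT:-/etc/ssl/vault-server/ca.crt}" \`. The curl invocation continues past the end of this hunk, so I cannot see whether `--fail` is set; if it is not, a non-2xx answer from Vault leaves the script exiting 0 right after the "Saving cert and key" log line.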

M ca/consul-agent-ca.crt => ca/consul-agent-ca.crt +15 -17
@@ 1,19 1,17 @@
-----BEGIN CERTIFICATE-----
MIIDFTCCAf2gAwIBAgIUQI6dda+SDRrfeGUTY1Igs1nJ+54wDQYJKoZIhvcNAQEL
BQAwGjEYMBYGA1UEAwwPY29uc3VsLWFnZW50IENBMB4XDTIxMDYyOTIxMDgxNVoX
DTIyMDYyOTIxMDgxNVowGjEYMBYGA1UEAwwPY29uc3VsLWFnZW50IENBMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo8jKPl0tC5055xxoSpxSfo9xFwn5
b8O47zmXJtUHnfljzYr+kh6mYeLRrkDk8qyhZZ8jEQwIMwJua+5OHnhRsv6DSwwv
U4wZjAn5s/vj1VDKa3mIfO2sLLPFshaYvWONxMwoZ5yRVZ55Y7APo3qWBHHccv/D
MVc32QagIiJLY++12VJa+oDKfeysHHZVTmbHosxwJGzc5cA/qUD6Bxjy8b8wV7jn
zhSEiAl+46kXA/TGVEmEdVpILJm4JzT5XNl292mbzW9afXjY3h9K5I04d+qOEBrI
h8HKVO6KTsCnyuZMv+9+sLQuA/w92VGSuV03LuX4VbnKYXyNc6rw4dhjhQIDAQAB
o1MwUTAdBgNVHQ4EFgQURjwfuVDSeUNtjMGPqyZYIsM0uB8wHwYDVR0jBBgwFoAU
RjwfuVDSeUNtjMGPqyZYIsM0uB8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAdY7Homhv6tedRKDM2b2Bu9gqQODMILuAxymG9BefmnS0IKHfqpHy
y9fHy7pRpTAfmWJSuAC/FHOnEpykN/gFEck5ym75n22YIM3JfwLftV7vhrRmYIqc
wdTGybHtvS0+VxL4S8INQgJgCfutj+b2QZp/S8p8Y9s5zQXMWNYd+oruum3jhsuS
lrtiTB7NRcKtOJyhQ6/XeXIk9VVnmeNJLPQP1t/aPcNkkIBq0zAvWYrOfQ5AENWC
BwGAASpWg+UycKqIHSGAORE7UnK/ESqOp4M6RKCLEjzZ7ELYYoxrwXrqBvV1Q+c0
4swJOtMEWu+lTjz8LRx97BN9j0fwQjk+FQ==
MIICuzCCAaMCFBoV9BmFOqzGBgJ5Pezkxf2J1O6hMA0GCSqGSIb3DQEBCwUAMBox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-----END CERTIFICATE-----

M ca/nomad-agent-ca.crt => ca/nomad-agent-ca.crt +15 -17
@@ 1,19 1,17 @@
-----BEGIN CERTIFICATE-----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MIICuTCCAaECFCZlcSv6w5ouXGqq+ymhzdQTOePpMA0GCSqGSIb3DQEBCwUAMBkx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-----END CERTIFICATE-----

A ca/renew-cert => ca/renew-cert +21 -0
@@ 0,0 1,21 @@
#!/usr/bin/env bash
#
# This script is used to renew a certificate, likely a certificate authority.
#
#  $ ./renew-cert vault-server-ca
#
#

set -eu -o pipefail

if [[ $# -ne 1 ]]; then
	echo "usage: $0 <name>"
	exit 1
fi

name="$1"

csr="$(mktemp)"
openssl x509 -x509toreq -in "${name}.crt" -signkey "${name}.key" -out "${csr}"
openssl x509 -req -days 3650 -in "${csr}" -signkey "${name}.key" -out "${name}.crt"
rm "${csr}"
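Review bot: The second openssl call emits an X.509 v1 certificate: `x509 -req` without `-extfile` carries nothing over from the old certificate, so the basicConstraints CA:TRUE and key-identifier extensions the previous CA had are dropped — the renewed consul-agent, nomad-agent and vault-server CAs in this commit start with `MIICu…AaMCFB…`, which appears to have no version element where the old `MIIDFTCCAf2gAwIBAgIU…` did. Lenient verifiers accept a self-signed v1 root, but anything running strict X.509 checks will reject it as not a CA, so the CA extensions should be re-added explicitly. The script also writes the new certificate over `${name}.crt` in place and leaves the CSR behind if that command fails under `set -e`; writing to a temp file, swapping it in only on success, and cleaning up with a trap fixes both.
```bash
csr="$(mktemp)"
newcrt="$(mktemp)"
trap 'rm -f -- "${csr}" "${newcrt}"' EXIT

openssl x509 -x509toreq -in "${name}.crt" -signkey "${name}.key" -out "${csr}"
# -req without -extfile yields a v1 certificate with no extensions; re-add the CA ones.
openssl x509 -req -days 3650 -in "${csr}" -signkey "${name}.key" -out "${newcrt}" \
  -extfile <(printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n')
# Replace the old certificate only after signing succeeded; '>' keeps the file's mode.
cat -- "${newcrt}" > "${name}.crt"
```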

M ca/vault-server-ca.crt => ca/vault-server-ca.crt +15 -17
@@ 1,19 1,17 @@
-----BEGIN CERTIFICATE-----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MIICuzCCAaMCFG59Q0rc+VogCE3vsr/y1Q/CYe11MA0GCSqGSIb3DQEBCwUAMBox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-----END CERTIFICATE-----

M jobs/acme-renewer.nomad.erb => jobs/acme-renewer.nomad.erb +1 -1
@@ 74,7 74,7 @@ job "acme-renewer" {

				env {
					LINODE_V4_API_KEY = "<%= secret('linode/acme-renewer', 'api_key') %>"
					VAULT_CAPATH = "/etc/ssl/vault/ca.pem"
					VAULT_CAPATH = "/etc/ssl/vault-server/ca.crt"
					VAULT_ADDR = "https://vault.service.consul:8200"
				}
			}
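Review bot: The new value `VAULT_CAPATH = "/etc/ssl/vault-server/ca.crt"` names a single PEM file, but for the Vault CLI and Go client `VAULT_CAPATH` is documented as a directory of CA certificates while the single-file setting is `VAULT_CACERT`; the previous value had the same shape, so this predates the commit. Whether it works depends on which client the renewer uses to load it, so confirm that and, if it is the Vault client, switch to `VAULT_CACERT = "/etc/ssl/vault-server/ca.crt"`. The same path is hard-coded in artifacts/vault-write-certs.sh, so the two should be changed together. The env block is shown in full but the enclosing task starts above this hunk.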

R jobs/damienradtkecom.nomad.erb => jobs/damienradtkecom.nomad +6 -2
@@ 1,4 1,8 @@
// TODO: use variables: https://www.nomadproject.io/docs/job-specification/hcl2/variables
variable "ref" {
  type = string
  default = "master"
}

job "damienradtkecom" {
	region = "global"



@@ 61,7 65,7 @@ job "damienradtkecom" {
				source = "github.com/dradtke/blog"
				destination = "local/blog/"
				options {
					ref = "<%= ENV['REF'] || 'master' %>"
					ref = var.ref
				}
			}
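Review bot: The blog artifact is now pinned only to a branch name: `default = "master"` feeds `ref = var.ref` into a git artifact with no checksum, so every new allocation fetches whatever that branch points to at the time. If reproducible deployments are the goal, consider defaulting `ref` to a commit hash or at least documenting the intent in the variable block, e.g. `description = "Git ref of dradtke/blog to deploy; pin to a commit for a reproducible deployment"`. If the `// TODO: use variables` comment at the top of the file survives this commit, it is now addressed and can be dropped. The artifact stanza begins above this hunk.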


M jobs/fabio.nomad.erb => jobs/fabio.nomad.erb +4 -5
@@ 1,7 1,6 @@
<%
  @fabio_version  = "1.5.15"
  @golang_version = "1.15.5"
  @fabio_checksum = "sha256:14c7a02ca95fb00a4f3010eab4e3c0e354a3f4953d2a793cb800332012f42066"
  @fabio_version  = "1.6.1"
  @fabio_checksum = "sha256:74db83e1db2a561012b3acfbdf98f4c499387be623af62a372e880c78eff98ab"
%>

job "fabio" {


@@ 35,7 34,7 @@ job "fabio" {
			driver = "exec"
			user   = "fabio"
			config {
				command = "fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
				command = "fabio-<%= @fabio_version %>-linux_amd64"
				// TODO: this currently fails because consul-key.pem is not readable
				// Need to figure out a way to get fabio a client cert
				args = [


@@ 49,7 48,7 @@ job "fabio" {
			}

			artifact {
				source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-go<%= @golang_version %>-linux_amd64"
				source = "https://github.com/fabiolb/fabio/releases/download/v<%= @fabio_version %>/fabio-<%= @fabio_version %>-linux_amd64"
				options {
					checksum = "<%= @fabio_checksum %>"
				}