Better certificate generation #1
Conversation
chregu
force-pushed
the
certificate-generation-improvements
branch
from
01a2878 to
c43800f
Compare
| @@ -7,3 +7,6 @@ | |||
|
|
|||
| # Local | |||
| .env | |||
|
|
|||
There was a problem hiding this comment.
added a comment, left the whitespace
| @@ -0,0 +1,5 @@ | |||
| #!/usr/bin/env bash | |||
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | |||
There was a problem hiding this comment.
There's really nothing less ugly?
DIR=$(realpath $(dirname $(dirname $0)))
?
There was a problem hiding this comment.
There was a problem hiding this comment.
It's even worse (or not really possible at all) in Posix sh
https://stackoverflow.com/questions/29832037/how-to-get-script-directory-in-posix-sh#29834779
build/helper/Dockerfile
Outdated
| @@ -0,0 +1,5 @@ | |||
| FROM debian:stable-slim | |||
There was a problem hiding this comment.
Please specify the Debian release; buster-slim; but thanks for using Debian!
scripts/env.sh
Outdated
| @@ -0,0 +1,13 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
Would be best to avoid bashisms and use standard /bin/sh, no?
| @@ -0,0 +1,59 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Not coherent with the /usr/bin/env calls elsewhere.
There was a problem hiding this comment.
replaced with #!/usr/bin/env bash for now (see chat discussion)
chregu
changed the title
scripts/generate-certificates.sh
Outdated
| chmod 600 $PROJECT_NAME.key $PROJECT_NAME.pem | ||
| fi | ||
| docker run --rm -v $DIR/../:/generate/ -v $PONTSUN_DIR_ETC/certificates/:/certs/ -it liip/pontsun-helper:latest /generate/scripts/helper/docker-generate-certificates.sh $1 | ||
| if [[ "$OSTYPE" == "darwin"* ]]; then |
There was a problem hiding this comment.
If we start to support explicitly Mac, shouldn't we support other platforms also ?
There was a problem hiding this comment.
Sure. Windows support is needed/wanted, too. But I need the help of our windows users here and something that can be added later.
We supported mac before anyway already (the source of this scripts and the docs/ at least ;))
There was a problem hiding this comment.
smallstep CLI has a command to install certificates into truststores for windows, linux and macOS.
Respective code is at smallstep/truststore:
There was a problem hiding this comment.
It's now included and used, if installed (didn't check on windows, but that's something to be added later)
|
|
||
| # Load env file | ||
| set -a | ||
| test -f $(dirname $0)/../../containers/.env && source $(dirname $0)/../../containers/.env |
There was a problem hiding this comment.
It is not specified in the README.md that we need to copy the .env file and without it it's not working by default. We should maybe warn the user if we don't find some env variables and stop the script with an explicit message.
There was a problem hiding this comment.
It does that now. Plus I added some section to the README
scripts/generate-certificates.sh
Outdated
| cat $PROJECT_NAME.crt $PROJECT_NAME.key > $PROJECT_NAME.pem | ||
| chmod 600 $PROJECT_NAME.key $PROJECT_NAME.pem | ||
| fi | ||
| docker run --rm -v $DIR/../:/generate/ -v $PONTSUN_DIR_ETC/certificates/:/certs/ -it liip/pontsun-helper:latest /generate/scripts/helper/docker-generate-certificates.sh $1 |
There was a problem hiding this comment.
By default the liip/pontsun-helper image doesn't exist, we should maybe integrate the build process of the image here or push this image to a repo so users only need to pull it here.
There was a problem hiding this comment.
I'm still in the process of recovering our "liip" docker hub account, so that we can push it there (and then yes, why not add it into CI/CD)and people don't have to do anything.
scripts/pontsun
Outdated
| @@ -0,0 +1,45 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
For a single command that also exists as a script maybe this binary is not needed. Is there other commands that are planned to be added later ?
There was a problem hiding this comment.
Yes, there will be more up and down for example (see #5 which is WIP for now)
One reason to do this was also, that we have to possibility to maybe move away from a shell script here and do it in go or whatever other language.
chregu
force-pushed
the
certificate-generation-improvements
branch
2 times, most recently
from
e9fefaa to
02ddea4
Compare
chregu
force-pushed
the
certificate-generation-improvements
branch
from
02ddea4 to
cac4c2b
Compare
chregu
changed the title
|
what's the status here? // Edit: actually it does exist, I just didn't see it (and needs a |
Initial problem: The certificate generation doesn't work on OS X, since openssl behaves differently (it errors out)
Solution: Use a docker image to generate to certificates on all platforms. Also to make the environment consistent.
Problem 2: If you want to have an additional domain name other than the default one for your project (let's say, api.rokka.test instead of rokka-api.pontsun.test), there was no easy way.
Solution 2: Add alternate DNS entries to the cert. The script now reads all the existing and adds new one before recreating it.
More stuff in this MR:
Moved certificates from
certificates/toetc/certificatesto be able to have more config options in that directory (it's configurable via the PONTSUN_DIR_ETC variable)Automatically installs the generated root certificate to the system trust store on OS X or if smallstep-cli is installed (https://smallstep.com/docs/cli/), if it doesn't exist already (needs password)
The helper image (liip/pontsun-helper:latest) for openssl cert generation isn't on hub.docker.com yet (I need to get the credentials before I can upload it), you have to generate it first locally with
build/build.sh