#
# ============LICENSE_START=======================================================
# Copyright (C) 2022 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
---
# cfssl configuration files, mounted one-by-one into /config by the Deployment
# below (each key is surfaced through a subPath mount).
apiVersion: v1
kind: ConfigMap
metadata:
  name: cfssl-init
  namespace: default
data:
  # Certificate database used by `cfssl serve -db-config`.
  # NOTE(review): the connection string carries a plaintext password and
  # sslmode=disable, and it lives in a ConfigMap rather than a Secret; left
  # unchanged here because the postgres side is not defined in this file.
  db-pg.json: |
    {
      "driver":"postgres",
      "data_source":"postgres://cfssl:cfssl@postgres:5432/cfssl?sslmode=disable"
    }
  # CSR for the self-signed root CA (`cfssl gencert -initca`); the start-up
  # script below reuses the same CSR for the OCSP signing certificate.
  ca-csr.json: |
    {
      "CN":"EST Root CA",
      "hosts": [
        "cluster.local",
        "localhost"
      ],
      "key":{
        "algo":"rsa",
        "size": 2048
      },
      "names":[
        {
          "C":"IE",
          "L":"Dublin",
          "O":"EST",
          "OU":"NONRTRIC",
          "ST":"Ireland"
        }
      ]
    }
  # Signing policy. Every profile, including the end-entity "server" and
  # "client" profiles, uses a 175200h (~20 year) expiry -- NOTE(review):
  # confirm that lifetime is intended for leaf certificates. The ocsp_url and
  # crl_url point at ports 8889 and 8888; only 8888 is declared as a container
  # and service port in this manifest, so the 8889 responder is presumably
  # served elsewhere -- verify.
  cfssl-config.json: |
    {
      "signing": {
        "default": {
          "ocsp_url": "http://rapps-cfssl.default:8889",
          "crl_url": "http://rapps-cfssl.default:8888/crl",
          "expiry": "175200h",
          "usages": [
            "signing",
            "key encipherment",
            "client auth"
          ]
        },
        "profiles": {
          "ocsp": {
            "usages": ["digital signature", "ocsp signing"],
            "expiry": "175200h"
          },
          "intermediate": {
            "usages": ["cert sign", "crl sign"],
            "expiry": "175200h",
            "ca_constraint": {"is_ca": true}
          },
          "server": {
            "usages": ["signing", "key encipherment", "server auth"],
            "expiry": "175200h"
          },
          "client": {
            "usages": ["signing", "key encipherment", "client auth"],
            "expiry": "175200h"
          }
        }
      }
    }
  # CSR for the intermediate CA; `cfssl serve` is started with this CA's key
  # and certificate, so it is the one that signs issued certificates.
  server-ca.csr.json: |
    {
      "CN": "EST intermediate CA",
      "key": {
        "algo":"rsa",
        "size": 2048
      },
      "names": [
        {
          "C":"IE",
          "L":"Dublin",
          "O":"EST",
          "OU":"NONRTRIC",
          "ST":"Ireland"
        }
      ]
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rapps-cfssl
  namespace: default
spec:
  selector:
    matchLabels:
      app: rapps-cfssl
  template:
    metadata:
      labels:
        app: rapps-cfssl
        version: v1
    spec:
      containers:
        - name: rapps-cfssl
          image: ktimoney/rapps-cfssl
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8888
          # Start-up script: generate root CA -> intermediate CA -> OCSP signer,
          # then run the signing server from the intermediate.
          # NOTE(review): /certs is not backed by any volume declared in this
          # manifest, so the root and intermediate CA key pairs are regenerated
          # on every pod restart (invalidating previously issued certificates);
          # the script also has no `set -e`, so a failed gencert still reaches
          # `cfssl serve`. -loglevel=0 is the most verbose cfssl level
          # (presumably debug) -- confirm for non-development use.
          command:
            - sh
            - -c
            - |
              cd /certs
              # Generate Root CA
              cfssl gencert -initca /config/ca-csr.json | cfssljson -bare ca -
              # Generate intermediate CA
              cfssl gencert -ca /certs/ca.pem -ca-key /certs/ca-key.pem -config="/config/cfssl-config.json" \
              -profile="intermediate" /config/server-ca.csr.json| cfssljson -bare ca-server -
              # Generate ocsp CA
              cfssl gencert -ca /certs/ca-server.pem -ca-key /certs/ca-server-key.pem -config \
              /config/cfssl-config.json -profile="ocsp" /config/ca-csr.json| cfssljson -bare server-ocsp -
              # Start cfssl server
              cfssl serve -db-config=/config/db-pg.json -loglevel=0 -ca-key=/certs/ca-server-key.pem -ca=/certs/ca-server.pem \
              -config=/config/cfssl-config.json -responder=/certs/server-ocsp.pem -responder-key=/certs/server-ocsp-key.pem
          resources:
            limits:
              memory: "256Mi"
              cpu: "250m"
            requests:
              memory: "128Mi"
              cpu: "80m"
          # Each ConfigMap key is mounted as a single file so /config holds
          # nothing but the four cfssl inputs.
          volumeMounts:
            - name: cfssl-init
              mountPath: /config/db-pg.json
              subPath: db-pg.json
            - name: cfssl-init
              mountPath: /config/ca-csr.json
              subPath: ca-csr.json
            - name: cfssl-init
              mountPath: /config/cfssl-config.json
              subPath: cfssl-config.json
            - name: cfssl-init
              mountPath: /config/server-ca.csr.json
              subPath: server-ca.csr.json
      volumes:
        - name: cfssl-init
          configMap:
            name: cfssl-init
            # YAML 1.1 octal as kubectl reads it (493 decimal). The mounted
            # files are read-only JSON inputs, so 0644 would be sufficient;
            # left unchanged.
            defaultMode: 0755
---
# NOTE(review): type LoadBalancer together with a fixed nodePort exposes the
# CA signing API (port 8888) outside the cluster. If only in-cluster callers
# need it, ClusterIP and/or a NetworkPolicy would shrink the exposure; left
# unchanged here.
apiVersion: v1
kind: Service
metadata:
  name: rapps-cfssl
  namespace: default
  labels:
    app: rapps-cfssl
    service: rapps-cfssl
spec:
  type: LoadBalancer
  selector:
    app: rapps-cfssl
  ports:
    - name: http
      port: 8888
      targetPort: 8888
      nodePort: 31888