Helm-Toolkit: TLS cert generator

This PS adds a function to generate tls certificates from a
CA. It also adds a script to generate a snakeoil ca for dev
and future gating work.

Change-Id: Ic94a9ab5fa3ebb912b507008a6b2f78e16dade67
Signed-off-by: Pete Birley <pete@port.direct>

helm-toolkit/templates/tls/_tls_generate_certs.tpl

@@ -0,0 +1,70 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Produces a certificate from a certificate authority.
+values: |
+  test:
+    hosts:
+      names:
+        - barbican.openstackhelm.example
+        - barbican.openstack.svc.cluster.local
+      ips:
+        - 127.0.0.1
+        - 192.168.0.1
+    life: 3
+    ca:
+      crt: |
+        <CA CRT>
+      key: |
+        <CA PRIVATE KEY>
+usage: |
+  {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+  ca: |
+    <CA CRT>
+  crt: |
+    <CRT>
+  exp: 2018-09-01T10:56:07.895392915-05:00
+  key: |
+    <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $expDate := date_modify (printf "+%sh" (mul $params.life 24 |toString)) now }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) (rest $local.certHosts) (int $params.life) $ca }}
+{{- $certificate := dict "crt" $rawCert.Cert "key" $rawCert.Key "ca" $params.ca.crt "exp" $expDate "" }}
+{{- $certificate | toYaml }}
+{{- end -}}

tools/gate/tls-ca-boostrapper/01-setup.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Copyright 2018 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+set -xe
+
+CFSSLURL=https://pkg.cfssl.org/R1.2
+for CFSSL_BIN in cfssl cfssljson; do
+  if ! type -p "${CFSSL_BIN}"; then
+    sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
+    sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
+    ls "/usr/local/bin/${CFSSL_BIN}"
+  fi
+done
+
+OSH_CONFIG_ROOT="/etc/openstack-helm"
+OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
+OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
+
+sudo mkdir -p ${OSH_CONFIG_ROOT}
+sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
+
+mkdir -p "${OSH_CA_ROOT}"
+tee ${OSH_CA_ROOT}/ca-config.json << EOF
+{
+    "signing": {
+        "default": {
+            "expiry": "1y"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "1y",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            }
+        }
+    }
+}
+EOF
+
+tee ${OSH_CA_ROOT}/ca-csr.json << EOF
+{
+  "CN": "ACME Company",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "SomeState",
+      "ST": "SomeCity",
+      "O": "SomeOrg",
+      "OU": "SomeUnit"
+    }
+  ]
+}
+EOF
+
+cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
+
+function check_cert_and_key () {
+  TLS_CERT=$1
+  TLS_KEY=$2
+  openssl x509 -inform pem -in ${TLS_CERT} -noout -text
+  CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
+  KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
+  if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
+    echo "Failure: TLS private key does not match this certificate."
+    exit 1
+  else
+    CERT_MOD=""
+    KEY_MOD=""
+    echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
+  fi
+}
+check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem