Working version. Need to add wait condition for istio-csr pods

8c61399a · Shankar Govindarajan · 5794e5be · 8c61399a · 8c61399a · 8c61399a
Commit 8c61399a authored 1 year ago by Shankar Govindarajan
--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -3,4 +3,5 @@
 *.crt
 *.cer
 *.der
-*.priv
\ No newline at end of file
+*.priv
+*.csr
\ No newline at end of file
--- a/ansible/kubernetes/istio-csr/istio-csr-vault-values.yml
+++ b/ansible/kubernetes/istio-csr/istio-csr-vault-values.yml
-replicaCount: 2
+replicaCount: 1

 image:
  repository: quay.io/jetstack/cert-manager-istio-csr
@@ -20,7 +20,7 @@ app:

  istio:
    namespace: istio-system
-    revisions: ["basic"]
+    revisions: ["default"]

  server:
    maxCertificateDuration: 5m

--- a/ansible/kubernetes/vault/vault-override-values.yml
+++ b/ansible/kubernetes/vault/vault-override-values.yml
 global:
  openshift: true
+  logLevel: "trace"

 server:
  dev:

--- a/ansible/playbooks/install-istio-csr.yml
+++ b/ansible/playbooks/install-istio-csr.yml
@@ -7,6 +7,17 @@
     helm_chart_url: "https://charts.jetstack.io"
     smcp_namespace: "istio-system"
  tasks:
+  - name: Create secret for the Intermediate root CA
+    kubernetes.core.k8s:
+      state: present
+      definition:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: istio-root-ca
+          namespace: istio-system
+        data:
+          ca.pem: "{{ lookup('file', './RH_Custom_Intermediate_CA.pem') |  b64encode }}"
  - name: Add helm repo for istio-csr
    kubernetes.core.helm_repository:
      name: jetstack
@@ -17,13 +28,4 @@
      release_namespace: istio-system
      chart_ref: jetstack/cert-manager-istio-csr
      values_files:
-      - ../kubernetes/istio-csr/istio-csr-vault-values.yml
-  - name: Wait till pod is running for istio-csr
-    kubernetes.core.k8s_info:
-      kind: Pod
-      wait: yes
-      label_selectors:
-        - "app.kubernetes.io/name = vault"
-      namespace: vault
-      wait_sleep: 10
-      wait_timeout: 360        
\ No newline at end of file
+      - ../kubernetes/istio-csr/istio-csr-vault-values.yml 
\ No newline at end of file
--- a/ansible/playbooks/install-vault.yml
+++ b/ansible/playbooks/install-vault.yml
@@ -19,7 +19,7 @@
      values_files:
      - ../kubernetes/vault/vault-override-values.yml
      release_values:
-        log_level: Debug
+        log_level: Trace
  - name: Wait till pod is running for vault
    kubernetes.core.k8s_info:
      kind: Pod

--- a/ansible/playbooks/integrate-ossm-vault.yml
+++ b/ansible/playbooks/integrate-ossm-vault.yml
@@ -29,7 +29,7 @@
      api_version: v1
      kind: Namespace
      state: present      
-  - name: Create Vault Auth Secret
+  - name: Create Vault Auth Secret For Approle
    kubernetes.core.k8s:
      state: present
      definition:
@@ -41,6 +41,17 @@
          namespace: istio-system
        data:
          secretId: "{{ rh_vault_pki_role_secret_encoded.stdout }}"
+#  - name: Create Vault Auth Secret For root token
+#    kubernetes.core.k8s:
+#      state: present
+#      definition:
+#        apiVersion: v1
+#        kind: Secret
+#        metadata:
+#          name: vault-token
+#          namespace: istio-system
+#        stringData:
+#          token: root
  - name: Create Vault Issuer
    kubernetes.core.k8s:
      state: present
@@ -55,10 +66,12 @@
            server: https://{{ vault_route_object.resources[0].spec.host }}
            path: pki_int_ca/sign/rh-custom-issuer
            auth:
+#              tokenSecretRef:
+#                name: vault-token
+#                key: token            
              appRole:
                path: approle
                roleId: "{{ rh_vault_pki_role_id_object.data.data.role_id }}"
                secretRef:
                  name: rh-vault-pki-role
-                  key: secretId    
-
+                  key: secretId    
\ No newline at end of file
--- a/ansible/playbooks/setup-demo-infra.yml
+++ b/ansible/playbooks/setup-demo-infra.yml
@@ -11,4 +11,5 @@
 - import_playbook: install-cert-manager-operator.yml
 - import_playbook: install-vault.yml
 - import_playbook: init-vault.yml
- import_playbook: integrate-ossm-vault.yml
\ No newline at end of file
+- import_playbook: integrate-ossm-vault.yml
+- import_playbook: install-istio-csr.yml
\ No newline at end of file
--- a/ansible/scripts/create-certs.sh
+++ b/ansible/scripts/create-certs.sh
@@ -52,6 +52,7 @@ vault secrets tune -max-lease-ttl=43800h pki_int_ca # Setting the expire to 5 yr
 # --> max_path_length is equal to 0. This is to signal that this is the last level in our PKI and no more intermediates will follow. 
 # Meaning that the certificates this Ca generates will be for End Entity (EE) users
 vault write -format=json pki_int_ca/intermediate/generate/internal \
+  require_cn=false \
  max_path_length=0 \
  common_name="RH Custom Intermediate CA" \
  ou="RH-FSI" \
@@ -97,31 +98,36 @@ vault read pki_int_ca/crl/rotate
 # --> allow_subdomains=true : This would allow hunter.example.com to be allowed, that is if example.com is in the allowed list. Which because of allow_any_name=True this is allowed.
 # --> use_csr_common_name=true : This will use the CSR common name when you are signing a CSR.
 vault write pki_int_ca/roles/rh-custom-issuer  \
-  issuer_ref="$(vault read -field=default pki_int_ca/config/issuers)" \
-  allow_any_name=True \
-  allow_subdomains=true \
+  allow_any_name=true \
+  allow_uri_sans=true \
+  allow_ip_sans=true \
  ou="RH-SPPRT" \
  organization="Red Hat Consulting" \
  country="US" \
-  key_usage="DigitalSignature, KeyEncipherment" \
  use_csr_common_name=true \
  ttl="4380h" \
  max_ttl="4380h" \
  enforce_hostnames=false \
-  allow_bare_domains=true
-
-# Create a vault policy for the above created vault PKI role
-vault policy write rh-custom-issuer_pki ./rh-custom-issuer-policy.hcl
+  allow_bare_domains=true \
+  require_cn=false \
+  allowed_uri_sans="istio-system.svc, opentlc.com, cluster.local, spiffe://*" \
+  allow_subdomains=true 

 #############################

+# Create a vault policy for the above created vault PKI role
+vault policy write rh-custom-issuer_pki ../scripts/role-issuer-policy.hcl
+
 # --------------------------------------------------------------------------------------------------------------


 ### Create The App Role that will be used to authenticate with Vault server #####
-
 vault auth enable approle

+# Create a vault policy for the above created vault PKI role
+vault policy write approle_policy ../scripts/role-issuer-policy.hcl
+
+
 # --> secret_id_ttl=10m: Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which by default any SecretID expires. A value of zero will allow the SecretID to not expire. However, this option may be overridden by the request's 'ttl' field when generating a SecretID.
 # --> token_num_uses=10: The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. If you require the token to have the ability to create child tokens, you will need to set this value to 0
 # --> token_ttl=10m: The incremental lifetime for generated tokens. This current value of this will be referenced at renewal time
@@ -132,4 +138,5 @@ vault write auth/approle/role/rh-vault-pki-role \
    token_num_uses=10 \
    token_ttl=10m \
    token_max_ttl=15m \
-    secret_id_num_uses=0
\ No newline at end of file
+    secret_id_num_uses=0 \
+    policies=approle_policy
\ No newline at end of file
--- a/ansible/scripts/rh-custom-issuer-policy.hcl
+++ b/ansible/scripts/rh-custom-issuer-policy.hcl
-path "pki_int_ca*" { 
-  capabilities = ["read", "list"] 
-}
-
-path "pki_int_ca/roles/rh-custom-issuer" { 
-  capabilities = ["create", "update"] 
-}
-
-path "pki_int_ca/sign/rh-custom-issuer" { 
-  capabilities = ["create", "update", "read", "list"] 
-}
-
-path "pki_int_ca/issue/rh-custom-issuer" { 
-  capabilities = ["create", "update", "read", "list"] 
-}
-