startup script for codespace

.devcontainer/test-on-create.sh

@@ -4,15 +4,13 @@ set -u
 
 set -e
 
-KUBERNETES_VERSION=v1.22.10
+KUBERNETES_VERSION=v1.26.1
 GO_VERSION=1.17.8
 OPERATOR_SDK_VERSION=v1.19.x
-
-
-
+CERT_MANAGER_VERSION=v1.12.6 
 
 sudo apt-get update
-sudo apt-get install snap
+sudo apt-get install snap dos2unix 
 
 
 # uninstall existing golang 
@@ -115,6 +113,22 @@ minikube start -p aged --kubernetes-version=${KUBERNETES_VERSION}
 
 kubectl get nodes -o wide
 
+# install cert-manager
+
+helm repo add jetstack https://charts.jetstack.io --force-update
+
+helm repo update
+
+helm search repo cert-manager
+helm search repo cert-manager --versions | grep v1.
+
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --version $CERT_MANAGER_VERSION  \
+  --set installCRDs=true
+
 
 code --install-extension redhat.vscode-yaml --force
 code --install-extension ms-kubernetes-tools.vscode-kubernetes-tools --force

.github/workflows/adcs-simulator.yaml

@@ -0,0 +1,76 @@
+name: adcs-simulator pipeline
+
+on:
+  push:
+    paths:
+      - 'test/adcs-sim/**.go'
+      - 'test/**.go'
+      - 'test/Dockerfile'
+
+
+jobs:
+
+  buildDocker:
+    runs-on: ubuntu-latest
+    env:
+      APP_NAME: adcs-simulator
+
+    steps:
+    - uses: actions/checkout@v2
+      name: Checkout
+      with:
+
+        ref: master
+
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v4
+
+      with:
+      # list of Docker images to use as base name for tags
+        images: |
+          djkormo/adcs-sim
+        # generate Docker tags based on the following events/attributes
+        tags: |
+          type=schedule
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha
+
+    - name: Login to DockerHub
+      if: github.event_name != 'pull_request'
+
+      uses: docker/login-action@v2 
+
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+
+    - name: Build and push
+
+      uses: docker/build-push-action@v3
+
+      with:
+        context: ./test
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+
+        image-ref: djkormo/adcs-sim:master
+
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        skip-dirs: /usr/local/bin/ca
+
+

.github/workflows/helm-chart-releaser.yaml

@@ -23,8 +23,9 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.1.0
+        uses: helm/chart-releaser-action@v1.6.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:
           charts_dir: charts
+          skip_existing: false

.gitignore

@@ -6,7 +6,6 @@
 *.so
 *.dylib
 bin
-adcs-issuer
 # Test binary, build with `go test -c`
 *.test
 
@@ -37,3 +36,4 @@ adcs-sim
 *.crt
 *.key
 *-all.yaml
+*.exe

README-DEV.md

@@ -123,38 +123,98 @@ spec:
 In one terminal
 
 inside test/adcs-sim
+
+```
+
+go build -o adcs-sim main.go
+
+go run main.go  --workdir=/d/development/kubernetes/go/adcs-issuer/test/adcs-sim --dns=adcs1.example.com,adcs1.example.com --ips=10.10.10.1,10.10.10.2
+
+
+./adcs-sim  --workdir=/d/development/kubernetes/go/adcs-issuer/test/adcs-sim --dns=adcs1.example.com,adcs1.example.com --ips=10.10.10.1,10.10.10.2
+
+
+```
+
+Generate the private key of the root CA:
+
+```
+openssl genrsa -out root.pem 4096
+```
+
+Generate the self-signed root CA certificate:
+
+```
+openssl req -x509 -sha256 -new -nodes -key root.pem -days 3650 -out root.key -addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:10.0.0.1" \
+
+  -subj '/C=PL/ST=Warsaw/L=Mordor/O=ADCSSIM/OU=IT/CN=example.com'
+
 ```
-go run main.go --dns=adcs1.example.com,adcs1.example.com --ips=10.10.10.1,10.10.10.2
+
+Review the certificate:
+```
+openssl x509 -in root.key -text
 ```
 
+Based on
+https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
+
+
+
 
-openssl req -in test/adcs-sim/ca/server.csr -noout -text
+openssl x509 -in test/adcs-sim/ca/root.pem -noout -text
 
 
+kubectl -n cert-manager port-forward svc/adcs-sim-service 8443:8443&
 
-make run  ENABLE_WEBHOOKS=false ENABLE_DEBUG=true
 
 https://localhost:8443/certcarc.asp
 
 https://localhost:8443/certfnsh.asp
 
+https://localhost:8443/certnew.cer
+
+https://localhost:8443/certnew.p7b
+
+
+
+openssl s_client -connect localhost:8443 -showcerts
 
 
 
-username=$(kubectl get secret test-adcs-issuer-credentials  -n cert-manager -o jsonpath='{.data.username}' | base64 --decode)
-password=$(kubectl get secret test-adcs-issuer-credentials  -n cert-manager -o jsonpath='{.data.password}' | base64 --decode)
-url=$(kubectl get adcsissuer test-adcs-issuer  -n cert-manager -o jsonpath='{.spec.url}')
-ca=$(kubectl get adcsissuer test-adcs-issuer  -n cert-manager -o jsonpath='{.spec.caBundle}' | base64 --decode  )
+username=$(kubectl get secret adcs-issuer-credentials  -n cert-manager -o jsonpath='{.data.username}' | base64 --decode)
+password=$(kubectl get secret adcs-issuer-credentials  -n cert-manager -o jsonpath='{.data.password}' | base64 --decode)
+url=$(kubectl get adcsissuer adcs-cluster-issuer-adcs-sim  -n cert-manager -o jsonpath='{.spec.url}')
+ca=$(kubectl get clusteradcsissuer adcs-cluster-issuer-adcs-sim  -n cert-manager -o jsonpath='{.spec.caBundle}' | base64 --decode  )
 echo "username: ${username}"
 echo "password: ${password}"
 echo "url: ${url}"
 echo "ca: ${ca}"
 echo ${ca} > ca.crt
-curl   -u "${username}:${password}" --ntlm "${url}/certfnsh.asp" -vv
-curl  --cacert ./ca.crt  -u "${username}:${password}" --ntlm "${url}/certfnsh.asp" -vv
+curl  -k -u "${username}:${password}" --ntlm "${url}/certfnsh.asp" -vv
+curl  -k --cacert ./ca.crt  -u "${username}:${password}" --ntlm "${url}/certfnsh.asp" -vv
 
-curl  -u '${username}:${password}' --ntlm '${url}/certsrv/certfnsh.asp' -vv
+curl  -k -u '${username}:${password}' --ntlm '${url}/certsrv/certfnsh.asp' -vv
 
 curl -X POST -k -v -u "${username}:${password}" --ntlm "${url}/certcarc.asp" -vv
 
-curl -X POST  -u "${username}:${password}" --ntlm "${url}/certfnsh.asp" -vv
+curl -X POST -k -u "${username}:${password}" --ntlm "${url}/certfnsh.asp" -vv
+
+
+Usefull command for testing 
+
+  kubectl -n cert-manager logs deploy/adcs-issuer-controller-manager
+
+  kubectl -n cert-manager logs deploy/adcs-sim-deployment
+
+  kubectl -n cert-manager logs deploy/cert-manager
+
+  kubectl -n cert-manager get certificate,certificaterequest,adcsrequest 
+
+  kubectl -n cert-manager delete certificate --all   
+  kubectl -n cert-manager delete certificaterequest --all
+  kubectl -n cert-manager delete adcsrequest --all
+
+  kubectl -n cert-manager rollout restart deploy/adcs-issuer-controller-manager
+  kubectl -n cert-manager rollout restart deploy/adcs-sim-deployment
+

charts/Chart.yaml → charts/adcs-issuer/Chart.yaml

@@ -13,10 +13,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.4
+version: 2.0.8
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.0.4"
+appVersion: "2.0.8"
 

charts/templates/adcsissuer-crd.yaml → charts/adcs-issuer/templates/adcsissuer-crd.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.crd.install  }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -84,4 +85,6 @@ status:
     kind: ""
     plural: ""
   conditions: []
-  storedVersions: []
+  storedVersions: []
+
+{{- end  }}    

charts/templates/adcsrequest-crd.yaml → charts/adcs-issuer/templates/adcsrequest-crd.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.crd.install  }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -101,4 +102,6 @@ status:
     kind: ""
     plural: ""
   conditions: []
-  storedVersions: []
+  storedVersions: []
+
+{{- end  }}    

charts/templates/cert-manager-controller-approve-dcs-certmanager-csf-nokia-com-rbac.yaml → charts/adcs-issuer/templates/cert-manager-controller-approve-dcs-certmanager-csf-nokia-com-rbac.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.controllerManager.rbac.enabled  }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -24,8 +25,12 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: '{{ include "chart.fullname" . }}-cert-manager-controller-approve:adcs-certmanager-csf-nokia-com'
+  name: {{ include "chart.fullname" . }}-cert-manager-controller-approve:adcs-certmanager-csf-nokia-com
 subjects:
 - kind: ServiceAccount
-  name: '{{ include "chart.fullname" . }}-cert-manager'
-  namespace: '{{ .Release.Namespace }}'
+  name: {{ .Values.controllerManager.rbac.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: {{ .Values.controllerManager.rbac.certManagerServiceAccountName }}
+  namespace: {{ .Values.controllerManager.rbac.certManagerNamespace }}
+{{- end  }}    

charts/templates/clusteradcsissuer-crd.yaml → charts/adcs-issuer/templates/clusteradcsissuer-crd.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.crd.install  }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -84,4 +85,6 @@ status:
     kind: ""
     plural: ""
   conditions: []
-  storedVersions: []
+  storedVersions: []
+
+{{- end  }}