summaryrefslogtreecommitdiffstats
path: root/kubernetes/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/contrib')
-rw-r--r--kubernetes/contrib/components/ejbca/requirements.yaml3
-rwxr-xr-xkubernetes/contrib/components/ejbca/resources/ejbca-config.sh24
-rw-r--r--kubernetes/contrib/components/ejbca/templates/deployment.yaml2
3 files changed, 28 insertions, 1 deletions
diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml
index 31db08aa3a..8762d969f9 100644
--- a/kubernetes/contrib/components/ejbca/requirements.yaml
+++ b/kubernetes/contrib/components/ejbca/requirements.yaml
@@ -26,3 +26,6 @@ dependencies:
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: '@local'
diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
index ad10240b94..2c672e2f07 100755
--- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
+++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
@@ -8,16 +8,31 @@ waitForEjbcaToStart() {
}
configureEjbca() {
+ ejbca.sh ca init \
+ --caname ManagementCA \
+ --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \
+ --tokenType soft \
+ --keyspec 3072 \
+ --keytype RSA \
+ -v 3652 \
+ --policy null \
+ -s SHA256WithRSA \
+ -type "x509"
ejbca.sh config cmp addalias --alias cmpRA
ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK}
- ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature
+ ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate'
+ ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA'
+ ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true
#Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth)
ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
#Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml)
ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
#ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml)
ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
+ caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')
+ ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject"
ejbca.sh config cmp dumpalias --alias cmpRA
ejbca.sh config cmp addalias --alias cmp
ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
@@ -27,6 +42,13 @@ configureEjbca() {
ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
ejbca.sh config cmp dumpalias --alias cmp
ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+ #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation)
+ ejbca.sh roles addrole "Certificate Update Admin"
+ ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT
+ ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT
+ ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT
+ ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT
+ ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}"
}
diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml
index 46f7d3521c..fc163ee2e2 100644
--- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml
+++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml
@@ -61,6 +61,8 @@ spec:
env:
- name: INITIAL_ADMIN
value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;"
+ - name: NO_CREATE_CA
+ value: "true"
- name: DATABASE_JDBC_URL
value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }}
- name: DATABASE_USER