Bring your own API Connect external certificates

By Mark Parzygnat posted Fri December 11, 2020 03:00 PM

Summary:
There are a number of scenarios in which you might want to generate your own certificates and use them in a deployment of API Connect. Before doing this, you will want to test the scenario. This blog provides a tool that generates the certificates, builds the .yaml files and applies the resulting secrets to your environment.

A couple of notes:
  • This is not an officially supported tool.
  • It generates the external certificates, that is, the certificates for the external endpoints. For more information, see the API Connect Certificate reference.
  • It is meant for development and test purposes.
  • Verify that the secrets applied to the cluster match your yaml files.
  • The code is free to use and can be altered as you need.


Instructions to run:

The script also applies the secrets to the project (namespace) you are currently logged into.

To use it:

  • Copy and paste the script below into a file on your local machine. I called mine APIC_Crypto.sh.
  • Make it executable:
chmod +x APIC_Crypto.sh
  • Log in to your OCP cluster.
  • Switch to the project space into which you will install any or all of the API Connect subsystems, or create a new one, such as apic.
  • Run the script:
./APIC_Crypto.sh

You will now have all the secrets needed for the external certificates applied in your OCP cluster.

Script:

#!/bin/bash
# Creates a self-signed ingress CA plus one certificate per external endpoint,
# wraps each in a kubernetes.io/tls Secret and applies it to the current project.
# Requires oc, kubectl, openssl and base64 on the PATH.

#parse project: -q prints only the name of the current project
NS=$(oc project -q)

#parse host: take the HOST/PORT column of the second route listed by
#"oc get routes -A" and drop its first label to get the cluster ingress domain.
#This is a heuristic; if that route does not use the ingress domain, set HOST by hand.
HOST=$(oc get routes -A | sed -n '3p' | awk '{print $3}')
HOST=${HOST#*.}

#APIC management subsystem
MGMT=admin.$HOST
MGMT2=manager.$HOST
MGMT3=api.$HOST
MGMT4=consumer.$HOST
ANALYTICSCLIENT=ac.$HOST
ANALYTICSINGESTION=ai.$HOST
PORTAL_ADMIN=api.portal.$HOST
PORTALURL=portal.$HOST
GATEWAYCLIENT=gateway.$HOST

#APIC Gateway subsystem:
GW5END=gwv5-endpoint.$HOST
GW5MAN=gwv5-manager-endpoint.$HOST
GW6END=gwv6-endpoint.$HOST
GW6MAN=gwv6-manager-endpoint.$HOST
GWSERV=gateway-service.$HOST
GWPEER=gateway-peering.$HOST
ns=$NS
SUBJ="/O=cert-manager/CN="

# Root Key
openssl genrsa -out ca.key 4096
# Root CA (self-signed); the CN is arbitrary
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -subj "${SUBJ}ingress-ca"
# Store the CA pair as the ingress-ca secret
kubectl create secret tls ingress-ca --key ca.key --cert ca.crt -n "$ns"

#variables
VAR_SUBJ[1]=$SUBJ
VAR_KEY[1]=api-endpoint
VAR_EXT[1]="\n[SAN]\nsubjectAltName=DNS:$MGMT3,DNS:$MGMT3\nextendedKeyUsage=serverAuth"
VAR_SUBJ[2]=$SUBJ
VAR_KEY[2]=consumer-endpoint
VAR_EXT[2]="\n[SAN]\nsubjectAltName=DNS:$MGMT4,DNS:$MGMT4\nextendedKeyUsage=serverAuth"
VAR_SUBJ[3]=$SUBJ
VAR_KEY[3]=apim-endpoint
VAR_EXT[3]="\n[SAN]\nsubjectAltName=DNS:$MGMT2,DNS:$MGMT2\nextendedKeyUsage=serverAuth"
VAR_SUBJ[4]=$SUBJ
VAR_KEY[4]=cm-endpoint
VAR_EXT[4]="\n[SAN]\nsubjectAltName=DNS:$MGMT,DNS:$MGMT\nextendedKeyUsage=serverAuth"

VAR_SUBJ[5]=$SUBJ
VAR_KEY[5]=portal-admin
VAR_EXT[5]="\n[SAN]\nsubjectAltName=DNS:$PORTAL_ADMIN,DNS:$PORTAL_ADMIN\nextendedKeyUsage=serverAuth"
VAR_SUBJ[6]=$SUBJ
VAR_KEY[6]=portal-web
VAR_EXT[6]="\n[SAN]\nsubjectAltName=DNS:$PORTALURL,DNS:$PORTALURL\nextendedKeyUsage=serverAuth"
VAR_SUBJ[7]=$SUBJ
VAR_KEY[7]=analytics-ac-endpoint
VAR_EXT[7]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSCLIENT,DNS:$ANALYTICSCLIENT\nextendedKeyUsage=serverAuth"
VAR_SUBJ[8]=$SUBJ
VAR_KEY[8]=analytics-ai-endpoint
VAR_EXT[8]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSINGESTION,DNS:$ANALYTICSINGESTION\nextendedKeyUsage=serverAuth"

VAR_SUBJ[9]=$SUBJ
VAR_KEY[9]=portal-admin-client
VAR_EXT[9]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[10]=$SUBJ
VAR_KEY[10]=analytics-ingestion-client
VAR_EXT[10]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[11]=$SUBJ
VAR_KEY[11]=analytics-client-client
VAR_EXT[11]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[12]=$SUBJ
VAR_KEY[12]=gateway-client-client
VAR_EXT[12]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"

#gwv5-endpoint
VAR_SUBJ[13]=$SUBJ
VAR_KEY[13]=gwv5-endpoint
VAR_EXT[13]="\n[SAN]\nsubjectAltName=DNS:$GW5END,DNS:$GW5END\nextendedKeyUsage=serverAuth"

#gwv5-manage
VAR_SUBJ[14]=$SUBJ
VAR_KEY[14]=gwv5-manager-endpoint
VAR_EXT[14]="\n[SAN]\nsubjectAltName=DNS:$GW5MAN,DNS:$GW5MAN\nextendedKeyUsage=serverAuth"

#gwv6-endpoint
VAR_SUBJ[15]=$SUBJ
VAR_KEY[15]=gwv6-endpoint
VAR_EXT[15]="\n[SAN]\nsubjectAltName=DNS:$GW6END,DNS:$GW6END\nextendedKeyUsage=serverAuth"

#gwv6-manager
VAR_SUBJ[16]=$SUBJ
VAR_KEY[16]=gwv6-manager-endpoint
VAR_EXT[16]="\n[SAN]\nsubjectAltName=DNS:$GW6MAN,DNS:$GW6MAN\nextendedKeyUsage=serverAuth"

#gw-service
VAR_SUBJ[17]=$SUBJ
VAR_KEY[17]=gateway-service
VAR_EXT[17]="\n[SAN]\nsubjectAltName=DNS:$GWSERV,DNS:$GWSERV\nextendedKeyUsage=serverAuth"

#gw-peering
VAR_SUBJ[18]=$SUBJ
VAR_KEY[18]=gateway-peering
VAR_EXT[18]="\n[SAN]\nsubjectAltName=DNS:$GWPEER,DNS:$GWPEER\nextendedKeyUsage=serverAuth"

#main: for each endpoint, generate a key and CSR, sign it with the CA, and apply the Secret
i=1
while [[ $i -le 18 ]]; do
  echo "--  ${VAR_SUBJ[$i]} --"
  echo "--  ${VAR_KEY[$i]} --"
  echo "--  ${VAR_EXT[$i]} --"
  openssl genrsa -out "${VAR_KEY[$i]}.key" 2048 || exit 1
  openssl req -new -sha256 -key "${VAR_KEY[$i]}.key" -subj "${VAR_SUBJ[$i]}${VAR_KEY[$i]}" -out "${VAR_KEY[$i]}.csr" || exit 1
  # Sign with the CA. The extension file is the system openssl.cnf with this
  # endpoint's [SAN] section appended; -extensions SAN selects that section.
  openssl x509 -req -in "${VAR_KEY[$i]}.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "${VAR_KEY[$i]}.crt" -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[$i]}")) -extensions SAN || exit 1
  # Wrap CA cert, endpoint cert and key in a kubernetes.io/tls Secret named after the endpoint
  cat >ksec.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64 ca.crt | tr -d '\n')
  tls.crt: $(base64 "${VAR_KEY[$i]}.crt" | tr -d '\n')
  tls.key: $(base64 "${VAR_KEY[$i]}.key" | tr -d '\n')
kind: Secret
metadata:
  name: ${VAR_KEY[$i]}
type: kubernetes.io/tls
EOF
  kubectl apply -f ksec.yaml -n "$ns" || exit 1
  let i+=1
done

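The notes above ask you to verify that what was applied matches your yaml files. The script below is an added example (mine, not part of the original post or of API Connect) that checks one endpoint's ca.crt, <name>.crt and <name>.key for the three properties that matter: the certificate chains to the ingress CA, the private key belongs to it, and the endpoint hostname is present in the subjectAltName. verify_tls_secret re-runs the same checks on the Secret as stored in the cluster. The function and file names, the make_fixture helper and its api.example.test hostname are assumptions introduced here so the checks can be exercised offline; it needs openssl 1.1.1 or later on the PATH.

```shell
#!/usr/bin/env bash
# Added example; not part of the original post or of API Connect. It checks that
# the files APIC_Crypto.sh writes for one endpoint (ca.crt, <name>.crt, <name>.key)
# are consistent, and can re-run the same checks on the Secret stored in the cluster.
# Assumes: openssl 1.1.1 or later on PATH; for verify_tls_secret, a logged-in kubectl.
set -u

# verify_tls_files CA_CRT LEAF_CRT LEAF_KEY EXPECTED_DNS
# Returns 0 only if the leaf chains to the CA, the private key matches the
# certificate's public key, and EXPECTED_DNS is listed as a DNS SAN.
verify_tls_files() {
  ca="$1"; crt="$2"; key="$3"; dns="$4"
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  done
  # 1. chain: the leaf must be signed by the ingress CA
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL $crt: does not chain to $ca"; return 1
  fi
  # 2. pairing: hash the DER public key taken from each file and compare
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL $crt: private key $key does not match the certificate"; return 1
  fi
  # 3. SAN: split the textual dump on commas and look for the exact DNS entry
  if ! openssl x509 -in "$crt" -noout -text | tr ',' '\n' | sed 's/^ *//' | grep -qFx "DNS:$dns"; then
    echo "FAIL $crt: no subjectAltName entry for $dns"; return 1
  fi
  echo "OK   $crt matches $key and covers $dns"
}

# verify_tls_secret NAMESPACE SECRET_NAME EXPECTED_DNS
# Pulls the three keys of a kubernetes.io/tls Secret (the layout ksec.yaml uses)
# and runs the same checks on them. Needs cluster access, so it is not exercised offline.
verify_tls_secret() {
  ns="$1"; name="$2"; dns="$3"
  d=$(mktemp -d)
  for f in ca.crt tls.crt tls.key; do
    kubectl get secret "$name" -n "$ns" -o "jsonpath={.data['$f']}" | base64 -d > "$d/$f"
  done
  verify_tls_files "$d/ca.crt" "$d/tls.crt" "$d/tls.key" "$dns"
  rc=$?
  rm -rf "$d"
  return $rc
}

# make_fixture DIR DNS: constructed test data that mirrors the script's own
# steps (throwaway CA, one endpoint key/CSR, CA-signed cert with a [SAN]
# section), so the checks above can be exercised without a cluster.
make_fixture() {
  d="$1"; dns="$2"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/req.cnf"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$d/ca.key" -sha256 -days 30 \
    -subj "/O=cert-manager/CN=ingress-ca" -config "$d/req.cnf" -out "$d/ca.crt" 2>/dev/null
  openssl genrsa -out "$d/api-endpoint.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$d/api-endpoint.key" -subj "/O=cert-manager/CN=api-endpoint" \
    -config "$d/req.cnf" -out "$d/api-endpoint.csr" 2>/dev/null
  printf '[SAN]\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" > "$d/san.cnf"
  openssl x509 -req -in "$d/api-endpoint.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/san.cnf" -extensions SAN -out "$d/api-endpoint.crt" 2>/dev/null
}

# Stand-alone usage after running APIC_Crypto.sh, e.g.:
#   ./verify_certs.sh ca.crt api-endpoint.crt api-endpoint.key api.<your ingress domain>
if [ "$#" -eq 4 ]; then
  verify_tls_files "$1" "$2" "$3" "$4"
fi
```

Run it once per endpoint with the hostname the script put in that endpoint's [SAN] section (for api-endpoint that is api.$HOST), and again with verify_tls_secret after kubectl apply so that a mistake in the yaml, such as a stale base64 blob from an earlier run, is caught before API Connect tries to use it.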

Special thanks to Chris Phillips, Barry Mosakowski, and Jeff Imholz
