API Connect

 View Only

Bring your own API Connect external certificates

By Mark Parzygnat posted Fri December 11, 2020 03:00 PM

  
Summary:
There are a number of scenarios in which you might want to generate your own certificate and use that in a deployment of API Connect. Before doing this, you will want to test the scenario. This blog will provide you a tool that will generate the certificates, build .yaml files and deploy the secrets to your environment.

A couple of notes:
  • This is not an officially supported tool
  • This will generate the external certs, or certs with external endpoints. Find more information here: Certificate reference
  • This is meant to be used for development and test purposes
  • Verify the secrets that are applied are accurate to your yaml files
  • Code is free to use and can be altered as you need


Instructions to run:

This will also apply the secrets to the project space you are currently logged into.

To use this,

  • Copy and paste the code below in a file. I called the script APIC_Crypto.sh to your local machine.
  • run the following command
chmod +x APIC_Crypto.sh
  • login to your OCP cluster
  • Switch to the project space you wish to install, or create a new space such as APIC (any or all of the subsystems)
  • run
./APIC_Crypto.sh

You will now have all the secrets applied needed for the external certs and secrets in your OCP cluster.

Script:

#!/bin/bash
#parse project
oc project > one.txt
while read -ra line;
do
    for word in "${line[2]}";
    do
         echo "${word:1:${#word}-2}" > two.txt
    done;
done < one.txt
NS=`cat two.txt`
rm one.txt two.txt

#parse host
oc get routes -A > one.txt
sed '3q;d' one.txt > two.txt
while read -ra line;
do
    for word in "${line[2]}";
    do
         echo "${word#*.}" > three.txt
    done;
done < two.txt
HOST=`cat three.txt`
rm one.txt two.txt three.txt

#APIC management subsystem
MGMT=admin.$HOST
MGMT2=manager.$HOST
MGMT3=api.$HOST
MGMT4=consumer.$HOST
ANALYTICSCLIENT=ac.$HOST
ANALYTICSINGESTION=ai.$HOST
PORTAL_ADMIN=api.portal.$HOST
PORTALURL=portal.$HOST
GATEWAYCLIENT=gateway.$HOST

#APIC Gateway subsystem:
GW5END=gwv5-endpoint.$HOST
GW5MAN=gwv5-manager-endpoint.$HOST
GW6END=gwv6-endpoint.$HOST
GW6MAN=gwv6-manager-endpoint.$HOST
GWSERV=gateway-service.$HOST
GWPEER=gateway-peering.$HOST
ns=$NS
SUBJ="/O=cert-manager/CN="
​
# Root Key
openssl genrsa -out ca.key 4096
# Root CA
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt -subj ${SUBJ}dsgdfgdf
kubectl create secret tls ingress-ca --key ca.key --cert ca.crt -n $ns

#variables
VAR_SUBJ[1]=$SUBJ
VAR_KEY[1]=api-endpoint
VAR_EXT[1]="\n[SAN]\nsubjectAltName=DNS:$MGMT3,DNS:$MGMT3\nextendedKeyUsage=serverAuth"
VAR_SUBJ[2]=$SUBJ
VAR_KEY[2]=consumer-endpoint
VAR_EXT[2]="\n[SAN]\nsubjectAltName=DNS:$MGMT4,DNS:$MGMT4\nextendedKeyUsage=serverAuth"
VAR_SUBJ[3]=$SUBJ
VAR_KEY[3]=apim-endpoint
VAR_EXT[3]="\n[SAN]\nsubjectAltName=DNS:$MGMT2,DNS:$MGMT2\nextendedKeyUsage=serverAuth"
VAR_SUBJ[4]=$SUBJ
VAR_KEY[4]=cm-endpoint
VAR_EXT[4]="\n[SAN]\nsubjectAltName=DNS:$MGMT,DNS:$MGMT\nextendedKeyUsage=serverAuth"

VAR_SUBJ[5]=$SUBJ
VAR_KEY[5]=portal-admin
VAR_EXT[5]="\n[SAN]\nsubjectAltName=DNS:$PORTAL_ADMIN,DNS:$PORTAL_ADMIN\nextendedKeyUsage=serverAuth"
VAR_SUBJ[6]=$SUBJ
VAR_KEY[6]=portal-web
VAR_EXT[6]="\n[SAN]\nsubjectAltName=DNS:$PORTALURL,DNS:$PORTALURL\nextendedKeyUsage=serverAuth"
VAR_SUBJ[7]=$SUBJ
VAR_KEY[7]=analytics-ac-endpoint
VAR_EXT[7]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSCLIENT,DNS:$ANALYTICSCLIENT\nextendedKeyUsage=serverAuth"
VAR_SUBJ[8]=$SUBJ
VAR_KEY[8]=analytics-ai-endpoint
VAR_EXT[8]="\n[SAN]\nsubjectAltName=DNS:$ANALYTICSINGESTION,DNS:$ANALYTICSINGESTION\nextendedKeyUsage=serverAuth"

VAR_SUBJ[9]=$SUBJ
VAR_KEY[9]=portal-admin-client
VAR_EXT[9]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[10]=$SUBJ
VAR_KEY[10]=analytics-ingestion-client
VAR_EXT[10]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[11]=$SUBJ
VAR_KEY[11]=analytics-client-client
VAR_EXT[11]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[12]=$SUBJ
VAR_KEY[12]=gateway-client-client
VAR_EXT[12]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"

#gwv5-endpoint
VAR_SUBJ[13]=$SUBJ
VAR_KEY[13]=gwv5-endpoint
VAR_EXT[13]="\n[SAN]\nsubjectAltName=DNS:$GW5END,DNS:$GW5END\nextendedKeyUsage=serverAuth"

#gwv5-manage
VAR_SUBJ[14]=$SUBJ
VAR_KEY[14]=gwv5-manager-endpoint
VAR_EXT[14]="\n[SAN]\nsubjectAltName=DNS:$GW5MAN,DNS:$GW5MAN\nextendedKeyUsage=serverAuth"

#gwv6-endpoint
VAR_SUBJ[15]=$SUBJ
VAR_KEY[15]=gwv6-endpoint
VAR_EXT[15]="\n[SAN]\nsubjectAltName=DNS:$GW6END,DNS:$GW6END\nextendedKeyUsage=serverAuth"

#gwv6-manager
VAR_SUBJ[16]=$SUBJ
VAR_KEY[16]=gwv6-manager-endpoint
VAR_EXT[16]="\n[SAN]\nsubjectAltName=DNS:$GW6MAN,DNS:$GW6MAN\nextendedKeyUsage=serverAuth"

#gw-service
VAR_SUBJ[17]=$SUBJ
VAR_KEY[17]=gateway-service
VAR_EXT[17]="\n[SAN]\nsubjectAltName=DNS:$GWSERV,DNS:$GWSERV\nextendedKeyUsage=serverAuth"

#gw-peering
VAR_SUBJ[18]=$SUBJ
VAR_KEY[18]=gateway-peering
VAR_EXT[18]="\n[SAN]\nsubjectAltName=DNS:$GWPEER,DNS:$GWPEER\nextendedKeyUsage=serverAuth"

#main
i=1
while [[ $i -le 18 ]]; do
  echo --  ${VAR_SUBJ[$i]} --
  echo --  ${VAR_KEY[$i]} --
  echo --  ${VAR_EXT[$i]} --
  openssl genrsa -out ${VAR_KEY[$i]}.key 2048
  if [ $? != 0 ] ; then exit 1 ; fi
  # openssl req -new -sha256 -key $]}.key -subj $]} -out $]}.csr
  openssl req -new -sha256 -key ${VAR_KEY[$i]}.key -subj "${VAR_SUBJ[$i]}${VAR_KEY[$i]}" -out ${VAR_KEY[$i]}.csr
  cat /etc/ssl/openssl.cnf > tmp.cnf
  echo ${VAR_EXT[$i]} >> tmp.cnf
  echo ${VAR_EXT[$i]} > tmp2.cnf
  if [ $? != 0 ] ; then exit 1 ; fi
  openssl x509 -req -in ${VAR_KEY[$i]}.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ${VAR_KEY[$i]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[$i]}")) -extensions SAN
cat >ksec.yaml <<EOF
apiVersion: v1
data:
  ca.crt: $(base64   ca.crt | tr -d '\n' )
  tls.crt: $(base64  ${VAR_KEY[$i]}.crt | tr -d '\n' )
  tls.key: $(base64   ${VAR_KEY[$i]}.key | tr -d '\n' )
kind: Secret
metadata:
  name:  ${VAR_KEY[$i]}
type: kubernetes.io/tls
EOF
  if [ $? != 0 ] ; then exit 1 ; fi
  kubectl apply -f ksec.yaml -n$ns
  if [ $? != 0 ] ; then exit 1 ; fi
  let i+=1
done
​


Special thanks to Chris Phillips, Barry Mosakowski, and Jeff Imholz

#bringuplab#MarkBarry#custom-certs#apic#IBMCloudPakforIntegration(ICP4I)


​​​​​​
0 comments
30 views

Permalink