WIP OPGOPS-1771 Add containerised CA #128
Conversation
Needs README for parameters to use both base and CA containers
| }, | ||
| "auth_keys": { | ||
| "key1": { | ||
| "key": "{{if exists "/opg/base/cakey" }}{{getv "/opg/base/cakey"}}{{end}}", |
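Review bot: the `{{if exists ...}}{{getv ...}}{{end}}` expression on the `"key"` line renders `"key": ""` when `/opg/base/cakey` is unset rather than failing the render, so a missing CA key is only discovered when signing requests are rejected, if at all; make the lookup an unconditional `{{getv "/opg/base/cakey"}}` so confd fails loudly, or have the entrypoint refuse to start cfssl when the rendered key is empty.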
I like cakey, but should this not be ca/key rather?
I tried to create only a single level for my variables. Extra hierarchy is more confusing imo.
Yes and no, you have csr/xxx variables as well, just think it's a tiny bit clearer than cakey :)
Though it is pedantry and I am getting quite fond of cake in code
Let's come to a standard and I'll alter it.
| "auth_key": "server", | ||
| "expiry": "8760h", | ||
| "usages": [ | ||
| "signing", |
Shouldn't the server profile's keys also have a whitelist?
Nothing used the server profile so far. Clients can all remote sign their certs using client profile.
Not sure what server auth adds into the mix here?
Confirmed that server profile usage extensions to the SSL cert allow it to be used for web server use.
| `OPG_CA_CLIENTNAMEWHITELIST` - Regex string to limit the domains that will be signed for the client signing profile. Backslashes must be escaped for use in the json template. | ||
| `OPG_CA_CSR_CN`, `OPG_BASE_CSR_CN` - The `common name` attribute of the certificate. |
Do we want to have both these certs on the CA? We could remove the base container CFSSL SSL cert gen or reuse SKIP_SSL_GENERATE
| keys = [ | ||
| "/opg/base/csr/cn", | ||
| "/opg/base/csr/hosts", | ||
| "/opg/base/csr_cn", |
Won't this get exploded to /opg/base/csr/cn by conf_d?
| [ -s "$CONF_DIR/server-key.pem" ] && \ | ||
| [ -s "$CONF_DIR/server.pem" ] && \ | ||
| [ -s "$CONF_DIR/server.csr" ] \ | ||
| [ -s "$CONF_DIR/$PROFILE-key.pem" ] && \ |
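Review bot: the `[ -s "$CONF_DIR/server.csr" ] \` line continues onto the next line without an `&&`, so the test that follows is parsed as extra arguments to this `[` and the chain errors out instead of short-circuiting; either add the missing `&&` or, if this is the last test of the chain, put the guarded command directly after the `\`. While here, the `$PROFILE-key.pem` spellings are clearer as `"${PROFILE}-key.pem"`.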
Probably a stupid question but isn't "${PROFILE}" safer for interpolation?
Yep, it's safer. Changing.
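The bracing question above comes up whenever a variable is immediately followed by text. The script below is an added example written for this review, not code from the PR: `CONF_DIR` and `PROFILE` are assumed names borrowed from the entrypoint under discussion, and the file names are constructed placeholders. It shows where `"$VAR"` and `"${VAR}"` differ (only when the next character could continue a variable name, such as `_`), and a certificate-presence check written with braces and an unbroken `&&` chain.

```shell
#!/bin/sh
# Added example, not code from the PR: "$VAR" versus "${VAR}", plus a
# presence check for a profile's key, certificate and CSR.
# CONF_DIR and PROFILE are assumed names taken from the entrypoint under review.

# Path of a profile's private key. "-" cannot continue a variable name, so
# "$PROFILE-key.pem" and "${PROFILE}-key.pem" expand identically here.
key_path() {
    printf '%s/%s-key.pem\n' "$1" "$2"
}

# The pitfall: when the next character CAN continue a name ("_" here),
# "$PROFILE_key" reads the (unset) variable PROFILE_key and yields "" ...
unbraced_with_underscore() {
    PROFILE="$1"
    printf '%s\n' "$PROFILE_key.pem"     # -> ".pem"
}

# ... while "${PROFILE}_key" expands PROFILE and appends "_key" as intended.
braced_with_underscore() {
    PROFILE="$1"
    printf '%s\n' "${PROFILE}_key.pem"   # -> "client_key.pem"
}

# Succeeds only when key, certificate and CSR for the profile all exist and
# are non-empty; every test is joined with && so a missing file short-circuits.
certs_present() {
    CONF_DIR="$1" PROFILE="$2"
    [ -s "${CONF_DIR}/${PROFILE}-key.pem" ] && \
    [ -s "${CONF_DIR}/${PROFILE}.pem" ] && \
    [ -s "${CONF_DIR}/${PROFILE}.csr" ]
}

# Self-contained demo on a scratch directory with constructed placeholder files.
demo() {
    dir=$(mktemp -d)
    for f in client-key.pem client.pem client.csr; do
        printf 'placeholder\n' > "${dir}/${f}"
    done
    certs_present "${dir}" client && echo "client: all files present, skipping generation"
    rm -f "${dir}/client.csr"
    certs_present "${dir}" client || echo "client: csr missing, would generate"
    rm -rf "${dir}"
}

demo
```

The presence check deliberately uses `-s` rather than `-e`, so a zero-byte file left behind by an interrupted generation run is treated as absent and regenerated rather than handed to cfssl.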
| @@ -0,0 +1,29 @@ | |||
| { | |||
| {{if exists "/opg/base/csr/cn"}} | |||
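Review bot: placing `{{if exists "/opg/base/csr/cn"}}` directly after the opening `{` makes the first JSON member optional; check that the members rendered after it do not rely on it for a leading comma, or the file is invalid JSON whenever the key is missing. Given the conflict noted above with the variable in cert_csr.json.toml, it may be simpler to require the key and let confd fail the render.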
This conflicts with your variable declared in cert_csr.json.toml
897501b to 574abe5
574abe5 to 9dcd3b6