#!/usr/bin/env bash
set -euo pipefail
function configure_root_ca(){
# $1:- Base directory for Root CA
echo "Generate Root CA"
echo 'set_var EASYRSA_DN "org"' >> $1/vars
echo 'set_var EASYRSA_KEY_SIZE 4096' >> $1/vars
#TODO: Parametrize the below configurations
echo 'set_var EASYRSA_REQ_COUNTRY "DE"' >> $1/vars
echo 'set_var EASYRSA_REQ_PROVINCE "Berlin"' >> $1/vars
echo 'set_var EASYRSA_REQ_CITY "Berlin"' >> $1/vars
echo 'set_var EASYRSA_REQ_ORG "Planetmint GmbH"' >> $1/vars
echo 'set_var EASYRSA_REQ_OU "ROOT-CA"' >> $1/vars
echo 'set_var EASYRSA_REQ_EMAIL "contact@ipdb.global"' >> $1//vars
sed -i.bk '/^extendedKeyUsage/ s/$/,clientAuth/' $1/x509-types/server
echo "set_var EASYRSA_SSL_CONF \"$1/openssl-1.0.cnf\"" >> $1/vars
echo "set_var EASYRSA_PKI \"$1/pki\"" >> $1/vars
echo "set_var EASYRSA_EXT_DIR \"$1/x509-types\"" >> $1/vars
$1/easyrsa init-pki
$1/easyrsa build-ca
$1/easyrsa gen-crl
}
function configure_member_cert_gen(){
# $1:- Base directory for MongoDB Member Requests/Keys
echo "Generate MongoDB Member Requests/Certificate(s)"
echo 'set_var EASYRSA_DN "org"' >> $1/vars
echo 'set_var EASYRSA_KEY_SIZE 4096' >> $1/vars
#TODO: Parametrize the below configurations
echo 'set_var EASYRSA_REQ_COUNTRY "DE"' >> $1/vars
echo 'set_var EASYRSA_REQ_PROVINCE "Berlin"' >> $1/vars
echo 'set_var EASYRSA_REQ_CITY "Berlin"' >> $1/vars
echo 'set_var EASYRSA_REQ_ORG "Planetmint GmbH"' >> $1/vars
echo 'set_var EASYRSA_REQ_OU "MONGO-MEMBER"' >> $1/vars
echo 'set_var EASYRSA_REQ_EMAIL "contact@ipdb.global"' >> $1/vars
echo "set_var EASYRSA_SSL_CONF \"$1/openssl-1.0.cnf\"" >> $1/vars
echo "set_var EASYRSA_PKI \"$1/pki\"" >> $1/vars
$1/easyrsa init-pki
$1/easyrsa --req-cn="$MDB_CN"-"$INDEX" --subject-alt-name=DNS:localhost,DNS:"$MDB_CN"-"$INDEX" gen-req "$MDB_CN"-"$INDEX" nopass
}
function configure_client_cert_gen(){
# $1:- Base directory for MongoDB Client Requests/Keys
echo "Generate MongoDB Client Requests/Certificate(s)"
echo 'set_var EASYRSA_DN "org"' >> $1/vars
echo 'set_var EASYRSA_KEY_SIZE 4096' >> $1/vars
#TODO: Parametrize the below configurations
echo 'set_var EASYRSA_REQ_COUNTRY "DE"' >> $1/vars
echo 'set_var EASYRSA_REQ_PROVINCE "Berlin"' >> $1/vars
echo 'set_var EASYRSA_REQ_CITY "Berlin"' >> $1/vars
echo 'set_var EASYRSA_REQ_ORG "Planetmint GmbH"' >> $1/vars
echo 'set_var EASYRSA_REQ_OU "MONGO-CLIENT"' >> $1/vars
echo 'set_var EASYRSA_REQ_EMAIL "contact@ipdb.global"' >> $1/vars
echo "set_var EASYRSA_SSL_CONF \"$1/openssl-1.0.cnf\"" >> $1/vars
echo "set_var EASYRSA_PKI \"$1/pki\"" >> $1/vars
$1/easyrsa init-pki
$1/easyrsa gen-req "$BDB_CN" nopass
$1/easyrsa gen-req "$MDB_MON_CN"-"$INDEX" nopass
}
function import_requests(){
# $1:- Base directory for Root CA
$1/easyrsa import-req $BASE_MEMBER_CERT_DIR/$BASE_EASY_RSA_PATH/pki/reqs/"$MDB_CN"-"$INDEX".req "$MDB_CN"-"$INDEX"
$1/easyrsa import-req $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH/pki/reqs/"$BDB_CN".req "$BDB_CN"
$1/easyrsa import-req $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH/pki/reqs/"$MDB_MON_CN"-"$INDEX".req "$MDB_MON_CN"-"$INDEX"
}
function sign_requests(){
# $1:- Base directory for Root CA
$1/easyrsa --subject-alt-name=DNS:localhost,DNS:"$MDB_CN"-"$INDEX" sign-req server "$MDB_CN"-"$INDEX"
$1/easyrsa sign-req client "$BDB_CN"
$1/easyrsa sign-req client "$MDB_MON_CN"-"$INDEX"
}
function make_pem_files(){
# $1:- Base directory for Root CA
# $2:- Base directory for kubernetes related config for secret.yaml
mkdir $2
cat $1/pki/issued/"$MDB_CN"-"$INDEX".crt $BASE_MEMBER_CERT_DIR/$BASE_EASY_RSA_PATH/pki/private/"$MDB_CN"-"$INDEX".key > $2/"$MDB_CN"-"$INDEX".pem
cat $1/pki/issued/"$BDB_CN".crt $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH/pki/private/"$BDB_CN".key > $2/"$BDB_CN".pem
cat $1/pki/issued/"$MDB_MON_CN"-"$INDEX".crt $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH/pki/private/"$MDB_MON_CN"-"$INDEX".key > $2/"$MDB_MON_CN"-"$INDEX".pem
}
function convert_b64(){
# $1:- Base directory for kubernetes related config for secret.yaml
# $2:- Base directory for Root CA
# $3:- Base directory for client requests/keys
cat $1/"$MDB_CN"-"$INDEX".pem | base64 -w 0 > $1/"$MDB_CN"-"$INDEX".pem.b64
cat $1/"$BDB_CN".pem | base64 -w 0 > $1/"$BDB_CN".pem.b64
cat $1/"$MDB_MON_CN"-"$INDEX".pem | base64 -w 0 > $1/"$MDB_MON_CN"-"$INDEX".pem.b64
cat $3/pki/private/"$BDB_CN".key | base64 -w 0 > $1/"$BDB_CN".key.b64
cat $2/pki/ca.crt | base64 -w 0 > $1/ca.crt.b64
cat $2/pki/crl.pem | base64 -w 0 > $1/crl.pem.b64
}
function configure_common(){
apt-get update -y
apt-get install openssl -y
wget https://github.com/OpenVPN/easy-rsa/archive/3.0.1.tar.gz -P $1
tar xzvf $1/3.0.1.tar.gz -C $1/
rm $1/3.0.1.tar.gz
cp $1/$BASE_EASY_RSA_PATH/vars.example $1/$BASE_EASY_RSA_PATH/vars
}
function get_users(){
mkdir $1
openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$MDB_CN"-"$INDEX".crt -inform PEM -subject \
-nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$MDB_CN"-"$INDEX".user
openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$BDB_CN".crt -inform PEM -subject \
-nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$BDB_CN".user
openssl x509 -in $BASE_CA_DIR/$BASE_EASY_RSA_PATH/pki/issued/"$MDB_MON_CN"-"$INDEX".crt -inform PEM -subject \
-nameopt RFC2253 | head -n 1 | sed -r 's/^subject= //' > $1/"$MDB_MON_CN"-"$INDEX".user
}
function generate_secretes_no_threescale(){
# $1:- Base DIR for MongoDB certs
# #2:- Secret Token
# $3:- HTTPS certificate key file
# $4:- HTTPS certificate chain
mdb_instance_pem=`cat $1/"$MDB_CN"-"$INDEX".pem.b64`
bdb_instance_pem=`cat $1/"$BDB_CN".pem.b64`
bdb_instance_key=`cat $1/"$BDB_CN".key.b64`
root_ca_pem=`cat $1/ca.crt.b64`
root_crl_pem=`cat $1/crl.pem.b64`
secrete_token=`echo $2 | base64 -w 0`
if [ -f $3 ]; then
https_cert_key=`cat $3 | base64 -w 0`
else
https_cert_key=""
fi
if [ -f $4 ]; then
https_cert_chain_pem=`cat $4 | base64 -w 0`
else
https_cert_chain_pem=""
fi
mdb_admin_password=`echo $5 | base64 -w 0`
cat > secret.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
name: mdb-certs
namespace: default
type: Opaque
data:
# Base64-encoded, concatenated certificate and private key
mdb-instance.pem: "${mdb_instance_pem}"
---
apiVersion: v1
kind: Secret
metadata:
name: bdb-certs
namespace: default
type: Opaque
data:
# Base64-encoded Planetmint instance certificate
bdb-instance.pem: "${bdb_instance_pem}"
# Base64-encoded private key (<bdb-instance-name>.key)
bdb-instance.key: "${bdb_instance_key}"
---
apiVersion: v1
kind: Secret
metadata:
name: nginx-secret-header
namespace: default
type: Opaque
data:
# Base64-encoded secret token to authorize POST requests
secret-token: "${secrete_token}"
---
apiVersion: v1
kind: Secret
metadata:
name: https-certs
namespace: default
type: Opaque
data:
# Base64-encoded HTTPS private key
cert.key: "${https_cert_key}"
# Base64-encoded HTTPS certificate chain
# starting with your primary SSL cert (e.g. your_domain.crt)
# followed by all intermediate certs.
# If cert if from DigiCert, download "Best format for nginx".
cert.pem: "${https_cert_chain_pem}"
---
apiVersion: v1
kind: Secret
metadata:
name: ca-auth
namespace: default
type: Opaque
data:
# CA used to issue members/client certificates
# Base64-encoded CA certificate (ca.crt)
ca.pem: "${root_ca_pem}"
crl.pem: "${root_crl_pem}"
---
apiVersion: v1
kind: Secret
metadata:
name: mdb-config
namespace: default
type: Opaque
data:
# Password for for MongoDB adminuser
mdb-admin-password: "${mdb_admin_password}"
EOF
}
function generate_config_map(){
mdb_instance_name="$MDB_CN-$INDEX"
ngx_instance_name="ngx-instance-$INDEX"
bdb_user=`cat "${1}"/"$BDB_CN".user`
mdb_admin_username="${2}"
node_fqdn="${3}"
bdb_persistent_peers="${4}"
bdb_validators="${5}"
bdb_validators_power="${6}"
bdb_genesis_time="${7}"
bdb_chain_id="${8}"
bdb_instance_name="${9}"
dns_resolver_k8s="${10}"
auth_mode="${11}"
node_frontend_port="${12}"
cat > config-map.yaml << EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: vars
namespace: default
data:
# node-fqdn is the DNS name registered for your HTTPS certificate.
node-fqdn: "${node_fqdn}"
# node-frontend-port is the port number on which this node's services
# are available to external clients.
node-frontend-port: "${node_frontend_port}"
# node-health-check-port is the port number on which an external load
# balancer can check the status/liveness of the external/public server.
# In our deployment, Kubernetes sends 'livenessProbes' to this port and
# interprets a successful response as a 'healthy' service.
node-health-check-port: "8888"
# node-dns-server-ip is the IP of the DNS server. A Kubernetes deployment
# always has a DNS server (kube-dns).
node-dns-server-ip: "${dns_resolver_k8s}"
# mdb-instance-name is the name of the MongoDB instance in this Kubernetes cluster.
mdb-instance-name: "${mdb_instance_name}"
# ngx-instance-name is the name of the NGINX instance in this Kubernetes cluster.
ngx-instance-name: "${ngx_instance_name}"
# bdb-instance-name is the name of the Planetmint instance in this Kubernetes cluster.
bdb-instance-name: "${bdb_instance_name}"
# openresty-instance-name is the name of the OpenResty instance in this
# Kubernetes cluster.
openresty-instance-name: "openresty-instance-0"
# ngx-mdb-instance-name is the FQDN of the MongoDB instance in this
# Kubernetes cluster.
ngx-mdb-instance-name: "${mdb_instance_name}.default.svc.cluster.local"
# ngx-bdb-instance-name is the FQDN of the Planetmint instance in this
# Kubernetes cluster.
ngx-bdb-instance-name: "${bdb_instance_name}.default.svc.cluster.local"
# ngx-openresty-instance-name is the FQDN of the OpenResty instance in this
# Kubernetes cluster.
ngx-openresty-instance-name: "openresty-instance-0.default.svc.cluster.local"
# mongodb-backend-port is the port on which MongoDB is actually
# available/listening for requests.
mongodb-backend-port: "27017"
# openresty-backend-port is the port number on which OpenResty is listening
# for requests. This is used by the NGINX instance to forward the requests to
# the right port, and by OpenResty instance to bind to the correct port to
# receive requests from NGINX instance.
openresty-backend-port: "8080"
# Planetmint configuration parameters
# Refer https://docs.planetmint.io/en/latest/node-setup/configuration.html
# planetmint-api-port is the port number on which Planetmint is listening
# for HTTP requests.
planetmint-api-port: "9984"
# planetmint-server-bind is the socket where Planetmint binds for API
# requests.
planetmint-server-bind: "0.0.0.0:9984"
# planetmint-ws-port and planetmint-ws-interface form the socket where
# Planetmint binds for Websocket connections.
planetmint-ws-port: "9985"
planetmint-ws-interface: "0.0.0.0"
# planetmint-database-name is the database collection used by Planetmint with
# the MongoDB backend.
planetmint-database-name: "bigchain"
# planetmint-wsserver-advertised-scheme is the protocol used to access the
# WebSocket API in Planetmint; can be 'ws' or 'wss' (default).
planetmint-wsserver-advertised-scheme: "wss"
# Optional: Optimize storage engine(wired tiger)
# cache size. e.g. (2048MB, 2GB, 1TB), otherwise
# it will use the default cache size; i.e. max((50% RAM - 1GB), 256MB)
storage-engine-cache-size: ""
# POST API authorization mode [threescale | secret-token]
authorization-mode: "${auth_mode}"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: bdb-config
namespace: default
data:
# Planetmint instance authentication user name
bdb-user: "${bdb_user}"
# planetmint-database-maxtries is the maximum number of times that Planetmint
# will try to establish a connection with the database backend.
# If it is set to 0, then it will try forever.
planetmint-database-maxtries: "3"
# planetmint-database-connection-timeout is the maximum number of
# milliseconds that Planetmint will wait before closing the connection while
# connecting to the database backend.
planetmint-database-connection-timeout: "5000"
# planetmint-log-level is the log level used to log to the console.
planetmint-log-level: "debug"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tendermint-config
namespace: default
data:
# bdb-persistent-peers is the list of all the peers in the network.
bdb-persistent-peers: "${bdb_persistent_peers}"
# bdb-validators is the list of all validators in the network.
bdb-validators: "${bdb_validators}"
# bdb-validator-power is the validators voting power, make sure the order and
# the number of nodes in bdb-validator-power and bdb-validators is the same.
bdb-validator-power: "${bdb_validators_power}"
# bdb-genesis-time is the official time of blockchain start.
# example: 0001-01-01T00:00:00Z
bdb-genesis-time: "${bdb_genesis_time}"
# bdb-chain-id is the ID of the blockchain. Must be unique for every blockchain.
# example: test-chain-KPI1Ud
bdb-chain-id: "${bdb_chain_id}"
# bdb-abci-port is used by Tendermint Core for ABCI traffic. Planetmint nodes
# use that internally.
bdb-abci-port: "26658"
# bdb-p2p-port is used by Tendermint Core to communicate with
# other peers in the network. This port is accessible publicly.
bdb-p2p-port: "26656"
# bdb-rpc-port is used by Tendermint Core to rpc. Planetmint nodes
# use this port internally.
bdb-rpc-port: "26657"
# bdb-pub-key-access is the port number used to host/publish the
# public key of the tendemrint node in this cluster.
bdb-pub-key-access: "9986"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mdb-config
namespace: default
data:
# User name for MongoDB adminuser
mdb-admin-username: "${mdb_admin_username}"
mdb-mon-user: ""
EOF
}