Merge pull request #44 from manics/openssl

consideRatio · web-flow · commit c6e86fd828af · 2025-01-19T00:15:47.000+01:00
Replace minica with openssl (linux/arm64 compatibility)
diff --git a/pebble/files/certificate.sh b/pebble/files/certificate.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -eux
+
+# Self-signed CA key and certificate
+# openssl genrsa -out root-key.pem 2048
+# openssl req -new -x509 -key root-key.pem -subj "/CN=Pebble Helm Chart self-signed CA" -days 3650 -out root-cert.pem
+
+CA_KEY=/input/root-key.pem
+CA_CERT=/input/root-cert.pem
+
+CERT_DIR=/output/localhost
+
+# Convert "a,a.b,a.b.c" to "DNS:a, DNS:a.b, DNS:a.b.c, "
+SAN_DNS=`echo "$@" | awk -F, '{for(i=1; i<=NF; i++) {printf "DNS:" $i ", "}}'`
+
+# Server certificate key
+if [ ! -f "$CERT_DIR/key.pem" ]; then
+    openssl genrsa -out "$CERT_DIR/key.pem" 2048
+fi
+
+# Server certificate
+openssl req -new -key "$CERT_DIR/key.pem" -subj "/CN=localhost" -addext "subjectAltName = $SAN_DNS IP:127.0.0.1" -addext "extendedKeyUsage = serverAuth,clientAuth" -out "$CERT_DIR/req.csr"
+openssl x509 -CAkey "$CA_KEY" -CA "$CA_CERT" -req -copy_extensions copy -in "$CERT_DIR/req.csr" -days 3650 -out "$CERT_DIR/cert.pem"
diff --git a/pebble/templates/pebble-configmap.yaml b/pebble/templates/pebble-configmap.yaml
@@ -29,6 +29,7 @@ data:
   # ref: https://github.com/letsencrypt/pebble/tree/HEAD/test/certs
   {{- (.Files.Glob "files/root-cert.pem").AsConfig | nindent 2 }}
   {{- (.Files.Glob "files/root-key.pem").AsConfig | nindent 2 }}
+  {{- (.Files.Glob "files/certificate.sh").AsConfig | nindent 2 }}
 {{- end }}
 
 {{- include "pebble.configmap" . | fromYaml | merge .Values.pebble.merge.configmap | toYaml }}
diff --git a/pebble/templates/pebble-deployment.yaml b/pebble/templates/pebble-deployment.yaml
@@ -28,19 +28,7 @@ spec:
 
       initContainers:
         - name: pebble-tls-leaf-creation
-          # This image was built Dec 10, 2018, so it probably has the version
-          # 1.0.1 if minica. The latest version of minica is currently version
-          # 1.0.2.
-          #
-          # Related:
-          # - https://github.com/jsha/minica/releases
-          # - https://hub.docker.com/layers/twalter/minica/latest/images/sha256-3c33ecad86f04fb466ee9dfb2a08f15f7f8cc8f6268304137ebd39eac2218aca?context=explore
-          #
-          # FIXME: Transition to use https://github.com/ryantk/docker-minica and
-          #        https://hub.docker.com/layers/ryantk/minica/latest/images/sha256-c67e2c1885d438b5927176295d41aaab8a72dd9e1272ba85054bfc78191d05b0?context=explore
-          #        that has a linked Dockerfile as well and use version 1.0.2.
-          #
-          image: twalter/minica@sha256:3c33ecad86f04fb466ee9dfb2a08f15f7f8cc8f6268304137ebd39eac2218aca
+          image: "{{ .Values.pebble.openssl.repository }}:{{ .Values.pebble.openssl.tag }}"
           volumeMounts:
             - name: pebble-config-and-tls-root
               mountPath: /input
@@ -50,17 +38,9 @@ spec:
             - name: pebble-temp-tls-leaf
               mountPath: /output/localhost
           command:
-            # Avoid "open localhost/key.pem: file exists" as happen if the
-            # container restarts for some reason.
             - sh
-            - -c
-            - >
-                [ -e localhost/key.pem ] || exec
-                minica
-                -ca-cert /input/root-cert.pem
-                -ca-key /input/root-key.pem
-                -domains {{ include "pebble.domains" . | quote }}
-                -ip-addresses 127.0.0.1
+            - /input/certificate.sh
+            - {{ include "pebble.domains" . | quote }}
 
       containers:
         # Pebble is the acme server, but also expose a REST API on the
diff --git a/pebble/values.schema.json b/pebble/values.schema.json
@@ -33,6 +33,7 @@
       "type": "object",
       "properties": {
         "image": { "$ref": "#/definitions/image" },
+        "openssl": { "$ref": "#/definitions/image" },
         "config": {
           "properties": {
             "pebble": {}
@@ -41,7 +42,7 @@
         },
         "env": { "$ref": "#/definitions/env" }
       },
-      "required": ["config", "image"]
+      "required": ["config", "image", "openssl"]
     },
     "coredns": {
       "type": "object",
diff --git a/pebble/values.yaml b/pebble/values.yaml
@@ -7,6 +7,11 @@ pebble:
     repository: ghcr.io/letsencrypt/pebble
     tag: "" # default is the chart's appVersion, this is an override
 
+  # Image for creating certificates
+  openssl:
+    repository: docker.io/alpine/openssl
+    tag: "3.3.2"
+
   ## config ref: https://github.com/letsencrypt/pebble/blob/52b92744eaad895ac25b19dae429c0bdd134b764/cmd/pebble/main.go#L17
   config:
     pebble:
