From 3091dcda6ce4db5ea26651c1e2097377db4d4753 Mon Sep 17 00:00:00 2001
From: Jonathan Ervine <jonny@olympus.ipa.champion>
Date: Thu, 23 Apr 2020 21:49:10 +0800
Subject: [PATCH] 	modified:   Dockerfile 	new file:   start.sh
 Customised to be ready to bootstrap CA

---
 .nfs000000000e0c87de00000001 | Bin 0 -> 16384 bytes
 Dockerfile                   |  15 +++-
 start.sh                     | 163 +++++++++++++++++++++++++++++++++++
 3 files changed, 174 insertions(+), 4 deletions(-)
 create mode 100644 .nfs000000000e0c87de00000001
 create mode 100644 start.sh

diff --git a/.nfs000000000e0c87de00000001 b/.nfs000000000e0c87de00000001
new file mode 100644
index 0000000000000000000000000000000000000000..6f8934746ef01f12ebf287791c687ee1971fc0ae
GIT binary patch
literal 16384
zcmeHOO>i7X6`lkL33hCX9H^o~{5;w!TaeL8mT}D5!db7@i6~nVyONzkGGcb7cX!bI
zWu`~AY)lF+Cg2NP0!0A@90<vcD{(?`fe>z#52QGS04@qH5PnRBD!%UNnO#Y{vSltn
z%~pL{Z~wg4{dM>2_uh<K<7a2i(9y9&8b0p@4u9uUZ(QBI=jTsq+GhgaUl--K`2_B|
z7bfwT6PjaI*YrXs@CSAIoD^90g2d<Lj>F4V;B(XQSrnHq9zC*h<ggJZF*9P$!dkT)
zb2H*&ad(iYqO4$`U|`1#Jg7|`niv<|M)dvk(EAp5ETQO7Fi<d1Fi<d1Fi<d1Fi<d1
zFi<e?zsmp*@712c@b6Vq2-WvJo4((neow0Jr#IEBpT$?fK*2!4K*2!4K*2!4K*2!4
zK*2!4K*2!4K*7L&Ap@qZY4>AXZ;F5)&;PUd|E;~6_7~vCz$?IuzzaYCd;&ND90l$N
z{<TNb{sH_A_$%-_a2@y_@GKAj3qS>U82IOdnsy7g0sIiS26O=i*gy@qxm(i`fCG;M
zCjbI|xl7Z20elN+0#)GFdo=Ae;LE@|FahiXUVlK-eg^y$co}#J_!01R-~r&*n0Nww
z9QZKsA>dc<*0gT|SAkCh=YeHl4{+l?Z~=S+_!{sWz=6HMEAP^@?*lH-0c^km9s=Ha
zr>6Z0_#<!~_yX{GU>Vp4JOb<mZXwC?Ti{jTyTBUo81O;hVc;f`G`|Pl0KN)*1-JxE
z11Eth@P0t7<!`bC4wiL<W;mIy8(fHq2NXs@$Rc;0BIX5ajChxM6!_F-Zb&wB8E5Fy
zV4-VTjACX*jK_q(CTF&4=#k^&{S4RDv@06XYSLmBcd7I^83C=Eo=b*dN9#tE`1IMl
zI#M!?HW^ww@hy%wMQF99$`6jxW$Xg08<4?BUuH`aUQMWV{0`w=k+#$E%rGX?xAS2+
zK9y#xXX?%QYOPMb>9IHz!yX$OL;rD4m+~|%@(5Z>3uoq6YSoqbYO{H6t})#!Xw03R
zY0k{e)*E>xHXLSg!QoxQGL0m1NiU)AV&k+fYrx~06JrJ}GD0(sF9eZov>g{i&-Dxt
ztJCu4?y2DE`l;&T>4lZ~UZ=e65b<gnSu@kNBNoT0xa#zDquy+0b+)g{r)TprL08&X
zP$*i8S8vENvAPb&&vY@wtosI)6GR`|o<F&gvU5gvUk6nL%b=E|H|t!%ROz6%%9$5Z
znR{W`On6{1yc6`4{EX&Zm8{z}*J8%8v#`0_K_quk7hB0?F|mu7E{mcdipNmhWL)k!
z-gROei-?I`A0|;4#OzTr+nhz>)R5T{=LaW5?&Awx$Lc~<=sK3ealWiBvsPnGYdctQ
z`G*K6&vRn2YgVK_($j-QUc%)@zrb4EAXrVedlI26@Wp;}+O$Na6J+>|#_9YqF#sRs
z+0g?zU96mMIO?cwD-j#JcUF1_2=db7=aXI&qZcPnkkuQuupoCZWbB}U2eU%DCa0p8
zs*4MAwR&Sgr>QB@d6Y0cpI6FRPwOVKlu=Tmwy-jslgye8nf?wYpGn$gp0}Aq&!X*o
z9=*Q9R&obZ=@YiyY%*5U<|N+K!#_E@$jNG3+NNrpwf<@h6CI){@n>Muh}q2Nj_Jli
za)kCgSY<xWv}JNCubEL9mq}UCUKZLSA6FG#I}A`7tvMDmEla*zD0_|$RMQ(UG+1r|
zgBMK=8-7|XW{1W?2ikTy593O?e*iXXn~4k4VhHQxv>l9?8R9?&k;B)gb~bnmFHuGu
zR%kJncQfpZoE)jyiJMT6p5DCDa!rV<DqZmO-W2zqD$xm_Y;Drpoz%Rez-2ARx5XjP
zY^xzGzoANVA^CNjm*{i8bPjkD5{#r3c%g6{Xgx@T73%pGsLXV<;Bq9s4|SDXj*`52
zz~bhW+hAFb*Re)kW#bZ86zAFZvYtzn6BhmZW|_^{Fl`T8e0h0e>x>>{*ZMkULmx;_
zznlRK;TGw$o1h_|zPvozf$+#u*T(a35j`qRI`L?o%nn|Q-9*y(<mA%$vB?Q<zTP-9
z(-h7M)f<hu#<Hx*R~!pJLJM=#a}_$}bP{oSB|N>ZES{L|mi;6=IcCDMYZKgz1O#>9
z2Ffix*7MS~*y4fST6SkB3j62Z^T@Oz{=`)2@{pQ}Q99TaV=UWjt&CgIw*wE3C5N4`
zEvg!yG>uE+#z#>kn;8~O9-?FEnK*D@^omrOy9rW_`t_fS9-$6{4~R2QnHwl>YoA&0
z#moqAP|Ld?+`>Anz>qm+OFD_!1-Np$da^E^%5B;->y5KBwfY_1o+GL2ksoTD#-|ep
z7M3#Y@JhDo+DN`WxJBkx4z3l><=`6WVGgd69`)AYNLB`ln{U)l%{(<oQ638DFrd=^
z8aQ_mvnYp58Bk#*r3KaN!VRqCOi^iqx@Js%z^TQUkK@C~g!xeZmvm-~OK_tng!|Gv
zFq<bN&&vpHE{6UX;T6OPkFw*eK}EJo!m<jzLM6i8h5Gz_b>YdWayRf8UXN!8*3&Vc
zV=gQ(u8V-0!h^5%?jd2DMdYMhNeo>Z*<XfTE4NI%TQB1O8;EVMBlZ>XfA)O;dBpV%
zK*aTb2d)9TfnC5&#OE&p0Wbml8FBdwzz={g0Ucl;@HS%e*MR2%5wAZ3B)}3d15|(y
z0B<8!e-n5Wcp3OMa1~eu=75g?j{v)XKOk=Z9dHeJ7Wg7C1sn$+1MUOv0d8VGKLNzN
zUJ`RFJ_Q2>0|f&G0|f&G1OFck2<Jz6K(#8O9lyh(Fmileq0;43GqX?B8}p5s*@Y`<
z78p6LD#6(lweWTEFIADs$V0fTE|f}kGkgDrq;j7M<SB$hMtvCoc$oQsNL7a>?~ay5
zqqrOe0bfa@{ZSPoWPzx$A$jJSE#_{Y&MT!Zv7xeuBJ%>Dk4mWzt<~pF!DCH7dEPAz
zJ1WF{5s%oafoF27ds=9WE3zoh6E^W^z~b<YWpUedTm+Z%0kWOz6`JYzLBx~{g3}!b
zNrV8XLQ8rW*s*>-uQNmEEdI+U@|v=CZDM2H6H$;L!-9T!xk2KIg-nIYidv&yU8t+-
zC_x4{9TOq-a551oT`VzH_~hd3^yzx8SdfqWV_BwJnegG$Pd-ER$^(cEwW!F0H5G`d
zdX<()^;@ok99B(oFG>vgK%&31Tn|mHk{q>Ajur#gPxBZzZIhc74VhTGLT6Nx_*|MK
zPBkgdUhDB%A(7{hS>}j!5MQL+jjbM)*|N2X7UWJ~fFiYa{5W>Uu!l56IgKh4xBW(j
z9E26@$l)wFrvuCWfzdlj`Su<;DS9>q(c7JkG%J|1IOxetein8h2akR7h(0??+jUP*
z9iCC;BgwMFch_6mi8~tjR?TTi-g$)NnHG-$hdfF{yp=tO!$XF?laQtR70EK$;aK?;
z2a;_V?I`dJ*Fky}DJMOnad?Ucrugpk_b<|I)T)#ZRNYS3Rz9<pR4U|iz71zVHQ2f2
Vbd`t7mDP74HN63bi<R}-zX7Z(bb0^)

literal 0
HcmV?d00001

diff --git a/Dockerfile b/Dockerfile
index e45d4de..e98e97b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,19 +11,26 @@ ENV LANG='en_US.UTF-8' \
     STEP_GROUP='step' \
     STEP_UID='1001' \
     STEP_GID='1001' \
-    STEP_VERSION='0.14.2'
+    STEP_VERSION='0.14.2' \
+    STEP="/home/step" \
+    STEPPATH="/home/step" \
+    STEPDEBUG="1"
 
-RUN zypper -n in tar wget gzip && \
+RUN zypper -n in tar wget curl gzip && \
     groupadd -g $STEP_GID $STEP_GROUP && \
     useradd -u $STEP_UID -g $STEP_GROUP -M $STEP_USER
 
 RUN wget https://github.com/smallstep/cli/releases/download/v$STEP_VERSION/step_linux_$STEP_VERSION\_amd64.tar.gz && \
-    mkdir -p /step/bin && \
-    tar -zxvf step_linux_$STEP_VERSION\_amd64.tar.gz -C /step/bin/
+    tar -zxvf step_linux_$STEP_VERSION\_amd64.tar.gz -C /usr/local/bin/ && \
+    mkdir /home/step
+
 RUN rm step_linux_$STEP_VERSION\_amd64.tar.gz
 
 EXPOSE 9000/tcp
 
 USER $STEP_USER
+WORKDIR /home/step
+STOPSIGNAL SIGTERM
 
 CMD [ "/bin/sh" ]
+
diff --git a/start.sh b/start.sh
new file mode 100644
index 0000000..3464dba
--- /dev/null
+++ b/start.sh
@@ -0,0 +1,163 @@
+#!/bin/bash
+
+echo "Welcome to Step Certificates configuration."
+
+STEPPATH=/home/step
+
+# assert_variable exists if the given variable is not set.
+function assert_variable () {
+  if [ -z "$1" ];
+  then
+    echo "Error: variable $1 has not been set."
+    exit 1
+  fi
+}
+
+# check required variables
+assert_variable "$NAMESPACE"
+assert_variable "$PREFIX"
+assert_variable "$LABELS"
+assert_variable "$CA_URL"
+assert_variable "$CA_NAME"
+assert_variable "$CA_DNS"
+assert_variable "$CA_ADDRESS"
+assert_variable "$CA_PROVISIONER"
+
+# check autocert required variables
+if [ "$AUTOCERT" == "true" ]; then
+  assert_variable "$AUTOCERT_SERVICE"
+  assert_variable "$AUTOCERT_LABEL"
+fi
+
+# generate password if necessary
+CA_PASSWORD=${CA_PASSWORD:-$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')}
+CA_PROVISIONER_PASSWORD=${CA_PROVISIONER_PASSWORD:-$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')}
+
+echo -e "\e[1mChecking cluster permissions...\e[0m"
+
+function permission_error () {
+  # TODO: Figure out the actual service account instead of assuming default.
+  echo
+  echo -e "\033[0;31mPERMISSION ERROR\033[0m"
+  echo "Set permissions by running the following command, then try again:"
+  echo -e "\e[1m"
+  echo "    kubectl create clusterrolebinding autocert-init-binding \\"
+  echo "      --clusterrole cluster-admin \\"
+  echo "      --user \"system:serviceaccount:default:default\""
+  echo -e "\e[0m"
+  echo "Once setup is complete you can remove this binding by running:"
+  echo -e "\e[1m"
+  echo "    kubectl delete clusterrolebinding autocert-init-binding"
+  echo -e "\e[0m"
+
+  exit 1
+}
+
+# Use the service account context
+kubectl config set-cluster cfc --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+kubectl config set-context cfc --cluster=cfc
+kubectl config set-credentials user --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+kubectl config set-context cfc --user=user
+kubectl config use-context cfc
+
+echo -n "Checking for permission to create configmaps in $NAMESPACE namespace: "
+kubectl auth can-i create configmaps --namespace $NAMESPACE
+if [ $? -ne 0 ]; then
+  permission_error "create configmaps"
+fi
+
+echo -n "Checking for permission to create secrets in $NAMESPACE namespace: "
+kubectl auth can-i create secrets --namespace $NAMESPACE
+if [ $? -ne 0 ]; then
+  permission_error "create secrets"
+fi
+
+if [ "$AUTOCERT" == "true" ]; then
+  echo -n "Checking for permission to create mutatingwebhookconfiguration in $NAMESPACE namespace: "
+  kubectl auth can-i create mutatingwebhookconfiguration --namespace $NAMESPACE
+  if [ $? -ne 0 ]; then
+    permission_error "create mutatingwebhookconfiguration"
+  fi
+fi
+
+# Setting this here on purpose, after the above section which explicitly checks
+# for and handles exit errors.
+set -e
+
+TMP_CA_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
+TMP_CA_PROVISIONER_PASSWORD=$(mktemp /tmp/autocert.XXXXXX)
+
+echo $CA_PASSWORD > $TMP_CA_PASSWORD
+echo $CA_PROVISIONER_PASSWORD > $TMP_CA_PROVISIONER_PASSWORD
+
+step ca init \
+  --name "$CA_NAME" \
+  --dns "$CA_DNS" \
+  --address "$CA_ADDRESS" \
+  --password-file "$TMP_CA_PASSWORD" \
+  --provisioner "$CA_DEFAULT_PROVISIONER" \
+  --provisioner-password-file "$TMP_CA_PROVISIONER_PASSWORD" \
+  --with-ca-url "$CA_URL"
+
+rm -f $TMP_CA_PASSWORD $TMP_CA_PROVISIONER_PASSWORD
+
+echo
+echo -e "\e[1mCreating configmaps and secrets in $NAMESPACE namespace ...\e[0m"
+
+function kbreplace() {
+  kubectl $@ -o yaml --dry-run | kubectl replace -f -
+}
+
+# Replace secrets created on helm install
+# It allows to properly remove them on help delete
+kbreplace -n $NAMESPACE create configmap $PREFIX-config --from-file $(step path)/config
+kbreplace -n $NAMESPACE create configmap $PREFIX-certs --from-file $(step path)/certs
+kbreplace -n $NAMESPACE create configmap $PREFIX-secrets --from-file $(step path)/secrets
+
+kbreplace -n $NAMESPACE create secret generic $PREFIX-ca-password --from-literal "password=${CA_PASSWORD}"
+kbreplace -n $NAMESPACE create secret generic $PREFIX-provisioner-password --from-literal "password=${CA_PROVISIONER_PASSWORD}"
+
+# Label all configmaps and secrets
+kubectl -n $NAMESPACE label configmap $PREFIX-config $LABELS
+kubectl -n $NAMESPACE label configmap $PREFIX-certs $LABELS
+kubectl -n $NAMESPACE label configmap $PREFIX-secrets $LABELS
+kubectl -n $NAMESPACE label secret $PREFIX-ca-password $LABELS
+kubectl -n $NAMESPACE label secret $PREFIX-provisioner-password $LABELS
+
+# Replace webhook if necessary
+if [ "$AUTOCERT" == "true" ]; then
+  CA_BUNDLE=$(cat $(step path)/certs/root_ca.crt | base64 | tr -d '\n')
+  cat <<EOF | kubectl replace -f -
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: $PREFIX-webhook-config
+webhooks:
+  - name: $AUTOCERT_LABEL
+    clientConfig:
+      service:
+        name: $AUTOCERT_SERVICE
+        namespace: $NAMESPACE
+        path: "/mutate"
+      caBundle: $CA_BUNDLE
+    rules:
+      - operations: ["CREATE"]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    failurePolicy: Ignore
+    namespaceSelector:
+      matchLabels:
+        $AUTOCERT_LABEL: enabled
+EOF
+  kubectl -n $NAMESPACE label mutatingwebhookconfiguration $PREFIX-webhook-config $LABELS
+fi
+
+FINGERPRINT=$(step certificate fingerprint $(step path)/certs/root_ca.crt)
+
+echo
+echo -e "\e[1mStep Certificates installed!\e[0m"
+echo
+echo "CA URL: ${CA_URL}"
+echo "CA Fingerprint: ${FINGERPRINT}"
+echo