tlsproxy from pass; fix tls stuff
This commit is contained in:
parent
7c1444b714
commit
226fbabf65
5 changed files with 56 additions and 53 deletions
@ -5,7 +5,9 @@ YEAR=$(date +%Y)
cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key \
consul$YEAR-client.crt consul$YEAR-client.key
do
if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/consul/pki/$file
cmd chown consul:root /var/lib/consul/pki/$file
@ -15,9 +17,12 @@ done
cmd systemctl restart consul
cmd sleep 10
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
consul$YEAR.crt consul$YEAR-client.crt consul$YEAR-client.key
do
if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/nomad/pki/$file
cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"
fi
done
4
sshtool
4
sshtool
@ -20,7 +20,7 @@ else
fi
if [ -z "$ROOT_PASS" ]; then
read -s -p "Enter remote root password: " ROOT_PASS
read -s -p "Enter remote sudo password: " ROOT_PASS
echo
fi
@ -35,7 +35,7 @@ echo \$DEPLOYTOOL_ROOT_PASSWORD
EOG
chmod +x /tmp/deploytool_askpass
export SUDO_ASKPASS=/tmp/deploytool_askpass
sudo -A sh - <<EOEVERYTHING
sudo -A sh - <<'EOEVERYTHING'
EOF
}
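Review bot: The quoted delimiter in `sudo -A sh - <<'EOEVERYTHING'` (second hunk of sshtool) changes where expansion happens, but nothing in the hunk says so; the enclosing unquoted `<<EOF` heredoc, closed by the `EOF` line two lines below, still expands this text once locally (which is why the hunk context escapes `\$DEPLOYTOOL_ROOT_PASSWORD`), and the quotes only stop the remote `sh` from expanding it a second time. A comment above the new line such as `# quoted delimiter: the remote sh must not expand this body again; escape remote-side $ against the outer EOF` would make that two-level expansion explicit. The inner heredoc body and the function emitting it lie outside the hunk, so whether every remote-side `$` there is escaped against the outer heredoc cannot be checked here. Separately, the sudo askpass helper lives at the fixed path `/tmp/deploytool_askpass` and is only made executable; creating it with `mktemp` and `chmod 700` would keep another local user from pre-creating or reading the helper, though its creation is also outside the hunk.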
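--- a/tlsenv.sh
+++ b/tlsenv.sh
@@ -1,12 +0,0 @@
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-YEAR=$(date +%Y)
-
-export NOMAD_ADDR=https://localhost:14646
-export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
-export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
-export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
-
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key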
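--- a/tlsproxy
+++ b/tlsproxy
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -xe
+
+# Enter proper cluster subdirectory
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ ! -d "cluster/$CLUSTER" ]; then
+echo "Usage: $0 <cluster name>"
+echo "The cluster name must be the name of a subdirectory of cluster/"
+exit 1
+fi
+
+PREFIX="deuxfleurs/cluster/$CLUSTER"
+
+# Do actual stuff
+
+YEAR=$(date +%Y)
+
+CERTDIR=$(mktemp -d)
+
+_int() {
+echo "Caught SIGINT signal!"
+rm -rv $CERTDIR
+kill -INT "$child1" 2>/dev/null
+kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+pass $PREFIX/nomad$YEAR.crt > $CERTDIR/nomad.crt
+pass $PREFIX/nomad$YEAR-client.crt > $CERTDIR/nomad-client.crt
+pass $PREFIX/nomad$YEAR-client.key > $CERTDIR/nomad-client.key
+pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
+pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
+pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"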
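Review bot: `CERTDIR` receives the client private keys pulled from `pass`, but the only cleanup is `_int`, which is registered for SIGINT alone; a normal exit after `wait`, a SIGTERM, or any failure under `set -e` (for instance a `pass` entry that does not exist for the current `YEAR`) leaves those keys behind in the temporary directory. Registering the handler for the other exit paths, `trap _int EXIT INT TERM`, and hardening the removal to `rm -rf -- "$CERTDIR"` covers them (the `Caught SIGINT signal!` message would then need generalising), and a `umask 077` before the `pass` redirections makes the written key files owner-only instead of relying solely on the mode `mktemp -d` gives the directory. `set -x` traces every command, so the `PREFIX` and `CERTDIR` paths appear in the output, but the key material itself is redirected to files and not echoed.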
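--- a/tlsproxy.sh
+++ b/tlsproxy.sh
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -xe
-
-# Enter proper cluster subdirectory
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
-echo "Usage: $0 <cluster name>"
-echo "The cluster name must be the name of a subdirectory of cluster/"
-exit 1
-fi
-
-cd cluster/$CLUSTER
-
-# Do actual stuff
-
-YEAR=$(date +%Y)
-
-_int() {
-echo "Caught SIGINT signal!"
-kill -INT "$child1" 2>/dev/null
-kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"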