From 717998b801729ee6170c92514b5052ca6fcf1c2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20L=C3=BCscher?=
Date: Thu, 4 May 2023 15:02:05 +0000
Subject: [PATCH] feat: create ssh key for automation tasks

includes refactoring for build process
---
 forge-pod.yml | 19 ++++++++++++++-----
 minica/Containerfile | 11 +++++++----
 minica/certificates.sh | 21 +++++++++++++++++++++
 rvproxy/Caddyfile | 2 +-
 setup/Containerfile | 14 +++++++-------
 5 files changed, 50 insertions(+), 17 deletions(-)
 create mode 100644 minica/certificates.sh

diff --git a/forge-pod.yml b/forge-pod.yml
index 2f8a1c8..b97f31f 100644
--- a/forge-pod.yml
+++ b/forge-pod.yml
@@ -7,9 +7,9 @@ metadata:
 spec:
 restartPolicy: Always
 volumes:
- - name: ublue-os_forge-minica-pvc
+ - name: ublue-os_forge-certs-pvc
 persistentVolumeClaim:
- claimName: ublue-os_forge-minica
+ claimName: ublue-os_forge-certs
 - name: ublue-os_forge-registry-pvc
 persistentVolumeClaim:
@@ -28,7 +28,7 @@ spec:
 cpu: 200m
 volumeMounts:
 - mountPath: /certs
- name: ublue-os_forge-minica-pvc
+ name: ublue-os_forge-certs-pvc
 ports:
 - containerPort: 443
 hostPort: 443
@@ -42,7 +42,7 @@ spec:
 cpu: 200m
 volumeMounts:
 - mountPath: /certs
- name: ublue-os_forge-minica-pvc
+ name: ublue-os_forge-certs-pvc
 subPath: _.ublue.local
 - mountPath: /var/lib/registry
 name: ublue-os_forge-registry-pvc
@@ -59,12 +59,21 @@ spec:
 volumeMounts:
 - mountPath: /var/lib/semaphore
 name: ublue-os_forge-semaphore-pvc
+ - mountPath: /certs
+ subPath: ssh
+ name: ublue-os_forge-certs-pvc
+ readOnly: true
 ports:
 - containerPort: 3000
 protocol: TCP
 - name: setup.ublue.local
 image: setup
+ volumeMounts:
+ - mountPath: /certs
+ subPath: ssh
+ name: ublue-os_forge-certs-pvc
+ readOnly: true
 resources:
 limits:
 memory: 512Mi
@@ -75,4 +84,4 @@ spec:
 image: minica
 volumeMounts:
 - mountPath: /certs
- name: ublue-os_forge-minica-pvc
+ name: ublue-os_forge-certs-pvc
diff --git a/minica/Containerfile b/minica/Containerfile
index ef38695..228cc03 100644
--- a/minica/Containerfile
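Review bot: The rvproxy container in the `@@ -28,7 +28,7 @@` hunk still mounts the whole `ublue-os_forge-certs-pvc` volume at `/certs` read-write, and after this commit that volume also carries the automation SSH private key under `ssh/`, so the proxy can read and modify a credential it has no use for; it only needs the CA under `tls/` and the leaf certificate. If Caddy needs both `tls/` and the `_.ublue.local` directory, split this into two `subPath` mounts; at minimum add `readOnly: true` as the new semaphore and setup mounts do. The registry mount in `@@ -42,7 +42,7 @@` is already scoped by `subPath: _.ublue.local` but is not read-only either, `readOnly: true` belongs there as well. The enclosing container list starts and ends outside these hunks.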
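Review bot: The new `subPath: ssh` mounts for the semaphore and setup containers in `@@ -59,12 +59,21 @@` depend on the minica container having created `/certs/ssh/ublue-os_forge-id_ed25519` first, but nothing in the pod orders that: minica is the last container in the spec (`@@ -75,4 +84,4 @@`) and no init container is visible in the diff, so on first start setup and semaphore can come up with an empty `ssh/` directory. Consider running the key and certificate generation as an init container, or have `startup.sh` wait for the key file before using it (that script is outside this diff). The enclosing `spec:` mapping starts and ends outside the hunk.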
+++ b/minica/Containerfile
@@ -1,10 +1,13 @@
 # Source Image
 FROM docker.io/library/golang:1.20
+# Copy script
+WORKDIR /certs
+COPY certificates.sh .
+RUN chmod +x ./certificates.sh
+
 # Install minica
 RUN go install github.com/jsha/minica@latest
-# Generate wildcard certificate
-WORKDIR /certs
-RUN minica --domains "*.ublue.local,ublue.local,localhost" \
- --ip-addresses 127.0.0.1
+# Container start command
+CMD ["/certs/certificates.sh"]
\ No newline at end of file
diff --git a/minica/certificates.sh b/minica/certificates.sh
new file mode 100644
index 0000000..a287b2e
--- /dev/null
+++ b/minica/certificates.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+## Create SSH keys and certificates for uBlue-OS Forge
+
+CERTIFICATE_DIRECTORY="/certs"
+SSH_KEY_NAME="ublue-os_forge-id_ed25519"
+TLS_ROOT_CERTIFICATE_NAME="ublue-os_forge-root"
+
+if [ ! -f ${CERTIFICATE_DIRECTORY}/ssh/${SSH_KEY_NAME} ];
+then
+ echo "uBlue Forge SSH key not present. Creating new key..."
+ mkdir ${CERTIFICATE_DIRECTORY}/ssh -p
+ mkdir ${CERTIFICATE_DIRECTORY}/tls -p
+ # Generate SSH key
+ ssh-keygen -o -a 100 -t ed25519 -f ${CERTIFICATE_DIRECTORY}/ssh/${SSH_KEY_NAME} -C "forge@ublue.local"
+else
+ echo "Existing uBlue Forge SSH key found. Nothing to do..."
+fi
+
+# Creating TLS certificates
+echo "Creating / Updating TLS certificate..."
+minica --domains "*.ublue.local,ublue.local,localhost" --ip-addresses 127.0.0.1 -ca-cert "${CERTIFICATE_DIRECTORY}/tls/${TLS_ROOT_CERTIFICATE_NAME}.pem" -ca-key "${CERTIFICATE_DIRECTORY}/tls/${TLS_ROOT_CERTIFICATE_NAME}-key.pem"
diff --git a/rvproxy/Caddyfile b/rvproxy/Caddyfile
index 83853e1..c217b97 100644
--- a/rvproxy/Caddyfile
+++ b/rvproxy/Caddyfile
@@ -16,7 +16,7 @@
 reverse_proxy ublue-os_forge-registry.ublue.local:5000 {
 transport http {
 tls
- tls_trusted_ca_certs /certs/minica.pem
+ tls_trusted_ca_certs /certs/tls/ublue-os_forge-root.pem
 }
 }
 }
diff --git a/setup/Containerfile b/setup/Containerfile
index 545679f..a8f759e 100644
--- a/setup/Containerfile
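Review bot: `WORKDIR /certs` followed by `COPY certificates.sh .` stores the entrypoint script in the same path that forge-pod.yml mounts `ublue-os_forge-certs-pvc` on for the minica container (`mountPath: /certs`), so at runtime the volume shadows the image directory and `CMD ["/certs/certificates.sh"]` resolves inside the volume; whether the script exists there then depends on the runtime copying image contents into an empty volume on first use, and a rebuilt image would not refresh it. Install the script outside the data directory and keep `/certs` as the working directory so `minica` still writes its per-domain output there: `COPY certificates.sh /usr/local/bin/certificates.sh`, `RUN chmod +x /usr/local/bin/certificates.sh`, `CMD ["/usr/local/bin/certificates.sh"]`. The new `CMD` line is also written without a trailing newline.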
+++ b/setup/Containerfile
@@ -1,11 +1,11 @@
 # Source Image
 FROM docker.io/library/python:alpine3.17
-# Install forge setup project
-COPY ./ansible /ansible
-RUN pip3 install -r /ansible/requirements.txt
-RUN chmod +x /ansible/startup.sh
-
-# Run starup script
+# Install ansible setup project
 WORKDIR /ansible
-CMD ["./startup.sh"]
+COPY ./ansible .
+RUN pip3 install -r ./requirements.txt
+RUN chmod +x ./startup.sh
+
+# Container start command
+CMD ["/ansible/startup.sh"]