Open lukehinds opened 3 years ago
Here's how we do it. I'll take recommendations for improvements too. I hope this helps!
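# Let's say we're generating a 2021 shard.
#
# Creates one CT log shard: a Trillian tree (via createtree, run inside the
# "fedora" helper pod because that is where the admin server is reachable
# from), a fresh CTFE signing key, and a new `config { ... }` stanza appended
# to the ctfe-config secret in namespace ${LOG}.
#
# Inputs (environment):
#   LOG   - kubernetes namespace holding the CT log.
# Side effects (local):
#   writes ${SHARD}-ctfe-signing-key-decrypted.der and
#   manifests/${LOG}/${LOG}-ct-server.cfg. BOTH contain the PLAINTEXT CTFE
#   signing key (the cfg embeds it in the private_key stanza), so keep them
#   out of version control and shred them once the secret is in place.
set -euo pipefail
: "${LOG:?LOG must be set to the CT log namespace}"
# Key material and the rendered config land on local disk below; make sure
# nothing on this box but us can read them.
umask 077

echo "Generating CTFE signing keys"
SHARD=2021
SHARD_NEXT=$((SHARD + 1))
# The shard accepts certificates whose notAfter falls in
# [Jan 1 of SHARD, Jan 7 of SHARD+1). The one-week overrun is presumably a
# deliberate grace window -- TODO confirm with the log operators.
LOG_START="$(date -d "${SHARD}-01-01 00:00:00" -u +%s)"
LOG_END="$(date -d "${SHARD_NEXT}-01-07 00:00:00" -u +%s)"

# P-256 key, DER encoded, UNENCRYPTED: this is the key the CTFE signs with,
# and it goes verbatim into the secret.
CTFE_KEY_DER="${SHARD}-ctfe-signing-key-decrypted.der"
openssl ecparam -name prime256v1 -genkey -noout -outform der -out "${CTFE_KEY_DER}"

# Render DER bytes from stdin as a "\xNN\xNN..." string, which is what the
# protobuf text-format `der:` fields below expect. Built from a plain hex
# dump so it does not depend on xxd accepting very wide -c values.
der_to_text_escape() {
  xxd -p | tr -d '\n' | sed 's/../\\x&/g'
}
PRIVKEY="$(der_to_text_escape < "${CTFE_KEY_DER}")"
PUBKEY="$(openssl ec -in "${CTFE_KEY_DER}" -inform der -outform der -pubout | der_to_text_escape)"

# Create the Trillian tree from inside the helper pod. The tree's own signing
# key is generated there, password-protected with a throwaway password, and
# handed to createtree; the tree id is the last line of createtree's output.
# ${SHARD} is passed in as $1 rather than spliced into the quoted script.
# NOTE: createtree and `openssl -passout pass:` only take the password on
# argv, so it is visible in `ps` inside the pod for the duration of the call.
# No TTY is requested: it is not needed and would add \r to the output.
LOG_ID="$(kubectl exec fedora -n "${LOG}" -- sh -c '
  set -e
  # 32 chars drawn from alphanumerics plus _ and - (all shell-safe on argv).
  PASS=$(< /dev/urandom tr -dc "A-Za-z0-9_-" | head -c32)
  openssl ecparam -name prime256v1 -genkey -noout -out createtree-signing-key-decrypted.pem
  openssl ec -in createtree-signing-key-decrypted.pem -aes256 -out createtree-signing-privkey.pem -passout "pass:${PASS}"
  # The unencrypted copy is not referenced by anything once the encrypted
  # one exists; do not leave it lying around in the pod.
  rm -f createtree-signing-key-decrypted.pem
  /godev/bin/createtree -admin_server log-server:8090 \
    -pem_key_path createtree-signing-privkey.pem -pem_key_password "${PASS}" \
    -signature_algorithm ECDSA -display_name "$1" -description "$1" \
    -max_root_duration 12h -storage_system mysql -tree_type LOG \
    -tree_state ACTIVE -hash_algorithm SHA256 -hash_strategy RFC6962_SHA256
' sh "${SHARD}" | tail -n1)"

# log_id is written unquoted into the protobuf text below; refuse to
# continue with anything but a numeric tree id (e.g. an error message).
if ! [[ "${LOG_ID}" =~ ^[0-9]+$ ]]; then
  printf 'createtree did not return a tree id, got: %s\n' "${LOG_ID}" >&2
  exit 1
fi
echo "${LOG_ID}"

CFG="manifests/${LOG}/${LOG}-ct-server.cfg"
# Key under which the secret stores the config. The read-back below and both
# writes further down MUST use the same name: reading a different key returns
# nothing, the appended file then holds only the new shard, and the replace
# silently drops every previous shard from the secret. If your deployment
# mounts the config under another key, change it here (and only here).
CFG_KEY="ctfe-config-file"

# Cleanup old stuff prior to starting
mkdir -p "manifests/${LOG}"
rm -f "${CFG}"
# Get prior CTFE config because we must append to it.
# TODO: There's probably a native kubernetes way to do this, but I've not found it.
if kubectl get secret/ctfe-config -n "${LOG}" >/dev/null 2>&1; then
  kubectl get secret/ctfe-config -n "${LOG}" -o jsonpath="{.data.${CFG_KEY}}" | base64 -d > "${CFG}"
fi
cat << EOF >> "${CFG}"
config {
log_id: ${LOG_ID}
prefix: "${SHARD}"
not_after_start: {seconds: ${LOG_START}}
not_after_limit: {seconds: ${LOG_END}}
roots_pem_file: "/accepted-roots.pem"
max_merge_delay_sec: 86400
reject_expired: true
public_key: {
der: "${PUBKEY}"
}
private_key: {
[type.googleapis.com/keyspb.PrivateKey] {
der: "${PRIVKEY}"
}
}
}
EOF
if ! kubectl get secret/ctfe-config -n "${LOG}" >/dev/null 2>&1; then
  echo "Creating secret/ctfe-config"
  kubectl create secret generic -n "${LOG}" ctfe-config --from-file="${CFG_KEY}=${CFG}"
else
  echo "Updating existing secret/ctfe-config"
  kubectl create secret generic -n "${LOG}" ctfe-config --from-file="${CFG_KEY}=${CFG}" \
    -o yaml --dry-run=client | kubectl replace -f -
  # Bump a pod-template label so the CTFE pods roll and pick up the new secret.
  kubectl patch deployment/trillian-ctfe-deployment -n "${LOG}" \
    -p "{\"spec\":{\"template\":{\"metadata\":{\"labels\":{\"date\":\"$(date +%s)\"}}}}}"
fi
# Reminder: ${CTFE_KEY_DER} and ${CFG} still hold the signing key in the
# clear. Shred them (or move them to your offline key escrow) once the
# secret is verified; never commit manifests/ with the key inside.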
Hey, this looks like unicode (utf8?), do you have any pointers on how I can generate this?