Add new infra architecture
This commit is contained in:
Urtzi Alfaro
204
infrastructure/security/certificates/generate-certificates.sh
Executable file
204
infrastructure/security/certificates/generate-certificates.sh
Executable file
@@ -0,0 +1,204 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Generate TLS certificates for PostgreSQL and Redis
|
||||
# Self-signed certificates for internal cluster use
|
||||
|
||||
set -e
|
||||
|
||||
TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
CA_DIR="$TLS_DIR/ca"
|
||||
POSTGRES_DIR="$TLS_DIR/postgres"
|
||||
REDIS_DIR="$TLS_DIR/redis"
|
||||
|
||||
echo "Generating TLS certificates for Bakery IA..."
|
||||
echo "Directory: $TLS_DIR"
|
||||
echo ""
|
||||
|
||||
# Clean up old certificates
|
||||
echo "Cleaning up old certificates..."
|
||||
rm -rf "$CA_DIR"/* "$POSTGRES_DIR"/* "$REDIS_DIR"/* 2>/dev/null || true
|
||||
|
||||
# =====================================
|
||||
# 1. Generate Certificate Authority (CA)
|
||||
# =====================================
|
||||
|
||||
echo "Step 1: Generating Certificate Authority (CA)..."
|
||||
|
||||
# Generate CA private key
|
||||
openssl genrsa -out "$CA_DIR/ca-key.pem" 4096
|
||||
|
||||
# Generate CA certificate (valid for 10 years)
|
||||
openssl req -new -x509 -days 3650 -key "$CA_DIR/ca-key.pem" -out "$CA_DIR/ca-cert.pem" \
|
||||
-subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Security/CN=BakeryIA-CA"
|
||||
|
||||
echo "✓ CA certificate generated"
|
||||
echo ""
|
||||
|
||||
# =====================================
|
||||
# 2. Generate PostgreSQL Server Certificates
|
||||
# =====================================
|
||||
|
||||
echo "Step 2: Generating PostgreSQL server certificates..."
|
||||
|
||||
# Generate PostgreSQL server private key
|
||||
openssl genrsa -out "$POSTGRES_DIR/server-key.pem" 4096
|
||||
|
||||
# Create certificate signing request (CSR)
|
||||
openssl req -new -key "$POSTGRES_DIR/server-key.pem" -out "$POSTGRES_DIR/server.csr" \
|
||||
-subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Database/CN=*.bakery-ia.svc.cluster.local"
|
||||
|
||||
# Create SAN (Subject Alternative Names) configuration
|
||||
cat > "$POSTGRES_DIR/san.cnf" <<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
[req_distinguished_name]
|
||||
C = US
|
||||
ST = California
|
||||
L = SanFrancisco
|
||||
O = BakeryIA
|
||||
OU = Database
|
||||
CN = *.bakery-ia.svc.cluster.local
|
||||
|
||||
[v3_req]
|
||||
keyUsage = keyEncipherment, dataEncipherment
|
||||
extendedKeyUsage = serverAuth, clientAuth
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[alt_names]
|
||||
DNS.1 = *.bakery-ia.svc.cluster.local
|
||||
DNS.2 = *.bakery-ia
|
||||
DNS.3 = auth-db-service
|
||||
DNS.4 = tenant-db-service
|
||||
DNS.5 = training-db-service
|
||||
DNS.6 = forecasting-db-service
|
||||
DNS.7 = sales-db-service
|
||||
DNS.8 = external-db-service
|
||||
DNS.9 = notification-db-service
|
||||
DNS.10 = inventory-db-service
|
||||
DNS.11 = recipes-db-service
|
||||
DNS.12 = suppliers-db-service
|
||||
DNS.13 = pos-db-service
|
||||
DNS.14 = orders-db-service
|
||||
DNS.15 = production-db-service
|
||||
DNS.16 = alert-processor-db-service
|
||||
DNS.17 = localhost
|
||||
IP.1 = 127.0.0.1
|
||||
EOF
|
||||
|
||||
# Sign the certificate with CA (valid for 3 years)
|
||||
openssl x509 -req -in "$POSTGRES_DIR/server.csr" \
|
||||
-CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
|
||||
-out "$POSTGRES_DIR/server-cert.pem" -days 1095 \
|
||||
-extensions v3_req -extfile "$POSTGRES_DIR/san.cnf"
|
||||
|
||||
# PostgreSQL requires specific permissions on key file
|
||||
chmod 600 "$POSTGRES_DIR/server-key.pem"
|
||||
chmod 644 "$POSTGRES_DIR/server-cert.pem"
|
||||
|
||||
# Copy CA cert for PostgreSQL clients
|
||||
cp "$CA_DIR/ca-cert.pem" "$POSTGRES_DIR/ca-cert.pem"
|
||||
|
||||
echo "✓ PostgreSQL certificates generated"
|
||||
echo ""
|
||||
|
||||
# =====================================
|
||||
# 3. Generate Redis Server Certificates
|
||||
# =====================================
|
||||
|
||||
echo "Step 3: Generating Redis server certificates..."
|
||||
|
||||
# Generate Redis server private key
|
||||
openssl genrsa -out "$REDIS_DIR/redis-key.pem" 4096
|
||||
|
||||
# Create certificate signing request (CSR)
|
||||
openssl req -new -key "$REDIS_DIR/redis-key.pem" -out "$REDIS_DIR/redis.csr" \
|
||||
-subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Cache/CN=redis-service.bakery-ia.svc.cluster.local"
|
||||
|
||||
# Create SAN configuration for Redis
|
||||
cat > "$REDIS_DIR/san.cnf" <<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
[req_distinguished_name]
|
||||
C = US
|
||||
ST = California
|
||||
L = SanFrancisco
|
||||
O = BakeryIA
|
||||
OU = Cache
|
||||
CN = redis-service.bakery-ia.svc.cluster.local
|
||||
|
||||
[v3_req]
|
||||
keyUsage = keyEncipherment, dataEncipherment
|
||||
extendedKeyUsage = serverAuth, clientAuth
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[alt_names]
|
||||
DNS.1 = redis-service.bakery-ia.svc.cluster.local
|
||||
DNS.2 = redis-service.bakery-ia
|
||||
DNS.3 = redis-service
|
||||
DNS.4 = localhost
|
||||
IP.1 = 127.0.0.1
|
||||
EOF
|
||||
|
||||
# Sign the certificate with CA (valid for 3 years)
|
||||
openssl x509 -req -in "$REDIS_DIR/redis.csr" \
|
||||
-CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
|
||||
-out "$REDIS_DIR/redis-cert.pem" -days 1095 \
|
||||
-extensions v3_req -extfile "$REDIS_DIR/san.cnf"
|
||||
|
||||
# Redis requires specific permissions
|
||||
chmod 600 "$REDIS_DIR/redis-key.pem"
|
||||
chmod 644 "$REDIS_DIR/redis-cert.pem"
|
||||
|
||||
# Copy CA cert for Redis clients
|
||||
cp "$CA_DIR/ca-cert.pem" "$REDIS_DIR/ca-cert.pem"
|
||||
|
||||
echo "✓ Redis certificates generated"
|
||||
echo ""
|
||||
|
||||
# =====================================
|
||||
# 4. Verify Certificates
|
||||
# =====================================
|
||||
|
||||
echo "Step 4: Verifying certificates..."
|
||||
|
||||
# Verify PostgreSQL certificate
|
||||
echo "PostgreSQL certificate details:"
|
||||
openssl x509 -in "$POSTGRES_DIR/server-cert.pem" -noout -subject -issuer -dates
|
||||
openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$POSTGRES_DIR/server-cert.pem"
|
||||
|
||||
echo ""
|
||||
echo "Redis certificate details:"
|
||||
openssl x509 -in "$REDIS_DIR/redis-cert.pem" -noout -subject -issuer -dates
|
||||
openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$REDIS_DIR/redis-cert.pem"
|
||||
|
||||
echo ""
|
||||
echo "===================="
|
||||
echo "✓ All certificates generated successfully!"
|
||||
echo ""
|
||||
echo "Generated files:"
|
||||
echo " CA:"
|
||||
echo " - $CA_DIR/ca-cert.pem (Certificate Authority certificate)"
|
||||
echo " - $CA_DIR/ca-key.pem (CA private key - keep secure!)"
|
||||
echo ""
|
||||
echo " PostgreSQL:"
|
||||
echo " - $POSTGRES_DIR/server-cert.pem (Server certificate)"
|
||||
echo " - $POSTGRES_DIR/server-key.pem (Server private key)"
|
||||
echo " - $POSTGRES_DIR/ca-cert.pem (CA certificate for clients)"
|
||||
echo ""
|
||||
echo " Redis:"
|
||||
echo " - $REDIS_DIR/redis-cert.pem (Server certificate)"
|
||||
echo " - $REDIS_DIR/redis-key.pem (Server private key)"
|
||||
echo " - $REDIS_DIR/ca-cert.pem (CA certificate for clients)"
|
||||
echo ""
|
||||
echo "Certificate validity: 3 years"
|
||||
echo "Next steps:"
|
||||
echo " 1. Create Kubernetes secrets from these certificates"
|
||||
echo " 2. Mount secrets in database pods"
|
||||
echo " 3. Configure PostgreSQL and Redis to use TLS"
|
||||
echo " 4. Update client connection strings to require SSL"
|
||||
Reference in New Issue
Block a user