Oct 12, 2016 Adding Certs to Cloud Foundry Deployments
We recently added etcd TLS to several environments and leveraged the certificate creation scripts in cf-release/scripts. These are wonderful little scripts but leave it as an exercise to copy and paste the contents of the flat files into your deployment manifest. After my second copy-pasta a colleague (thanks Tom) created a helpful script to copy the certs into my clipboard.
In this example we will create certificates needed for etcd for CF v243. Start by getting the CF release, checking out the correct release and switching to the scripts folder:
git clone git@github.com:cloudfoundry/cf-release.git
cd cf-release
git checkout v243
cd scripts
Now that we are in the scripts folder there are several helpful scripts to generate certs for several CF components. In this case we'll create the certs for etcd:
This will create a folder called etcd-certs, and inside it you will see all the files created:
-r--r--r-- 1.5K client.crt
-r--r--r-- 891B client.csr
-r--r----- 1.6K client.key
-r--r--r-- 1.8K etcd-ca.crt
-r--r----- 3.2K etcd-ca.key
-r--r--r-- 918B etcdCA.crl
-r--r--r-- 1.8K peer-ca.crt
-r--r----- 3.2K peer-ca.key
-r--r--r-- 1.6K peer.crt
-r--r--r-- 1.0K peer.csr
-r--r----- 1.6K peer.key
-r--r--r-- 918B peerCA.crl
-r--r--r-- 1.6K server.crt
-r--r--r-- 1.0K server.csr
-r--r----- 1.6K server.key
So now begins the awkward cat-copy-paste into your deployment manifest, unless...
Create a file named certs_please.yml in the etcd-certs folder and copy in the following contents:
client_cert: (( file "./client.crt" ))
client_key: (( file "./client.key" ))
peer_cert: (( file "./peer.crt" ))
peer_key: (( file "./peer.key" ))
server_cert: (( file "./server.crt" ))
server_key: (( file "./server.key" ))
ca_cert: (( file "./etcd-ca.crt" ))
peer_ca_cert: (( file "./peer-ca.crt" ))
Now run the spruce command to copy the contents to your clipboard buffer:
spruce merge certs_please.yml | pbcopy
Now paste into your deployment manifest. Less mess, and fewer copy-pasta errors to debug.
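As an added example (not from the original post or from the spruce project), here is a small stand-in for what the `(( file "..." ))` operator does to certs_please.yml, with two checks spruce itself does not make: the PEM header must match the key name (so a swapped .crt/.key is caught before it reaches the manifest), and a private key file must not be readable by group or others. The EXPECTED_HEADER table and the `demo` helper, which builds a throwaway etcd-certs directory from constructed placeholder PEMs, are assumptions for this example.

```python
import os
import re
import tempfile

# Matches one spruce file-operator line, e.g.: client_cert: (( file "./client.crt" ))
FILE_OP = re.compile(r'^(\w+):\s*\(\(\s*file\s+"([^"]+)"\s*\)\)\s*$')
# PEM header expected for each key suffix (an assumption for this example, not a spruce feature).
EXPECTED_HEADER = {"_cert": "CERTIFICATE", "_key": "PRIVATE KEY"}

def render_certs(template: str, base_dir: str) -> str:
    """Expand each (( file "..." )) line into a YAML block scalar, as `spruce merge` would,
    but refuse a PEM whose header contradicts the key name (swapped cert/key) or a
    private key that is readable by group/others."""
    out = []
    for line in template.splitlines():
        m = FILE_OP.match(line)
        if not m:
            out.append(line)          # pass other YAML through untouched
            continue
        key, rel = m.groups()
        path = os.path.join(base_dir, rel)
        with open(path) as f:
            pem = f.read().strip()
        header = pem.splitlines()[0]
        for suffix, kind in EXPECTED_HEADER.items():
            if key.endswith(suffix) and kind not in header:
                raise ValueError(f"{key}: {rel} does not look like a {kind}")
        if key.endswith("_key") and os.stat(path).st_mode & 0o077:
            raise ValueError(f"{key}: {rel} is readable by group/others")
        out.append(f"{key}: |")       # block scalar keeps the PEM line structure intact
        out.extend("  " + l for l in pem.splitlines())
    return "\n".join(out) + "\n"

def demo(swap: bool = False) -> str:
    """Render a throwaway etcd-certs dir holding constructed placeholder PEMs (not real keys)."""
    d = tempfile.mkdtemp()
    fake = {"client.crt": "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n",
            "client.key": "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"}
    for name, body in fake.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
        os.chmod(os.path.join(d, name), 0o400 if name.endswith(".key") else 0o444)
    crt, key = ("client.key", "client.crt") if swap else ("client.crt", "client.key")
    template = f'client_cert: (( file "./{crt}" ))\nclient_key: (( file "./{key}" ))\n'
    return render_certs(template, d)

if __name__ == "__main__":
    print(demo())
```

Piping the rendered text to pbcopy gives the same result as the spruce command above, with the mismatch and permission checks applied first.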