使用terraform 生成自签名证书
terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)
resource "tls_private_key" "example" {
algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
key_algorithm = "${tls_private_key.example.algorithm}"
private_key_pem = "${tls_private_key.example.private_key_pem}"
# Certificate expires after 12 hours.
validity_period_hours = 120000000
# Generate a new certificate if Terraform is run within three
# hours of the certificate's expiration time.
early_renewal_hours = 30000000
is_ca_certificate = true
# Reasonable set of uses for a server SSL certificate.
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
dns_names = ["api.example.com", "k8sapi.example.com"]
subject {
common_name = "example.com"
organization = "example, Inc"
}
}
data "archive_file" "userinfos" {
type = "zip"
output_path = "tf-result/cert.zip"
source {
content = tls_private_key.example.private_key_pem
filename = "private_key_pem"
}
source {
content = tls_private_key.example.public_key_pem
filename = "public_key_pem"
}
source {
content = tls_self_signed_cert.example.cert_pem
filename = "cert_pem"
}
}
以上代码使用了archive
provider 进行生成文件压缩,使用tls_private_key
生成私钥
使用tls_self_signed_cert
生成自签名证书
terraform init
terraform plan
效果
Refreshing Terraform state in-memory prior to plan
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.archive_file.userinfos will be read during apply
# (config refers to values not yet known)
<= data "archive_file" "userinfos" {
+ id = (known after apply)
+ output_base64sha256 = (known after apply)
+ output_md5 = (known after apply)
+ output_path = "tf-result/cert.zip"
+ output_sha = (known after apply)
+ output_size = (known after apply)
+ type = "zip"
+ source {
+ content = (known after apply)
+ filename = "cert_pem"
}
+ source {
+ content = (known after apply)
+ filename = "private_key_pem"
}
+ source {
+ content = (known after apply)
+ filename = "public_key_pem"
}
}
# tls_private_key.example will be created
+ resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ ecdsa_curve = "P224"
+ id = (known after apply)
+ private_key_pem = (known after apply)
+ public_key_fingerprint_md5 = (known after apply)
+ public_key_openssh = (known after apply)
+ public_key_pem = (known after apply)
+ rsa_bits = 2048
}
# tls_self_signed_cert.example will be created
+ resource "tls_self_signed_cert" "example" {
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
]
+ cert_pem = (known after apply)
+ dns_names = [
+ "api.example.com",
+ "k8sapi.example.com",
]
+ early_renewal_hours = 30000000
+ id = (known after apply)
+ ip_addresses = [
+ "127.0.0.1",
+ "192.168.0.111",
+ "10.10.18.119",
]
+ is_ca_certificate = true
+ key_algorithm = "RSA"
+ private_key_pem = (known after apply)
+ validity_end_time = (known after apply)
+ validity_period_hours = 120000000
+ validity_start_time = (known after apply)
+ subject {
+ common_name = "example.com"
+ organization = "example, Inc"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
terraform apply
效果
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.archive_file.userinfos will be read during apply
# (config refers to values not yet known)
<= data "archive_file" "userinfos" {
+ id = (known after apply)
+ output_base64sha256 = (known after apply)
+ output_md5 = (known after apply)
+ output_path = "tf-result/cert.zip"
+ output_sha = (known after apply)
+ output_size = (known after apply)
+ type = "zip"
+ source {
+ content = (known after apply)
+ filename = "cert_pem"
}
+ source {
+ content = (known after apply)
+ filename = "private_key_pem"
}
+ source {
+ content = (known after apply)
+ filename = "public_key_pem"
}
}
# tls_private_key.example will be created
+ resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ ecdsa_curve = "P224"
+ id = (known after apply)
+ private_key_pem = (known after apply)
+ public_key_fingerprint_md5 = (known after apply)
+ public_key_openssh = (known after apply)
+ public_key_pem = (known after apply)
+ rsa_bits = 2048
}
# tls_self_signed_cert.example will be created
+ resource "tls_self_signed_cert" "example" {
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
]
+ cert_pem = (known after apply)
+ dns_names = [
+ "api.example.com",
+ "k8sapi.example.com",
]
+ early_renewal_hours = 30000000
+ id = (known after apply)
+ ip_addresses = [
+ "127.0.0.1",
+ "192.168.0.111",
+ "10.10.18.119",
]
+ is_ca_certificate = true
+ key_algorithm = "RSA"
+ private_key_pem = (known after apply)
+ validity_end_time = (known after apply)
+ validity_period_hours = 120000000
+ validity_start_time = (known after apply)
+ subject {
+ common_name = "example.com"
+ organization = "example, Inc"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
tls_private_key.example: Creating
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
unzip cert.zip
Archive: cert.zip
inflating: cert_pem
inflating: private_key_pem
inflating: public_key_pem
我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码
https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine