opensource/supermq
1
0
Fork 0
mirror of https://github.com/absmach/supermq.git synced 2026-06-23 06:40:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

NOISSUE - Update Magistrala certs (#322)

Browse Source 
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
This commit is contained in:
Steve Munene
2025-10-01 18:38:48 +03:00
committed by GitHub
parent 9078a67566
commit 3702e99f17
12 changed files with 779 additions and 586 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docker/.env
+24
View File
@@ -169,6 +169,30 @@ MG_PDF_CONVERTER_URL=http://pdf-generator:3000/forms/chromium/convert/html
### Certs
SMQ_ADDONS_CERTS_PATH_PREFIX=./
# Certs service configuration
AM_CERTS_SECRET=12345678
AM_CERTS_OPENBAO_SECRET_ID_TTL=87600h
# OpenBao PKI CA configuration
AM_CERTS_OPENBAO_PKI_CA_CN=Abstract Machines Certificate Authority
AM_CERTS_OPENBAO_PKI_CA_OU=Abstract Machines
AM_CERTS_OPENBAO_PKI_CA_O=AbstractMacines
AM_CERTS_OPENBAO_PKI_CA_C=FRANCE
AM_CERTS_OPENBAO_PKI_CA_L=PARIS
AM_CERTS_OPENBAO_PKI_CA_ST=PARIS
AM_CERTS_OPENBAO_PKI_CA_ADDR=5 Av. Anatole
AM_CERTS_OPENBAO_PKI_CA_PO=75007
AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES=localhost
AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES=127.0.0.1,::1
AM_CERTS_OPENBAO_PKI_CA_URI_SANS=
AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES=info@abstractmachines.rs
# OpenBao unseal keys and token
AM_CERTS_OPENBAO_UNSEAL_KEY_1=
AM_CERTS_OPENBAO_UNSEAL_KEY_2=
AM_CERTS_OPENBAO_UNSEAL_KEY_3=
AM_CERTS_OPENBAO_ROOT_TOKEN=
## Addon Services
### Bootstrap
MG_BOOTSTRAP_LOG_LEVEL=debug
docker/supermq-docker-compose.override.yaml
+1 -1
View File
@@ -116,7 +116,7 @@ services:
openbao:
volumes:
- ./addons/certs/prod-entrypoint.sh:/entrypoint.sh
- ./addons/certs/openbao-entrypoint.sh:/entrypoint.sh
networks: !override
- magistrala-base-net
docker/supermq-docker/.env
+64 -43
View File
@@ -425,50 +425,71 @@ SMQ_WS_ADAPTER_INSTANCE_ID=
## Addons Services
# Certs
SMQ_ADDONS_CERTS_PATH_PREFIX=./
SMQ_CERTS_LOG_LEVEL=debug
SMQ_CERTS_SIGN_CA_PATH=/etc/ssl/certs/ca.crt
SMQ_CERTS_SIGN_CA_KEY_PATH=/etc/ssl/certs/ca.key
SMQ_CERTS_HTTP_HOST=certs
SMQ_CERTS_HTTP_PORT=9019
SMQ_CERTS_HTTP_SERVER_CERT=
SMQ_CERTS_HTTP_SERVER_KEY=
SMQ_CERTS_GRPC_HOST=
SMQ_CERTS_GRPC_PORT=
SMQ_CERTS_DB_HOST=certs-db
SMQ_CERTS_DB_PORT=5432
SMQ_CERTS_DB_USER=supermq
SMQ_CERTS_DB_PASS=supermq
SMQ_CERTS_DB_NAME=certs
SMQ_CERTS_DB_SSL_MODE=
SMQ_CERTS_DB_SSL_CERT=
SMQ_CERTS_DB_SSL_KEY=
SMQ_CERTS_DB_SSL_ROOT_CERT=
SMQ_CERTS_INSTANCE_ID=
AM_CERTS_LOG_LEVEL=debug
AM_CERTS_HTTP_HOST=certs
AM_CERTS_HTTP_PORT=9019
AM_CERTS_GRPC_HOST=certs
AM_CERTS_GRPC_PORT=7012
AM_CERTS_RELEASE_TAG=latest
AM_CERTS_TOKEN=
### OpenBao
SMQ_OPENBAO_HOST=supermq-openbao
SMQ_OPENBAO_PORT=8200
SMQ_OPENBAO_ADDR=http://supermq-openbao:8200
SMQ_OPENBAO_NAMESPACE=supermq
SMQ_OPENBAO_UNSEAL_KEY_1=
SMQ_OPENBAO_UNSEAL_KEY_2=
SMQ_OPENBAO_UNSEAL_KEY_3=
SMQ_OPENBAO_TOKEN=
SMQ_OPENBAO_ROOT_TOKEN=openbao-root-token
SMQ_OPENBAO_APP_ROLE=supermq
SMQ_OPENBAO_APP_SECRET=supermq
SMQ_OPENBAO_PKI_PATH=pki
SMQ_OPENBAO_PKI_ROLE=supermq
SMQ_OPENBAO_PKI_CA_CN='SuperMQ Root Certificate Authority'
SMQ_OPENBAO_PKI_CA_OU='SuperMQ'
SMQ_OPENBAO_PKI_CA_O='SuperMQ'
SMQ_OPENBAO_PKI_CA_C='FRANCE'
SMQ_OPENBAO_PKI_CA_L='PARIS'
SMQ_OPENBAO_PKI_CA_ST='PARIS'
SMQ_OPENBAO_PKI_CA_ADDR='5 Av. Anatole'
SMQ_OPENBAO_PKI_CA_PO='75007'
SMQ_OPENBAO_PKI_ROLE_NAME=supermq
## Certs Database Configuration
AM_CERTS_DB_HOST=certs-db
AM_CERTS_DB_PORT=5432
AM_CERTS_DB_USER=absmach
AM_CERTS_DB_PASS=absmach
AM_CERTS_DB=certs
AM_CERTS_DB_SSL_MODE=disable
AM_CERTS_DB_MAX_CONNECTIONS=100
## OpenBao Configuration for Certs
AM_CERTS_OPENBAO_HOST=http://certs-openbao:8200
AM_CERTS_OPENBAO_APP_ROLE=absmach
AM_CERTS_OPENBAO_APP_SECRET=absmach
AM_CERTS_OPENBAO_NAMESPACE=
AM_CERTS_OPENBAO_PKI_PATH=pki
AM_CERTS_OPENBAO_ROLE=absmach
## OpenBao PKI CA Configuration
AM_OPENBAO_PKI_CA_CN=Abstract Machines Root Certificate Authority
AM_OPENBAO_PKI_CA_OU=Abstract Machines
AM_OPENBAO_PKI_CA_O=Abstract Machines
AM_OPENBAO_PKI_CA_C=FRANCE
AM_OPENBAO_PKI_CA_L=PARIS
AM_OPENBAO_PKI_CA_ST=PARIS
AM_OPENBAO_PKI_CA_ADDR=5 Av. Anatole
AM_OPENBAO_PKI_CA_PO=75007
AM_OPENBAO_PKI_CA_DNS_NAMES=localhost
AM_OPENBAO_PKI_CA_IP_ADDRESSES=127.0.0.1,::1
AM_OPENBAO_PKI_CA_URI_SANS=
AM_OPENBAO_PKI_CA_EMAIL_ADDRESSES=info@abstractmachines.rs
## OpenBao Unseal Keys and Token
AM_OPENBAO_UNSEAL_KEY_1=
AM_OPENBAO_UNSEAL_KEY_2=
AM_OPENBAO_UNSEAL_KEY_3=
AM_OPENBAO_ROOT_TOKEN=
## Jaeger Configuration for Certs
AM_JAEGER_URL=http://jaeger:4318/v1/traces
AM_JAEGER_TRACE_RATIO=1.0
#### Auth Client Config for Certs Service
AM_AUTH_GRPC_URL=auth:7001
AM_AUTH_GRPC_TIMEOUT=300s
AM_AUTH_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}
AM_AUTH_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}
AM_AUTH_GRPC_SERVER_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
#### Domains Client Config for Certs Service
AM_DOMAINS_GRPC_URL=domains:7003
AM_DOMAINS_GRPC_TIMEOUT=300s
AM_DOMAINS_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/domains-grpc-client.crt}
AM_DOMAINS_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/domains-grpc-client.key}
AM_DOMAINS_GRPC_SERVER_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
SMQ_CERTS_JAEGER_FRONTEND=16687
SMQ_CERTS_JAEGER_OLTP_HTTP=4319
### Postgres
SMQ_POSTGRES_HOST=supermq-postgres
docker/supermq-docker/addons/certs/.env
+87
View File
@@ -0,0 +1,87 @@
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
# Docker: Environment variables in Compose
## CERTS
AM_CERTS_LOG_LEVEL=debug
AM_CERTS_DB_HOST=certs-db
AM_CERTS_DB_PORT=5432
AM_CERTS_DB_USER=absmach
AM_CERTS_DB_PASS=absmach
AM_CERTS_DB=certs
AM_CERTS_DB_SSL_MODE=disable
AM_CERTS_DB_SSL_CERT=
AM_CERTS_DB_SSL_KEY=
AM_CERTS_DB_SSL_ROOT_CERT=
AM_CERTS_DB_MAX_CONNECTIONS=100
AM_CERTS_HTTP_HOST=certs
AM_CERTS_HTTP_PORT=9010
AM_CERTS_HTTP_SERVER_CERT=
AM_CERTS_HTTP_SERVER_KEY=
AM_CERTS_GRPC_HOST=certs
AM_CERTS_GRPC_PORT=7012
AM_CERTS_GRPC_SERVER_CERT=
AM_CERTS_GRPC_SERVER_KEY=
AM_CERTS_GRPC_SERVER_CA_CERTS=
AM_CERTS_GRPC_SERVER_CA_KEY=
AM_CERTS_GRPC_CLIENT_CA_CERTS=
AM_CERTS_GRPC_URL=${AM_CERTS_GRPC_HOST}:${AM_CERTS_GRPC_PORT}
AM_CERTS_GRPC_TIMEOUT=
AM_CERTS_GRPC_CLIENT_CERT=
AM_CERTS_GRPC_CLIENT_KEY=
AM_CERTS_GRPC_CLIENT_TLS=
AM_CERTS_GRPC_CA_CERTS=
AM_CERTS_INSTANCE_ID=
AM_CERTS_RELEASE_TAG=latest
AM_CERTS_SECRET=12345678
## OpenBao PKI Config
AM_CERTS_OPENBAO_HOST=http://certs-openbao:8200
AM_CERTS_OPENBAO_APP_ROLE=absmach
AM_CERTS_OPENBAO_APP_SECRET=absmach
AM_CERTS_OPENBAO_SECRET_ID_TTL=87600h
AM_CERTS_OPENBAO_NAMESPACE=
AM_CERTS_OPENBAO_PKI_PATH=pki
AM_CERTS_OPENBAO_ROLE=absmach
AM_CERTS_OPENBAO_PKI_CA_CN=Abstract Machines Certificate Authority
AM_CERTS_OPENBAO_PKI_CA_OU=Abstract Machines
AM_CERTS_OPENBAO_PKI_CA_O=AbstractMacines
AM_CERTS_OPENBAO_PKI_CA_C=FRANCE
AM_CERTS_OPENBAO_PKI_CA_L=PARIS
AM_CERTS_OPENBAO_PKI_CA_ST=PARIS
AM_CERTS_OPENBAO_PKI_CA_ADDR=5 Av. Anatole
AM_CERTS_OPENBAO_PKI_CA_PO=75007
AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES=localhost
AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES=127.0.0.1,::1
AM_CERTS_OPENBAO_PKI_CA_URI_SANS=
AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES=info@abstractmachines.rs
AM_CERTS_OPENBAO_UNSEAL_KEY_1=
AM_CERTS_OPENBAO_UNSEAL_KEY_2=
AM_CERTS_OPENBAO_UNSEAL_KEY_3=
AM_CERTS_OPENBAO_ROOT_TOKEN=
## Jaeger
AM_JAEGER_PORT=6831
AM_JAEGER_FRONTEND=16686
AM_JAEGER_URL=http://jaeger:4318/v1/traces
AM_JAEGER_TRACE_RATIO=1.0
AM_JAEGER_COLLECTOR_OTLP_ENABLED=true
AM_JAEGER_OLTP_HTTP_PORT=4318
AM_JAEGER_MEMORY_MAX_TRACES=5000
#### Auth Client Config
AM_AUTH_URL=auth:9001
AM_AUTH_GRPC_URL=auth:7001
AM_AUTH_GRPC_TIMEOUT=300s
AM_AUTH_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}
AM_AUTH_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}
AM_AUTH_GRPC_CLIENT_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
AM_AUTH_GRPC_SERVER_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
#### Domains Client Config
AM_DOMAINS_URL=domains:9003
AM_DOMAINS_GRPC_URL=domains:7003
AM_DOMAINS_GRPC_TIMEOUT=300s
AM_DOMAINS_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/domains-grpc-client.crt}
AM_DOMAINS_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/domains-grpc-client.key}
AM_DOMAINS_GRPC_CLIENT_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
docker/supermq-docker/addons/certs/Dockerfile
+28
View File
@@ -0,0 +1,28 @@
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
FROM golang:1.25-alpine AS builder
ARG SVC
ARG GOARCH
ARG GOARM
ARG VERSION
ARG COMMIT
ARG TIME
WORKDIR /go/src/github.com/absmach/certs
COPY . .
RUN apk update \
&& apk add make upx\
&& make $SVC \
&& upx build/$SVC \
&& mv build/$SVC /exe
FROM scratch
# Required for certs service
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /exe /
ENTRYPOINT ["/exe"]
docker/supermq-docker/addons/certs/Dockerfile.dev
+8
View File
@@ -0,0 +1,8 @@
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
FROM scratch
ARG SVC
COPY --from=alpine:latest /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY ./build/$SVC /exe
ENTRYPOINT ["/exe"]
docker/supermq-docker/addons/certs/README.md
-181
View File
@@ -1,181 +0,0 @@
# OpenBao Configuration for SuperMQ
This directory contains both development and production OpenBao configurations for SuperMQ certificate management.
## Overview
Two entrypoint scripts are provided:
- **`dev-entrypoint.sh`**: Development mode with in-memory storage and simple setup
- **`prod-entrypoint.sh`**: Production mode with persistent file storage and proper initialization
Both scripts use environment variables for flexible configuration, allowing you to customize OpenBao behavior without modifying the scripts directly. All configuration is centralized in the `.env` file using the `SMQ_OPENBAO_*` naming convention.
## Configuration Management
### Environment-Based Configuration
All OpenBao configuration is managed through environment variables defined in `/docker/.env`. This approach provides:
- **Consistency**: All OpenBao variables use the `SMQ_OPENBAO_*` naming pattern
- **Flexibility**: Easy customization without script modifications
- **Security**: Sensitive values (tokens, keys) can be externally managed
- **Development/Production Parity**: Same configuration approach for both environments
### Variable Organization
Variables are logically grouped by function:
- **Core**: Basic OpenBao server configuration
- **Authentication**: AppRole and token configuration
- **PKI Engine**: Certificate authority and PKI role settings
- **PKI CA**: Certificate authority details (CN, organization, etc.)
- **Unsealing**: Production unsealing keys and tokens
## Quick Start
### Development Mode (Default)
```bash
docker compose -f docker/docker-compose.yaml -f docker/addons/certs/docker-compose.yaml up -d openbao
```
### Production Mode
To switch to production mode, edit `docker-compose.yaml` and change:
```yaml
- ./dev-entrypoint.sh:/entrypoint.sh
```
to:
```yaml
- ./prod-entrypoint.sh:/entrypoint.sh
```
Then start the service:
```bash
docker compose -f docker/docker-compose.yaml -f docker/addons/certs/docker-compose.yaml up -d openbao
```
## Development Mode Features
- **In-memory storage**: No data persistence (resets on restart)
- **Development server**: Uses `-dev` flag for simple setup
- **Hardcoded tokens**: Uses predictable root token for easy access
- **Quick setup**: Minimal configuration for development
- **No unseal process**: Automatically unsealed
### Development Access
- **Root Token**: `openbao-root-token` (or `SMQ_OPENBAO_ROOT_TOKEN` env var)
- **Web UI**: http://localhost:8200/ui
- **API**: http://localhost:8200
## Production Mode Features
- **File-based storage**: Persistent storage using file backend
- **Proper initialization**: Uses unseal keys and root token
- **Security policies**: Restricted access policies for PKI operations
- **AppRole authentication**: Service-to-service authentication
- **PKI engine**: Certificate authority for SuperMQ services
- **Automatic unsealing**: Handles unsealing on container restart
### Production Security
#### Initial Setup
- On first startup, OpenBao will be automatically initialized with 5 unseal keys and 1 root token
- The initialization data is stored in `/opt/openbao/data/init.json`
- **You must backup this file securely** - it contains the unseal keys and root token
#### Access Production Instance
To get the root token and unseal keys:
```bash
docker exec supermq-openbao cat /opt/openbao/data/init.json
```
Or to get just the root token:
```bash
docker exec supermq-openbao jq -r '.root_token' /opt/openbao/data/init.json
```
#### Manual Operations
```bash
docker exec supermq-openbao bao status
docker exec supermq-openbao bao operator unseal <unseal-key>
docker exec supermq-openbao bao operator seal
```
## Configuration Details
### Development Mode Configuration
- **Storage**: In-memory (no persistence)
- **Listener**: TCP on `0.0.0.0:8200` (TLS disabled)
- **Authentication**: Simple root token
- **PKI**: Basic setup for testing
### Production Mode Configuration
- **Storage**: File backend at `/opt/openbao/data`
- **Listener**: TCP on `0.0.0.0:8200` (TLS disabled for internal use)
- **UI**: Enabled for administration
- **Logging**: Info level
- **Initialization**: 5 unseal keys, 3 required
- **Authentication**: AppRole for services
### PKI Engine (Both Modes)
- **Path**: `/pki`
- **Root CA**: SuperMQ Root CA
- **Certificate Role**: `supermq` role for service certificates
- **Max TTL**: 720 hours (30 days) for dev, 87600 hours (10 years) for root CA in prod
### AppRole Authentication
- **Role**: `supermq`
- **Policies**: `pki-policy` (restricted PKI access)
- **Token TTL**: 1 hour (renewable up to 4 hours)
## Environment Variables
### OpenBao Core Configuration
- `SMQ_OPENBAO_HOST`: OpenBao server hostname (default: `supermq-openbao`)
- `SMQ_OPENBAO_PORT`: OpenBao server port (default: `8200`)
- `SMQ_OPENBAO_ADDR`: Full OpenBao server URL (default: `http://supermq-openbao:8200`)
- `SMQ_OPENBAO_NAMESPACE`: OpenBao namespace
- `SMQ_OPENBAO_ROOT_TOKEN`: Custom root token for development mode
- `SMQ_OPENBAO_TOKEN`: Custom token for production mode
- `SMQ_OPENBAO_UNSEAL_KEY_1`: First unseal key for production mode
- `SMQ_OPENBAO_UNSEAL_KEY_2`: Second unseal key for production mode
- `SMQ_OPENBAO_UNSEAL_KEY_3`: Third unseal key for production mode
### OpenBao Authentication Configuration
- `SMQ_OPENBAO_APP_ROLE`: AppRole role ID for service authentication
- `SMQ_OPENBAO_APP_SECRET`: AppRole secret ID for service authentication
### OpenBao PKI Configuration
- `SMQ_OPENBAO_PKI_PATH`: PKI secrets engine path (default: `pki`)
- `SMQ_OPENBAO_PKI_ROLE`: PKI role name for certificate issuance (default: `supermq`)
- `SMQ_OPENBAO_PKI_ROLE_NAME`: PKI role name for certificate generation (default: `supermq`)
### OpenBao PKI Certificate Authority Configuration
- `SMQ_OPENBAO_PKI_CA_CN`: Certificate Authority Common Name
- `SMQ_OPENBAO_PKI_CA_OU`: Certificate Authority Organizational Unit
- `SMQ_OPENBAO_PKI_CA_O`: Certificate Authority Organization
- `SMQ_OPENBAO_PKI_CA_C`: Certificate Authority Country
- `SMQ_OPENBAO_PKI_CA_L`: Certificate Authority Locality
- `SMQ_OPENBAO_PKI_CA_ST`: Certificate Authority State/Province
- `SMQ_OPENBAO_PKI_CA_ADDR`: Certificate Authority Street Address
- `SMQ_OPENBAO_PKI_CA_PO`: Certificate Authority Postal Code
### Certs Service OpenBao Integration
For the SuperMQ certs service, the following variables are used internally:
- `SMQ_CERTS_OPENBAO_HOST`: Maps to `SMQ_OPENBAO_HOST` and `SMQ_OPENBAO_PORT`
- `SMQ_CERTS_OPENBAO_APP_ROLE`: Maps to `SMQ_OPENBAO_APP_ROLE`
- `SMQ_CERTS_OPENBAO_APP_SECRET`: Maps to `SMQ_OPENBAO_APP_SECRET`
- `SMQ_CERTS_OPENBAO_NAMESPACE`: Maps to `SMQ_OPENBAO_NAMESPACE`
- `SMQ_CERTS_OPENBAO_PKI_PATH`: Maps to `SMQ_OPENBAO_PKI_PATH`
- `SMQ_CERTS_OPENBAO_ROLE`: Maps to `SMQ_OPENBAO_PKI_ROLE`
## Switching Between Modes
### To Switch to Production Mode:
1. Edit `docker-compose.yaml`
2. Change `./dev-entrypoint.sh:/entrypoint.sh` to `./prod-entrypoint.sh:/entrypoint.sh`
3. Restart the container
### To Switch to Development Mode:
1. Edit `docker-compose.yaml`
2. Change `./prod-entrypoint.sh:/entrypoint.sh` to `./dev-entrypoint.sh:/entrypoint.sh`
3. Restart the container
docker/supermq-docker/addons/certs/dev-entrypoint.sh
-72
View File
@@ -1,72 +0,0 @@
#!/bin/sh
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
set -e
bao server -dev \
-dev-root-token-id="${BAO_DEV_ROOT_TOKEN_ID}" \
-dev-listen-address="0.0.0.0:8200" \
-log-level=info &
BAO_PID=$!
sleep 5
export BAO_ADDR=http://localhost:8200
export BAO_TOKEN="${BAO_DEV_ROOT_TOKEN_ID}"
if [ -n "$SMQ_OPENBAO_NAMESPACE" ]; then
export BAO_NAMESPACE=$SMQ_OPENBAO_NAMESPACE
fi
bao auth enable approle 2>/dev/null || echo "AppRole already enabled"
bao secrets enable -path=$SMQ_OPENBAO_PKI_PATH pki 2>/dev/null || echo "PKI already enabled"
bao secrets tune -max-lease-ttl=87600h $SMQ_OPENBAO_PKI_PATH >/dev/null 2>&1 || true
bao write -field=certificate $SMQ_OPENBAO_PKI_PATH/root/generate/internal \
common_name="$SMQ_OPENBAO_PKI_CA_CN" \
organization="$SMQ_OPENBAO_PKI_CA_O" \
ou="$SMQ_OPENBAO_PKI_CA_OU" \
country="$SMQ_OPENBAO_PKI_CA_C" \
locality="$SMQ_OPENBAO_PKI_CA_L" \
province="$SMQ_OPENBAO_PKI_CA_ST" \
street_address="$SMQ_OPENBAO_PKI_CA_ADDR" \
postal_code="$SMQ_OPENBAO_PKI_CA_PO" \
ttl=87600h >/dev/null 2>&1 || true
bao write $SMQ_OPENBAO_PKI_PATH/config/urls \
issuing_certificates="http://localhost:8200/v1/$SMQ_OPENBAO_PKI_PATH/ca" \
crl_distribution_points="http://localhost:8200/v1/$SMQ_OPENBAO_PKI_PATH/crl" >/dev/null 2>&1 || true
bao write $SMQ_OPENBAO_PKI_PATH/roles/$SMQ_OPENBAO_PKI_ROLE_NAME \
allow_any_name=true enforce_hostnames=false allow_ip_sans=true \
allow_localhost=true max_ttl=720h ttl=720h >/dev/null 2>&1 || true
cat > /tmp/policy.hcl << EOF
path "$SMQ_OPENBAO_PKI_PATH/issue/$SMQ_OPENBAO_PKI_ROLE_NAME" { capabilities = ["create", "update"] }
path "$SMQ_OPENBAO_PKI_PATH/certs" { capabilities = ["list"] }
path "$SMQ_OPENBAO_PKI_PATH/cert/*" { capabilities = ["read"] }
path "$SMQ_OPENBAO_PKI_PATH/revoke" { capabilities = ["create", "update"] }
path "auth/token/renew-self" { capabilities = ["update"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
EOF
bao policy write pki-policy /tmp/policy.hcl >/dev/null 2>&1 || true
bao write auth/approle/role/supermq \
token_policies=pki-policy token_ttl=1h token_max_ttl=4h renewable=true \
bind_secret_id=true >/dev/null 2>&1 || true
if [ -n "$SMQ_OPENBAO_APP_ROLE" ]; then
bao write auth/approle/role/supermq/role-id role_id="$SMQ_OPENBAO_APP_ROLE" >/dev/null 2>&1 || true
fi
if [ -n "$SMQ_OPENBAO_APP_SECRET" ]; then
bao write auth/approle/role/supermq/custom-secret-id secret_id="$SMQ_OPENBAO_APP_SECRET" >/dev/null 2>&1 || true
fi
echo "OpenBao configuration completed successfully!"
echo "OpenBao is ready for SuperMQ on port 8200"
echo "Root Token: ${BAO_DEV_ROOT_TOKEN_ID}"
wait $BAO_PID
docker/supermq-docker/addons/certs/docker-compose.yaml
+89 -108
View File
@@ -1,134 +1,115 @@
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
# This docker-compose file contains optional certs services. Since it's optional, this file is
# dependent of docker-compose file from <project_root>/docker. In order to run this services, execute command:
# docker compose -f docker/docker-compose.yaml -f docker/addons/certs/docker-compose.yaml up
# from project root.
name: "certs"
networks:
supermq-base-net:
name: supermq-base-net
external: true
certs-base-net:
driver: bridge
# Volumes for OpenBao data and configuration
volumes:
supermq-openbao-volume:
supermq-certs-db-volume:
openbao-data:
certs-db-volume:
services:
certs-db:
image: postgres:16.1-alpine
container_name: supermq-certs-db
restart: on-failure
environment:
POSTGRES_USER: ${SMQ_CERTS_DB_USER}
POSTGRES_PASSWORD: ${SMQ_CERTS_DB_PASS}
POSTGRES_DB: ${SMQ_CERTS_DB_NAME}
networks:
- supermq-base-net
volumes:
- supermq-certs-db-volume:/var/lib/postgresql/data
certs:
image: supermq/certs:${SMQ_RELEASE_TAG}
container_name: supermq-certs
image: ghcr.io/absmach/certs:${AM_CERTS_RELEASE_TAG}
container_name: certs
depends_on:
- openbao
- certs-db
restart: on-failure
networks:
- supermq-base-net
ports:
- ${SMQ_CERTS_HTTP_PORT}:${SMQ_CERTS_HTTP_PORT}
- certs-base-net
environment:
SMQ_CERTS_LOG_LEVEL: ${SMQ_CERTS_LOG_LEVEL}
SMQ_CERTS_SIGN_CA_PATH: ${SMQ_CERTS_SIGN_CA_PATH}
SMQ_CERTS_SIGN_CA_KEY_PATH: ${SMQ_CERTS_SIGN_CA_KEY_PATH}
SMQ_CERTS_OPENBAO_HOST: http://${SMQ_OPENBAO_HOST}:${SMQ_OPENBAO_PORT}
SMQ_CERTS_OPENBAO_APP_ROLE: ${SMQ_OPENBAO_APP_ROLE}
SMQ_CERTS_OPENBAO_APP_SECRET: ${SMQ_OPENBAO_APP_SECRET}
SMQ_CERTS_OPENBAO_NAMESPACE: ${SMQ_OPENBAO_NAMESPACE}
SMQ_CERTS_OPENBAO_PKI_PATH: ${SMQ_OPENBAO_PKI_PATH}
SMQ_CERTS_OPENBAO_ROLE: ${SMQ_OPENBAO_PKI_ROLE}
SMQ_CERTS_HTTP_HOST: ${SMQ_CERTS_HTTP_HOST}
SMQ_CERTS_HTTP_PORT: ${SMQ_CERTS_HTTP_PORT}
SMQ_CERTS_HTTP_SERVER_CERT: ${SMQ_CERTS_HTTP_SERVER_CERT}
SMQ_CERTS_HTTP_SERVER_KEY: ${SMQ_CERTS_HTTP_SERVER_KEY}
SMQ_CERTS_DB_HOST: ${SMQ_CERTS_DB_HOST}
SMQ_CERTS_DB_PORT: ${SMQ_CERTS_DB_PORT}
SMQ_CERTS_DB_PASS: ${SMQ_CERTS_DB_PASS}
SMQ_CERTS_DB_USER: ${SMQ_CERTS_DB_USER}
SMQ_CERTS_DB_NAME: ${SMQ_CERTS_DB_NAME}
SMQ_CERTS_DB_SSL_MODE: ${SMQ_CERTS_DB_SSL_MODE}
SMQ_CERTS_DB_SSL_CERT: ${SMQ_CERTS_DB_SSL_CERT}
SMQ_CERTS_DB_SSL_KEY: ${SMQ_CERTS_DB_SSL_KEY}
SMQ_CERTS_DB_SSL_ROOT_CERT: ${SMQ_CERTS_DB_SSL_ROOT_CERT}
SMQ_AUTH_GRPC_URL: ${SMQ_AUTH_GRPC_URL}
SMQ_AUTH_GRPC_TIMEOUT: ${SMQ_AUTH_GRPC_TIMEOUT}
SMQ_AUTH_GRPC_CLIENT_CERT: ${SMQ_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
SMQ_AUTH_GRPC_CLIENT_KEY: ${SMQ_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
SMQ_AUTH_GRPC_SERVER_CA_CERTS: ${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
SMQ_CLIENTS_URL: ${SMQ_CLIENTS_URL}
SMQ_JAEGER_URL: ${SMQ_JAEGER_URL}
SMQ_JAEGER_TRACE_RATIO: ${SMQ_JAEGER_TRACE_RATIO}
SMQ_SEND_TELEMETRY: ${SMQ_SEND_TELEMETRY}
SMQ_CERTS_INSTANCE_ID: ${SMQ_CERTS_INSTANCE_ID}
SMQ_ALLOW_UNVERIFIED_USER: ${SMQ_ALLOW_UNVERIFIED_USER}
volumes:
- ../../ssl/certs/ca.key:/etc/ssl/certs/ca.key
- ../../ssl/certs/ca.crt:/etc/ssl/certs/ca.crt
- type: bind
source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${SMQ_AUTH_GRPC_CLIENT_CERT:-./ssl/certs/dummy/client_cert}
target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_CERT:+.crt}
bind:
create_host_path: true
- type: bind
source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${SMQ_AUTH_GRPC_CLIENT_KEY:-./ssl/certs/dummy/client_key}
target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_KEY:+.key}
bind:
create_host_path: true
- type: bind
source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${SMQ_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/certs/dummy/server_ca}
target: /auth-grpc-server-ca${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
bind:
create_host_path: true
AM_CERTS_LOG_LEVEL: ${AM_CERTS_LOG_LEVEL}
AM_CERTS_HTTP_HOST: ${AM_CERTS_HTTP_HOST}
AM_CERTS_HTTP_PORT: ${AM_CERTS_HTTP_PORT}
AM_CERTS_GRPC_HOST: ${AM_CERTS_GRPC_HOST}
AM_CERTS_GRPC_PORT: ${AM_CERTS_GRPC_PORT}
AM_JAEGER_URL: ${AM_JAEGER_URL}
AM_JAEGER_TRACE_RATIO: ${AM_JAEGER_TRACE_RATIO}
AM_CERTS_OPENBAO_HOST: ${AM_CERTS_OPENBAO_HOST}
AM_CERTS_OPENBAO_APP_ROLE: ${AM_CERTS_OPENBAO_APP_ROLE}
AM_CERTS_OPENBAO_APP_SECRET: ${AM_CERTS_OPENBAO_APP_SECRET}
AM_CERTS_OPENBAO_NAMESPACE: ${AM_CERTS_OPENBAO_NAMESPACE}
AM_CERTS_OPENBAO_PKI_PATH: ${AM_CERTS_OPENBAO_PKI_PATH}
AM_CERTS_OPENBAO_ROLE: ${AM_CERTS_OPENBAO_ROLE}
AM_CERTS_DB_HOST: ${AM_CERTS_DB_HOST}
AM_CERTS_DB_PORT: ${AM_CERTS_DB_PORT}
AM_CERTS_DB_USER: ${AM_CERTS_DB_USER}
AM_CERTS_DB_PASS: ${AM_CERTS_DB_PASS}
AM_CERTS_DB: ${AM_CERTS_DB}
AM_CERTS_DB_SSL_MODE: ${AM_CERTS_DB_SSL_MODE}
AM_AUTH_GRPC_URL: ${AM_AUTH_GRPC_URL}
AM_AUTH_GRPC_TIMEOUT: ${AM_AUTH_GRPC_TIMEOUT}
AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT}
AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY}
AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS}
AM_DOMAINS_GRPC_URL: ${AM_DOMAINS_GRPC_URL}
AM_DOMAINS_GRPC_TIMEOUT: ${AM_DOMAINS_GRPC_TIMEOUT}
AM_DOMAINS_GRPC_CLIENT_CERT: ${AM_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
AM_DOMAINS_GRPC_CLIENT_KEY: ${AM_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
AM_DOMAINS_GRPC_SERVER_CA_CERTS: ${AM_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
AM_CERTS_SECRET: ${AM_CERTS_SECRET}
ports:
- ${AM_CERTS_HTTP_PORT}:${AM_CERTS_HTTP_PORT}
- ${AM_CERTS_GRPC_PORT}:${AM_CERTS_GRPC_PORT}
openbao:
image: openbao/openbao:latest
container_name: supermq-openbao
certs-db:
image: postgres:16.2-alpine
container_name: certs-db
restart: on-failure
networks:
- supermq-base-net
ports:
- ${SMQ_OPENBAO_PORT}:${SMQ_OPENBAO_PORT}
- certs-base-net
command: postgres -c "max_connections=${AM_CERTS_DB_MAX_CONNECTIONS}"
environment:
- BAO_DEV_ROOT_TOKEN_ID=${SMQ_OPENBAO_ROOT_TOKEN}
- BAO_ADDR=http://127.0.0.1:${SMQ_OPENBAO_PORT}
- SMQ_OPENBAO_PKI_ROLE=${SMQ_OPENBAO_PKI_ROLE}
- SMQ_OPENBAO_APP_ROLE=${SMQ_OPENBAO_APP_ROLE}
- SMQ_OPENBAO_APP_SECRET=${SMQ_OPENBAO_APP_SECRET}
- SMQ_OPENBAO_PORT=${SMQ_OPENBAO_PORT}
- SMQ_OPENBAO_NAMESPACE=${SMQ_OPENBAO_NAMESPACE}
- SMQ_OPENBAO_UNSEAL_KEY_1=${SMQ_OPENBAO_UNSEAL_KEY_1}
- SMQ_OPENBAO_UNSEAL_KEY_2=${SMQ_OPENBAO_UNSEAL_KEY_2}
- SMQ_OPENBAO_UNSEAL_KEY_3=${SMQ_OPENBAO_UNSEAL_KEY_3}
- SMQ_OPENBAO_TOKEN=${SMQ_OPENBAO_TOKEN}
- SMQ_OPENBAO_PKI_CA_CN=${SMQ_OPENBAO_PKI_CA_CN}
- SMQ_OPENBAO_PKI_CA_OU=${SMQ_OPENBAO_PKI_CA_OU}
- SMQ_OPENBAO_PKI_CA_O=${SMQ_OPENBAO_PKI_CA_O}
- SMQ_OPENBAO_PKI_CA_C=${SMQ_OPENBAO_PKI_CA_C}
- SMQ_OPENBAO_PKI_CA_L=${SMQ_OPENBAO_PKI_CA_L}
- SMQ_OPENBAO_PKI_CA_ST=${SMQ_OPENBAO_PKI_CA_ST}
- SMQ_OPENBAO_PKI_CA_ADDR=${SMQ_OPENBAO_PKI_CA_ADDR}
- SMQ_OPENBAO_PKI_CA_PO=${SMQ_OPENBAO_PKI_CA_PO}
- SMQ_OPENBAO_PKI_ROLE_NAME=${SMQ_OPENBAO_PKI_ROLE_NAME}
POSTGRES_USER: ${AM_CERTS_DB_USER}
POSTGRES_PASSWORD: ${AM_CERTS_DB_PASS}
POSTGRES_DB: ${AM_CERTS_DB}
ports:
- 5454:5432
volumes:
- certs-db-volume:/var/lib/postgresql/data
openbao:
image: openbao/openbao:2.4.0
container_name: certs-openbao
restart: on-failure
networks:
- certs-base-net
ports:
- 8200:8200
environment:
- BAO_ADDR=http://127.0.0.1:8200
- BAO_LOG_LEVEL=info
- AM_CERTS_OPENBAO_PKI_ROLE=${AM_CERTS_OPENBAO_ROLE}
- AM_CERTS_OPENBAO_APP_ROLE=${AM_CERTS_OPENBAO_APP_ROLE}
- AM_CERTS_OPENBAO_APP_SECRET=${AM_CERTS_OPENBAO_APP_SECRET}
- AM_CERTS_OPENBAO_SECRET_ID_TTL=${AM_CERTS_OPENBAO_SECRET_ID_TTL}
- AM_CERTS_OPENBAO_NAMESPACE=${AM_CERTS_OPENBAO_NAMESPACE}
- AM_CERTS_OPENBAO_PKI_CA_CN=${AM_CERTS_OPENBAO_PKI_CA_CN}
- AM_CERTS_OPENBAO_PKI_CA_OU=${AM_CERTS_OPENBAO_PKI_CA_OU}
- AM_CERTS_OPENBAO_PKI_CA_O=${AM_CERTS_OPENBAO_PKI_CA_O}
- AM_CERTS_OPENBAO_PKI_CA_C=${AM_CERTS_OPENBAO_PKI_CA_C}
- AM_CERTS_OPENBAO_PKI_CA_L=${AM_CERTS_OPENBAO_PKI_CA_L}
- AM_CERTS_OPENBAO_PKI_CA_ST=${AM_CERTS_OPENBAO_PKI_CA_ST}
- AM_CERTS_OPENBAO_PKI_CA_ADDR=${AM_CERTS_OPENBAO_PKI_CA_ADDR}
- AM_CERTS_OPENBAO_PKI_CA_PO=${AM_CERTS_OPENBAO_PKI_CA_PO}
- AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES=${AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES}
- AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES=${AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES}
- AM_CERTS_OPENBAO_PKI_CA_URI_SANS=${AM_CERTS_OPENBAO_PKI_CA_URI_SANS}
- AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES=${AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES}
- AM_CERTS_OPENBAO_UNSEAL_KEY_1=${AM_CERTS_OPENBAO_UNSEAL_KEY_1}
- AM_CERTS_OPENBAO_UNSEAL_KEY_2=${AM_CERTS_OPENBAO_UNSEAL_KEY_2}
- AM_CERTS_OPENBAO_UNSEAL_KEY_3=${AM_CERTS_OPENBAO_UNSEAL_KEY_3}
- AM_CERTS_OPENBAO_ROOT_TOKEN=${AM_CERTS_OPENBAO_ROOT_TOKEN}
cap_add:
- IPC_LOCK
mem_swappiness: 0
volumes:
- supermq-openbao-volume:/opt/openbao/data
- supermq-openbao-volume:/opt/openbao/config
- ./prod-entrypoint.sh:/entrypoint.sh
- openbao-data:/opt/openbao/data
- openbao-data:/opt/openbao/config
- ./openbao-entrypoint.sh:/entrypoint.sh
entrypoint: /bin/sh
command: /entrypoint.sh
docker/supermq-docker/addons/certs/openbao-entrypoint.sh
Executable
+402
View File
@@ -0,0 +1,402 @@
#!/bin/sh
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
set -e
apk add --no-cache jq
# Create required directories
mkdir -p /opt/openbao/config /opt/openbao/data /opt/openbao/logs
cat > /opt/openbao/config/config.hcl << 'EOF'
storage "file" {
path = "/opt/openbao/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
ui = true
log_level = "Info"
disable_mlock = true
# API timeout settings
default_lease_ttl = "168h"
max_lease_ttl = "720h"
EOF
export BAO_ADDR=http://127.0.0.1:8200
# Check if we have pre-configured unseal keys and root token
if [ -n "$AM_CERTS_OPENBAO_UNSEAL_KEY_1" ] && [ -n "$AM_CERTS_OPENBAO_UNSEAL_KEY_2" ] && [ -n "$AM_CERTS_OPENBAO_UNSEAL_KEY_3" ] && [ -n "$AM_CERTS_OPENBAO_ROOT_TOKEN" ]; then
echo "Using pre-configured unseal keys and root token..."
bao server -config=/opt/openbao/config/config.hcl > /opt/openbao/logs/server.log 2>&1 &
BAO_PID=$!
sleep 5
bao operator unseal "$AM_CERTS_OPENBAO_UNSEAL_KEY_1"
bao operator unseal "$AM_CERTS_OPENBAO_UNSEAL_KEY_2"
bao operator unseal "$AM_CERTS_OPENBAO_UNSEAL_KEY_3"
export BAO_TOKEN=$AM_CERTS_OPENBAO_ROOT_TOKEN
else
# Initialize OpenBao if not already done
if [ ! -f /opt/openbao/data/init.json ]; then
echo "Initializing OpenBao for the first time..."
bao server -config=/opt/openbao/config/config.hcl > /opt/openbao/logs/server.log 2>&1 &
BAO_PID=$!
sleep 5
# Initialize with 5 key shares and threshold of 3
bao operator init -key-shares=5 -key-threshold=3 -format=json > /opt/openbao/data/init.json
# Extract unseal keys and root token
UNSEAL_KEY_1=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[0]')
UNSEAL_KEY_2=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[1]')
UNSEAL_KEY_3=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[2]')
ROOT_TOKEN=$(cat /opt/openbao/data/init.json | jq -r '.root_token')
# Unseal OpenBao
bao operator unseal "$UNSEAL_KEY_1"
bao operator unseal "$UNSEAL_KEY_2"
bao operator unseal "$UNSEAL_KEY_3"
export BAO_TOKEN=$ROOT_TOKEN
echo "OpenBao initialized successfully!"
else
echo "OpenBao already initialized, starting server..."
bao server -config=/opt/openbao/config/config.hcl > /opt/openbao/logs/server.log 2>&1 &
BAO_PID=$!
sleep 5
# Check if OpenBao is sealed and unseal if necessary
if bao status -format=json | jq -e '.sealed == true' >/dev/null; then
echo "OpenBao is sealed, unsealing..."
UNSEAL_KEY_1=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[0]')
UNSEAL_KEY_2=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[1]')
UNSEAL_KEY_3=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[2]')
bao operator unseal "$UNSEAL_KEY_1"
bao operator unseal "$UNSEAL_KEY_2"
bao operator unseal "$UNSEAL_KEY_3"
echo "OpenBao unsealed successfully!"
else
echo "OpenBao is already unsealed!"
fi
ROOT_TOKEN=$(cat /opt/openbao/data/init.json | jq -r '.root_token')
export BAO_TOKEN=$ROOT_TOKEN
fi
fi
# Configure OpenBao PKI and AppRole if not already configured
if [ ! -f /opt/openbao/data/configured ]; then
echo "Configuring OpenBao PKI and AppRole..."
# Create namespace if specified
if [ -n "$AM_CERTS_OPENBAO_NAMESPACE" ]; then
if bao namespace create "$AM_CERTS_OPENBAO_NAMESPACE" 2>/tmp/ns_error; then
export BAO_NAMESPACE="$AM_CERTS_OPENBAO_NAMESPACE"
echo "$AM_CERTS_OPENBAO_NAMESPACE" > /opt/openbao/data/namespace
echo "Created namespace: $AM_CERTS_OPENBAO_NAMESPACE"
else
if grep -q "namespace already exists" /tmp/ns_error; then
export BAO_NAMESPACE="$AM_CERTS_OPENBAO_NAMESPACE"
echo "$AM_CERTS_OPENBAO_NAMESPACE" > /opt/openbao/data/namespace
echo "Using existing namespace: $AM_CERTS_OPENBAO_NAMESPACE"
else
echo "ERROR: Failed to create namespace $AM_CERTS_OPENBAO_NAMESPACE:" >&2
cat /tmp/ns_error >&2
exit 1
fi
fi
rm -f /tmp/ns_error
fi
# Enable authentication methods and secrets engines
if ! bao auth enable approle > /tmp/auth_success 2>/tmp/auth_error; then
if ! grep -q "already in use" /tmp/auth_error; then
echo "ERROR: Failed to enable AppRole auth method:" >&2
cat /tmp/auth_error >&2
exit 1
fi
echo "AppRole already enabled"
fi
rm -f /tmp/auth_error /tmp/auth_success
# Enable PKI secrets engine
if ! bao secrets enable -path=pki pki > /tmp/pki_success 2>/tmp/pki_error; then
# If the failure wasnt because the mount already exists, abort
if ! grep -q "already in use" /tmp/pki_error; then
echo "ERROR: Failed to enable PKI secrets engine:" >&2
cat /tmp/pki_error >&2
exit 1
fi
echo "PKI already enabled"
fi
rm -f /tmp/pki_error /tmp/pki_success
# Configure PKI engine
bao secrets tune -max-lease-ttl=87600h pki > /dev/null
# Validate required CA environment variables
for var in AM_CERTS_OPENBAO_PKI_CA_CN AM_CERTS_OPENBAO_PKI_CA_O AM_CERTS_OPENBAO_PKI_CA_C; do
eval "value=\$var"
if [ -z "$value" ]; then
echo "ERROR: Required environment variable $var is not set" >&2
exit 1
fi
done
PKI_CMD="bao write -field=certificate pki/root/generate/internal \
common_name=\"$AM_CERTS_OPENBAO_PKI_CA_CN\" \
organization=\"$AM_CERTS_OPENBAO_PKI_CA_O\" \
country=\"$AM_CERTS_OPENBAO_PKI_CA_C\" \
ttl=87600h \
key_bits=2048 \
exclude_cn_from_sans=false"
[ -n "$AM_CERTS_OPENBAO_PKI_CA_OU" ] && PKI_CMD="$PKI_CMD ou=\"$AM_CERTS_OPENBAO_PKI_CA_OU\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_L" ] && PKI_CMD="$PKI_CMD locality=\"$AM_CERTS_OPENBAO_PKI_CA_L\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_ST" ] && PKI_CMD="$PKI_CMD province=\"$AM_CERTS_OPENBAO_PKI_CA_ST\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_ADDR" ] && PKI_CMD="$PKI_CMD street_address=\"$AM_CERTS_OPENBAO_PKI_CA_ADDR\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_PO" ] && PKI_CMD="$PKI_CMD postal_code=\"$AM_CERTS_OPENBAO_PKI_CA_PO\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES" ] && PKI_CMD="$PKI_CMD alt_names=\"$AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES" ] && PKI_CMD="$PKI_CMD ip_sans=\"$AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_URI_SANS" ] && PKI_CMD="$PKI_CMD uri_sans=\"$AM_CERTS_OPENBAO_PKI_CA_URI_SANS\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES" ] && PKI_CMD="$PKI_CMD email_sans=\"$AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES\""
eval $PKI_CMD > /dev/null
if [ $? -eq 0 ]; then
echo "OpenBao root CA certificate generated successfully!"
else
echo "ERROR: Failed to generate OpenBao root CA certificate" >&2
exit 1
fi
if ! bao secrets enable -path=pki_int pki > /tmp/pki_int_success 2>/tmp/pki_int_error; then
if ! grep -q "already in use" /tmp/pki_int_error; then
echo "ERROR: Failed to enable intermediate PKI secrets engine:" >&2
cat /tmp/pki_int_error >&2
exit 1
fi
echo "Intermediate PKI already enabled"
fi
rm -f /tmp/pki_int_error /tmp/pki_int_success
bao secrets tune -max-lease-ttl=8760h pki_int > /dev/null
INTERMEDIATE_CN="${AM_CERTS_OPENBAO_PKI_CA_CN} Intermediate"
INTERMEDIATE_CSR_CMD="bao write -field=csr pki_int/intermediate/generate/internal \
common_name=\"$INTERMEDIATE_CN\" \
organization=\"$AM_CERTS_OPENBAO_PKI_CA_O\" \
country=\"$AM_CERTS_OPENBAO_PKI_CA_C\" \
ttl=8760h \
key_bits=2048"
[ -n "$AM_CERTS_OPENBAO_PKI_CA_OU" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD ou=\"$AM_CERTS_OPENBAO_PKI_CA_OU\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_L" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD locality=\"$AM_CERTS_OPENBAO_PKI_CA_L\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_ST" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD province=\"$AM_CERTS_OPENBAO_PKI_CA_ST\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_ADDR" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD street_address=\"$AM_CERTS_OPENBAO_PKI_CA_ADDR\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_PO" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD postal_code=\"$AM_CERTS_OPENBAO_PKI_CA_PO\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD alt_names=\"$AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD ip_sans=\"$AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_URI_SANS" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD uri_sans=\"$AM_CERTS_OPENBAO_PKI_CA_URI_SANS\""
[ -n "$AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES" ] && INTERMEDIATE_CSR_CMD="$INTERMEDIATE_CSR_CMD email_sans=\"$AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES\""
INTERMEDIATE_CSR=$(eval $INTERMEDIATE_CSR_CMD)
if [ $? -ne 0 ] || [ -z "$INTERMEDIATE_CSR" ]; then
echo "ERROR: Failed to generate intermediate CA CSR" >&2
exit 1
fi
echo "Intermediate CA CSR generated successfully!"
INTERMEDIATE_CERT=$(bao write -field=certificate pki/root/sign-intermediate \
csr="$INTERMEDIATE_CSR" \
format=pem_bundle \
ttl=8760h \
use_csr_values=true)
if [ $? -ne 0 ] || [ -z "$INTERMEDIATE_CERT" ]; then
echo "ERROR: Failed to sign intermediate CA certificate" >&2
exit 1
fi
echo "Intermediate CA certificate signed successfully!"
bao write pki_int/intermediate/set-signed certificate="$INTERMEDIATE_CERT" > /dev/null
if [ $? -eq 0 ]; then
echo "Intermediate CA setup completed successfully!"
else
echo "ERROR: Failed to set signed intermediate certificate" >&2
exit 1
fi
echo "$INTERMEDIATE_CERT" > /opt/openbao/data/intermediate_ca.pem
bao write pki/config/urls \
issuing_certificates='http://127.0.0.1:8200/v1/pki/ca' \
crl_distribution_points='http://127.0.0.1:8200/v1/pki/crl' \
ocsp_servers='http://127.0.0.1:8200/v1/pki/ocsp' > /dev/null
bao write pki_int/config/urls \
issuing_certificates='http://127.0.0.1:8200/v1/pki_int/ca' \
crl_distribution_points='http://127.0.0.1:8200/v1/pki_int/crl' \
ocsp_servers='http://127.0.0.1:8200/v1/pki_int/ocsp' > /dev/null
ROLE_CMD="bao write pki_int/roles/${AM_CERTS_OPENBAO_PKI_ROLE} \
allow_any_name=true \
enforce_hostnames=false \
allow_ip_sans=true \
allow_localhost=true \
allow_bare_domains=true \
allow_subdomains=true \
allow_glob_domains=true \
allowed_domains=\"*\" \
allowed_uri_sans=\"*\" \
allowed_other_sans=\"*\" \
server_flag=true \
client_flag=true \
code_signing_flag=false \
email_protection_flag=false \
key_type=rsa \
key_bits=2048 \
key_usage=\"DigitalSignature,KeyEncipherment,KeyAgreement\" \
ext_key_usage=\"ServerAuth,ClientAuth,OCSPSigning\" \
use_csr_common_name=true \
use_csr_sans=false \
max_ttl=720h \
ttl=720h"
eval "$ROLE_CMD" > /dev/null
# Create PKI policy
cat > /opt/openbao/config/pki-policy.hcl << EOF
path "pki_int/issue/${AM_CERTS_OPENBAO_PKI_ROLE}" {
capabilities = ["create", "update"]
}
path "pki_int/sign/${AM_CERTS_OPENBAO_PKI_ROLE}" {
capabilities = ["create", "update"]
}
path "pki_int/certs" {
capabilities = ["list"]
}
path "pki_int/cert/*" {
capabilities = ["read"]
}
path "pki_int/revoke" {
capabilities = ["create", "update"]
}
path "pki_int/ca" {
capabilities = ["read"]
}
path "pki_int/ca_chain" {
capabilities = ["read"]
}
path "pki_int/crl" {
capabilities = ["read"]
}
path "pki/ca" {
capabilities = ["read"]
}
path "pki/ca_chain" {
capabilities = ["read"]
}
path "pki/crl" {
capabilities = ["read"]
}
# Token management
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# System lease renewal
path "sys/renew/*" {
capabilities = ["update"]
}
EOF
bao policy write pki-policy /opt/openbao/config/pki-policy.hcl > /dev/null
# Create AppRole
SECRET_ID_TTL="${AM_CERTS_OPENBAO_SECRET_ID_TTL}"
bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}" \
token_policies=pki-policy \
token_ttl=1h \
token_max_ttl=4h \
bind_secret_id=true \
secret_id_ttl="$SECRET_ID_TTL" > /dev/null
# Set custom role ID if provided
if [ -n "$AM_CERTS_OPENBAO_APP_ROLE" ]; then
bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/role-id role_id="$AM_CERTS_OPENBAO_APP_ROLE" > /dev/null
fi
# Set custom secret ID if provided
if [ -n "$AM_CERTS_OPENBAO_APP_SECRET" ]; then
bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/custom-secret-id secret_id="$AM_CERTS_OPENBAO_APP_SECRET" > /dev/null
fi
# Generate service token for additional access
SERVICE_TOKEN=$(bao write -field=token auth/token/create \
policies=pki-policy \
ttl=24h \
renewable=true \
display_name="certs-service" 2>/dev/null)
echo "SERVICE_TOKEN=$SERVICE_TOKEN" > /opt/openbao/data/service_token
# Mark configuration as complete
touch /opt/openbao/data/configured
echo "OpenBao configuration completed successfully!"
else
echo "OpenBao already configured, skipping setup..."
# Restore namespace if it exists
if [ -f /opt/openbao/data/namespace ] && [ -n "$AM_CERTS_OPENBAO_NAMESPACE" ]; then
SAVED_NAMESPACE=$(cat /opt/openbao/data/namespace)
if [ "$SAVED_NAMESPACE" = "$AM_CERTS_OPENBAO_NAMESPACE" ]; then
export BAO_NAMESPACE="$AM_CERTS_OPENBAO_NAMESPACE"
fi
fi
if [ -n "$AM_CERTS_OPENBAO_APP_SECRET" ]; then
echo "Verifying existing secret ID validity..."
if ! bao write -field=client_token auth/approle/login role_id="$AM_CERTS_OPENBAO_APP_ROLE" secret_id="$AM_CERTS_OPENBAO_APP_SECRET" > /dev/null 2>&1; then
echo "================================"
echo "ERROR: Secret ID has expired!"
echo "Please regenerate AM_CERTS_OPENBAO_APP_SECRET"
echo "and update your environment configuration"
echo "================================"
else
echo "Existing secret ID is valid"
fi
fi
fi
echo "================================"
echo "OpenBao Production Setup Complete"
echo "================================"
echo "OpenBao Address: http://localhost:8200"
echo "UI Available at: http://localhost:8200/ui"
echo "================================"
echo "IMPORTANT: Store the init.json file securely!"
echo "It contains unseal keys and root token!"
echo "================================"
echo "OpenBao is ready for certs service on port 8200"
if [ -n "$BAO_PID" ]; then
wait $BAO_PID
else
echo "ERROR: OpenBao server process ID not available" >&2
exit 1
fi
docker/supermq-docker/addons/certs/prod-entrypoint.sh
-181
View File
@@ -1,181 +0,0 @@
#!/bin/sh
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
set -e
apk add --no-cache jq
mkdir -p /opt/openbao/config /opt/openbao/data /opt/openbao/logs
cat > /opt/openbao/config/config.hcl << 'EOF'
storage "file" {
path = "/opt/openbao/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
ui = true
log_level = "Info"
disable_mlock = true
# API timeout settings
default_lease_ttl = "168h"
max_lease_ttl = "720h"
EOF
export BAO_ADDR=http://127.0.0.1:8200
if [ -n "$SMQ_OPENBAO_UNSEAL_KEY_1" ] && [ -n "$SMQ_OPENBAO_UNSEAL_KEY_2" ] && [ -n "$SMQ_OPENBAO_UNSEAL_KEY_3" ] && [ -n "$SMQ_OPENBAO_ROOT_TOKEN" ]; then
bao server -config=/opt/openbao/config/config.hcl > /opt/openbao/logs/server.log 2>&1 &
BAO_PID=$!
sleep 5
bao operator unseal "$SMQ_OPENBAO_UNSEAL_KEY_1"
bao operator unseal "$SMQ_OPENBAO_UNSEAL_KEY_2"
bao operator unseal "$SMQ_OPENBAO_UNSEAL_KEY_3"
export BAO_TOKEN=$SMQ_OPENBAO_ROOT_TOKEN
else
if [ ! -f /opt/openbao/data/init.json ]; then
bao server -config=/opt/openbao/config/config.hcl > /opt/openbao/logs/server.log 2>&1 &
BAO_PID=$!
sleep 5
bao operator init -key-shares=5 -key-threshold=3 -format=json > /opt/openbao/data/init.json
UNSEAL_KEY_1=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[0]')
UNSEAL_KEY_2=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[1]')
UNSEAL_KEY_3=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[2]')
ROOT_TOKEN=$(cat /opt/openbao/data/init.json | jq -r '.root_token')
bao operator unseal "$UNSEAL_KEY_1"
bao operator unseal "$UNSEAL_KEY_2"
bao operator unseal "$UNSEAL_KEY_3"
export BAO_TOKEN=$ROOT_TOKEN
else
bao server -config=/opt/openbao/config/config.hcl > /opt/openbao/logs/server.log 2>&1 &
BAO_PID=$!
sleep 5
if bao status | grep -q "Sealed.*true"; then
UNSEAL_KEY_1=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[0]')
UNSEAL_KEY_2=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[1]')
UNSEAL_KEY_3=$(cat /opt/openbao/data/init.json | jq -r '.unseal_keys_b64[2]')
bao operator unseal "$UNSEAL_KEY_1"
bao operator unseal "$UNSEAL_KEY_2"
bao operator unseal "$UNSEAL_KEY_3"
fi
ROOT_TOKEN=$(cat /opt/openbao/data/init.json | jq -r '.root_token')
export BAO_TOKEN=$ROOT_TOKEN
fi
fi
if [ ! -f /opt/openbao/data/configured ]; then
if bao namespace create "$SMQ_OPENBAO_NAMESPACE" 2>/dev/null; then
export BAO_NAMESPACE="$SMQ_OPENBAO_NAMESPACE"
echo "$SMQ_OPENBAO_NAMESPACE" > /opt/openbao/data/namespace
fi
bao auth enable approle || echo "AppRole already enabled"
bao secrets enable -path=pki pki || echo "PKI already enabled"
bao secrets tune -max-lease-ttl=87600h pki
bao write -field=certificate pki/root/generate/internal \
common_name="${SMQ_OPENBAO_PKI_CA_CN}" \
organization="${SMQ_OPENBAO_PKI_CA_O}" \
ou="${SMQ_OPENBAO_PKI_CA_OU}" \
country="${SMQ_OPENBAO_PKI_CA_C}" \
locality="${SMQ_OPENBAO_PKI_CA_L}" \
province="${SMQ_OPENBAO_PKI_CA_ST}" \
street_address="${SMQ_OPENBAO_PKI_CA_ADDR}" \
postal_code="${SMQ_OPENBAO_PKI_CA_PO}" \
ttl=87600h \
key_bits=2048 \
exclude_cn_from_sans=true
bao write pki/config/urls \
issuing_certificates='http://127.0.0.1:8200/v1/pki/ca' \
crl_distribution_points='http://127.0.0.1:8200/v1/pki/crl'
bao write pki/roles/"${SMQ_OPENBAO_PKI_ROLE_NAME:-supermq}" \
allow_any_name=true \
enforce_hostnames=false \
allow_ip_sans=true \
allow_localhost=true \
max_ttl=720h \
ttl=720h \
key_bits=2048
cat > /opt/openbao/config/pki-policy.hcl << EOF
path "pki/issue/${SMQ_OPENBAO_PKI_ROLE_NAME:-supermq}" {
capabilities = ["create", "update"]
}
path "pki/certs" {
capabilities = ["list"]
}
path "pki/cert/*" {
capabilities = ["read"]
}
path "pki/revoke" {
capabilities = ["create", "update"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
EOF
bao policy write pki-policy /opt/openbao/config/pki-policy.hcl
bao write auth/approle/role/"${SMQ_OPENBAO_PKI_ROLE_NAME:-supermq}" \
token_policies=pki-policy \
token_ttl=1h \
token_max_ttl=4h \
bind_secret_id=true \
secret_id_ttl=24h
if [ -n "$SMQ_OPENBAO_APP_ROLE" ]; then
bao write auth/approle/role/"${SMQ_OPENBAO_PKI_ROLE_NAME:-supermq}"/role-id role_id="$SMQ_OPENBAO_APP_ROLE"
fi
if [ -n "$SMQ_OPENBAO_APP_SECRET" ]; then
bao write auth/approle/role/"${SMQ_OPENBAO_PKI_ROLE_NAME:-supermq}"/custom-secret-id secret_id="$SMQ_OPENBAO_APP_SECRET"
fi
SERVICE_TOKEN=$(bao write -field=token auth/token/create \
policies=pki-policy \
ttl=24h \
renewable=true \
display_name="supermq-service")
echo "SERVICE_TOKEN=$SERVICE_TOKEN" > /opt/openbao/data/service_token
touch /opt/openbao/data/configured
echo "OpenBao configuration completed successfully!"
else
echo "OpenBao already configured, skipping setup..."
if [ -f /opt/openbao/data/namespace ] && [ -n "$SMQ_OPENBAO_NAMESPACE" ]; then
SAVED_NAMESPACE=$(cat /opt/openbao/data/namespace)
if [ "$SAVED_NAMESPACE" = "$SMQ_OPENBAO_NAMESPACE" ]; then
export BAO_NAMESPACE="$SMQ_OPENBAO_NAMESPACE"
fi
fi
fi
echo "================================"
echo "OpenBao Production Setup Complete"
echo "================================"
echo "OpenBao Address: http://localhost:8200"
echo "UI Available at: http://localhost:8200/ui"
echo "================================"
echo "IMPORTANT: Store the init.json file securely!"
echo "It contains unseal keys and root token!"
echo "================================"
echo "OpenBao is ready for SuperMQ on port 8200"
wait $BAO_PID
docker/supermq-docker/certs-docker-compose-override.yaml
+76
View File
@@ -0,0 +1,76 @@
# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
networks:
supermq-base-net:
external: true
services:
certs:
environment:
AM_CERTS_LOG_LEVEL: ${AM_CERTS_LOG_LEVEL}
AM_CERTS_HTTP_HOST: ${AM_CERTS_HTTP_HOST}
AM_CERTS_HTTP_PORT: ${AM_CERTS_HTTP_PORT}
AM_CERTS_GRPC_HOST: ${AM_CERTS_GRPC_HOST}
AM_CERTS_GRPC_PORT: ${AM_CERTS_GRPC_PORT}
AM_CERTS_RELEASE_TAG: ${AM_CERTS_RELEASE_TAG}
AM_CERTS_TOKEN: ${AM_CERTS_TOKEN}
AM_CERTS_DB_HOST: ${AM_CERTS_DB_HOST}
AM_CERTS_DB_PORT: ${AM_CERTS_DB_PORT}
AM_CERTS_DB_USER: ${AM_CERTS_DB_USER}
AM_CERTS_DB_PASS: ${AM_CERTS_DB_PASS}
AM_CERTS_DB: ${AM_CERTS_DB}
AM_CERTS_DB_SSL_MODE: ${AM_CERTS_DB_SSL_MODE}
AM_CERTS_DB_MAX_CONNECTIONS: ${AM_CERTS_DB_MAX_CONNECTIONS}
AM_CERTS_OPENBAO_HOST: ${AM_CERTS_OPENBAO_HOST}
AM_CERTS_OPENBAO_APP_ROLE: ${AM_CERTS_OPENBAO_APP_ROLE}
AM_CERTS_OPENBAO_APP_SECRET: ${AM_CERTS_OPENBAO_APP_SECRET}
AM_CERTS_OPENBAO_NAMESPACE: ${AM_CERTS_OPENBAO_NAMESPACE}
AM_CERTS_OPENBAO_PKI_PATH: ${AM_CERTS_OPENBAO_PKI_PATH}
AM_CERTS_OPENBAO_ROLE: ${AM_CERTS_OPENBAO_ROLE}
# OpenBao PKI CA configuration
AM_OPENBAO_PKI_CA_CN: ${AM_OPENBAO_PKI_CA_CN}
AM_OPENBAO_PKI_CA_OU: ${AM_OPENBAO_PKI_CA_OU}
AM_OPENBAO_PKI_CA_O: ${AM_OPENBAO_PKI_CA_O}
AM_OPENBAO_PKI_CA_C: ${AM_OPENBAO_PKI_CA_C}
AM_OPENBAO_PKI_CA_L: ${AM_OPENBAO_PKI_CA_L}
AM_OPENBAO_PKI_CA_ST: ${AM_OPENBAO_PKI_CA_ST}
AM_OPENBAO_PKI_CA_ADDR: ${AM_OPENBAO_PKI_CA_ADDR}
AM_OPENBAO_PKI_CA_PO: ${AM_OPENBAO_PKI_CA_PO}
AM_OPENBAO_PKI_CA_DNS_NAMES: ${AM_OPENBAO_PKI_CA_DNS_NAMES}
AM_OPENBAO_PKI_CA_IP_ADDRESSES: ${AM_OPENBAO_PKI_CA_IP_ADDRESSES}
AM_OPENBAO_PKI_CA_URI_SANS: ${AM_OPENBAO_PKI_CA_URI_SANS}
AM_OPENBAO_PKI_CA_EMAIL_ADDRESSES: ${AM_OPENBAO_PKI_CA_EMAIL_ADDRESSES}
AM_OPENBAO_UNSEAL_KEY_1: ${AM_OPENBAO_UNSEAL_KEY_1}
AM_OPENBAO_UNSEAL_KEY_2: ${AM_OPENBAO_UNSEAL_KEY_2}
AM_OPENBAO_UNSEAL_KEY_3: ${AM_OPENBAO_UNSEAL_KEY_3}
AM_OPENBAO_ROOT_TOKEN: ${AM_OPENBAO_ROOT_TOKEN}
AM_JAEGER_URL: ${AM_JAEGER_URL}
AM_JAEGER_TRACE_RATIO: ${AM_JAEGER_TRACE_RATIO}
AM_AUTH_GRPC_URL: ${AM_AUTH_GRPC_URL}
AM_AUTH_GRPC_TIMEOUT: ${AM_AUTH_GRPC_TIMEOUT}
AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT}
AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY}
AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS}
AM_DOMAINS_GRPC_URL: ${AM_DOMAINS_GRPC_URL}
AM_DOMAINS_GRPC_TIMEOUT: ${AM_DOMAINS_GRPC_TIMEOUT}
AM_DOMAINS_GRPC_CLIENT_CERT: ${AM_DOMAINS_GRPC_CLIENT_CERT}
AM_DOMAINS_GRPC_CLIENT_KEY: ${AM_DOMAINS_GRPC_CLIENT_KEY}
AM_DOMAINS_GRPC_SERVER_CA_CERTS: ${AM_DOMAINS_GRPC_SERVER_CA_CERTS}
networks:
- supermq-base-net
certs-db:
networks:
- supermq-base-net
openbao:
networks:
- supermq-base-net