From 549e0a20d7ccd8f026b9cf7f931232bc9fd85b21 Mon Sep 17 00:00:00 2001
From: Jackson <11304426+jax-b@users.noreply.github.com>
Date: Mon, 17 Feb 2025 00:26:41 +0000
Subject: [PATCH 1/5] added new options to change the Issueing CA for the nginx container

added new options to change the Issueing CA for the nginx container
---
 templates/deployment.yaml | 2 +-
 values.yaml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index e14b24c..f30941e 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -59,7 +59,7 @@ spec:
 until [ -f /opt/keyfactor/appserver/standalone/deployments/ejbca.ear.deployed ]; do sleep 5; done
 until [[ $(/opt/keyfactor/bin/ejbca.sh roles listadmins --role "Super Administrator Role" | grep -v 'USERNAME TYPE_EQUALCASE "ejbca"') ]]; do sleep 5; done
 sleep 5
- /opt/keyfactor/bin/ejbca.sh ra addendentity --username '{{ .Values.nginx.host }}' --dn 'CN={{ .Values.nginx.host }}' --caname 'ManagementCA' --type 1 --token PEM --altname 'dNSName={{ .Values.nginx.host }}' --certprofile SERVER --password NOTUSED
+ /opt/keyfactor/bin/ejbca.sh ra addendentity --username '{{ .Values.nginx.host }}' --dn 'CN={{ .Values.nginx.host }}' --caname '{{ .Values.nginx.issuingCA }}' --type 1 --token PEM --altname 'dNSName={{ .Values.nginx.host }}' --certprofile {{ .Values.nginx.certificateProfile }} --password NOTUSED
 /opt/keyfactor/bin/ejbca.sh ra setendentitystatus --username '{{ .Values.nginx.host }}' -S 10
 /opt/keyfactor/bin/ejbca.sh ra setclearpwd '{{ .Values.nginx.host }}' NOTUSED
 /opt/keyfactor/bin/ejbca.sh batch '{{ .Values.nginx.host }}' -dir /tmp/nginx/ssl/
diff --git a/values.yaml b/values.yaml
index 8c79ce6..8f291bf 100644
--- a/values.yaml
+++ b/values.yaml
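Review bot: The added `--caname '{{ .Values.nginx.issuingCA }}'` is rendered into the init script without any check, so an empty or mistyped `nginx.issuingCA` reaches `ejbca.sh ra addendentity` as `--caname ''` or as an unknown CA name, and the nginx end entity is presumably never created, with the failure surfacing only in the pod log. A `required` guard turns this into an install-time error: `--caname '{{ required "nginx.issuingCA must be the name of an existing CA" .Values.nginx.issuingCA }}'`, and the same applies to `nginx.certificateProfile`. The value is also spliced into a single-quoted shell word, so a value containing `'` would break the quoting; documenting that plain CA and profile names are expected is enough here. The `--certprofile` value on this line is unquoted, which PATCH 2/5 already fixes; the same command line recurs in the templates/deployment.yaml hunks of PATCH 2/5 and PATCH 5/5. The init script containing these commands starts and ends outside the hunk.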
@@ -138,6 +138,10 @@ nginx:
 mountInternalNginxCert: false
 # Name of the secret that contains the certificate, key, and CA certificate
 secretInternalNginxCert: "internal-nginx-credential-secret-ca"
+ # After you have setup your root or subordinate CA, you can use the following to issue a certificate for nginx from that CA Insted
+ issuingCA: ManagementCA
+ # The certificate profile to use when issuing the certificate for nginx
+ certificateProfile: SERVER
 service:
 enabled: false
 type: NodePort

From 13420d4fed29284609ec0036117fb1e829abf136 Mon Sep 17 00:00:00 2001
From: Jackson <11304426+jax-b@users.noreply.github.com>
Date: Mon, 17 Feb 2025 00:49:28 +0000
Subject: [PATCH 2/5] added quotes to cert profile

---
 templates/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index f30941e..adad861 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
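Review bot: The comment above the added `issuingCA` key does not say what the value must be, and it has a typo (`Insted`): the deployment's init script passes it verbatim to `ejbca.sh ra addendentity --caname` at pod start, so it has to be the exact name of a CA that already exists in this EJBCA instance. Suggested replacement: `# Name of an existing CA to issue the nginx certificate from. Once your own root or subordinate CA is set up, point this at it instead of ManagementCA.` The `certificateProfile` comment could likewise state that the named profile must already exist in EJBCA.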
@@ -59,7 +59,7 @@ spec:
 until [ -f /opt/keyfactor/appserver/standalone/deployments/ejbca.ear.deployed ]; do sleep 5; done
 until [[ $(/opt/keyfactor/bin/ejbca.sh roles listadmins --role "Super Administrator Role" | grep -v 'USERNAME TYPE_EQUALCASE "ejbca"') ]]; do sleep 5; done
 sleep 5
- /opt/keyfactor/bin/ejbca.sh ra addendentity --username '{{ .Values.nginx.host }}' --dn 'CN={{ .Values.nginx.host }}' --caname '{{ .Values.nginx.issuingCA }}' --type 1 --token PEM --altname 'dNSName={{ .Values.nginx.host }}' --certprofile {{ .Values.nginx.certificateProfile }} --password NOTUSED
+ /opt/keyfactor/bin/ejbca.sh ra addendentity --username '{{ .Values.nginx.host }}' --dn 'CN={{ .Values.nginx.host }}' --caname '{{ .Values.nginx.issuingCA }}' --type 1 --token PEM --altname 'dNSName={{ .Values.nginx.host }}' --certprofile '{{ .Values.nginx.certificateProfile }}' --password NOTUSED
 /opt/keyfactor/bin/ejbca.sh ra setendentitystatus --username '{{ .Values.nginx.host }}' -S 10
 /opt/keyfactor/bin/ejbca.sh ra setclearpwd '{{ .Values.nginx.host }}' NOTUSED
 /opt/keyfactor/bin/ejbca.sh batch '{{ .Values.nginx.host }}' -dir /tmp/nginx/ssl/

From 366b343e7ef468588015e3e8fff92b1820db338a Mon Sep 17 00:00:00 2001
From: Jackson <11304426+jax-b@users.noreply.github.com>
Date: Mon, 17 Feb 2025 00:50:15 +0000
Subject: [PATCH 3/5] added loadbalancer ip to nginx service

---
 templates/nginx-service.yaml | 3 +++
 values.yaml | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/templates/nginx-service.yaml b/templates/nginx-service.yaml
index 9de59c7..f5cbd31 100644
--- a/templates/nginx-service.yaml
+++ b/templates/nginx-service.yaml
@@ -26,4 +26,7 @@ spec:
 {{- end }}
 selector:
 {{- include "ejbca.selectorLabels" . | nindent 4 }}
+ {{- if eq .Values.nginx.service.type "LoadBalancer" (.Values.nginx.service.loadBalancerIP) }}
+ loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP }}
+ {{- end }}
 {{- end }}
\ No newline at end of file
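Review bot: The added condition `{{- if eq .Values.nginx.service.type "LoadBalancer" (.Values.nginx.service.loadBalancerIP) }}` is not the conjunction the new value implies: in Go templates `eq` with more than two arguments is true when the first argument equals any of the following ones, so this reads as `type == "LoadBalancer" || type == loadBalancerIP`, and `loadBalancerIP:` is emitted with an empty value for every LoadBalancer service that has no IP configured. The intended test is `{{- if and (eq .Values.nginx.service.type "LoadBalancer") .Values.nginx.service.loadBalancerIP }}`, and the value line is safer as `loadBalancerIP: {{ .Values.nginx.service.loadBalancerIP | quote }}`. Separately, `spec.loadBalancerIP` has been deprecated since Kubernetes 1.24 in favour of provider-specific annotations, which is worth recording next to the new value so users of newer clusters are not surprised. The template block this hunk sits in closes with the `{{- end }}` shown, but its opening is outside the hunk.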
diff --git a/values.yaml b/values.yaml
index 8f291bf..20fdd9b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -147,6 +147,8 @@ nginx:
 type: NodePort
 httpPort: 30080
 httpsPort: 30443
+ # When using NGINX as a load balancer service type, you can specify the load balancer IP address for network controllers to use (ig metallb)
+ loadBalancerIP:
 # Requires proxyAJP or proxyHttp service to be enabled for adminweb access
 ingress:

From 9404e2d24158b1299645e639f15ed71cc71e617a Mon Sep 17 00:00:00 2001
From: Jackson <11304426+jax-b@users.noreply.github.com>
Date: Mon, 17 Feb 2025 01:02:45 +0000
Subject: [PATCH 4/5] Update Readme for new options

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 68d9aa6..c8c9f22 100644
--- a/README.md
+++ b/README.md
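Review bot: The added `loadBalancerIP:` has no value, which YAML reads as null and Helm then drops from the values map; an explicit empty string, `loadBalancerIP: ""`, keeps the key visible in `helm show values` and still evaluates as false in the template's `if`. The comment should also state the constraint instead of leaving it implicit, e.g. `# Static IP for the nginx Service; only used when service.type is LoadBalancer and the controller (e.g. MetalLB) honours loadBalancerIP` — `(ig metallb)` is presumably meant to be `(e.g. MetalLB)`.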
@@ -588,10 +588,13 @@ The following lists other variables that provide additional miscellaneous capabi
 | nginx.proxy_url_host | The hostname used to proxy from NGINX to EJBCA. When NGINX is in the same pod as EJBCA use localhost | |
 | nginx.mountInternalNginxCert | Use a Secret mounted TLS certificate, private key, and CA cert for NGINX. Use when there is no active CA or use a TLS cert not issued by the ManagementCA | |
 | nginx.secretInternalNginxCert | Name of the secret that contains the certificate, key, and CA certificate | |
+| nginx.issuingCA | Changes the CA to issue the cert out of | ManagementCA |
+| nginx.certificateProfile | Changes the profile to issue the certificate out of | SERVER |
 | nginx.service.enabled | Creates a service for accessing EJBCA. This should be used when using `services.proxyHttp.type=LoadBalancer` | false |
 | nginx.service.type | Type of service to create for NGINX reverse proxy | NodePort |
 | nginx.service.httpPort | HTTP port to use for NGINX reverse proxy. Do not assert a value to disable HTTP at the service | 30080 |
 | nginx.service.httpsPort | HTTPS port to use for NGINX reverse proxy | 30443 |
+| nginx.service.loadBalancerIP | When using NGINX as a load balancer service type, Optionaly specify the load balancer IP address for network controllers to use (Type must be load balancer) | UNSET |
 | nginx.conf | NGINX server configuration parameters | |
 ### Ingress Parameters

From 19910df8a7063cd7420852aadb05905db7dbe4bb Mon Sep 17 00:00:00 2001
From: Jackson <11304426+jax-b@users.noreply.github.com>
Date: Mon, 17 Feb 2025 02:05:38 +0000
Subject: [PATCH 5/5] added resetEndEntity option.

---
 README.md | 3 ++-
 templates/deployment.yaml | 4 ++++
 values.yaml | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c8c9f22..32ed185 100644
--- a/README.md
+++ b/README.md
@@ -589,7 +589,8 @@ The following lists other variables that provide additional miscellaneous capabi
 | nginx.mountInternalNginxCert | Use a Secret mounted TLS certificate, private key, and CA cert for NGINX. Use when there is no active CA or use a TLS cert not issued by the ManagementCA | |
 | nginx.secretInternalNginxCert | Name of the secret that contains the certificate, key, and CA certificate | |
 | nginx.issuingCA | Changes the CA to issue the cert out of | ManagementCA |
-| nginx.certificateProfile | Changes the profile to issue the certificate out of | SERVER |
+| nginx.certificateProfile | Changes the profile to issue the certificate out of | SERVER |
+| nginx.resetEndEntity | Removes the previous end entity Used when rotating the CA out. | false |
 | nginx.service.enabled | Creates a service for accessing EJBCA. This should be used when using `services.proxyHttp.type=LoadBalancer` | false |
 | nginx.service.type | Type of service to create for NGINX reverse proxy | NodePort |
 | nginx.service.httpPort | HTTP port to use for NGINX reverse proxy. Do not assert a value to disable HTTP at the service | 30080 |
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index adad861..3c9af44 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -59,6 +59,10 @@ spec:
 until [ -f /opt/keyfactor/appserver/standalone/deployments/ejbca.ear.deployed ]; do sleep 5; done
 until [[ $(/opt/keyfactor/bin/ejbca.sh roles listadmins --role "Super Administrator Role" | grep -v 'USERNAME TYPE_EQUALCASE "ejbca"') ]]; do sleep 5; done
 sleep 5
+ {{- if .Values.nginx.resetEndEntity }}
+ /opt/keyfactor/bin/ejbca.sh ra revokeendentity --username '{{ .Values.nginx.host }}' -r 0
+ /opt/keyfactor/bin/ejbca.sh ra delendentity --username '{{ .Values.nginx.host }}' -force
+ {{- end }}
 /opt/keyfactor/bin/ejbca.sh ra addendentity --username '{{ .Values.nginx.host }}' --dn 'CN={{ .Values.nginx.host }}' --caname '{{ .Values.nginx.issuingCA }}' --type 1 --token PEM --altname 'dNSName={{ .Values.nginx.host }}' --certprofile '{{ .Values.nginx.certificateProfile }}' --password NOTUSED
 /opt/keyfactor/bin/ejbca.sh ra setendentitystatus --username '{{ .Values.nginx.host }}' -S 10
 /opt/keyfactor/bin/ejbca.sh ra setclearpwd '{{ .Values.nginx.host }}' NOTUSED
diff --git a/values.yaml b/values.yaml
index 20fdd9b..d1b4993 100644
--- a/values.yaml
+++ b/values.yaml
@@ -142,6 +142,8 @@ nginx:
 issuingCA: ManagementCA
 # The certificate profile to use when issuing the certificate for nginx
 certificateProfile: SERVER
+ # Removes the end entity and revokes all certificates (used for swapping out the CA) (not recommended to keep on)
+ resetEndEntity: false
 service:
 enabled: false
 type: NodePort
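Review bot: The reset branch runs `ra revokeendentity` and `ra delendentity -force` on every container start for as long as `nginx.resetEndEntity` is true, and on a start where the end entity does not exist (first boot with the flag set, or a restart after a reset) there is nothing to revoke; whether that non-zero exit stops the script before `addendentity` depends on the shell options set at the top of the script, which is outside the hunk. Guarding the two commands on the end entity existing (for example via `ra findendentity`), or making the tolerated failure explicit with `|| true`, would give the same behaviour on every path. `-r 0` records the revocation reason as unspecified; for the CA-rotation case this flag is documented for, reason `4` (superseded) is the accurate code. The README row for `nginx.resetEndEntity` could also spell out that the flag is meant for a single `helm upgrade` and must be set back to `false` afterwards, since each further restart would revoke a working certificate.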