Remove path-tools dependency & bump smallstep-wrapper
andsens committed May 31, 2024
1 parent 7bf275d commit 8082cc8
Showing 13 changed files with 12 additions and 25 deletions.
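--- a/bin/pkidb-browser
+++ b/bin/pkidb-browser
@@ -4,7 +4,6 @@
 pkidb_browser() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-browser - Exclusively manage Browser CAs
@@ -22,7 +21,7 @@ printf "%s\n" "${DOC:47:37}" >&2;exit 1;}';local varnames=(FINGERPRINT) varname
 for varname in "${varnames[@]}"; do unset "var_$varname";done;parse 1 "$@"
 local p=${DOCOPT_PREFIX:-''};for varname in "${varnames[@]}"; do unset \
 "$p$varname";done;if declare -p var_FINGERPRINT >/dev/null 2>&1; then eval \
-$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval
+$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval
 local docopt_i=1;[[ $BASH_VERSION =~ ^4.3 ]] && docopt_i=2;for \
 ((;docopt_i>0;docopt_i--)); do for varname in "${varnames[@]}"; do declare -p \
 "$p$varname";done;done;}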
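--- a/bin/pkidb-ca
+++ b/bin/pkidb-ca
@@ -4,7 +4,6 @@
 pkidb_ca() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-ca - Retrieve a CA certificate using the SHA-256 fingerprint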
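--- a/bin/pkidb-client-krl
+++ b/bin/pkidb-client-krl
@@ -4,7 +4,6 @@
 pkidb_client_krl() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-client-krl - Retrieve a CMS signed KRL and verify it against CAs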
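--- a/bin/pkidb-crl
+++ b/bin/pkidb-crl
@@ -4,7 +4,6 @@
 pkidb_crl() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-crl - Retrieve a CRL and verify it against CAs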
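--- a/bin/pkidb-k8s-secrets
+++ b/bin/pkidb-k8s-secrets
@@ -4,7 +4,6 @@
 pkidb_k8s_secrets() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 DOC="pkidb-k8s-secrets - Retrieve CAs via fingerprint and create k8s secrets from them
 Usage: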
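--- a/bin/pkidb-os
+++ b/bin/pkidb-os
@@ -4,7 +4,6 @@
 pkidb_os() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-os - Exclusively manage OS local CAs (/usr/local/share-ca-certificates)
@@ -22,7 +21,7 @@ printf "%s\n" "${DOC:78:32}" >&2;exit 1;}';local varnames=(FINGERPRINT) varname
 for varname in "${varnames[@]}"; do unset "var_$varname";done;parse 1 "$@"
 local p=${DOCOPT_PREFIX:-''};for varname in "${varnames[@]}"; do unset \
 "$p$varname";done;if declare -p var_FINGERPRINT >/dev/null 2>&1; then eval \
-$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval
+$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval
 local docopt_i=1;[[ $BASH_VERSION =~ ^4.3 ]] && docopt_i=2;for \
 ((;docopt_i>0;docopt_i--)); do for varname in "${varnames[@]}"; do declare -p \
 "$p$varname";done;done;}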
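--- a/bin/pkidb-pam
+++ b/bin/pkidb-pam
@@ -4,7 +4,6 @@
 pkidb_pam() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-pam - Exclusively manage PAM CAs and cache CRLs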
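--- a/bin/pkidb-sshd
+++ b/bin/pkidb-sshd
@@ -4,7 +4,6 @@
 pkidb_sshd() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 
 DOC="pkidb-sshd - Manage client CAs for openssh-server and renew its hostkey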
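--- a/bin/pkidb-step
+++ b/bin/pkidb-step
@@ -4,14 +4,13 @@
 pkidb_step() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
-PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 check_all_deps
 
 [[ -n $STEP_ROOT_FP ]] || fatal "\$STEP_ROOT_FP is not defined"
 export STEP_URL
 STEP_URL=$(LOGLEVEL=warning "$pkgroot/bin/pkidb-ca" "$STEP_ROOT_FP" | get_subject_field "2.5.4.87" url)
-exec step "$@"
+exec "$pkgroot/.upkg/.bin/step" "$@"
 }
 
 pkidb_step "$@"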
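Review bot: The new `exec "$pkgroot/.upkg/.bin/step" "$@"` at the end of the function runs the wrapper without checking that it is installed, and `check_all_deps` a few lines above only covers `openssl` and `curl`, so a missing smallstep-wrapper package surfaces as a bare bash "No such file or directory" instead of the script's own `fatal` message. Add `[[ -x "$pkgroot/.upkg/.bin/step" ]] || fatal "step wrapper not found at %s" "$pkgroot/.upkg/.bin/step"` immediately before the exec. A one-line comment would also help the next reader see that the explicit path is deliberate now that `.upkg/.bin` is no longer prepended to PATH, e.g. `# Invoke the upkg-managed wrapper by path; PATH is intentionally left untouched`.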
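--- a/bin/sign-dev-tls-cert
+++ b/bin/sign-dev-tls-cert
@@ -55,18 +55,18 @@ for varname in "${varnames[@]}"; do declare -p "$p$varname";done;done;}
 fi
 # shellcheck disable=2154
 if [[ ! -e key.pem || ! -e bundle.pem ]] || $domains_changed || $__force_renewal || \
-STEP_SKIP_P11_KIT=true pkidb-step certificate needs-renewal --expires-in=100% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
+STEP_SKIP_P11_KIT=true "$pkgroot/bin/pkidb-step" certificate needs-renewal --expires-in=100% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
 # Certificate does not exist or has expired, we must authenticate with a YubiKey
 export STEP_PIN_DESC="${FQDN} must be issued/renewed. To do that \`step\` needs to authenticate to step-ca with your YubiKey #%s"
 local domain san_opts=()
 for domain in "${__san[@]}"; do
 [[ $domain = *.local ]] || fatal "The SAN '%s' must be a .local domain" "$domain"
 san_opts+=(--san "$domain")
 done
-pkidb-step ca certificate "${san_opts[@]}" --force "$FQDN" bundle.pem key.pem
-elif STEP_SKIP_P11_KIT=true pkidb-step certificate needs-renewal --expires-in=50% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
+"$pkgroot/bin/pkidb-step" ca certificate "${san_opts[@]}" --force "$FQDN" bundle.pem key.pem
+elif STEP_SKIP_P11_KIT=true "$pkgroot/bin/pkidb-step" certificate needs-renewal --expires-in=50% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
 # Certificate is still valid. Renew without having to ask for YubiKey access.
-STEP_SKIP_P11_KIT=true pkidb-step ca renew --force bundle.pem key.pem 2>&1 | LOGPROGRAM=step pipe_info
+STEP_SKIP_P11_KIT=true "$pkgroot/bin/pkidb-step" ca renew --force bundle.pem key.pem 2>&1 | LOGPROGRAM=step pipe_info
 fi
 )
 }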
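Review bot: The rewritten `if` and `elif` conditions still take their branch from a pipeline that ends in `LOGPROGRAM=step pipe_info`, so the exit status of `needs-renewal` only reaches the branch when `pipefail` is in effect; the function's opening, where the sibling scripts enable it with `set -eo pipefail; shopt -s inherit_errexit`, lies above this hunk and cannot be confirmed here. Without it a wrapper that fails to start is masked by a succeeding `pipe_info`, the first condition becomes true regardless of what step returned, and the script proceeds to the YubiKey issuance path on a broken toolchain. The new `"$pkgroot/bin/pkidb-step"` calls also assume `pkgroot` was set in the function header outside the hunk. A short comment above the `if`, such as `# Relies on pipefail so needs-renewal's status survives the pipe_info stage; pkgroot comes from the function header`, would make both dependencies explicit for whoever edits the conditions next.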
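--- a/common.sh
+++ b/common.sh
@@ -8,7 +8,7 @@ source "$pkgroot/.upkg/collections.sh/collections.sh"
 [[ -n "$PKIDBURL" ]] || fatal "\$PKIDBURL is not set, unable to continue."
 
 check_all_deps() {
-checkdeps openssl curl
+"$pkgroot/.upkg/.bin/checkdeps" openssl curl
 }
 
 get_ca_url() {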
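Review bot: `check_all_deps` now resolves `checkdeps` through `$pkgroot`, which common.sh never sets or validates — it relies on the sourcing script's local, and an empty value silently turns the path into `/.upkg/.bin/checkdeps`. The hunk header shows the file already sources `"$pkgroot/.upkg/collections.sh/collections.sh"` the same way, so the contract is not new, but it is undocumented. Add a guard alongside the PKIDBURL check, `[[ -n "$pkgroot" ]] || fatal "\$pkgroot is not set, unable to continue."`, and a header comment on the function: `# Verifies the tools common.sh itself needs (openssl, curl) via the upkg-managed checkdeps; requires $pkgroot from the sourcing script`. Note that the name promises "all deps" but `step`, which pkidb-step executes after calling this, is not on the list.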
4 changes: 2 additions & 2 deletions k8s-secrets/Dockerfile
Expand Up @@ -11,9 +11,9 @@ RUN wget -q "https://dl.k8s.io/release/v1.27.4/bin/linux/amd64/kubectl" && \
WORKDIR /pkidb-tools
COPY common.sh k8s-secrets/upkg.json /pkidb-tools/
COPY --chmod=0755 bin/pkidb-k8s-secrets bin/pkidb-ca /pkidb-tools/
RUN bash -ec 'u=https://github.com/orbit-online/upkg/releases/download/v0.24.4/upkg-install.tar.gz;\
RUN bash -ec 'u=https://github.com/orbit-online/upkg/releases/download/v0.26.3/upkg-install.tar.gz;\
t=$(mktemp); trap "rm \"$t\"" EXIT;wget -qO"$t" "$u" || curl -fsLo"$t" "$u";\
shasum -a 256 -c <(echo "4398bebb91fbf9103b44ffb415e66bc3c7c99522cae27535b2050054869bfbb7 $t");\
shasum -a 256 -c <(echo "ae99b32cd7cd97a8d102999c8c87bc40844bf9994925dd432b8c0347bb23dc46 $t");\
tar xzC /usr/local -f "$t"'

ENTRYPOINT ["/pkidb-tools/pkidb-k8s-secrets"]
8 changes: 2 additions & 6 deletions upkg.json
Expand Up @@ -13,17 +13,13 @@
"tar": "https://github.com/orbit-online/collections.sh/releases/download/v1.0.0/collections.sh.tar.gz",
"sha256": "ca741323c2bd77f547fa9aea41050d85dfc5f1ce3ff42f73b7a12f7c90b9be2e"
},
{
"tar": "https://github.com/orbit-online/path-tools/releases/download/v1.0.0/path-tools.tar.gz",
"sha256": "2ae2a98714aa81e2142b749dac9ecdb61e050e66bf8bd33aef0fccb2ce66c84b"
},
{
"tar": "https://github.com/andsens/docopt.sh/releases/download/v2.0.1/docopt-lib.sh.tar.gz",
"sha256": "539053da8b3063921b8889dbe752279e3a215d8fa3e2550d6521e094981f26a2"
},
{
"tar": "https://github.com/orbit-online/smallstep-wrapper/releases/download/v3.0.3/smallstep-wrapper.tar.gz",
"sha256": "d99f510d8ae2d172b801e430aed1e12b71cfde5bd6f326cf670c1d148b2970c5"
"tar": "https://github.com/orbit-online/smallstep-wrapper/releases/download/v3.0.4/smallstep-wrapper.tar.gz",
"sha256": "cfe7381536227c06db3c8ddc8be9efd81166df2d5f2deec2dc239b37e743ee67"
}
]
}
