使用terraform 生成自签名证书
terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)
main.tf 文件
resource "tls_private_key" "example" {
algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
key_algorithm = "${tls_private_key.example.algorithm}"
private_key_pem = "${tls_private_key.example.private_key_pem}"
# Certificate expires after 12 hours.
validity_period_hours = 120000000
# Generate a new certificate if Terraform is run within three
# hours of the certificate's expiration time.
early_renewal_hours = 30000000
is_ca_certificate = true
# Reasonable set of uses for a server SSL certificate.
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
dns_names = ["api.example.com", "k8sapi.example.com"]
subject {
common_name = "example.com"
organization = "example, Inc"
}
}
data "archive_file" "userinfos" {
type = "zip"
output_path = "tf-result/cert.zip"
source {
content = tls_private_key.example.private_key_pem
filename = "private_key_pem"
}
source {
content = tls_private_key.example.public_key_pem
filename = "public_key_pem"
}
source {
content = tls_self_signed_cert.example.cert_pem
filename = "cert_pem"
}
}
resource 说明
以上代码使用了archive provider 进行生成文件压缩,使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书
运行
- init 下载插件
terraform init
- 查看计划
terraform plan
效果
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.archive_file.userinfos will be read during apply
# (config refers to values not yet known)
<= data "archive_file" "userinfos" {
+ id = (known after apply)
+ output_base64sha256 = (known after apply)
+ output_md5 = (known after apply)
+ output_path = "tf-result/cert.zip"
+ output_sha = (known after apply)
+ output_size = (known after apply)
+ type = "zip"
+ source {
+ content = (known after apply)
+ filename = "cert_pem"
}
+ source {
+ content = (known after apply)
+ filename = "private_key_pem"
}
+ source {
+ content = (known after apply)
+ filename = "public_key_pem"
}
}
# tls_private_key.example will be created
+ resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ ecdsa_curve = "P224"
+ id = (known after apply)
+ private_key_pem = (known after apply)
+ public_key_fingerprint_md5 = (known after apply)
+ public_key_openssh = (known after apply)
+ public_key_pem = (known after apply)
+ rsa_bits = 2048
}
# tls_self_signed_cert.example will be created
+ resource "tls_self_signed_cert" "example" {
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
]
+ cert_pem = (known after apply)
+ dns_names = [
+ "api.example.com",
+ "k8sapi.example.com",
]
+ early_renewal_hours = 30000000
+ id = (known after apply)
+ ip_addresses = [
+ "127.0.0.1",
+ "192.168.0.111",
+ "10.10.18.119",
]
+ is_ca_certificate = true
+ key_algorithm = "RSA"
+ private_key_pem = (known after apply)
+ validity_end_time = (known after apply)
+ validity_period_hours = 120000000
+ validity_start_time = (known after apply)
+ subject {
+ common_name = "example.com"
+ organization = "example, Inc"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
- apply
terraform apply
效果
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.archive_file.userinfos will be read during apply
# (config refers to values not yet known)
<= data "archive_file" "userinfos" {
+ id = (known after apply)
+ output_base64sha256 = (known after apply)
+ output_md5 = (known after apply)
+ output_path = "tf-result/cert.zip"
+ output_sha = (known after apply)
+ output_size = (known after apply)
+ type = "zip"
+ source {
+ content = (known after apply)
+ filename = "cert_pem"
}
+ source {
+ content = (known after apply)
+ filename = "private_key_pem"
}
+ source {
+ content = (known after apply)
+ filename = "public_key_pem"
}
}
# tls_private_key.example will be created
+ resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ ecdsa_curve = "P224"
+ id = (known after apply)
+ private_key_pem = (known after apply)
+ public_key_fingerprint_md5 = (known after apply)
+ public_key_openssh = (known after apply)
+ public_key_pem = (known after apply)
+ rsa_bits = 2048
}
# tls_self_signed_cert.example will be created
+ resource "tls_self_signed_cert" "example" {
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
]
+ cert_pem = (known after apply)
+ dns_names = [
+ "api.example.com",
+ "k8sapi.example.com",
]
+ early_renewal_hours = 30000000
+ id = (known after apply)
+ ip_addresses = [
+ "127.0.0.1",
+ "192.168.0.111",
+ "10.10.18.119",
]
+ is_ca_certificate = true
+ key_algorithm = "RSA"
+ private_key_pem = (known after apply)
+ validity_end_time = (known after apply)
+ validity_period_hours = 120000000
+ validity_start_time = (known after apply)
+ subject {
+ common_name = "example.com"
+ organization = "example, Inc"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
tls_private_key.example: Creating...
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating...
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
- 文件内容
unzip cert.zip
Archive: cert.zip
inflating: cert_pem
inflating: private_key_pem
inflating: public_key_pem
说明
我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码
参考资料
https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine
使用terraform 生成自签名证书的更多相关文章
- cmd命令生成android签名证书
cmd命令生成android签名证书,有空在写一篇eclipse导出带签名的apk,这里面包括生成新的签名.现在还是讲讲在cmd怎么操作生成签名证书. 1.dos下进入JDK的bin目录 运行如下命令 ...
- windows下使用makecert命令生成自签名证书
1.makecert命令路径 C:\Program Files (x86)\Windows Kits\8.1\bin\x64 2.生成一个自签名证书 makecert -r -pe -n " ...
- openssl生成自签名证书
1.生成x509格式的CA自签名证书 openssl req -new -x509 -keyout ca.key -out ca.crt 2.生成服务端的私钥(key文件)及申请证书文件csr文件 o ...
- 用OpenSSL生成自签名证书在IIS上搭建Https站点(用于iOS的https访问)
前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...
- [ipsec][strongswan] 用strongswan pki工具生成自签名证书
如题.我在实验环境里,分别要为两个endpoint(T9和T129)生成证书. 证书是如何生成的呢? 证书是由根证书机构签发的.申请证书的人将request提交给根证书机构,然后根证书机构根据requ ...
- ios生成自签名证书,实现web下载安装app
抄自http://beyondvincent.com/blog/2014/03/17/five-tips-for-using-self-signed-ssl-certificates-with-ios ...
- 生成自签名证书-开启https
1.生成CA证书 # 生成 CA 私钥 openssl genrsa -out ca.key 2048 # X.509 Certificate Signing Request (CSR) Manage ...
- OpenSSL使用1(用OpenSSL生成自签名证书在IIS上搭建Https站点)(用于iOS的https访问)
前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...
- Windows下生成自签名证书
最近通过openssl生成了自签名的证书,总结成下面这张图. 说明:下载openssl0.9.8之后解压,然后运行bin\openssl.exe进入openssl运行环境,然后按上图中顺序执行命令.( ...
随机推荐
- react-navigation 的抽屉效果 createDrawerNavigator (DrawerNavigator)
一.前言: react-navigation 3.x 版本中, 使用createDrawerNavigator 替换 原先的DrawerNavigator 方法: 那么,当前createBottom ...
- MMKV 多进程K-V组件 MD
Markdown版本笔记 我的GitHub首页 我的博客 我的微信 我的邮箱 MyAndroidBlogs baiqiantao baiqiantao bqt20094 baiqiantao@sina ...
- springboot使用HttpSessionListener 监听器统计当前在线人数
概括: request.getSession(true):若存在会话则返回该会话,否则新建一个会话. request.getSession(false):若存在会话则返回该会话,否则返回NULL ht ...
- 2. matplotlib绘制散点图
与绘制直线图的唯一区别:plt.scatter # coding=utf-8 from matplotlib import pyplot as plt from matplotlib import f ...
- SSO实现机制
引言 单点登录有许多开发商提供解决方案,本文以yale大学SSO开源项目CAS为例,介绍单点登录实现机制. 术语解释 SSO-Single Sign On,单点登录 TGT-Ticket Granti ...
- 2019年Amazon AWS-Solutions-Architect-Professional考试最新题库(AWS SAP题库)带考试模拟器
大家好,由于最近自己备考Amazon AWS-Solutions-Architect-Professional考试,购买了以下链接的题库,并通过了考试 https://www.kaoguti.gq/A ...
- 换个语言学一下 Golang (9)——结构体和接口
基本上到这里的时候,就是上了一个台阶了.Go的精华特点即将展开. 结构体定义 上面我们说过Go的指针和C的不同,结构体也是一样的.Go是一门删繁就简的语言,一切令人困惑的特性都必须去掉. 简单来讲,G ...
- java-Java实现mysql事务处理操作
数据库事务(简称:事务)是数据库管理系统执行过程中的一个逻辑单位,由一个有限的数据库操作序列构成. 并非任意的对数据库的操作序列都是数据库事务.数据库事务拥有以下四个特性,习惯上被称之为ACID特性. ...
- 【知识点整理】Oracle中NOLOGGING、APPEND、ARCHIVE和PARALLEL下,REDO、UNDO和执行速度的比较
[知识点整理]Oracle中NOLOGGING.APPEND.ARCHIVE和PARALLEL下,REDO.UNDO和执行速度的比较 1 BLOG文档结构图 2 前言部分 2.1 导读和注意事项 ...
- gps示例代码
/* main.c */ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #incl ...