使用terraform 生成自签名证书
terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)
main.tf 文件
resource "tls_private_key" "example" {
algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
key_algorithm = "${tls_private_key.example.algorithm}"
private_key_pem = "${tls_private_key.example.private_key_pem}"
# Certificate expires after 12 hours.
validity_period_hours = 120000000
# Generate a new certificate if Terraform is run within three
# hours of the certificate's expiration time.
early_renewal_hours = 30000000
is_ca_certificate = true
# Reasonable set of uses for a server SSL certificate.
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
dns_names = ["api.example.com", "k8sapi.example.com"]
subject {
common_name = "example.com"
organization = "example, Inc"
}
}
data "archive_file" "userinfos" {
type = "zip"
output_path = "tf-result/cert.zip"
source {
content = tls_private_key.example.private_key_pem
filename = "private_key_pem"
}
source {
content = tls_private_key.example.public_key_pem
filename = "public_key_pem"
}
source {
content = tls_self_signed_cert.example.cert_pem
filename = "cert_pem"
}
}
resource 说明
以上代码使用了archive
provider 进行生成文件压缩,使用tls_private_key
生成私钥
使用tls_self_signed_cert
生成自签名证书
运行
- init 下载插件
terraform init
- 查看计划
terraform plan
效果
Refreshing Terraform state in-memory prior to plan
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.archive_file.userinfos will be read during apply
# (config refers to values not yet known)
<= data "archive_file" "userinfos" {
+ id = (known after apply)
+ output_base64sha256 = (known after apply)
+ output_md5 = (known after apply)
+ output_path = "tf-result/cert.zip"
+ output_sha = (known after apply)
+ output_size = (known after apply)
+ type = "zip"
+ source {
+ content = (known after apply)
+ filename = "cert_pem"
}
+ source {
+ content = (known after apply)
+ filename = "private_key_pem"
}
+ source {
+ content = (known after apply)
+ filename = "public_key_pem"
}
}
# tls_private_key.example will be created
+ resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ ecdsa_curve = "P224"
+ id = (known after apply)
+ private_key_pem = (known after apply)
+ public_key_fingerprint_md5 = (known after apply)
+ public_key_openssh = (known after apply)
+ public_key_pem = (known after apply)
+ rsa_bits = 2048
}
# tls_self_signed_cert.example will be created
+ resource "tls_self_signed_cert" "example" {
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
]
+ cert_pem = (known after apply)
+ dns_names = [
+ "api.example.com",
+ "k8sapi.example.com",
]
+ early_renewal_hours = 30000000
+ id = (known after apply)
+ ip_addresses = [
+ "127.0.0.1",
+ "192.168.0.111",
+ "10.10.18.119",
]
+ is_ca_certificate = true
+ key_algorithm = "RSA"
+ private_key_pem = (known after apply)
+ validity_end_time = (known after apply)
+ validity_period_hours = 120000000
+ validity_start_time = (known after apply)
+ subject {
+ common_name = "example.com"
+ organization = "example, Inc"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
- apply
terraform apply
效果
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.archive_file.userinfos will be read during apply
# (config refers to values not yet known)
<= data "archive_file" "userinfos" {
+ id = (known after apply)
+ output_base64sha256 = (known after apply)
+ output_md5 = (known after apply)
+ output_path = "tf-result/cert.zip"
+ output_sha = (known after apply)
+ output_size = (known after apply)
+ type = "zip"
+ source {
+ content = (known after apply)
+ filename = "cert_pem"
}
+ source {
+ content = (known after apply)
+ filename = "private_key_pem"
}
+ source {
+ content = (known after apply)
+ filename = "public_key_pem"
}
}
# tls_private_key.example will be created
+ resource "tls_private_key" "example" {
+ algorithm = "RSA"
+ ecdsa_curve = "P224"
+ id = (known after apply)
+ private_key_pem = (known after apply)
+ public_key_fingerprint_md5 = (known after apply)
+ public_key_openssh = (known after apply)
+ public_key_pem = (known after apply)
+ rsa_bits = 2048
}
# tls_self_signed_cert.example will be created
+ resource "tls_self_signed_cert" "example" {
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
]
+ cert_pem = (known after apply)
+ dns_names = [
+ "api.example.com",
+ "k8sapi.example.com",
]
+ early_renewal_hours = 30000000
+ id = (known after apply)
+ ip_addresses = [
+ "127.0.0.1",
+ "192.168.0.111",
+ "10.10.18.119",
]
+ is_ca_certificate = true
+ key_algorithm = "RSA"
+ private_key_pem = (known after apply)
+ validity_end_time = (known after apply)
+ validity_period_hours = 120000000
+ validity_start_time = (known after apply)
+ subject {
+ common_name = "example.com"
+ organization = "example, Inc"
}
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
tls_private_key.example: Creating
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
- 文件内容
unzip cert.zip
Archive: cert.zip
inflating: cert_pem
inflating: private_key_pem
inflating: public_key_pem
说明
我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码
参考资料
https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine