feat(beamdev): add option to start beam cert manager (#243)

Threated · web-flow · commit 4af4e1692b46 · 2025-10-10T10:48:50.000+02:00
Also generate CSRs for testing in beamdev
diff --git a/dev/beamdev b/dev/beamdev
@@ -167,7 +167,7 @@ function stop {
 }
 
 function clean {
-    docker compose down
+    docker compose --profile "*" down
     rm -fv pki/*.pem pki/*.json pki/pki.secret
     pki/pki clean
 }
@@ -275,6 +275,14 @@ case "$1" in
     shift
     start_bg $@
     ;;
+  start_cert_manager)
+    shift
+    clean
+    pki/pki devsetup
+    echo "$VAULT_TOKEN" > ./pki/pki.secret
+    build $@
+    docker compose --profile "cert-manager" up --no-build --no-recreate
+    ;;
   restart)
     shift
     build $@
@@ -296,6 +304,6 @@ case "$1" in
     defaults
     ;;
   *)
-    echo "Usage: $0 [--tag SOMETAG, e.g. develop, to use an existing image] build|start|start_bg|restart|stop|clean|defaults|demo|noop"
+    echo "Usage: $0 [--tag SOMETAG, e.g. develop, to use an existing image] build|start|start_bg|start_cert_manager|restart|stop|clean|defaults|demo|noop"
     ;;
 esac
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
@@ -86,6 +86,43 @@ services:
     secrets:
       - proxy2.pem
       - root.crt.pem
+
+  mailhog:
+    image: mailhog/mailhog
+    ports:
+      - "1025:1025" # SMTP port
+      - "8025:8025" # Web UI
+    profiles:
+      - cert-manager
+
+  cert-ui:
+    image: samply/beam-cert-manager
+    ports:
+      - 8000:8000
+      - 3000:3000
+    environment:
+      BROKER_URL: http://broker:8080
+      VAULT_URL: http://vault:8200
+      CSR_DIR: /pki
+      SMTP_URL: smtp://mailhog:1025
+      DB_DIR: /pki/db
+      BROKER_MONITORING_KEY: ${BROKER_MONITORING_KEY}
+      PKI_DEFAULT_ROLE: hd-dot-dktk-dot-com
+      PUBLIC_BASE_URL: http://localhost:3000
+      ADMIN_ADDR: 0.0.0.0:8000
+      BROKER_ID: broker
+      RUST_LOG: ${RUST_LOG}
+    volumes:
+      - ./pki:/pki
+    secrets:
+      - pki.secret
+    depends_on:
+      - vault
+      - broker
+      - mailhog
+    profiles:
+      - cert-manager
+
 secrets:
   pki.secret:
     file: ./pki/pki.secret
diff --git a/dev/pki/pki b/dev/pki/pki
@@ -17,7 +17,7 @@ function start() {
 }
 
 function clean() {
-     rm -vf *.pem *.json *.secret
+     rm -vf *.pem *.json *.secret *.csr
      docker compose down
 }
 
@@ -95,17 +95,14 @@ function request() {
      application=$1
      cn=$2
      ttl=$3
-     data="{\"common_name\": \"$cn\", \"ttl\": \"$ttl\"}"
-     echo $data
+     openssl req -new -newkey rsa:2048 -nodes -keyout ${application}.priv.pem -out ${application}.csr -subj "/CN=${cn}" 2>/dev/null
+     data=$(jq -Rs '{common_name: "'$cn'", ttl: "'$ttl'", csr: .}' < ${application}.csr)
      echo "Creating Certificate for domain $cn"
      curl --header "X-Vault-Token: $VAULT_TOKEN" \
           --request POST \
           --data "$data" \
           --no-progress-meter \
-     $VAULT_ADDR/v1/samply_pki/issue/hd-dot-dktk-dot-com | jq > ${application}.json
-     cat ${application}.json | jq -r .data.certificate > ${application}.crt.pem
-     cat ${application}.json | jq -r .data.ca_chain[] > ${application}.chain.pem
-     cat ${application}.json | jq -r .data.private_key > ${application}.priv.pem
+     $VAULT_ADDR/v1/samply_pki/sign/hd-dot-dktk-dot-com | jq > ${application}.json
      echo "Success: PEM files stored to ${application}*.pem"
 }
 
@@ -118,7 +115,7 @@ function setup() {
     #touch root.crt.pem # see https://github.com/docker/compose/issues/8305
     start
     while ! [ "$(curl -s $VAULT_ADDR/v1/sys/health | jq -r .sealed)" == "false" ]; do echo "Waiting ..."; sleep 0.1; done
-    docker compose exec -T vault sh -c "https_proxy=$http_proxy apk add --no-cache bash curl jq"
+    docker compose exec -T vault sh -c "https_proxy=$http_proxy apk add --no-cache bash curl jq openssl"
     docker compose exec -T vault sh -c "VAULT_TOKEN=$VAULT_TOKEN http_proxy= HTTP_PROXY= PROXY1_ID=$PROXY1_ID PROXY2_ID=$PROXY2_ID /pki/pki init"
     docker compose exec -T vault sh -c "VAULT_TOKEN=$VAULT_TOKEN http_proxy= HTTP_PROXY= PROXY1_ID=$PROXY1_ID PROXY2_ID=$PROXY2_ID /pki/pki request_proxy $PROXY1_ID_SHORT" "24h"
     docker compose exec -T vault sh -c "VAULT_TOKEN=$VAULT_TOKEN http_proxy= HTTP_PROXY= PROXY1_ID=$PROXY1_ID PROXY2_ID=$PROXY2_ID /pki/pki request_proxy $PROXY2_ID_SHORT" "24h"
