remove the CA certificate from the server certificate bundle

a server certificate must not include its CA certificate.

the CA certificate must already be installed/trusted by the clients.

Signed-off-by: Rui Lopes <[email protected]>

Author: rgl

deploy/compose/docker-compose.yml

@@ -217,7 +217,7 @@ services:
       REGISTRY_AUTH: htpasswd
       REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
       REGISTRY_AUTH_HTPASSWD_PATH: /auth/.htpasswd
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/${FACILITY:-onprem}/bundle.pem
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/${FACILITY:-onprem}/server-crt.pem
       REGISTRY_HTTP_TLS_KEY: /certs/${FACILITY:-onprem}/server-key.pem
       REGISTRY_HTTP_ADDR: $TINKERBELL_HOST_IP:443
     volumes:

deploy/compose/tls/generate.sh

@@ -1,8 +1,10 @@
 #!/usr/bin/env bash
 # This script handles the generation of the TLS certificates.
-# The output is 2 files:
-# 1. /certs/${FACILITY:-onprem}/server-key.pem (TLS private key)
-# 2. /certs/${FACILITY:-onprem}/bundle.pem (TLS public certificate)
+# The output is 4 files:
+# 1. /certs/${FACILITY:-onprem}/ca-crt.pem (CA TLS public certificate)
+# 2. /certs/${FACILITY:-onprem}/server-crt.pem (server TLS certificate)
+# 3. /certs/${FACILITY:-onprem}/server-key.pem (server TLS private key)
+# 4. /certs/${FACILITY:-onprem}/bundle.pem (server TLS certificate; backward compat)
 
 set -xo pipefail
 
@@ -18,32 +20,40 @@ cleanup() {
 	rm -rf ca-key.pem ca.csr ca.pem server.csr server.pem
 }
 
-# gen will generate the key and bundle
+# gen will generate the key and certificate
 gen() {
-	local bundle_destination="$1"
-	local key_destination="$2"
+	local ca_crt_destination="$1"
+	local server_crt_destination="$2"
+	local server_key_destination="$3"
 	cfssl gencert -initca /code/tls/csr.json | cfssljson -bare ca -
 	cfssl gencert -config /code/tls/ca-config.json -ca ca.pem -ca-key ca-key.pem -profile server /code/tls/csr.json | cfssljson -bare server
-	cat server.pem ca.pem >"${bundle_destination}"
-	mv server-key.pem "${key_destination}"
+	mv ca.pem "${ca_crt_destination}"
+	mv server.pem "${server_crt_destination}"
+	mv server-key.pem "${server_key_destination}"
 }
 
 # main orchestrates the process
 main() {
 	local sans_ip="$1"
 	local csr_file="/code/tls/csr.json"
-	local bundle_file="/certs/${FACILITY:-onprem}/bundle.pem"
+	local ca_crt_file="/certs/${FACILITY:-onprem}/ca-crt.pem"
+	local server_crt_file="/certs/${FACILITY:-onprem}/server-crt.pem"
 	local server_key_file="/certs/${FACILITY:-onprem}/server-key.pem"
+	# NB this is required for backward compat.
+	# TODO once the other think-* services use server-crt.pem this should
+	#      be removed.
+	local bundle_crt_file="/certs/${FACILITY:-onprem}/bundle.pem"
 
 	if ! grep -q "${sans_ip}" "${csr_file}"; then
 		update_csr "${sans_ip}" "${csr_file}"
 	else
 		echo "IP ${sans_ip} already in ${csr_file}"
 	fi
-	if [ ! -f "${bundle_file}" ] && [ ! -f "${server_key_file}" ]; then
-		gen "${bundle_file}" "${server_key_file}"
+	if [ ! -f "${ca_crt_file}" ] && [ ! -f "${server_crt_file}" ] && [ ! -f "${server_key_file}" ]; then
+		gen "${ca_crt_file}" "${server_crt_file}" "${server_key_file}"
+		cp "${server_crt_file}" "${bundle_crt_file}"
 	else
-		echo "Files [${bundle_file}, ${server_key_file}] already exist"
+		echo "Files [${ca_crt_file}, ${server_crt_file}, ${server_key_file}] already exist"
 	fi
 	cleanup
 }