From 3db47ba37c1902ec93e6a36d11f78c8ca72de545 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Mon, 7 Dec 2015 15:03:26 -0800 Subject: [PATCH 1/7] feat(Makefile, genssl/gen.sh): add script and makefile target for generating SSL certs --- .gitignore | 3 +++ Makefile | 3 +++ genssl/gen.sh | 10 ++++++++++ 3 files changed, 16 insertions(+) create mode 100755 genssl/gen.sh diff --git a/.gitignore b/.gitignore index b4d8ee8..1f7ba75 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ rootfs/bin/minio rootfs/bin/boot vendor/ +genssl/server.crt +genssl/server.csr +genssl/server.key diff --git a/Makefile b/Makefile index 3aaad00..1fcb6a0 100644 --- a/Makefile +++ b/Makefile @@ -41,6 +41,9 @@ docker-push: docker-build deploy: build docker-build docker-push kube-rc +ssl-cert: + docker run --rm -v "${PWD}/genssl":/ssl -w /ssl alpine:3.1 /bin/ash gen.sh + kube-rc: kube-service kubectl create -f ${RC} diff --git a/genssl/gen.sh b/genssl/gen.sh new file mode 100755 index 0000000..6ea6d0a --- /dev/null +++ b/genssl/gen.sh @@ -0,0 +1,10 @@ +# this script intended to be run inside alpine linux. see the "ssl-cert" build target in the Makefile (one directory above) + +apk add --update-cache openssl +rm -rf /var/cache/apk/* + +openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 +openssl rsa -passin pass:x -in server.pass.key -out server.key +rm server.pass.key +openssl req -new -key server.key -subj "/C=US/ST=California/L=San Francisco/O=Engine Yard" -out server.csr +openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt From 2b1b6029ce965465a64ce5992b7423ba25df7095 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Mon, 7 Dec 2015 15:12:03 -0800 Subject: [PATCH 2/7] fix(Makefile,gen.sh): writing certs to rootfs --- .gitignore | 4 +--- Makefile | 2 +- genssl/gen.sh | 6 +++++- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 1f7ba75..ab969ad 100644 --- a/.gitignore +++ b/.gitignore 
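Review bot: The `openssl req` line in gen.sh passes `-subj "/C=US/ST=California/L=San Francisco/O=Engine Yard"` with no CN and no subjectAltName, so the self-signed `server.crt` produced on the following `openssl x509` line names no host and a TLS client that checks the server name cannot match it; add the service's DNS name, e.g. `-subj "/C=US/ST=California/L=San Francisco/O=Engine Yard/CN=<minio-service-hostname>"` (placeholder), or an extension file carrying a SAN for clients that ignore CN. The script also has no shebang and no `set -e`, so a failed `apk add` or `openssl genrsa` does not stop it and the remaining commands run against missing files; `set -eu` as the first line would make the `ssl-cert` target fail loudly instead. The `-des3 -passout pass:x` / `openssl rsa -passin pass:x` pair only round-trips the key through a throw-away passphrase: the result is an unencrypted `server.key` on the bind-mounted `genssl/` directory, presumably root-owned on the host since `docker run` is given no `--user`, and if the run is interrupted before the `rm` the intermediate `server.pass.key` is left behind and is not covered by the `.gitignore` entries added in this patch.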
@@ -1,6 +1,4 @@ rootfs/bin/minio rootfs/bin/boot vendor/ -genssl/server.crt -genssl/server.csr -genssl/server.key +rootfs/certs diff --git a/Makefile b/Makefile index 1fcb6a0..afedc15 100644 --- a/Makefile +++ b/Makefile @@ -42,7 +42,7 @@ docker-push: docker-build deploy: build docker-build docker-push kube-rc ssl-cert: - docker run --rm -v "${PWD}/genssl":/ssl -w /ssl alpine:3.1 /bin/ash gen.sh + docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash /pwd/genssl/gen.sh kube-rc: kube-service kubectl create -f ${RC} diff --git a/genssl/gen.sh b/genssl/gen.sh index 6ea6d0a..bd8b258 100755 --- a/genssl/gen.sh +++ b/genssl/gen.sh @@ -1,8 +1,12 @@ -# this script intended to be run inside alpine linux. see the "ssl-cert" build target in the Makefile (one directory above) +# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. +# it expects that its parent directory is a volume mounted at /pwd and its current working directory is /pwd also apk add --update-cache openssl rm -rf /var/cache/apk/* +mkdir -p ./rootfs/certs +cd ./rootfs/certs + openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 openssl rsa -passin pass:x -in server.pass.key -out server.key rm server.pass.key From 9075b6bdaf382fd589deca88594050ef89d49f1a Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Mon, 7 Dec 2015 15:18:11 -0800 Subject: [PATCH 3/7] fix(boot.go): rename template name --- boot.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boot.go b/boot.go index 24ab040..5b1cdfb 100644 --- a/boot.go +++ b/boot.go @@ -103,7 +103,7 @@ func main() { AccessKey: access, }, } - t := template.New("Secret template") + t := template.New("MinioTpl") t, err = t.Parse(templv2) From bc1ef21a880f5402c05978140ab6493266c0d822 Mon Sep 17 00:00:00 2001 
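Review bot: The new `mkdir -p ./rootfs/certs` / `cd ./rootfs/certs` lines in gen.sh write the unencrypted private key into `rootfs/`, which the existing `rootfs/bin/minio` and `rootfs/bin/boot` ignore entries suggest is the tree that `docker-build` packages into the pushed image, so every consumer of the image would receive the key; PATCH 4/7 in this series moves the files back out, which resolves that. Independently, without `set -e` a failing `cd` leaves the script running in `/pwd`, and the `openssl` commands then write key and cert into the repository root, so the line should read `cd ./rootfs/certs || exit 1`. Because the `.gitignore` hunk above replaces the three `genssl/server.*` entries with `rootfs/certs`, the key files are only ignored for this revision when that `cd` succeeded.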
From: Aaron Schlesinger Date: Mon, 7 Dec 2015 16:36:15 -0800 Subject: [PATCH 4/7] fix(Makefile,gen.sh,manifest-replace.sh): put certs into secrets file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit the manifests/deis-minio-secretssl.yaml manifest is a “template” which genssl/manifest-replace.sh writes values into. still some issues with alpine linux’s ash shell, this is almost working. --- .gitignore | 6 +++++- Makefile | 5 ++++- genssl/gen.sh | 16 +++++++--------- genssl/manifest-replace.sh | 11 +++++++++++ manifests/deis-minio-secretssl.yaml | 10 +++++++--- 5 files changed, 34 insertions(+), 14 deletions(-) create mode 100755 genssl/manifest-replace.sh diff --git a/.gitignore b/.gitignore index ab969ad..f8d52bc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,8 @@ rootfs/bin/minio rootfs/bin/boot vendor/ -rootfs/certs +genssl/server.cert +genssl/server.csr +genssl/server.key +genssl/server.pem +manifests/deis-minio-secretssl-final.yaml diff --git a/Makefile b/Makefile index afedc15..28d6141 100644 --- a/Makefile +++ b/Makefile @@ -42,7 +42,10 @@ docker-push: docker-build deploy: build docker-build docker-push kube-rc ssl-cert: - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash /pwd/genssl/gen.sh + # generate ssl certs + docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh && ./genssl/manifest-replace.sh + # replace values in ssl secrets file + docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest-replace.sh kube-rc: kube-service kubectl create -f ${RC} diff --git a/genssl/gen.sh b/genssl/gen.sh index bd8b258..1c4d761 100755 --- a/genssl/gen.sh +++ b/genssl/gen.sh 
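Review bot: In the `ssl-cert` recipe the first `docker run` line ends with `&& ./genssl/manifest-replace.sh`, but that `&&` is parsed by make's host shell, not by the `/bin/ash` inside the container, so manifest-replace.sh executes on the host under whatever `/bin/sh` is installed there (its `${VAR/pat/rep}` substitutions are not POSIX) and then a second time in the next `docker run`. Drop the trailing `&& ./genssl/manifest-replace.sh` so the line is just `docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh` and the second `docker run` is the only place the replacement runs. The Makefile hunk in PATCH 7/7 updates only the second line to the renamed `manifest_replace.sh` and keeps this stale reference, so after the rename in PATCH 5/7 the first line fails on the host with a missing file and make aborts the target before the second `docker run` is reached.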
@@ -1,14 +1,12 @@ # this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. -# it expects that its parent directory is a volume mounted at /pwd and its current working directory is /pwd also +# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. apk add --update-cache openssl rm -rf /var/cache/apk/* -mkdir -p ./rootfs/certs -cd ./rootfs/certs - -openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 -openssl rsa -passin pass:x -in server.pass.key -out server.key -rm server.pass.key -openssl req -new -key server.key -subj "/C=US/ST=California/L=San Francisco/O=Engine Yard" -out server.csr -openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt +openssl genrsa -des3 -passout pass:x -out ./genssl/server.pass.key 2048 +openssl rsa -passin pass:x -in ./genssl/server.pass.key -out ./genssl/server.pem +rm ./genssl/server.pass.key +openssl req -new -key ./genssl/server.key -subj "/C=US/ST=California/L=San Francisco/O=Engine Yard" -out ./genssl/server.csr +# generate the cert +openssl x509 -req -days 365 -in ./genssl/server.csr -signkey ./genssl/server.key -out ./genssl/server.cert diff --git a/genssl/manifest-replace.sh b/genssl/manifest-replace.sh new file mode 100755 index 0000000..5de57e0 --- /dev/null +++ b/genssl/manifest-replace.sh 
@@ -0,0 +1,11 @@ +# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. +# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. +# finally, it also expects that a 'server.cert' and 'server.pem' in ./genssl. it uses those as the SSL cert and PEM files, respectively + +FILE_CONTENTS="$(cat ./manifests/deis-minio-secretssl.yaml)" +CERT=`base64 ./genssl/server.cert` +PEM=`base64 ./genssl/server.pem` + +FILE_CONTENTS="${FILE_CONTENTS/ACCESS_CERT/$CERT}" +FILE_CONTENTS="${FILE_CONTENTS/ACCESS_PEM/$PEM}" +echo $FILE_CONTENTS > ./manifests/deis-minio-secretssl-final.yaml diff --git a/manifests/deis-minio-secretssl.yaml b/manifests/deis-minio-secretssl.yaml index 7001a69..2eaccc8 100644 --- a/manifests/deis-minio-secretssl.yaml +++ b/manifests/deis-minio-secretssl.yaml @@ -1,9 +1,13 @@ apiVersion: v1 kind: Secret metadata: - name: minio-user + name: minio-ssl heritage: deis type: Opaque data: - access-cert: OFRaUlkySlJXTVBUNlVNWFI2STUK - access-pem: Z2JzdHJPdm90TU1jZzJzTWZHVWhBNWE2RXQvRUk1QUx0SUhzb2JZawo= + # generated by make ssl-cert + access-cert: | + ACCESS_CERT + # generated by make ssl-cert + access-pem: | + ACCESS_PEM From f2a1b6ecd387a2e76821e4c614e5320656a27218 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Mon, 7 Dec 2015 16:50:26 -0800 Subject: [PATCH 5/7] fix(manifest-replace.sh): write cert and pem correctly to final file --- genssl/{manifest-replace.sh => manifest_replace.sh} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename genssl/{manifest-replace.sh => manifest_replace.sh} (78%) diff --git a/genssl/manifest-replace.sh b/genssl/manifest_replace.sh similarity index 78% rename from genssl/manifest-replace.sh rename to genssl/manifest_replace.sh index 5de57e0..1f586c2 100755 --- a/genssl/manifest-replace.sh +++ b/genssl/manifest_replace.sh 
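Review bot: The `CERT=` and `PEM=` lines capture `base64` output that is line-wrapped at 76 columns by default, so the substitution into `ACCESS_CERT` / `ACCESS_PEM` in the YAML hunk below leaves only the first base64 line indented under `access-cert: |`; the rest land at column 0, which terminates the block scalar and makes the generated `deis-minio-secretssl-final.yaml` unparseable. Strip the newlines when capturing, `CERT="$(base64 ./genssl/server.cert | tr -d '\n')"` and likewise for `PEM`, and put the placeholder on the key's own line (`access-cert: ACCESS_CERT`) instead of a `|` block, since a Secret `data` value is a single base64 string. `${FILE_CONTENTS/ACCESS_CERT/$CERT}` is a bash extension that busybox ash accepts only when built with bash compatibility, which is presumably the ash trouble the commit message refers to. The final manifest embeds the private key and is written with the default umask; a `umask 077` before the `echo` keeps it readable only by the invoking user, and the script should start with `set -eu` so a missing `server.cert` or `server.pem` aborts instead of producing a manifest with an empty value.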
@@ -3,9 +3,9 @@ # finally, it also expects that a 'server.cert' and 'server.pem' in ./genssl. it uses those as the SSL cert and PEM files, respectively FILE_CONTENTS="$(cat ./manifests/deis-minio-secretssl.yaml)" -CERT=`base64 ./genssl/server.cert` -PEM=`base64 ./genssl/server.pem` +CERT="$(base64 ./genssl/server.cert)" +PEM="$(base64 ./genssl/server.pem)" FILE_CONTENTS="${FILE_CONTENTS/ACCESS_CERT/$CERT}" FILE_CONTENTS="${FILE_CONTENTS/ACCESS_PEM/$PEM}" -echo $FILE_CONTENTS > ./manifests/deis-minio-secretssl-final.yaml +echo "$FILE_CONTENTS" > ./manifests/deis-minio-secretssl-final.yaml From 189d40dde0db58e974803b6af01dd6fae8dbc2e0 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Mon, 7 Dec 2015 17:02:02 -0800 Subject: [PATCH 6/7] fix(gen.sh,manifest_replace.sh): use .key instead of .pem extension MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Heroku’s instructions for creating a self-signed cert are very clear and easy to follow. using ‘.key’ to follow those instructions more closely --- genssl/gen.sh | 4 +++- genssl/manifest_replace.sh | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/genssl/gen.sh b/genssl/gen.sh index 1c4d761..d9612e0 100755 --- a/genssl/gen.sh +++ b/genssl/gen.sh @@ -4,8 +4,10 @@ apk add --update-cache openssl rm -rf /var/cache/apk/* +# these commands are adapted from the very clear and extensive Heroku documents on creating a self-signed SSL certificate: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-private-key-and-certificate-signing-request + openssl genrsa -des3 -passout pass:x -out ./genssl/server.pass.key 2048 -openssl rsa -passin pass:x -in ./genssl/server.pass.key -out ./genssl/server.pem +openssl rsa -passin pass:x -in ./genssl/server.pass.key -out ./genssl/server.key rm ./genssl/server.pass.key openssl req -new -key ./genssl/server.key -subj "/C=US/ST=California/L=San Francisco/O=Engine Yard" -out ./genssl/server.csr # generate the cert 
diff --git a/genssl/manifest_replace.sh b/genssl/manifest_replace.sh index 1f586c2..df554bc 100755 --- a/genssl/manifest_replace.sh +++ b/genssl/manifest_replace.sh @@ -1,10 +1,10 @@ # this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. # it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. -# finally, it also expects that a 'server.cert' and 'server.pem' in ./genssl. it uses those as the SSL cert and PEM files, respectively +# finally, it also expects that a 'server.cert' and 'server.key' in ./genssl. it uses those as the SSL cert and private key (AKA .pem) files, respectively FILE_CONTENTS="$(cat ./manifests/deis-minio-secretssl.yaml)" CERT="$(base64 ./genssl/server.cert)" -PEM="$(base64 ./genssl/server.pem)" +PEM="$(base64 ./genssl/server.key)" FILE_CONTENTS="${FILE_CONTENTS/ACCESS_CERT/$CERT}" FILE_CONTENTS="${FILE_CONTENTS/ACCESS_PEM/$PEM}" From 8b66bada3ad43a44819149ce6d79fc80e645629d Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Mon, 7 Dec 2015 17:02:21 -0800 Subject: [PATCH 7/7] fix(Makefile): call the correct replace file --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 28d6141..b70454e 100644 --- a/Makefile +++ b/Makefile @@ -45,7 +45,7 @@ ssl-cert: # generate ssl certs docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh && ./genssl/manifest-replace.sh # replace values in ssl secrets file - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest-replace.sh + docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest_replace.sh kube-rc: kube-service kubectl create -f ${RC}