Versions Compared

Version Old Version 5 New Version 6
Changes made by

Francesco Davide Lapenta

Francesco Davide Lapenta

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
kubectl $KUBECONFIG logs vault-0 -n ocf-vault
kubectl $KUBECONFIG exec -tiit vault-0 -n ocf-vault -- vault operator unseal 19zgCoVzIC4665WfRAD7gJmHTTXtqRfYrltjJ7u77AA=

...

Manually Retrieve a Bearer Token

  1. Login as an admin (admin:password123 or encoded “YWRtaW46cGFzc3dvcmQxMjM=“) and retrieve a TOKEN

  2. Use the TOKEN to create a normal user

  3. Get Authorization and ACCESS_TOKEN for the user and the CA_ROOT

  4. Prepare a PROVIDER with keys in body and authenticate with the ACCESS_TOKEN

  5. ONBOARD that PROVIDER

Code Block
#!/bin/bash

if ! command -v "jq" >/dev/null 2>&1; then
  echo "Error: jq is not installed. Please install jq and try again."
  exit 1
fi

export INGRESS_IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller | grep ingress | awk '{print $3}')
echo "INGRESS_IP: $INGRESS_IP"
CAPIF_HOSTNAME=$INGRESS_IP

# Retrieve the REGISTER_IP
export REGISTER_IP=$(kubectl get svc -n ocf-capif register | grep register | awk '{print $3}')
echo "REGISTER_IP: $REGISTER_IP"

# Retrieve the NGINX_IP
export NGINX_IP=$(kubectl get svc -n ocf-capif nginx | grep nginx | awk '{print $3}')
echo "NGINX_IP: $NGINX_IP"

echo "###############################################################"
echo "###################ADMIN LOGIN#################################"
echo "###############################################################"
# Log in and extract the Bearer token
LOGIN_RESPONSE=$(curl -s -k -X POST https://$REGISTER_IP:8084/login \
  --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=')
BEARER_TOKEN=$(echo $LOGIN_RESPONSE | jq -r .access_token)
echo "Bearer Token: $BEARER_TOKEN"

echo "###############################################################"
echo "###################CREATE A USER###############################"
echo "###############################################################"
# Create a new user
curl -k --location https://$REGISTER_IP:8084/createUser \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $BEARER_TOKEN" \
  --data-raw '{
    "username": "custom_user",
    "password": "user_pass",
    "enterprise": "EST",
    "country": "Ireland",
    "email": "est@est.tech",
    "purpose": "Use OpenCAPIF",
    "phone_number": "+123456789",
    "company_web": "www.est.com",
    "description": "UserDescription"
}'

echo "###############################################################"
echo "###################GET AUTH####################################"
echo "###############################################################"
# Retrieve auth credentials for the newly created user
GET_AUTH_RESPONSE=$(curl -s -k --location https://$REGISTER_IP:8084/getauth \
  --header 'Authorization: Basic Y3VzdG9tX3VzZXI6dXNlcl9wYXNz')

# Parse and set environment variables from the response
CA_ROOT=$(echo $GET_AUTH_RESPONSE | jq -r .ca_root)
ACCESS_TOKEN=$(echo $GET_AUTH_RESPONSE | jq -r .access_token)
ONBOARDING_URL=$(echo $GET_AUTH_RESPONSE | jq -r .ccf_api_onboarding_url)
PUBLISH_URL=$(echo $GET_AUTH_RESPONSE | jq -r .ccf_publish_url)
DISCOVER_URL=$(echo $GET_AUTH_RESPONSE | jq -r .ccf_discover_url)
SECURITY_URL=$(echo $GET_AUTH_RESPONSE | jq -r .ccf_security_url)
ONBOARDING_URL_INVOKER=$(echo $GET_AUTH_RESPONSE | jq -r .ccf_onboarding_url)

# Print extracted values
echo "CA_ROOT: $CA_ROOT"
echo "ACCESS_TOKEN: $ACCESS_TOKEN"
echo "ONBOARDING_URL: $ONBOARDING_URL"
echo "PUBLISH_URL: $PUBLISH_URL"
echo "DISCOVER_URL: $DISCOVER_URL"
echo "SECURITY_URL: $SECURITY_URL"
echo "ONBOARDING_URL_INVOKER: $ONBOARDING_URL_INVOKER"

# Save CA_ROOT to a file (manual extraction)
CA_CERT_PATH="./ca_cert.pem"
echo "$CA_ROOT" > $CA_CERT_PATH
echo "CA Root Certificate saved to $CA_CERT_PATH"

# Extract OpenSSL command for the CAPIF_HOSTNAME
if [[ "$CAPIF_HOSTNAME" == *:* ]]; then
  OPENSSL_COMMAND="openssl s_client -connect $CAPIF_HOSTNAME | openssl x509 -text > $CA_CERT_PATH"
else
  OPENSSL_COMMAND="openssl s_client -connect $CAPIF_HOSTNAME:443 | openssl x509 -text > $CA_CERT_PATH"
fi

# Execute the OpenSSL command
echo "###############################################################"
echo "###################OPENSSL COMMAND TO EXTRACT CAROOT###########"
echo "###############################################################"
echo "Executing OpenSSL command to fetch CA root certificate:"
eval $OPENSSL_COMMAND
echo "OpenSSL command executed. Certificate updated."

echo "###############################################################"
echo "###################PREPARE PROVIDER############################"
echo "###############################################################"

# Initial payload
EMPTY_PAYLOAD='{
  "apiProvFuncs": [
      {
      "regInfo": {
          "apiProvPubKey": ""
      },
      "apiProvFuncRole": "AEF",
      "apiProvFuncInfo": "dummy_aef"
      },
      {
      "regInfo": {
          "apiProvPubKey": ""
      },
      "apiProvFuncRole": "APF",
      "apiProvFuncInfo": "dummy_apf"
      },
      {
      "regInfo": {
          "apiProvPubKey": ""
      },
      "apiProvFuncRole": "AMF",
      "apiProvFuncInfo": "dummy_amf"
      }
  ],
  "apiProvDomInfo": "This is provider",
  "suppFeat": "fff",
  "failReason": "string",
  "regSec": "'"$ACCESS_TOKEN"'"
}'

# Extract the list of API Provider functions as an array
API_PROV_FUNCS=$(echo "$EMPTY_PAYLOAD" | jq -c '.apiProvFuncs[]')

# Initialize an updated functions array
UPDATED_FUNCS_JSON="[]"

# Iterate over each API Provider function
for FUNC in $API_PROV_FUNCS; do
  ROLE=$(echo "$FUNC" | jq -r '.apiProvFuncRole')
  FUNC_INFO=$(echo "$FUNC" | jq -r '.apiProvFuncInfo')

  # Generate a private key and save it to a file
  PRIVATE_KEY_FILE="${ROLE}_key.pem"
  openssl genpkey -algorithm RSA -out "$PRIVATE_KEY_FILE" -pkeyopt rsa_keygen_bits:2048

  # Generate a CSR using the private key
  CSR_FILE="${ROLE}_csr.pem"
  openssl req -new -key "$PRIVATE_KEY_FILE" -out "$CSR_FILE" -subj "/CN=${FUNC_INFO}/O=Provider/OU=${ROLE}"

  # Read the CSR content
  #CSR=$(cat "$CSR_FILE" | base64 | tr -d '\n')
  CSR=$(cat "$CSR_FILE")

  # Update the function's Public Key with the CSR content
  UPDATED_FUNC=$(echo "$FUNC" | jq --arg csr "$CSR" '.regInfo.apiProvPubKey = $csr')

  # Add the updated function to the array
  UPDATED_FUNCS_JSON=$(echo "$UPDATED_FUNCS_JSON" | jq --argjson func "$UPDATED_FUNC" '. + [$func]')
done

# Create the final payload
FINAL_PAYLOAD=$(echo "$EMPTY_PAYLOAD" | jq --argjson funcs "$UPDATED_FUNCS_JSON" '.apiProvFuncs = $funcs')

# Print the final payload
echo "Final Payload: $FINAL_PAYLOAD"

echo "###############################################################"
echo "###################ONBOARD PROVIDER############################"
echo "###############################################################"

curl -k --location https://$NGINX_IP/api-provider-management/v1/registrations \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $ACCESS_TOKEN" \
  --data "$FINAL_PAYLOAD"
  
echo "###############################################################"
echo "###################K8S PROVIDER LOGS###########################"
echo "###############################################################"

kubectl logs -n ocf-capif -l app.kubernetes.io/name=ocf-api-provider-management