I needed a set of resources for managing a simple PKI chain for setting up consul with TLS/SSL.
It stores all PKI resources in S3 under a single prefix, e.g. my-bucket/my-pki/root-ca.pem, etc.
I’ve created a set of resources to do that, and since I thought it’d be easier to use with concourse if they were available on docker hub, I’ve also made it open source (under the MIT license).
Warning: I’m fairly new to python, and there aren’t any proper unit tests yet, so consider this somewhat alpha.
However, it’s got a fairly useful feature set I think so far, including:
- supports alternative s3 provider (minio) in addition to AWS
- uses metadata keys to store file checksums, and uses that to calculate versioning
- since it only reads metadata it doesn’t need to download keys to check version
- can optionally not download keys at all on an ‘in’ phase, supporting it as a pure trigger
- supports one click renewal for root, intermediate, and leaf certs, while keeping the existing private key
How are you managing PKI with concourse, and what challenges have you run into?
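As an added illustration of the metadata-only versioning and the optional no-download ‘in’ phase described in the post (example code written for this thread, not the resource's own), using a constructed in-memory stand-in for the boto3 S3 client so it runs offline. The metadata key name `sha256` and the way the version digest is derived from the checksums are assumptions.

```python
import hashlib
import io
import json
CHECKSUM_META_KEY = "sha256"  # assumed name of the metadata key holding the checksum

class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 calls used below (same shapes)."""
    def __init__(self, objects):
        self.objects = objects  # {key: (body_bytes, metadata_dict)}
        self.downloads = 0      # counts get_object calls, to show what is fetched
    def list_objects_v2(self, Bucket, Prefix):
        keys = sorted(k for k in self.objects if k.startswith(Prefix))
        return {"Contents": [{"Key": k} for k in keys]}
    def head_object(self, Bucket, Key):
        return {"Metadata": dict(self.objects[Key][1])}
    def get_object(self, Bucket, Key):
        self.downloads += 1
        return {"Body": io.BytesIO(self.objects[Key][0])}

def with_checksum(body):  # body plus checksum metadata, as a well-formed upload stores it
    return (body, {CHECKSUM_META_KEY: hashlib.sha256(body).hexdigest()})

def check_version(s3, bucket, prefix):
    """'check' step: derive a version from object metadata alone, downloading nothing."""
    checksums = {}
    for obj in s3.list_objects_v2(Bucket=bucket, Prefix=prefix).get("Contents", []):
        meta = s3.head_object(Bucket=bucket, Key=obj["Key"])["Metadata"]
        if CHECKSUM_META_KEY in meta:
            checksums[obj["Key"]] = meta[CHECKSUM_META_KEY]
    # Version = digest over sorted (key, checksum) pairs, so any renewal changes it.
    digest = hashlib.sha256(json.dumps(sorted(checksums.items())).encode()).hexdigest()
    return {"version": digest, "files": checksums}

def fetch(s3, bucket, prefix, download=True):
    """'in' step: download=False pulls nothing (pure trigger); otherwise bytes are verified against metadata checksums."""
    files = {}
    if not download:
        return files
    for key, expected in check_version(s3, bucket, prefix)["files"].items():
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        actual = hashlib.sha256(body).hexdigest()
        if actual != expected:
            raise ValueError(f"checksum mismatch for {key}: {expected} != {actual}")
        files[key] = body
    return files

def sample_store():
    """Constructed bucket content mirroring the my-bucket/my-pki layout."""
    return FakeS3({"my-pki/root-ca.pem": with_checksum(b"-----BEGIN CERTIFICATE-----\nconstructed\n"),
                   "my-pki/root-ca-key.pem": with_checksum(b"constructed-private-key")})
```

A real client built with `boto3.client("s3", endpoint_url=...)` (the endpoint pointing at MinIO when not on AWS) can be passed in place of `FakeS3`.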