#!/bin/bash
# Copyright 2020 The gVisor Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Generates a CA cert, a server key, and a server cert signed by the CA.
# reference:
# https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testcerts/gencerts.sh
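set -euo pipefail

# Fail fast: the output file name (relative to the directory the script is
# started from) is required by the final copy step. Checking it here means a
# missing argument is reported before any key material is generated.
: "${1:?usage: ${0##*/} <output-file.go>}"

# Do all the work in TMPDIR, then copy out generated code and delete TMPDIR.
#
# Assignment is kept separate from readonly: `declare -r X="$(cmd)"` reports
# declare's own (zero) status, so a failing readlink or mktemp would be
# invisible to set -e and leave the variable empty.
OUTDIR="$(readlink -e .)"   # absolute, symlink-resolved, so it stays valid after the cd
readonly OUTDIR
TMPDIR="$(mktemp -d)"
readonly TMPDIR
cd "${TMPDIR}"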
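#######################################
# EXIT-trap handler: leave the scratch directory and delete it.
# Globals:   OUTDIR (read) - directory to return to
#            TMPDIR (read) - scratch directory to remove
# Arguments: none
# Returns:   status of the final rm
#######################################
cleanup() {
  # Move out first: the script cd's into TMPDIR, and removing the cwd is
  # error-prone on some platforms.
  cd "${OUTDIR}"
  # ${TMPDIR:?} turns an unset or empty TMPDIR into an explicit error instead
  # of an rm on the empty string; -- guards against a name starting with '-'.
  rm -rf -- "${TMPDIR:?}"
}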
trap cleanup EXIT

# Subject names: CN is the DNS name of the webhook Service the server cert is
# issued for; CN_BASE is the prefix used for the CA's CN.
readonly CN_BASE="e2e"
readonly CN="gvisor-injection-admission-webhook.e2e.svc"

# OpenSSL request config shared by the CA and the server CSR. The heredoc
# delimiter is quoted so the body is written verbatim (it contains no shell
# expansions).
cat > server.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF
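declare -r OUTFILE="${TMPDIR}/certs.go"

# We depend on OpenSSL being present; report that up front instead of failing
# with "command not found" part-way through key generation.
command -v openssl >/dev/null 2>&1 || {
  printf '%s\n' 'gencerts.sh: openssl not found in PATH' >&2
  exit 1
}

# Create a certificate authority.
# -nodes leaves the CA key unencrypted; both private keys are embedded into the
# generated Go file below, so they must be readable as plain PEM.
openssl genrsa -out caKey.pem 2048
openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca" -config server.conf

# Create a server certificate.
openssl genrsa -out serverKey.pem 2048
# Note the CN is the DNS name of the service of the webhook.
# NOTE(review): server.conf sets no subjectAltName, so the CN is the cert's only
# name; confirm the TLS clients that consume it still accept CN-only hostnames.
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN}" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf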
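# Emit a Go source file that embeds each PEM as a []byte raw-string literal.
# printf is used instead of echo so the output does not depend on echo's
# option/backslash handling; the bytes written are unchanged.
printf '%s\n' \
  "package injector" \
  "" \
  "// This file was generated using openssl by the gencerts.sh script." \
  > "${OUTFILE}"
for file in caKey caCert serverKey serverCert; do
  # $(< f) reads the file without forking cat; like $(cat f) it strips
  # trailing newlines, so the embedded literal is identical.
  DATA=$(< "${file}.pem")
  # Leading blank line separates the var declarations, as before.
  printf '\nvar %s = []byte(`%s`)\n' "${file}" "${DATA}" >> "${OUTFILE}"
done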
# Copy the generated Go file into the output directory; $1 is the destination
# file name relative to where the script was started.
cp -- "$OUTFILE" "$OUTDIR/$1"