From d66aebb15a5804f84240dccac55cd56b1dde15e5 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Fri, 30 Oct 2020 12:00:11 -0700
Subject: Add the gVisor admission webhook

PiperOrigin-RevId: 339913577
---
 webhook/pkg/injector/gencerts.sh | 71 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100755 webhook/pkg/injector/gencerts.sh

(limited to 'webhook/pkg/injector/gencerts.sh')

diff --git a/webhook/pkg/injector/gencerts.sh b/webhook/pkg/injector/gencerts.sh
new file mode 100755
index 000000000..f7fda4b63
--- /dev/null
+++ b/webhook/pkg/injector/gencerts.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Copyright 2020 The gVisor Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Generates the a CA cert, a server key, and a server cert signed by the CA.
+# reference:
+# https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testcerts/gencerts.sh
+set -euo pipefail
+
+# Do all the work in TMPDIR, then copy out generated code and delete TMPDIR.
+declare -r OUTDIR="$(readlink -e .)"
+declare -r TMPDIR="$(mktemp -d)"
+cd "${TMPDIR}"
+function cleanup() {
+ cd "${OUTDIR}"
+ rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+declare -r CN_BASE="e2e"
+declare -r CN="gvisor-injection-admission-webhook.e2e.svc"
+
+cat > server.conf << EOF
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+EOF
+
+declare -r OUTFILE="${TMPDIR}/certs.go"
+
+# We depend on OpenSSL being present.
+
+# Create a certificate authority.
+openssl genrsa -out caKey.pem 2048
+openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca" -config server.conf
+
+# Create a server certificate.
+openssl genrsa -out serverKey.pem 2048
+# Note the CN is the DNS name of the service of the webhook.
+openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN}" -config server.conf
+openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
+
+echo "package injector" > "${OUTFILE}"
+echo "" >> "${OUTFILE}"
+echo "// This file was generated using openssl by the gencerts.sh script." >> "${OUTFILE}"
+for file in caKey caCert serverKey serverCert; do
+ DATA=$(cat "${file}.pem")
+ echo "" >> "${OUTFILE}"
+ echo "var $file = []byte(\`$DATA\`)" >> "${OUTFILE}"
+done
+
+# Copy generated code into the output directory.
+cp "${OUTFILE}" "${OUTDIR}/$1"
-- 
cgit v1.2.3
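Review bot: The server certificate is issued with only a CN and no subjectAltName — the `[ v3_req ]` section of server.conf sets basicConstraints, keyUsage and extendedKeyUsage but no SAN — so Go 1.15+ TLS clients such as the kube-apiserver will reject it for hostname verification even though the comment notes the CN is the service's DNS name; adding `subjectAltName = DNS:${CN}` to the `[ v3_req ]` section of the (unquoted, so `${CN}` expands) heredoc fixes this for the `openssl x509 -req ... -extensions v3_req` signing step. The final `cp "${OUTFILE}" "${OUTDIR}/$1"` is the first use of `$1`, so a missing argument only fails under `set -u` after all the OpenSSL work has run; an early `: "${1:?usage: gencerts.sh <output.go>}"` right after `set -euo pipefail` would fail fast with a clear message. The generated certs.go embeds the unencrypted (`-nodes`) CA and server private keys as Go source with a 100000-day validity, which is fine for the e2e fixture but easy to repurpose by mistake; the header line the script writes should say so, e.g. `// Test-only CA and server keys for the e2e webhook; never use outside tests.`.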