path: root/webhook/pkg/injector/gencerts.sh
blob: f7fda4b63f38958efea61b5dddffabdcd137358d (plain)
#!/bin/bash

# Copyright 2020 The gVisor Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


# Generates a CA cert, a server key, and a server cert signed by the CA.
# reference:
# https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testcerts/gencerts.sh
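set -euo pipefail

# Usage: gencerts.sh <output-file-name>
# The first argument is the file name (relative to the current directory) that
# the generated Go source is copied to. Validate it before doing any work so a
# missing argument fails here, not after the keys have already been generated.
if [[ $# -lt 1 ]]; then
  printf 'Usage: %s <output-file-name>\n' "${0##*/}" >&2
  exit 2
fi

# Do all the work in TMPDIR, then copy out generated code and delete TMPDIR.
# Declaration and assignment are kept separate so that a failing pwd/mktemp is
# caught by `set -e` instead of being masked by declare's own exit status.
# `pwd -P` yields the same symlink-resolved path as the GNU-only `readlink -e .`
# and is available on every platform.
OUTDIR="$(pwd -P)"
declare -r OUTDIR
# mktemp -d creates the directory with mode 0700, so the private keys written
# into it below are not readable by other users while they exist on disk.
TMPDIR="$(mktemp -d)"
declare -r TMPDIR
cd "${TMPDIR}"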
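#######################################
# Leave the scratch directory and delete it. Installed as the EXIT trap, so it
# runs on normal completion, on a `set -e` failure and on interrupt alike.
# Globals:   OUTDIR (read) - directory to return to
#            TMPDIR (read) - scratch directory to remove
# Returns:   0 on success, non-zero if cd or rm fail
#######################################
cleanup() {
  cd "${OUTDIR}"
  # ${TMPDIR:?} aborts instead of expanding to an empty string, so an unset
  # variable can never turn this into `rm -rf ""` (or worse, a relative path).
  rm -rf -- "${TMPDIR:?}"
}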
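trap cleanup EXIT

# Names embedded in the certificates. CN must be the DNS name under which the
# kube-apiserver reaches the webhook service, because that is the name the
# server certificate is verified against.
declare -r CN_BASE="e2e"
declare -r CN="gvisor-injection-admission-webhook.e2e.svc"

# OpenSSL config used for the CSR and, via `x509 -req -extensions v3_req`, for
# the server certificate's extensions. (`req -x509` reads x509_extensions, not
# req_extensions, so v3_req does not apply to the self-signed CA cert.)
#
# subjectAltName mirrors the CN: Go 1.15+ TLS clients, the kube-apiserver
# included, no longer fall back to the CommonName for host-name verification
# and reject a server certificate whose name is not present as a SAN.
cat > server.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:${CN}
EOF

declare -r OUTFILE="${TMPDIR}/certs.go"

# We depend on OpenSSL being present; fail with a clear message up front rather
# than with "command not found" halfway through.
command -v openssl >/dev/null 2>&1 || {
  printf 'gencerts.sh: openssl not found in PATH\n' >&2
  exit 1
}

# Create a certificate authority.
openssl genrsa -out caKey.pem 2048
openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca" -config server.conf

# Create a server certificate.
openssl genrsa -out serverKey.pem 2048
# Note the CN is the DNS name of the service of the webhook.
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN}" -config server.conf
# -days 100000 (~274 years) keeps the checked-in fixture from ever expiring.
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf

# Emit the Go source. Each PEM blob becomes a raw string literal; that is safe
# because PEM is base64 plus ASCII armour and never contains a backtick.
# Note this embeds the CA and server *private keys* in the generated source, so
# the output is only suitable as a test fixture, never for a real deployment.
{
  printf 'package injector\n\n'
  printf '// This file was generated using openssl by the gencerts.sh script.\n'
  for file in caKey caCert serverKey serverCert; do
    # $(< file) strips trailing newlines, exactly as $(cat file) did.
    data=$(< "${file}.pem")
    printf '\nvar %s = []byte(`%s`)\n' "${file}" "${data}"
  done
} > "${OUTFILE}"

# Copy generated code into the output directory.
cp -- "${OUTFILE}" "${OUTDIR}/$1"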