
     1  #!/bin/bash
     2  
     3  # Copyright 2020 The gVisor Authors.
     4  #
     5  # Licensed under the Apache License, Version 2.0 (the "License");
     6  # you may not use this file except in compliance with the License.
     7  # You may obtain a copy of the License at
     8  #
     9  #   http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  # Unless required by applicable law or agreed to in writing, software
    12  # distributed under the License is distributed on an "AS IS" BASIS,
    13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  # See the License for the specific language governing permissions and
    15  # limitations under the License.
    16  
    17  
    18  # Generates a CA cert, a server key, and a server cert signed by the CA.
    19  # reference:
    20  # https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testcerts/gencerts.sh
    21  set -euo pipefail
    22  
    23  # Do all the work in TMPDIR, then copy out generated code and delete TMPDIR.
    24  declare -r OUTDIR="$(readlink -e .)"
    25  declare -r TMPDIR="$(mktemp -d)"
    26  cd "${TMPDIR}"
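#######################################
# Leave the scratch directory and delete it; installed as the EXIT trap.
# Globals:   OUTDIR (read) - directory to return to
#            TMPDIR (read) - scratch directory created by mktemp
# `${TMPDIR:?}` aborts instead of expanding to "" if mktemp ever failed and
# left TMPDIR empty, so a broken setup can never turn this into deleting the
# wrong path; `--` keeps an odd directory name from being parsed as an option.
#######################################
cleanup() {
  cd "${OUTDIR}"
  rm -rf -- "${TMPDIR:?}"
}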
    31  trap cleanup EXIT
    32  
    33  declare -r CN_BASE="e2e"
    34  declare -r CN="gvisor-injection-admission-webhook.e2e.svc"
    35  
    36  cat > server.conf << EOF
    37  [req]
    38  req_extensions = v3_req
    39  distinguished_name = req_distinguished_name
    40  [req_distinguished_name]
    41  [ v3_req ]
    42  basicConstraints = CA:FALSE
    43  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    44  extendedKeyUsage = clientAuth, serverAuth
    45  EOF
    46  
    47  declare -r OUTFILE="${TMPDIR}/certs.go"
    48  
    49  # We depend on OpenSSL being present.
    50  
    51  # Create a certificate authority.
    52  openssl genrsa -out caKey.pem 2048
    53  openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca" -config server.conf
    54  
    55  # Create a server certificate.
    56  openssl genrsa -out serverKey.pem 2048
    57  # Note the CN is the DNS name of the service of the webhook.
    58  openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN}" -config server.conf
    59  openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
    60  
    61  echo "package injector" > "${OUTFILE}"
    62  echo "" >> "${OUTFILE}"
    63  echo "// This file was generated using openssl by the gencerts.sh script." >> "${OUTFILE}"
    64  for file in caKey caCert serverKey serverCert; do
    65    DATA=$(cat "${file}.pem")
    66    echo "" >> "${OUTFILE}"
    67    echo "var $file = []byte(\`$DATA\`)" >> "${OUTFILE}"
    68  done
    69  
    70  # Copy generated code into the output directory.
    71  cp "${OUTFILE}" "${OUTDIR}/$1"