
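#!/bin/bash
# Generate a self-signed TLS certificate and private key for pachd, for use in
# tests only (the private key is written unencrypted).
#
# Usage: gen_pachd_tls.sh [host[:port]] [output_prefix]
#   host[:port]    address clients will use to reach pachd; any ":port" suffix
#                  is dropped. A dotted-quad IPv4 literal becomes an IP SAN,
#                  anything else a DNS SAN. Defaults to localhost when omitted.
#   output_prefix  basename of the outputs (default: pachd):
#                  <prefix>.pem holds the cert, <prefix>.key the private key.
set -euo pipefail

#######################################
# Tests whether a string is a dotted-quad IPv4 literal.
# Arguments: $1 - host string
# Returns:   0 if it looks like a.b.c.d, non-zero otherwise
#######################################
is_ipv4() {
  # Anchored at both ends so that a hostname that merely contains a dotted
  # quad (e.g. 10.0.0.1.nip.io) is not mistaken for an IP literal.
  [[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]
}

#######################################
# Prints a minimal openssl config for our micro-CA to stdout.
# Arguments: $1 - common name for the [dn] section
#            $2 - subjectAltName value, e.g. "IP:1.2.3.4" or "DNS:example"
# Outputs:   the config text
#######################################
render_tls_config() {
  local cn=$1
  local san=$2
  cat <<EOF
[ req ]
default_md         = sha256 # MD = message digest. md5 is the openSSL default in 1.1.0 (see 'man req')
prompt             = no     # use values in [dn] directly
distinguished_name = dn
x509_extensions    = exn    # Since we're making self-signed certs. For CSRs, use req_extensions

[ dn ]
CN = ${cn}

[ exn ]
# Hostname verification in modern clients (e.g. Go's crypto/x509) ignores
# the CN and requires a matching subjectAltName, so always emit one.
subjectAltName = ${san}
EOF
}

#######################################
# Entry point: derives CN/SAN from the host argument, writes the openssl
# config to stdout, generates the cert and key, and prints usage hints.
# Arguments: $1 - host[:port] (optional), $2 - output prefix (optional)
# Outputs:   <prefix>.pem and <prefix>.key in the current directory
# Returns:   non-zero if openssl fails (no success message is printed then)
#######################################
main() {
  local hostport=${1:-}
  local output_prefix=${2:-pachd}

  # Strip an optional ":port" suffix (everything from the first colon on);
  # parameter expansion does what the old sed call did without a fork.
  local host=${hostport%%:*}

  local cn san
  if is_ipv4 "${host}"; then
    # An IP literal goes into an IP SAN; the CN stays at its localhost default.
    cn=localhost
    san="IP:${host}"
  else
    cn=${host:-localhost}
    san="DNS:${cn}"
  fi

  # $(…) drops the trailing newline; it is re-added wherever the config is fed
  # to a consumer. (The previous `read -d ''` form always returned non-zero,
  # which does not coexist with `set -e`.)
  local tls_config
  tls_config=$(render_tls_config "${cn}" "${san}")
  printf '%s\n' "${tls_config}"

  # Set other openssl options
  local tls_opts=(
    # Immediately self-sign the generated CSR and output that, instead of
    # outputting the CSR itself
    -x509

    # Don't encrypt (DES) the resulting private key (dangerous, non-prod only)
    -nodes

    # signed cert should be valid for 1 year
    -days 365

    # Generate the cert's private key as well (instead of receiving one)
    -newkey rsa:2048

    # Output the private key here
    -keyout "${output_prefix}.key"

    # Output PEM-encoded cert (this is the default, and this flag is unnecessary,
    # but PEM is required by kubernetes and this makes explicit the fact that
    # we're meeting that requirement)
    -outform PEM

    # Output path for the self-signed cert
    -out "${output_prefix}.pem"
  )

  # Generate self-signed cert; bail out explicitly so a failed run never
  # reaches the "New cert and key are in ..." message below.
  if ! openssl req "${tls_opts[@]}" -config <(printf '%s\n' "${tls_config}"); then
    printf 'openssl req failed; no cert or key was written\n' >&2
    return 1
  fi

  # The private key must not be readable by other users, whatever the umask
  # or the openssl version's default file mode.
  chmod 600 -- "${output_prefix}.key"

  # Print instructions for using new cert and key
  printf "New cert and key are in '%s.pem' and '%s.key'\n" "${output_prefix}" "${output_prefix}"
  printf '%s\n' "Deploy pachd to present the new self-signed cert and key by running:"
  printf '\n'
  printf '%s\n' "  pachctl undeploy # remove any existing cluster"
  printf '%s\n' "  pachctl deploy <destination> --tls=\"${output_prefix}.pem,${output_prefix}.key\""
  printf '\n'
}

main "$@"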