
     1  #!/usr/bin/env bash
     2  #
     3  # Copyright (c) 2021, 2022, Oracle and/or its affiliates.
     4  # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
     5  #
     6  SCRIPT_DIR=$(cd $(dirname "$0"); pwd -P)
     7  
     8  . ${SCRIPT_DIR}/logging.sh
     9  
    10  CONFIG_DIR=$SCRIPT_DIR/config
    11  TMP_DIR=$(mktemp -d)
    12  trap 'rc=$?; rm -rf ${TMP_DIR} || true; _logging_exit_handler $rc' EXIT
    13  
    14  set -ueo pipefail
    15  
    16  function create_istio_cert_secret {
    17    CERTS_OUT=$SCRIPT_DIR/build/istio-certs
    18  
    19    rm -rf $CERTS_OUT || true
    20    rm -f ./index.txt* serial serial.old || true
    21  
    22    mkdir -p $CERTS_OUT
    23    touch ./index.txt
    24    echo 1000 > ./serial
    25  
    26    log "Generating CA bundle for Istio"
    27  
    28    # Create the private key for the root CA
    29    openssl genrsa -out $CERTS_OUT/root-key.pem 4096 || return $?
    30  
    31    # Generate a root CA with the private key
    32    openssl req -config $CONFIG_DIR/istio_root_ca_config.txt -key $CERTS_OUT/root-key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out $CERTS_OUT/root-cert.pem || return $?
    33  
    34    # Create the private key for the intermediate CA
    35    openssl genrsa -out $CERTS_OUT/ca-key.pem 4096 || return $?
    36  
    37    # Generate certificate signing request (CSR)
    38    openssl req -config $CONFIG_DIR/istio_intermediate_ca_config.txt -new -sha256 -key $CERTS_OUT/ca-key.pem -out $CERTS_OUT/intermediate-csr.pem || return $?
    39  
    40    # create intermediate cert using the root CA
    41    openssl ca -batch -config $CONFIG_DIR/istio_root_ca_config.txt -extensions v3_intermediate_ca -days 3650 -notext -md sha256 \
    42        -keyfile $CERTS_OUT/root-key.pem \
    43        -cert $CERTS_OUT/root-cert.pem \
    44        -in $CERTS_OUT/intermediate-csr.pem \
    45        -out $CERTS_OUT/ca-cert.pem \
    46        -outdir $CERTS_OUT || return $?
    47  
    48    # Create certificate chain file
    49    cat $CERTS_OUT/ca-cert.pem $CERTS_OUT/root-cert.pem > $CERTS_OUT/cert-chain.pem || return $?
    50  
    51    kubectl create secret generic cacerts -n istio-system \
    52        --from-file=$CERTS_OUT/ca-cert.pem \
    53        --from-file=$CERTS_OUT/ca-key.pem  \
    54        --from-file=$CERTS_OUT/root-cert.pem \
    55        --from-file=$CERTS_OUT/cert-chain.pem || return $?
    56  
    57    rm -rf $CERTS_OUT
    58    rm -f ./index.txt* serial serial.old
    59  
    60    return 0
    61  }
    62  
    63  # Create certificates and istio secret to hold certificates if we haven't already
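# Build the CA bundle and the cacerts secret unless a previous run already
# created the secret (the secret in the cluster, not local files, is the
# idempotency marker).  The generator is called inside 'if !' so that its
# non-zero return reaches this check: under 'set -e' a bare call followed by
# a '$?' test would terminate the script before the status could be inspected,
# and the failure message would never be printed.
if ! kubectl get secret cacerts -n istio-system > /dev/null 2>&1 ; then
  echo "Creating Istio secret"
  if ! create_istio_cert_secret; then
    echo "Failed to create Istio certificate" >&2
    exit 1
  fi
fi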