
     1  #!/bin/bash
     2  #
     3  # Copyright Istio Authors
     4  #
     5  #   Licensed under the Apache License, Version 2.0 (the "License");
     6  #   you may not use this file except in compliance with the License.
     7  #   You may obtain a copy of the License at
     8  #
     9  #       http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  #   Unless required by applicable law or agreed to in writing, software
    12  #   distributed under the License is distributed on an "AS IS" BASIS,
    13  #   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  #   See the License for the specific language governing permissions and
    15  #   limitations under the License.
    16  
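set -euo pipefail

# Positional arguments (all optional):
#   $1  workload name; also used as the trust-domain suffix (default "foo")
#   $2  namespace (default: $1)
#   $3  service account (default: $1)
#   $4  output directory; must already exist (default: this script's directory)
#   $5  "use-alternative-root" selects the *-alt.pem CA material
name=${1:-foo}
ns=${2:-$name}
sa=${3:-$name}
tmp=${4:-""}
rootselect=${5:-""}

#######################################
# Reject a name that could not be written safely. name/ns/sa are spliced
# into output file names (workload-$sa-*.pem) and into the URI SAN that is
# written verbatim into the openssl request config, so a "/" would leave the
# output directory and whitespace/newlines would break or extend the config.
# Arguments: $1 - label for the error message, $2 - value to check
# Outputs:   error message on stderr when rejected
# Returns:   0 if the value is acceptable, 1 otherwise
#######################################
check_name() {
  if [[ "$2" == */* || "$2" == *[[:space:]]* ]]; then
    printf '%s must not contain "/" or whitespace, got: %q\n' "$1" "$2" >&2
    return 1
  fi
  return 0
}
check_name name "$name" || exit 1
check_name namespace "$ns" || exit 1
check_name "service account" "$sa" || exit 1

san="spiffe://trust-domain-$name/ns/$ns/sa/$sa"

# Directory holding this script and the CA material (root-cert.pem, ca-*.pem,
# cert-chain.pem and their *-alt.pem counterparts).
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )

# All output goes to FINAL_DIR. When a separate output directory is given,
# the CA material is copied there first so that signing and the chain/root
# concatenation later in the script read everything from one place.
FINAL_DIR=$DIR
if [ -n "$tmp" ]; then
  if [ -d "$tmp" ]; then
    FINAL_DIR=$tmp
    for f in root-cert ca-cert ca-key cert-chain \
             root-cert-alt ca-cert-alt ca-key-alt cert-chain-alt; do
      cp -- "$DIR/$f.pem" "$FINAL_DIR"
    done
  else
    # Diagnostics belong on stderr so they do not mix with generated output.
    echo "tmp argument is not a directory: $tmp" >&2
    exit 1
  fi
fi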
    47  
#######################################
# Remove the scratch files the openssl invocations leave behind: the serial
# files (.srl) written by -CAcreateserial and the request config/CSR.
# Installed as the EXIT trap, so it runs on success and on failure alike.
# Globals:   FINAL_DIR (read)
# Arguments: none
# Returns:   0
#######################################
function cleanup() {
  local scratch
  for scratch in .srl ca-cert.srl ca-cert-alt.srl workload.cfg workload.csr; do
    if [ -f "$FINAL_DIR/$scratch" ]; then
      rm "$FINAL_DIR/$scratch"
    fi
  done
}
    65  
    66  trap cleanup EXIT
    67  
    68  openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048
    69  
    70  cat > "$FINAL_DIR"/workload.cfg <<EOF
    71  [req]
    72  distinguished_name = req_distinguished_name
    73  req_extensions = v3_req
    74  x509_extensions = v3_req
    75  prompt = no
    76  [req_distinguished_name]
    77  countryName = US
    78  [v3_req]
    79  keyUsage = critical, digitalSignature, keyEncipherment
    80  extendedKeyUsage = serverAuth, clientAuth
    81  basicConstraints = critical, CA:FALSE
    82  subjectAltName = critical, @alt_names
    83  [alt_names]
    84  URI = $san
    85  EOF
    86  
    87  certchain="$FINAL_DIR"/cert-chain.pem
    88  cacert="$FINAL_DIR"/ca-cert.pem
    89  cakey="$FINAL_DIR"/ca-key.pem
    90  rootcert="$FINAL_DIR"/root-cert.pem
    91  
    92  if [[ "$rootselect" = "use-alternative-root" ]] ; then
    93    certchain="$FINAL_DIR"/cert-chain-alt.pem
    94    cacert="$FINAL_DIR"/ca-cert-alt.pem
    95    cakey="$FINAL_DIR"/ca-key-alt.pem
    96    rootcert="$FINAL_DIR"/root-cert-alt.pem
    97  fi
    98  
    99  openssl req -new -key "$FINAL_DIR/workload-$sa-key.pem" -subj "/" -out "$FINAL_DIR"/workload.csr -config "$FINAL_DIR"/workload.cfg
   100  
   101  openssl x509 -req -in "$FINAL_DIR"/workload.csr -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
   102  -out "$FINAL_DIR/leaf-workload-$sa-cert.pem" -days 3650 -extensions v3_req -extfile "$FINAL_DIR"/workload.cfg
   103  
   104  cp "$FINAL_DIR/leaf-workload-$sa-cert.pem" "$FINAL_DIR/workload-$sa-cert.pem"
   105  cat "$certchain" >> "$FINAL_DIR/workload-$sa-cert.pem"
   106  cp "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem"
   107  cat "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem"
   108  
   109  echo "Generated workload-$sa-[cert|key].pem with URI SAN $san"
   110  openssl verify -CAfile <(cat "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem"
   111