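#!/bin/bash
#
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Generate a workload key and certificate signed by the sample CA that ships
# next to this script, with a SPIFFE URI SAN.
#
# Usage: generate-workload.sh [name] [namespace] [service-account] [tmp-dir] [root-select] [days]
#   name             workload name; also the default namespace and service
#                    account (default: foo)
#   namespace        namespace part of the SPIFFE ID (default: $name)
#   service-account  service-account part of the SPIFFE ID; also used in the
#                    output file names (default: $name)
#   tmp-dir          existing directory to work in; the sample CA material is
#                    copied there first (default: the script's directory)
#   root-select      "use-alternative-root" signs with the *-alt.pem CA set
#                    instead of the primary one
#   days             validity of the leaf certificate in days (default: 3650)
#
# Outputs (written to tmp-dir, or to this directory):
#   workload-<sa>-key.pem         private key
#   leaf-workload-<sa>-cert.pem   leaf certificate only
#   workload-<sa>-cert.pem        leaf certificate followed by the CA chain
#   workload-<sa>-root-certs.pem  CA chain followed by the root certificate
#
# The CA key used for signing (ca-key.pem / ca-key-alt.pem) is the sample key
# checked in alongside this script, so anything it signs is test material.

set -euo pipefail

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

name=${1:-foo}
ns=${2:-$name}
sa=${3:-$name}
tmp=${4:-""}
rootselect=${5:-""}
days=${6:-3650}
san="spiffe://trust-domain-$name/ns/$ns/sa/$sa"

# The SAN is interpolated into an OpenSSL config file below; reject values
# that would break out of the [alt_names] section (whitespace / newlines).
case "$name$ns$sa" in
  *[[:space:]]*) die "name, namespace and service account must not contain whitespace" ;;
esac
[[ "$days" =~ ^[1-9][0-9]*$ ]] || die "days must be a positive integer: $days"

DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )

# Work in tmp-dir when given. Both CA sets (primary and -alt) are copied so
# that either can be selected below; note this includes the CA private keys.
FINAL_DIR=$DIR
if [[ -n "$tmp" ]]; then
  [[ -d "$tmp" ]] || die "tmp argument is not a directory: $tmp"
  FINAL_DIR=$tmp
  for f in root-cert ca-cert ca-key cert-chain \
           root-cert-alt ca-cert-alt ca-key-alt cert-chain-alt; do
    cp -- "$DIR/$f.pem" "$FINAL_DIR/"
  done
fi

# Remove OpenSSL scratch files (serial files, CSR, request config) on every
# exit path, including failures; the generated key/cert files are kept.
cleanup() {
  local f
  for f in .srl ca-cert.srl ca-cert-alt.srl workload.cfg workload.csr; do
    if [[ -f "$FINAL_DIR/$f" ]]; then
      rm -- "$FINAL_DIR/$f"
    fi
  done
}

trap cleanup EXIT

openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048

# Request config: a leaf (CA:FALSE) cert for server and client auth whose only
# identity is the SPIFFE URI SAN; the subject itself is left empty ("/").
cat > "$FINAL_DIR"/workload.cfg <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = US
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
subjectAltName = critical, @alt_names
[alt_names]
URI = $san
EOF

# Select the primary or the alternative CA set.
certchain="$FINAL_DIR"/cert-chain.pem
cacert="$FINAL_DIR"/ca-cert.pem
cakey="$FINAL_DIR"/ca-key.pem
rootcert="$FINAL_DIR"/root-cert.pem

if [[ "$rootselect" == "use-alternative-root" ]]; then
  certchain="$FINAL_DIR"/cert-chain-alt.pem
  cacert="$FINAL_DIR"/ca-cert-alt.pem
  cakey="$FINAL_DIR"/ca-key-alt.pem
  rootcert="$FINAL_DIR"/root-cert-alt.pem
fi

openssl req -new -key "$FINAL_DIR/workload-$sa-key.pem" -subj "/" \
  -out "$FINAL_DIR"/workload.csr -config "$FINAL_DIR"/workload.cfg

# -CAcreateserial writes <ca-cert>.srl next to the CA cert; cleanup removes it.
openssl x509 -req -in "$FINAL_DIR"/workload.csr -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
  -out "$FINAL_DIR/leaf-workload-$sa-cert.pem" -days "$days" -extensions v3_req \
  -extfile "$FINAL_DIR"/workload.cfg

# Bundle: leaf + intermediate chain for presentation, chain + root for trust.
cp -- "$FINAL_DIR/leaf-workload-$sa-cert.pem" "$FINAL_DIR/workload-$sa-cert.pem"
cat -- "$certchain" >> "$FINAL_DIR/workload-$sa-cert.pem"
cp -- "$certchain" "$FINAL_DIR/workload-$sa-root-certs.pem"
cat -- "$rootcert" >> "$FINAL_DIR/workload-$sa-root-certs.pem"

printf 'Generated workload-%s-[cert|key].pem with URI SAN %s\n' "$sa" "$san"
# Verify the chain against the selected root; under set -e a verification
# failure makes the script exit non-zero.
openssl verify -CAfile <(cat -- "$certchain" "$rootcert") "$FINAL_DIR/workload-$sa-cert.pem"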