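# tools/certs/Makefile.k8s.mk
#
# Mint an intermediate CA (and optionally workload certificates) for a
# cluster or VM, signed by the Istio root CA that is already installed in
# a Kubernetes cluster. The root cert/key are pulled out of the
# istio-ca-secret or cacerts secret with kubectl; everything else is
# produced locally with openssl under a per-<name> directory.
#
# Entry points: fetch-root-ca, <name>-cacerts, <namespace>-certs (see help).

.SUFFIXES: .csr .pem .conf
# Key material and certificates are kept even when they are only built as a
# step towards another target (make would otherwise delete them as
# intermediates).
.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf
# Remove a half-written target when its recipe fails so a truncated CSR or
# chain does not look up to date on the next run (.PRECIOUS files are exempt).
.DELETE_ON_ERROR:

.DEFAULT_GOAL := help

SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))

# common.mk is expected to provide what this file references but does not
# define: ISTIO_NAMESPACE, INTERMEDIATE_DAYS, WORKLOAD_DAYS and the rules
# producing %/intermediate.conf and %/workload.conf (not visible here).
include $(SELF_DIR)common.mk

# RSA modulus size for the intermediate CA key and the workload key.
# Overridable, e.g. `make RSA_KEY_BITS=2048 <name>-cacerts`.
RSA_KEY_BITS ?= 4096

#------------------------------------------------------------------------
##help: print this help message
.PHONY: help

help:
	@fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'

#------------------------------------------------------------------------
##fetch-root-ca: fetch root CA and key from a k8s cluster.
.PHONY: fetch-root-ca
# Evaluated once at parse time (also for `make help`). The context name is
# turned into a directory name by replacing '/' with '-'.
rawcluster := $(shell kubectl config current-context)
cluster := $(subst /,-,$(rawcluster))
pwd := $(CURDIR)
# A make-level KUBECONFIG (`make KUBECONFIG=... <target>`) reaches kubectl.
export KUBECONFIG

# Writes <cluster>/k8s-root-cert.pem and <cluster>/k8s-root-key.pem.
# istio-ca-secret is tried first, cacerts is the fallback. The private key
# is written under umask 077 so it is never world-readable. Both files are
# verified to be non-empty afterwards: kubectl's exit status is lost behind
# the base64 pipe, and a secret without a ca-key.pem entry would otherwise
# leave an empty key that only fails later inside openssl.
fetch-root-ca:
	@test -n "$(cluster)" || { echo "error: kubectl has no current context" >&2; exit 1; }
	@echo "fetching root ca from k8s cluster: $(cluster)"
	@mkdir -p "$(pwd)/$(cluster)"
	@if kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) >/dev/null 2>&1; then \
	  src=istio-ca-secret; \
	else \
	  src=cacerts; \
	fi; \
	kubectl get secret $$src -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > "$(cluster)/k8s-root-cert.pem"; \
	(umask 077; kubectl get secret $$src -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > "$(cluster)/k8s-root-key.pem"); \
	test -s "$(cluster)/k8s-root-cert.pem" || { echo "error: no ca-cert.pem found in secret $$src" >&2; exit 1; }; \
	test -s "$(cluster)/k8s-root-key.pem" || { echo "error: no ca-key.pem found in secret $$src" >&2; exit 1; }

# Working copies of the fetched root material used as signing inputs below.
# fetch-root-ca is phony, so these are refreshed on every run (a context
# switch no longer leaves a stale root in place) and the ordering is
# explicit under `make -j`.
k8s-root-cert.pem: fetch-root-ca
	@cat "$(cluster)/k8s-root-cert.pem" > $@

k8s-root-key.pem: fetch-root-ca
	@umask 077 && cat "$(cluster)/k8s-root-key.pem" > $@

#------------------------------------------------------------------------
##<name>-cacerts: generate intermediate certificates for a cluster or VM with <name> signed with istio root cert from the specified k8s cluster and store them under <name> directory
# NOTE: GNU make does not expand '%' in .PHONY, so this line is effectively
# a no-op; kept as documentation of intent.
.PHONY: %-cacerts

%-cacerts: %/cert-chain.pem
	@echo "done"

# Chain = intermediate cert followed by the root cert (prerequisite order).
# Also drops a copy of the root cert into the <name> directory as a side
# output so the directory is self-contained.
%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem
	@echo "generating $@"
	@cat $^ > $@
	@echo "Intermediate certs stored in $(dir $@)"
	@cp k8s-root-cert.pem $(dir $@)root-cert.pem

# Intermediate CA certificate signed by the fetched root; the extensions
# come from %/intermediate.conf, which %/cluster-ca.csr already required.
%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem
	@echo "generating $@"
	@openssl x509 -req -days $(INTERMEDIATE_DAYS) \
	  -CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial \
	  -extensions req_ext -extfile $(dir $@)intermediate.conf \
	  -in $< -out $@

# CSR for the intermediate CA; $(word 2,$^) is %/intermediate.conf.
%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
	@echo "generating $@"
	@openssl req -new -config $(word 2,$^) -key $< -out $@

# Intermediate CA private key. fetch-root-ca is phony, so make considers
# this key out of date on every run and regenerates it (and everything
# derived from it); .PRECIOUS only stops make from deleting it. Kept as-is;
# an order-only prerequisite (`| fetch-root-ca`) would preserve an existing
# key. umask 077 guarantees the key file is private whatever openssl's
# default is.
%/ca-key.pem: fetch-root-ca
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@umask 077 && openssl genrsa -out $@ $(RSA_KEY_BITS)

#------------------------------------------------------------------------
##<namespace>-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace `<namespace>` using serviceAccount `$SERVICE_ACCOUNT` using root cert from k8s cluster.
.PHONY: %-certs

%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem
	@echo "done"

# Chain = root, intermediate, workload cert (prerequisite order). Also
# copies the root cert into the <namespace> directory as a side output.
%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem
	@echo "generating $@"
	@cat $^ > $@
	@echo "Intermediate and workload certs stored in $(dir $@)"
	@cp k8s-root-cert.pem $(dir $@)root-cert.pem

# Workload certificate signed by the intermediate CA of the same directory.
# ca-cert.pem/ca-key.pem are declared so the rule is self-sufficient and
# safe under `make -j` (the recipe reads both).
%/workload-cert.pem: %/workload.csr %/ca-cert.pem %/ca-key.pem
	@echo "generating $@"
	@openssl x509 -req -days $(WORKLOAD_DAYS) \
	  -CA $(dir $@)ca-cert.pem -CAkey $(dir $@)ca-key.pem -CAcreateserial \
	  -extensions req_ext -extfile $(dir $@)workload.conf \
	  -in $< -out $@

# CSR for the workload; $(word 2,$^) is %/workload.conf.
%/workload.csr: %/key.pem %/workload.conf
	@echo "generating $@"
	@openssl req -new -config $(word 2,$^) -key $< -out $@

# Workload private key: no prerequisites, so it is generated once and then
# reused (.PRECIOUS). umask 077 keeps the file private.
%/key.pem:
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@umask 077 && openssl genrsa -out $@ $(RSA_KEY_BITS)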