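#!/usr/bin/env bash

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Listing source:
#   k8s.io/apiserver@v0.31.1/pkg/admission/plugin/webhook/testcerts/gencerts.sh

# -e aborts on the first failing command, -u rejects unset variables and
# pipefail propagates failures through pipelines.
set -euo pipefail

# gencerts.sh generates the certificates for the generic webhook admission plugin tests.
#
# It is not expected to be run often (there is no go generate rule), and mainly
# exists for documentation purposes.
#
# Output: certs.go in the directory the script is invoked from. Each PEM file
# generated below is embedded in it as a Go byte-slice variable.
#
# SECURITY NOTE: the private keys generated here (CAKey, BadCAKey, ServerKey,
# ClientKey) are written in clear text into certs.go. Anyone who can read that
# file can act as the test CA, server and client, so these credentials are
# test fixtures only: never add CACert to a real trust store and never reuse
# the keys outside the tests. The very long lifetime (-days 100000) and the
# combined clientAuth + serverAuth profile are test conveniences, not a
# template for production certificates.

CN_BASE="generic_webhook_admission_plugin_tests"

# Resolve the output path before changing directory so that certs.go still
# lands where the caller ran the script.
outfile="${PWD}/certs.go"

# All intermediate material (private keys, CSRs, serial files, OpenSSL
# configs) lives in a private scratch directory. The original script worked
# in the current directory and finished with `rm ./*.pem ./*.csr ./*.srl
# ./*.conf`, which would also delete unrelated files matching those globs and,
# because of `set -e`, left key material behind whenever a step failed.
workdir=$(mktemp -d)

cleanup() {
  # ${workdir:?} refuses to expand to an empty path before rm -rf runs.
  rm -rf -- "${workdir:?}"
}
trap cleanup EXIT

cd "$workdir"

#######################################
# Write the OpenSSL request/extension config used for a leaf certificate.
# The server and client configs are byte-for-byte identical, so the client
# certificate also carries the serverAuth EKU and the server SANs. That is
# acceptable for fixtures; a real client certificate would normally be
# restricted to clientAuth.
# Arguments: $1 - path of the config file to create
#######################################
write_leaf_conf() {
  cat > "$1" << 'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = webhook-test.default.svc
EOF
}

write_leaf_conf server.conf
write_leaf_conf client.conf

# Create a certificate authority
openssl genrsa -out CAKey.pem 2048
openssl req -x509 -new -nodes -key CAKey.pem -days 100000 \
  -out CACert.pem -subj "/CN=${CN_BASE}_ca"

# Create a second certificate authority
# NOTE(review): it uses the same subject CN as the first CA and signs nothing
# in this script; presumably the tests use it as an untrusted CA, so only the
# signature (not the name) distinguishes the two. Confirm against the tests.
openssl genrsa -out BadCAKey.pem 2048
openssl req -x509 -new -nodes -key BadCAKey.pem -days 100000 \
  -out BadCACert.pem -subj "/CN=${CN_BASE}_ca"

# Create a server certificate
openssl genrsa -out ServerKey.pem 2048
openssl req -new -key ServerKey.pem -out server.csr \
  -subj "/CN=webhook-test.default.svc" -config server.conf
openssl x509 -req -in server.csr -CA CACert.pem -CAkey CAKey.pem \
  -CAcreateserial -out ServerCert.pem -days 100000 \
  -extensions v3_req -extfile server.conf

# Create a client certificate
openssl genrsa -out ClientKey.pem 2048
openssl req -new -key ClientKey.pem -out client.csr \
  -subj "/CN=${CN_BASE}_client" -config client.conf
openssl x509 -req -in client.csr -CA CACert.pem -CAkey CAKey.pem \
  -CAcreateserial -out ClientCert.pem -days 100000 \
  -extensions v3_req -extfile client.conf

# Start certs.go with the license header and package clause. The delimiter is
# quoted so nothing inside the here-document is subject to shell expansion.
cat > "$outfile" << 'EOF'
/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// This file was generated using openssl by the gencerts.sh script
// and holds raw certificates for the webhook tests.

package testcerts
EOF

# Append one Go variable per PEM file, each preceded by a blank line. The PEM
# text is placed inside a Go raw string literal (backticks).
for name in CAKey CACert BadCAKey BadCACert ServerKey ServerCert ClientKey ClientCert; do
  pem=$(< "${name}.pem")
  # Fixed format string; the PEM data is passed only as an argument.
  printf '\nvar %s = []byte(`%s`)\n' "$name" "$pem" >> "$outfile"
done

# Clean up after we're done: the EXIT trap removes the scratch directory and
# everything in it (keys, CSRs, serial files, configs), on success or failure.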