
     1  #!/usr/bin/env bash
     2  
     3  # Copyright 2017 The Kubernetes Authors.
     4  #
     5  # Licensed under the Apache License, Version 2.0 (the "License");
     6  # you may not use this file except in compliance with the License.
     7  # You may obtain a copy of the License at
     8  #
     9  #     http://www.apache.org/licenses/LICENSE-2.0
    10  #
    11  # Unless required by applicable law or agreed to in writing, software
    12  # distributed under the License is distributed on an "AS IS" BASIS,
    13  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  # See the License for the specific language governing permissions and
    15  # limitations under the License.
    16  
    17  set -e
    18  
    19  # gencerts.sh generates the certificates for the webhook tests.
    20  #
    21  # It is not expected to be run often (there is no go generate rule), and mainly
    22  # exists for documentation purposes.
    23  
    24  CN_BASE="webhook_tests"
    25  
    26  cat > intermediate_ca.conf << EOF
    27  [ v3_ca ]
    28  subjectKeyIdentifier=hash
    29  authorityKeyIdentifier=keyid:always,issuer
    30  basicConstraints = critical,CA:true
    31  keyUsage = cRLSign, keyCertSign
    32  EOF
    33  
    34  cat > server.conf << EOF
    35  [req]
    36  req_extensions = v3_req
    37  distinguished_name = req_distinguished_name
    38  [req_distinguished_name]
    39  [ v3_req ]
    40  basicConstraints = CA:FALSE
    41  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    42  extendedKeyUsage = clientAuth, serverAuth
    43  subjectAltName = @alt_names
    44  [alt_names]
    45  IP.1 = 127.0.0.1
    46  DNS.1 = localhost
    47  EOF
    48  
    49  cat > server_no_san.conf << EOF
    50  [req]
    51  req_extensions = v3_req
    52  distinguished_name = req_distinguished_name
    53  [req_distinguished_name]
    54  [ v3_req ]
    55  basicConstraints = CA:FALSE
    56  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    57  extendedKeyUsage = clientAuth, serverAuth
    58  EOF
    59  
    60  cat > client.conf << EOF
    61  [req]
    62  req_extensions = v3_req
    63  distinguished_name = req_distinguished_name
    64  [req_distinguished_name]
    65  [ v3_req ]
    66  basicConstraints = CA:FALSE
    67  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    68  extendedKeyUsage = clientAuth, serverAuth
    69  subjectAltName = @alt_names
    70  [alt_names]
    71  IP.1 = 127.0.0.1
    72  EOF
    73  
    74  # Create a certificate authority
    75  openssl genrsa -out caKey.pem 2048
    76  openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca"
    77  
    78  # Create a second certificate authority
    79  openssl genrsa -out badCAKey.pem 2048
    80  openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem -subj "/CN=${CN_BASE}_ca"
    81  
    82  # Create an intermediate certificate authority
    83  openssl genrsa -out caKeyInter.pem 2048
    84  openssl req -new -nodes -key caKeyInter.pem -days 100000 -out caCertInter.csr -subj "/CN=${CN_BASE}_intermediate_ca"
    85  openssl x509 -req -in caCertInter.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInter.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf
    86  
    87  # Create an intermediate certificate authority with sha1 signature
    88  openssl req -new -nodes -key caKeyInter.pem -days 100000 -out caCertInterSHA1.csr -subj "/CN=${CN_BASE}_intermediate_ca"
    89  openssl x509 -sha1 -req -in caCertInterSHA1.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInterSHA1.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf
    90  
    91  # Create a server certiticate
    92  openssl genrsa -out serverKey.pem 2048
    93  openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf
    94  openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
    95  
    96  # Create a server certiticate w/o SAN
    97  openssl req -new -key serverKey.pem -out serverNoSAN.csr -subj "/CN=localhost" -config server_no_san.conf
    98  openssl x509 -req -in serverNoSAN.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCertNoSAN.pem -days 100000 -extensions v3_req -extfile server_no_san.conf
    99  
   100  # Create a server certiticate with SHA1 signature signed by OK intermediate CA
   101  openssl req -new -key serverKey.pem -out serverSHA1.csr -subj "/CN=localhost" -config server.conf
   102  openssl x509 -sha1 -req -in serverSHA1.csr -CA caCertInter.pem -CAkey caKeyInter.pem -CAcreateserial -out sha1ServerCertInter.pem -days 100000 -extensions v3_req -extfile server.conf
   103  
   104  # Create a server certiticate signed by SHA1-signed intermediate CA
   105  openssl req -new -key serverKey.pem -out serverInterSHA1.csr -subj "/CN=localhost" -config server.conf
   106  openssl x509 -req -in serverInterSHA1.csr -CA caCertInterSHA1.pem -CAkey caKeyInter.pem -CAcreateserial -out serverCertInterSHA1.pem -days 100000 -extensions v3_req -extfile server.conf
   107  
   108  # Create a client certiticate
   109  openssl genrsa -out clientKey.pem 2048
   110  openssl req -new -key clientKey.pem -out client.csr -subj "/CN=${CN_BASE}_client" -config client.conf
   111  openssl x509 -req -in client.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out clientCert.pem -days 100000 -extensions v3_req -extfile client.conf
   112  
   113  outfile=certs_test.go
   114  
   115  cat > $outfile << EOF
   116  /*
   117  Copyright 2017 The Kubernetes Authors.
   118  
   119  Licensed under the Apache License, Version 2.0 (the "License");
   120  you may not use this file except in compliance with the License.
   121  You may obtain a copy of the License at
   122  
   123      http://www.apache.org/licenses/LICENSE-2.0
   124  
   125  Unless required by applicable law or agreed to in writing, software
   126  distributed under the License is distributed on an "AS IS" BASIS,
   127  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   128  See the License for the specific language governing permissions and
   129  limitations under the License.
   130  */
   131  
   132  // This file was generated using openssl by the gencerts.sh script
   133  // and holds raw certificates for the webhook tests.
   134  
   135  package webhook
   136  EOF
   137  
   138  for file in caKey caCert badCAKey badCACert caCertInter caCertInterSHA1 serverKey serverCert serverCertNoSAN clientKey clientCert sha1ServerCertInter serverCertInterSHA1; do
   139  	data=$(cat ${file}.pem)
   140  	echo "" >> $outfile
   141  	echo "var $file = []byte(\`$data\`)" >> $outfile
   142  done
   143  
   144  # Clean up after we're done.
   145  rm ./*.pem
   146  rm ./*.csr
   147  rm ./*.srl
   148  rm ./*.conf