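#!/usr/bin/env bash

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# gencerts.sh generates the certificates for the webhook tests and writes them
# into certs_test.go (in the directory the script is run from) as Go []byte
# variables holding the raw PEM text.
#
# It is not expected to be run often (there is no go generate rule), and mainly
# exists for documentation purposes.
#
# Security notes for whoever re-runs this:
#   * Every private key (caKey, badCAKey, caKeyInter, serverKey, clientKey) is
#     generated unencrypted and, except caKeyInter, is embedded verbatim in
#     certs_test.go. They are test fixtures only and must never be reused for
#     anything else.
#   * The 100000-day validity keeps the fixtures from expiring in CI; it is not
#     a setting to copy into production.
#   * The SHA-1 signed intermediate and leaf certificates, the second CA with
#     the same CN as the real one, and the server certificate without a SAN
#     are produced deliberately, presumably as negative cases for the verifier
#     (SHA-1 rejection, wrong issuer key, no CN fallback) — confirm against
#     the tests before changing them.
#
# All intermediate files (keys, CSRs, serial files, OpenSSL configs) are
# created in a private temporary directory that is removed on every exit
# path, so a failed run never leaves unencrypted private keys behind and
# nothing in the caller's directory is overwritten or deleted.

set -euo pipefail

command -v openssl >/dev/null 2>&1 || {
  echo "gencerts.sh: openssl not found in PATH" >&2
  exit 1
}

readonly CN_BASE="webhook_tests"

# Resolve the output path before leaving the caller's directory.
readonly outfile="$PWD/certs_test.go"

workdir=$(mktemp -d)
readonly workdir
# ${workdir:?} guards against an empty expansion turning this into `rm -rf /`.
trap 'rm -rf -- "${workdir:?}"' EXIT
cd "$workdir"

# Extensions for the intermediate CA: a CA that may sign certificates and CRLs.
cat > intermediate_ca.conf << 'EOF'
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
EOF

# Leaf extensions for the server certificate: both serverAuth and clientAuth,
# with the loopback IP and "localhost" as SANs.
cat > server.conf << 'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = localhost
EOF

# Same as server.conf but with no subjectAltName at all; the CN is the only
# name in the resulting certificate.
cat > server_no_san.conf << 'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF

# Leaf extensions for the client certificate: only the loopback IP as SAN.
cat > client.conf << 'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
EOF

# Create a certificate authority (self-signed root).
openssl genrsa -out caKey.pem 2048
openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca"

# Create a second certificate authority. It carries the same CN as the real
# root but a different key, so nothing it signs chains to caCert.pem.
openssl genrsa -out badCAKey.pem 2048
openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem -subj "/CN=${CN_BASE}_ca"

# Create an intermediate certificate authority signed by the root.
# (-days on a CSR is ignored; validity is set at the x509 -req step.)
openssl genrsa -out caKeyInter.pem 2048
openssl req -new -key caKeyInter.pem -out caCertInter.csr -subj "/CN=${CN_BASE}_intermediate_ca"
openssl x509 -req -in caCertInter.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInter.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf

# Create an intermediate certificate authority with a SHA-1 signature. It
# reuses caKeyInter.pem, so only the signature algorithm differs from above.
openssl req -new -key caKeyInter.pem -out caCertInterSHA1.csr -subj "/CN=${CN_BASE}_intermediate_ca"
openssl x509 -sha1 -req -in caCertInterSHA1.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInterSHA1.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf

# Create a server certificate (SANs: 127.0.0.1, localhost) signed by the root.
openssl genrsa -out serverKey.pem 2048
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf

# Create a server certificate w/o SAN, CN=localhost, signed by the root.
openssl req -new -key serverKey.pem -out serverNoSAN.csr -subj "/CN=localhost" -config server_no_san.conf
openssl x509 -req -in serverNoSAN.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCertNoSAN.pem -days 100000 -extensions v3_req -extfile server_no_san.conf

# Create a server certificate with a SHA-1 signature issued by the OK
# (SHA-256 signed) intermediate CA.
openssl req -new -key serverKey.pem -out serverSHA1.csr -subj "/CN=localhost" -config server.conf
openssl x509 -sha1 -req -in serverSHA1.csr -CA caCertInter.pem -CAkey caKeyInter.pem -CAcreateserial -out sha1ServerCertInter.pem -days 100000 -extensions v3_req -extfile server.conf

# Create a server certificate (default digest) issued by the SHA-1 signed
# intermediate CA, so the weak signature sits one level up the chain.
openssl req -new -key serverKey.pem -out serverInterSHA1.csr -subj "/CN=localhost" -config server.conf
openssl x509 -req -in serverInterSHA1.csr -CA caCertInterSHA1.pem -CAkey caKeyInter.pem -CAcreateserial -out serverCertInterSHA1.pem -days 100000 -extensions v3_req -extfile server.conf

# Create a client certificate signed by the root.
openssl genrsa -out clientKey.pem 2048
openssl req -new -key clientKey.pem -out client.csr -subj "/CN=${CN_BASE}_client" -config client.conf
openssl x509 -req -in client.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out clientCert.pem -days 100000 -extensions v3_req -extfile client.conf

# Write the Go file header; the here-doc is quoted so nothing is expanded.
cat > "$outfile" << 'EOF'
/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// This file was generated using openssl by the gencerts.sh script
// and holds raw certificates for the webhook tests.

package webhook
EOF

# Embed each PEM file as a Go raw-string []byte variable. PEM is base64 plus
# BEGIN/END lines and contains no backtick, so the raw string cannot be broken.
for file in caKey caCert badCAKey badCACert caCertInter caCertInterSHA1 serverKey serverCert serverCertNoSAN clientKey clientCert sha1ServerCertInter serverCertInterSHA1; do
  data=$(cat -- "${file}.pem")
  printf '\nvar %s = []byte(`%s`)\n' "$file" "$data" >> "$outfile"
done

# Intermediate files (including every private key) are deleted by the EXIT
# trap above; only "$outfile" is left behind.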