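#!/usr/bin/env bash

# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Listing: k8s.io/apiserver@v0.31.1/plugin/pkg/authorizer/webhook/gencerts.sh
#
# gencerts.sh generates the certificates for the webhook authz plugin tests.
#
# It is not expected to be run often (there is no go generate rule), and mainly
# exists for documentation purposes.
#
# Output:   certs_test.go in the directory the script is started from
#           (overwritten if it already exists).
# Requires: openssl on PATH.
#
# Security notes:
#   - Everything produced here is a test fixture. The CA, server and client
#     private keys are generated unencrypted and then embedded verbatim in
#     certs_test.go, so they must be treated as public and never trusted or
#     reused outside the tests.
#   - All intermediate key material lives in a private temporary directory
#     (mktemp -d creates it with mode 0700) that is removed on every exit
#     path, so a failed run leaves no keys behind and unrelated *.pem, *.csr,
#     *.srl or *.conf files in the start directory are never deleted.
#   - The signature digest is not pinned; it is whatever the installed OpenSSL
#     defaults to. Pass -sha256 explicitly if the fixtures must be
#     reproducible across OpenSSL versions.

set -euo pipefail

readonly outfile=certs_test.go
readonly key_bits=2048
# Roughly 274 years; presumably chosen so the checked-in fixtures never expire
# during the lifetime of the tests.
readonly validity_days=100000

start_dir=$PWD
readonly start_dir
readonly out_path="${start_dir}/${outfile}"

workdir=$(mktemp -d)
readonly workdir

# Remove the scratch directory (keys, CSRs, serial file, configs) on any exit.
cleanup() {
  cd -- "${start_dir}" || true
  rm -rf -- "${workdir:?}"
}
trap cleanup EXIT

# Work with relative file names inside the scratch directory so that the
# serial file created by -CAcreateserial also lands there.
cd -- "${workdir}"

# Create a self-signed CA: $1 is the file-name prefix (<prefix>Key.pem and
# <prefix>Cert.pem are written), $2 is the subject.
new_ca() {
  local prefix=$1 subject=$2
  openssl genrsa -out "${prefix}Key.pem" "${key_bits}"
  openssl req -x509 -new -nodes -key "${prefix}Key.pem" \
    -days "${validity_days}" -out "${prefix}Cert.pem" -subj "${subject}"
}

# Create a key and a certificate signed by the first CA (caCert.pem/caKey.pem):
# $1 is the file-name prefix, $2 the subject, $3 the openssl config whose
# v3_req section supplies the certificate extensions.
issue_leaf() {
  local prefix=$1 subject=$2 conf=$3
  openssl genrsa -out "${prefix}Key.pem" "${key_bits}"
  openssl req -new -key "${prefix}Key.pem" -out "${prefix}.csr" \
    -subj "${subject}" -config "${conf}"
  openssl x509 -req -in "${prefix}.csr" -CA caCert.pem -CAkey caKey.pem \
    -CAcreateserial -out "${prefix}Cert.pem" -days "${validity_days}" \
    -extensions v3_req -extfile "${conf}"
}

# Server profile: not a CA, serverAuth only, valid for the loopback IP only.
cat >server.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
EOF

# Client profile: not a CA, clientAuth only, no subjectAltName.
cat >client.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Create a certificate authority
new_ca ca "/CN=webhook_authz_ca"

# Create a second certificate authority
# NOTE(review): same subject CN as the first CA but a different key; presumably
# so the tests can check that trust follows the signing key rather than the
# name. Confirm against the tests that use badCACert.
new_ca badCA "/CN=webhook_authz_ca"

# Create a server certificate
issue_leaf server "/CN=webhook_authz_server" server.conf

# Create a client certificate
issue_leaf client "/CN=webhook_authz_client" client.conf

cat >"${out_path}" <<'EOF'
/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// This file was generated using openssl by the gencerts.sh script
// and holds raw certificates for the webhook tests.

package webhook
EOF

# Append each PEM file as a Go byte-slice variable named after the file.
# printf with a fixed format keeps the PEM text out of the format string.
for file in caKey caCert badCAKey badCACert serverKey serverCert clientKey clientCert; do
  data=$(<"${file}.pem")
  printf '\nvar %s = []byte(`%s`)\n' "${file}" "${data}" >>"${out_path}"
done

# Clean up after we're done: the EXIT trap removes the scratch directory and
# everything in it (*.pem, *.csr, *.srl, *.conf).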