| #------------------------------------------------------------------------ |
| # variables: root CA -- every knob uses ?= so it can be overridden from the |
| # environment or the make command line (make ROOTCA_ORG='Acme Inc' ...). |
| ROOTCA_CN ?= Root CA |
| ROOTCA_ORG ?= Istio |
| # key size in bits, fed to openssl req default_bits by the root-ca.conf rule |
| ROOTCA_KEYSZ ?= 4096 |
| # validity in days (3650 = ~10 years); a long-lived root is only as safe as |
| # the storage of its unencrypted root-key.pem, so keep that file off-cluster |
| ROOTCA_DAYS ?= 3650 |
| # not referenced by the rules in this section; presumably consumed by the |
| # cluster-facing targets elsewhere in the Makefile |
| KUBECONFIG ?= $(HOME)/.kube/config |
| ISTIO_NAMESPACE ?= dubbo-system |
| # Additional variables are defined in root-ca.conf target below. |
| |
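| #------------------------------------------------------------------------ |
| # variables: intermediate CA (overridable via environment / command line) |
| INTERMEDIATE_DAYS ?= 730 |
| INTERMEDIATE_KEYSZ ?= 4096 |
| INTERMEDIATE_ORG ?= Istio |
| INTERMEDIATE_CN ?= Intermediate CA |
| # Derived from ISTIO_NAMESPACE instead of repeating the namespace literally, |
| # so overriding ISTIO_NAMESPACE alone keeps the SAN consistent.  ?= is |
| # recursive, so the reference is resolved when the SAN is actually used. |
| # With the defaults this still expands to istiod.dubbo-system.svc. |
| INTERMEDIATE_SAN_DNS ?= istiod.$(ISTIO_NAMESPACE).svc |
| # Additional variables are defined in %/intermediate.conf target below. |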
| |
| #------------------------------------------------------------------------ |
| # variables: workload certs: eg VM (overridable via environment / command line) |
| # subject CN and the Kubernetes service account that ends up in the SPIFFE URI |
| WORKLOAD_CN ?= Workload |
| SERVICE_ACCOUNT ?= default |
| # validity in days; workload certs are deliberately short-lived |
| WORKLOAD_DAYS ?= 1 |
| |
| #------------------------------------------------------------------------ |
| # variables: files to clean |
| # NOTE: this list contains the root CA private key (root-key.pem) and the |
| # k8s root key, so `make clean` is destructive and irreversible for the CA. |
| FILES_TO_CLEAN += \ |
| 	k8s-root-cert.pem \ |
| 	k8s-root-cert.srl \ |
| 	k8s-root-key.pem \ |
| 	root-ca.conf \ |
| 	root-cert.csr \ |
| 	root-cert.pem \ |
| 	root-cert.srl \ |
| 	root-key.pem |
| #------------------------------------------------------------------------ |
| # clean |
| .PHONY: clean |
| |
| # Removes everything listed in FILES_TO_CLEAN.  Because that list includes |
| # root-key.pem, running this deletes the root CA private key without any |
| # confirmation -- make sure it is backed up (offline) first. |
| clean: ## Cleans all the intermediate files and folders previously generated. |
| 	@$(RM) $(FILES_TO_CLEAN) |
| |
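| # root-ca.conf: openssl req(1) configuration for the self-signed root CA. |
| # - encrypt_key = no means root-key.pem is written unencrypted; treat it as |
| #   the most sensitive artefact here (offline storage, tight permissions). |
| # - keyUsage is restricted to what a CA key is for: signing certificates |
| #   (keyCertSign) and revocation lists (cRLSign), plus digitalSignature.  The |
| #   end-entity bits keyEncipherment / nonRepudiation are deliberately not |
| #   asserted on the root. |
| # - x509_extensions = req_ext presumably serves the -x509 self-sign step done |
| #   elsewhere in the Makefile; req_extensions covers the CSR path. |
| # The file is assembled in $@.tmp and renamed into place.  This target has |
| # no prerequisites, so a truncated $@ left by an interrupted run would |
| # otherwise count as up to date and could produce a root cert without the |
| # CA:true / keyUsage extensions. |
| root-ca.conf: |
| 	@$(RM) $@.tmp |
| 	@echo "[ req ]" > $@.tmp |
| 	@echo "encrypt_key = no" >> $@.tmp |
| 	@echo "prompt = no" >> $@.tmp |
| 	@echo "utf8 = yes" >> $@.tmp |
| 	@echo "default_md = sha256" >> $@.tmp |
| 	@echo "default_bits = $(ROOTCA_KEYSZ)" >> $@.tmp |
| 	@echo "req_extensions = req_ext" >> $@.tmp |
| 	@echo "x509_extensions = req_ext" >> $@.tmp |
| 	@echo "distinguished_name = req_dn" >> $@.tmp |
| 	@echo "[ req_ext ]" >> $@.tmp |
| 	@echo "subjectKeyIdentifier = hash" >> $@.tmp |
| 	@echo "basicConstraints = critical, CA:true" >> $@.tmp |
| 	@echo "keyUsage = critical, digitalSignature, keyCertSign, cRLSign" >> $@.tmp |
| 	@echo "[ req_dn ]" >> $@.tmp |
| 	@echo "O = $(ROOTCA_ORG)" >> $@.tmp |
| 	@echo "CN = $(ROOTCA_CN)" >> $@.tmp |
| 	@mv -f $@.tmp $@ |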
| |
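| # <dir>/intermediate.conf: openssl req(1) configuration for a per-directory |
| # intermediate CA.  L is a target-specific variable holding the directory |
| # part of the target ("<dir>/"); it must stay recursively assigned (=) |
| # because $@ only has a value while the recipe for that target runs. |
| # - basicConstraints pathlen:0: this CA may issue end-entity certs only, |
| #   never further CAs. |
| # - NOTE(review): keyUsage still asserts keyEncipherment / nonRepudiation, |
| #   which a signing-only CA does not need.  Left unchanged because the DNS |
| #   SAN suggests the cert may also be presented by istiod itself -- confirm |
| #   that before tightening it to keyCertSign, cRLSign. |
| # - the trailing "/" of L is stripped for the locality (L) DN component. |
| # Assembled in $@.tmp and renamed into place so an interrupted run cannot |
| # leave a truncated conf that make (no prerequisites here) treats as done. |
| %/intermediate.conf: L=$(dir $@) |
| %/intermediate.conf: |
| 	@$(RM) $@.tmp |
| 	@echo "[ req ]" > $@.tmp |
| 	@echo "encrypt_key = no" >> $@.tmp |
| 	@echo "prompt = no" >> $@.tmp |
| 	@echo "utf8 = yes" >> $@.tmp |
| 	@echo "default_md = sha256" >> $@.tmp |
| 	@echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@.tmp |
| 	@echo "req_extensions = req_ext" >> $@.tmp |
| 	@echo "x509_extensions = req_ext" >> $@.tmp |
| 	@echo "distinguished_name = req_dn" >> $@.tmp |
| 	@echo "[ req_ext ]" >> $@.tmp |
| 	@echo "subjectKeyIdentifier = hash" >> $@.tmp |
| 	@echo "basicConstraints = critical, CA:true, pathlen:0" >> $@.tmp |
| 	@echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@.tmp |
| 	@echo "subjectAltName=@san" >> $@.tmp |
| 	@echo "[ san ]" >> $@.tmp |
| 	@echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@.tmp |
| 	@echo "[ req_dn ]" >> $@.tmp |
| 	@echo "O = $(INTERMEDIATE_ORG)" >> $@.tmp |
| 	@echo "CN = $(INTERMEDIATE_CN)" >> $@.tmp |
| 	@echo "L = $(L:/=)" >> $@.tmp |
| 	@mv -f $@.tmp $@ |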
| |
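| # <dir>/workload.conf: openssl req(1) configuration for a workload (e.g. VM) |
| # certificate.  L = "<dir>/" (target-specific, recursively assigned so $@ is |
| # resolved at recipe time); the directory name is used as the namespace: |
| # with the trailing "/" kept, URI.1 becomes |
| #   spiffe://cluster.local/ns/<dir>/sa/$(SERVICE_ACCOUNT) |
| # and with it stripped ($(L:/=)) it fills the locality DN component. |
| # - CA:false plus serverAuth/clientAuth: a leaf usable on both sides of mTLS. |
| # - the trust domain "cluster.local" is hard-coded here; there is no knob |
| #   for it in this file. |
| # - default_bits reuses INTERMEDIATE_KEYSZ: there is no separate workload |
| #   key-size variable. |
| # Assembled in $@.tmp and renamed into place so an interrupted run cannot |
| # leave a truncated conf (no prerequisites, so make would not redo it). |
| %/workload.conf: L=$(dir $@) |
| %/workload.conf: |
| 	@$(RM) $@.tmp |
| 	@echo "[ req ]" > $@.tmp |
| 	@echo "encrypt_key = no" >> $@.tmp |
| 	@echo "prompt = no" >> $@.tmp |
| 	@echo "utf8 = yes" >> $@.tmp |
| 	@echo "default_md = sha256" >> $@.tmp |
| 	@echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@.tmp |
| 	@echo "req_extensions = req_ext" >> $@.tmp |
| 	@echo "x509_extensions = req_ext" >> $@.tmp |
| 	@echo "distinguished_name = req_dn" >> $@.tmp |
| 	@echo "[ req_ext ]" >> $@.tmp |
| 	@echo "subjectKeyIdentifier = hash" >> $@.tmp |
| 	@echo "basicConstraints = critical, CA:false" >> $@.tmp |
| 	@echo "keyUsage = digitalSignature, keyEncipherment" >> $@.tmp |
| 	@echo "extendedKeyUsage = serverAuth, clientAuth" >> $@.tmp |
| 	@echo "subjectAltName=@san" >> $@.tmp |
| 	@echo "[ san ]" >> $@.tmp |
| 	@echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@.tmp |
| 	@echo "[ req_dn ]" >> $@.tmp |
| 	@echo "O = $(INTERMEDIATE_ORG)" >> $@.tmp |
| 	@echo "CN = $(WORKLOAD_CN)" >> $@.tmp |
| 	@echo "L = $(L:/=)" >> $@.tmp |
| 	@mv -f $@.tmp $@ |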