#------------------------------------------------------------------------
# variables: root CA
# Validity of the self-signed root certificate in days (10 years); presumably
# passed as -days by the signing target, which lives outside this chunk.
ROOTCA_DAYS ?= 3650
# RSA modulus size; written into root-ca.conf as default_bits.
ROOTCA_KEYSZ ?= 4096
# Subject fields written into the [ req_dn ] section of root-ca.conf.
ROOTCA_ORG ?= Istio
ROOTCA_CN ?= Root CA
# kubeconfig for the kubectl-based targets (not in this chunk); $(HOME) comes
# from the environment, so an empty HOME yields "/.kube/config".
KUBECONFIG ?= $(HOME)/.kube/config
# Namespace the control plane runs in; consumed by targets outside this chunk.
ISTIO_NAMESPACE ?= dubbo-system
# Additional variables are defined in root-ca.conf target below.
#------------------------------------------------------------------------
# variables: intermediate CA
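# Validity of the intermediate certificate in days (2 years); presumably passed
# as -days by the signing target, which lives outside this chunk.
INTERMEDIATE_DAYS ?= 730
# RSA modulus size; written as default_bits into %/intermediate.conf and reused
# by %/workload.conf, which has no key-size knob of its own.
INTERMEDIATE_KEYSZ ?= 4096
# Subject fields written into the [ req_dn ] section of %/intermediate.conf
# (the O value is also reused by %/workload.conf).
INTERMEDIATE_ORG ?= Istio
INTERMEDIATE_CN ?= Intermediate CA
# DNS SAN of the intermediate: the in-cluster istiod service name. Derived from
# ISTIO_NAMESPACE (set above in this file) instead of a fixed namespace, so
# overriding ISTIO_NAMESPACE keeps the SAN in step; `?=` is recursive, so the
# namespace is resolved when the SAN is used. Default expands to
# istiod.dubbo-system.svc, identical to the previous hard-coded value.
INTERMEDIATE_SAN_DNS ?= istiod.$(ISTIO_NAMESPACE).svc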
# Additional variables are defined in %/intermediate.conf target below.
#------------------------------------------------------------------------
# variables: workload certs (e.g. for VM workloads)
# Validity of a workload certificate in days (1 = short-lived); presumably
# passed as -days by the signing target, which lives outside this chunk.
WORKLOAD_DAYS ?= 1
# Service-account name placed in the SPIFFE URI SAN written by %/workload.conf.
SERVICE_ACCOUNT ?= default
# CN written into the [ req_dn ] section of %/workload.conf.
WORKLOAD_CN ?= Workload
#------------------------------------------------------------------------
# variables: files to clean
# Root-CA artefacts that `make clean` removes. Appended with += so anything
# another makefile already listed in FILES_TO_CLEAN is kept; the conf files of
# the %/ pattern targets are not listed here.
FILES_TO_CLEAN += \
  k8s-root-cert.pem \
  k8s-root-cert.srl \
  k8s-root-key.pem \
  root-ca.conf \
  root-cert.csr \
  root-cert.pem \
  root-cert.srl \
  root-key.pem
#------------------------------------------------------------------------
# clean
clean: ## Cleans all the intermediate files and folders previously generated.
	@rm -f $(FILES_TO_CLEAN)
.PHONY: clean
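# openssl request/extension config for the root CA.
# The whole file is emitted by one printf into $@.tmp and then renamed into
# place, so a failed or interrupted write can no longer leave a truncated
# root-ca.conf that Make later treats as up to date (the previous per-line
# echo recipe could). Lines without Make variables are single-quoted; the
# others are expanded by Make before the shell runs, exactly as before.
# Notes on the content written:
#  - encrypt_key = no: the key generated from this config is stored
#    unencrypted on disk, so the output directory needs restrictive permissions.
#  - basicConstraints CA:true with no pathlen, and keyUsage containing
#    keyCertSign: this certificate may sign the intermediate CAs.
root-ca.conf:
	@printf '%s\n' \
	  '[ req ]' \
	  'encrypt_key = no' \
	  'prompt = no' \
	  'utf8 = yes' \
	  'default_md = sha256' \
	  "default_bits = $(ROOTCA_KEYSZ)" \
	  'req_extensions = req_ext' \
	  'x509_extensions = req_ext' \
	  'distinguished_name = req_dn' \
	  '[ req_ext ]' \
	  'subjectKeyIdentifier = hash' \
	  'basicConstraints = critical, CA:true' \
	  'keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign' \
	  '[ req_dn ]' \
	  "O = $(ROOTCA_ORG)" \
	  "CN = $(ROOTCA_CN)" \
	  > $@.tmp && mv -f $@.tmp $@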
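# openssl request/extension config for an intermediate CA, one per directory
# (e.g. `make cluster1/intermediate.conf`). L is a target-specific variable
# holding the directory part of the target, with a trailing slash; $(L:/=)
# strips that slash so the DN's L field is the bare directory name.
# The file is written by one printf into $@.tmp and renamed into place, so a
# failed or interrupted write cannot leave a truncated but newer conf file.
# Notes on the content written:
#  - encrypt_key = no: the generated key is stored unencrypted on disk.
#  - basicConstraints CA:true, pathlen:0: this CA may issue end-entity
#    certificates only, not further CAs.
#  - The DNS SAN is the istiod service name from INTERMEDIATE_SAN_DNS.
%/intermediate.conf: L=$(dir $@)
%/intermediate.conf:
	@printf '%s\n' \
	  '[ req ]' \
	  'encrypt_key = no' \
	  'prompt = no' \
	  'utf8 = yes' \
	  'default_md = sha256' \
	  "default_bits = $(INTERMEDIATE_KEYSZ)" \
	  'req_extensions = req_ext' \
	  'x509_extensions = req_ext' \
	  'distinguished_name = req_dn' \
	  '[ req_ext ]' \
	  'subjectKeyIdentifier = hash' \
	  'basicConstraints = critical, CA:true, pathlen:0' \
	  'keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign' \
	  'subjectAltName=@san' \
	  '[ san ]' \
	  "DNS.1 = $(INTERMEDIATE_SAN_DNS)" \
	  '[ req_dn ]' \
	  "O = $(INTERMEDIATE_ORG)" \
	  "CN = $(INTERMEDIATE_CN)" \
	  "L = $(L:/=)" \
	  > $@.tmp && mv -f $@.tmp $@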
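# SPIFFE trust domain used in the workload's URI SAN. Previously fixed to
# cluster.local inside the recipe; `?=` keeps that default while letting a
# caller override it for meshes that use a different trust domain.
TRUST_DOMAIN ?= cluster.local
# openssl request/extension config for a workload (end-entity) certificate,
# one per directory. L is a target-specific variable holding the directory part
# of the target with its trailing slash: it is used as-is in the SPIFFE URI
# (so "ns/<dir>/sa/<account>" — the recipe expects a single-level directory
# named after the namespace) and with the slash stripped, $(L:/=), as the
# DN's L field. Written by one printf into $@.tmp and renamed into place, so a
# failed or interrupted write cannot leave a truncated but newer conf file.
# Notes on the content written:
#  - encrypt_key = no: the generated key is stored unencrypted on disk.
#  - basicConstraints CA:false and keyUsage without keyCertSign: the
#    certificate cannot be used to issue other certificates.
#  - extendedKeyUsage serverAuth, clientAuth: usable on both sides of mTLS.
#  - default_bits reuses INTERMEDIATE_KEYSZ; there is no workload-specific
#    key-size variable in this file.
%/workload.conf: L=$(dir $@)
%/workload.conf:
	@printf '%s\n' \
	  '[ req ]' \
	  'encrypt_key = no' \
	  'prompt = no' \
	  'utf8 = yes' \
	  'default_md = sha256' \
	  "default_bits = $(INTERMEDIATE_KEYSZ)" \
	  'req_extensions = req_ext' \
	  'x509_extensions = req_ext' \
	  'distinguished_name = req_dn' \
	  '[ req_ext ]' \
	  'subjectKeyIdentifier = hash' \
	  'basicConstraints = critical, CA:false' \
	  'keyUsage = digitalSignature, keyEncipherment' \
	  'extendedKeyUsage = serverAuth, clientAuth' \
	  'subjectAltName=@san' \
	  '[ san ]' \
	  "URI.1 = spiffe://$(TRUST_DOMAIN)/ns/$(L)sa/$(SERVICE_ACCOUNT)" \
	  '[ req_dn ]' \
	  "O = $(INTERMEDIATE_ORG)" \
	  "CN = $(WORKLOAD_CN)" \
	  "L = $(L:/=)" \
	  > $@.tmp && mv -f $@.tmp $@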