| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
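# Generate an RSA key and CSR for <service>.<namespace>.svc, submit the CSR
# to the Kubernetes certificates API, self-approve it and drop the signed
# certificate next to the key.
#
# Usage : <script> <output-dir>   (run from a directory holding configs.properties)
# Reads : SERVICE / NAMESPACE environment variables, falling back to the
#         `service=` and `namespace=` keys of ./configs.properties
# Writes: <output-dir>/server-key.pem (mode 0600), server.csr, csr.conf,
#         server-cert.pem
# Needs : openssl, and a kubeconfig allowed to create, approve and read CSRs.
#
# SECURITY: this script both submits and approves the CSR, so nobody reviews
# the names it asks for. The config file and environment feeding it must be
# trusted, and the kubeconfig in use effectively holds cluster-CA signing
# power for whatever SANs end up in csr.conf.

set -euo pipefail

: "${1?missing output directory}"

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

CONF_FILE="configs.properties"
[ -f "${CONF_FILE}" ] || die "${CONF_FILE} is missing in current directory!"

tmpdir="$1"
[ -d "${tmpdir}" ] || die "output directory ${tmpdir} does not exist"

# Value of the first `key=value` line in CONF_FILE; empty when absent.
# Anchoring on `key=` avoids picking up e.g. `serviceAccount=` for `service`.
conf_value() {
  grep "^$1=" "${CONF_FILE}" | head -n 1 | cut -d '=' -f 2- || true
}

if [ -z "${SERVICE:-}" ]; then
  SERVICE=$(conf_value service)
fi
if [ -z "${NAMESPACE:-}" ]; then
  NAMESPACE=$(conf_value namespace)
fi
service="${SERVICE}"
namespace="${NAMESPACE}"

# Both values feed the CSR name and the requested SANs; an empty one would
# request a certificate for a bogus name, so fail early instead.
[ -n "${service}" ]   || die "service not set (SERVICE env or service= in ${CONF_FILE})"
[ -n "${namespace}" ] || die "namespace not set (NAMESPACE env or namespace= in ${CONF_FILE})"

command -v openssl >/dev/null 2>&1 || die "openssl not found"

csrName="${service}.${namespace}"
echo "creating certs in tmpdir ${tmpdir} "

# Overwrite (never append to) the OpenSSL request config: a stale or planted
# csr.conf in the output directory must not smuggle extra SANs into the request.
cat <<EOF > "${tmpdir}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF

# Create the private key under a restrictive umask so it is never
# world-readable, not even briefly (a chmod afterwards would leave a window).
( umask 077 && openssl genrsa -out "${tmpdir}/server-key.pem" 2048 )
openssl req -new -key "${tmpdir}/server-key.pem" \
  -subj "/CN=${service}.${namespace}.svc" \
  -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"

# Clean up any previously created CSR for our service; absence is not an error.
kubectl delete csr "${csrName}" 2>/dev/null || true

# Submit the CSR.
# NOTE(review): certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# the v1 API requires spec.signerName and its built-in signers do not issue
# serverAuth certificates for arbitrary service names -- confirm against the
# target cluster version before relying on this. spec.groups is normally set
# by the API server from the requester's identity, so the value below is
# presumably overwritten; verify if it matters.
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(base64 < "${tmpdir}/server.csr" | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

# Wait for the CSR object to become visible before approving it.
for _ in $(seq 10); do
  if kubectl get csr "${csrName}" >/dev/null 2>&1; then
    break
  fi
  sleep 1
done

# Self-approval: needs update on certificatesigningrequests/approval.
# A failure here aborts the script (set -e).
kubectl certificate approve "${csrName}"

# The signed certificate appears on .status.certificate asynchronously; poll.
serverCert=""
for _ in $(seq 10); do
  serverCert=$(kubectl get csr "${csrName}" -o jsonpath='{.status.certificate}' 2>/dev/null || true)
  if [[ -n "${serverCert}" ]]; then
    break
  fi
  sleep 1
done
[[ -n "${serverCert}" ]] || die "After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts."

# printf rather than echo: the value is opaque data, not something echo should interpret.
printf '%s' "${serverCert}" | openssl base64 -d -A -out "${tmpdir}/server-cert.pem"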