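#!/bin/bash
#
# Generate a self-signed TLS key/certificate pair for the tyk-operator
# admission webhook and place it where the webhook server reads its serving
# certificates from (the default directory below is the one controller-runtime
# uses when the operator is run locally).
#
# Usage: create_self_signed_cert.sh [-s service] [-c secret] [-n namespace]
#                                   [-d cert_dir] [-D days]
#   -s  webhook Service name         (default: tyk-operator-webhook-service)
#   -c  Secret name; only used by the commented-out in-cluster CSR flow
#                                    (default: tyk-operator-webhook-service)
#   -n  namespace of the Service     (default: tyk-operator-system)
#   -d  output directory             (default: /tmp/k8s-webhook-server/serving-certs)
#   -D  certificate validity in days (default: 365)
#
# Outputs: <cert_dir>/csr.conf, <cert_dir>/tls.key (0600), <cert_dir>/tls.crt
# Requires: openssl. kubectl is optional and only used to remove a stale
#           CertificateSigningRequest named <service>.<namespace>.
set -euo pipefail

usage() {
  printf 'Usage: %s [-s service] [-c secret] [-n namespace] [-d cert_dir] [-D days]\n' \
    "${0##*/}" >&2
  exit 2
}

#######################################
# Write the OpenSSL request config carrying the SANs the webhook is reached by.
# Arguments: $1 - config file path, $2 - service name, $3 - namespace
# Outputs:   overwrites $1
#######################################
write_csr_conf() {
  local conf=$1 service=$2 namespace=$3
  # '>' rather than '>>': re-running the script must not accumulate duplicate
  # sections in the config file.
  cat <<EOF > "${conf}"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF
}

main() {
  local service="" secret="" namespace="" cert_dir="" days=""
  local opt
  while getopts "s:c:n:d:D:h" opt; do
    case "${opt}" in
      s) service=$OPTARG ;;
      c) secret=$OPTARG ;;
      n) namespace=$OPTARG ;;
      d) cert_dir=$OPTARG ;;
      D) days=$OPTARG ;;
      h) usage ;;
      *) usage ;;
    esac
  done

  service=${service:-tyk-operator-webhook-service}
  # shellcheck disable=SC2034  -- referenced by the commented-out CSR flow below
  secret=${secret:-tyk-operator-webhook-service}
  namespace=${namespace:-tyk-operator-system}
  cert_dir=${cert_dir:-/tmp/k8s-webhook-server/serving-certs}
  days=${days:-365}

  local csr_name="${service}.${namespace}"

  # The default output directory is a fixed path under the shared /tmp; on a
  # multi-user host pass -d to use a private location instead.
  mkdir -p -- "${cert_dir}"
  printf 'creating certs in tmpdir %s \n' "${cert_dir}"

  write_csr_conf "${cert_dir}/csr.conf" "${service}" "${namespace}"

  # The private key must not be readable by other users; restrict it
  # explicitly rather than relying on the caller's umask.
  openssl genrsa -out "${cert_dir}/tls.key" 2048
  chmod 600 -- "${cert_dir}/tls.key"

  # -x509 makes this a self-signed certificate. Without it 'openssl req -new'
  # writes a certificate *request* (PEM "CERTIFICATE REQUEST") to tls.crt,
  # which a TLS server cannot load as its certificate. -extensions applies the
  # SAN/EKU section to the issued certificate (req_extensions only affects CSRs).
  openssl req -new -x509 -days "${days}" -extensions v3_req \
    -key "${cert_dir}/tls.key" \
    -subj "/CN=${service}.${namespace}.svc" \
    -config "${cert_dir}/csr.conf" \
    -out "${cert_dir}/tls.crt"

  ## clean-up any previously created CSR for our service. Ignore errors if not present.
  kubectl delete csr "${csr_name}" 2>/dev/null || true
}

## The in-cluster signing flow below is kept for reference only. It is not
## wired to the self-signed flow above: it expects server.csr / server-key.pem,
## which this script does not produce (it writes tls.key / tls.crt). Note also
## that certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22 (use v1) and
## that 'kubectl --dry-run' now requires an explicit mode such as --dry-run=client.
#
## create server cert/key CSR and send to k8s API
#cat <<EOF | kubectl create -f -
#apiVersion: certificates.k8s.io/v1beta1
#kind: CertificateSigningRequest
#metadata:
# name: ${csr_name}
#spec:
# groups:
# - system:authenticated
# request: $(base64 < "${cert_dir}/server.csr" | tr -d '\n')
# usages:
# - digital signature
# - key encipherment
# - server auth
#EOF
#
## verify CSR has been created
#while true; do
# if kubectl get csr "${csr_name}"; then
#   break
# fi
#done
#
## approve and fetch the signed certificate
#kubectl certificate approve "${csr_name}"
## verify certificate has been signed
#for x in $(seq 10); do
# serverCert=$(kubectl get csr "${csr_name}" -o jsonpath='{.status.certificate}')
# if [[ ${serverCert} != '' ]]; then
#   break
# fi
# sleep 1
#done
#if [[ ${serverCert} == '' ]]; then
# echo "ERROR: After approving csr ${csr_name}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
# exit 1
#fi
#printf '%s' "${serverCert}" | openssl base64 -d -A -out "${cert_dir}/server-cert.pem"
#
## create the secret with CA cert and server cert/key
#kubectl create secret generic "${secret}" \
# --from-file=key.pem="${cert_dir}/server-key.pem" \
# --from-file=cert.pem="${cert_dir}/server-cert.pem" \
# --dry-run -o yaml |
# kubectl -n "${namespace}" apply -f -

main "$@"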