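#!/usr/bin/env bash

# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -euo pipefail

# gencerts.sh generates the certificates for the webhook authz plugin tests.
#
# It is not expected to be run often (there is no go generate rule), and mainly
# exists for documentation purposes.
#
# Output: certs_test.go in the directory the script is started from. The file
# embeds every generated certificate AND private key (including both CA keys)
# as Go byte slices, so the material is test-only and must never be trusted or
# reused outside the test suite.
#
# All intermediate files (keys, CSRs, serial files, openssl configs) are kept
# in a private temporary directory that is removed on every exit path. This
# avoids leaving private keys behind when an openssl step fails, and avoids
# deleting unrelated *.pem / *.csr / *.srl / *.conf files that already exist
# in the caller's working directory.

# Resolve the output path before changing directory.
outfile="${PWD}/certs_test.go"

workdir=$(mktemp -d)
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
cd "$workdir"

# Server leaf profile: not a CA, serverAuth only, valid for 127.0.0.1.
cat > server.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
EOF

# Client leaf profile: not a CA, clientAuth only.
cat > client.conf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# NOTE: 2048-bit RSA, unencrypted keys and a 100000-day validity are
# acceptable only because these are throwaway test fixtures.

# Create a certificate authority
openssl genrsa -out caKey.pem 2048
openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=webhook_imagepolicy_ca"

# Create a second certificate authority. It uses the same subject CN as the
# first CA but a different key, and signs nothing below.
# NOTE(review): presumably the tests use it as an untrusted CA to check that
# verification depends on the signing key rather than the name - confirm.
openssl genrsa -out badCAKey.pem 2048
openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem -subj "/CN=webhook_imagepolicy_ca"

# Create a server certificate
openssl genrsa -out serverKey.pem 2048
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=webhook_imagepolicy_server" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf

# Create a client certificate
openssl genrsa -out clientKey.pem 2048
openssl req -new -key clientKey.pem -out client.csr -subj "/CN=webhook_imagepolicy_client" -config client.conf
openssl x509 -req -in client.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out clientCert.pem -days 100000 -extensions v3_req -extfile client.conf

cat > "$outfile" <<'EOF'
/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// This file was generated using openssl by the gencerts.sh script
// and holds raw certificates for the imagepolicy webhook tests.

//lint:file-ignore U1000 Ignore all unused code, it's generated

package imagepolicy
EOF

# Append each PEM file as a Go raw-string byte slice named after the file.
for file in caKey caCert badCAKey badCACert serverKey serverCert clientKey clientCert; do
  data=$(<"${file}.pem")
  printf '\nvar %s = []byte(`%s`)\n' "$file" "$data" >> "$outfile"
done

# Intermediate files are removed by the EXIT trap together with the
# temporary directory.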