kyverno/scripts/generate-server-cert.sh

#!/bin/bash

for i in "$@"
do
case $i in
    --service=*)
    service="${i#*=}"
    shift
    ;;
    --namespace=*)
    namespace="${i#*=}"
    shift
    ;;
    --serverIp=*)
    serverIp="${i#*=}"
    shift
    ;;
esac
done

echo "service is $service"
echo "namespace is $namespace"
echo "serverIp is $serverIp"

destdir="certs"
if [ ! -d "$destdir" ]; then
  mkdir ${destdir} || exit 1
fi
tmpdir=$(mktemp -d)

cat <<EOF >> ${tmpdir}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
DNS.4 = ${serverIp}
EOF

outKeyFile=${destdir}/server-key.pem
outCertFile=${destdir}/server.crt

openssl genrsa -out ${outKeyFile} 2048 || exit 2

if [ ! -z "${service}" ]; then
  if [ ! -z "${namespace}" ]; then
    subjectCN="${service}.${namespace}.svc"
  else
    subjectCN="${service}"
  fi
else
  subjectCN=${serverIp}
fi
echo "Generating certificate for CN=${subjectCN}"
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${subjectCN}" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3

CSR_NAME=${service}.cert-request
kubectl delete csr ${CSR_NAME} 2>/dev/null

cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

kubectl certificate approve ${CSR_NAME} || exit 4
kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile} || exit 5

echo "Generated:"
echo ${outKeyFile}
echo ${outCertFile}
NK-8: Implemented basic HTTPS server with stub for mutation webhook. Implemented script for generating TLS key and certificate. Created MutatingWebhookConfiguration.yaml with declaration of future service. 2019-02-12 14:12:03 +00:00			`#!/bin/bash`
NK-8: Implemented deployment script for free (local) and in-cluster usage of the controller. Added readme file for scripts, improved scripts: implemented more convenient way to pass arguments. Removed hardcode from server.go. 2019-02-13 17:57:18 +00:00
			`for i in "$@"`
			`do`
			`case $i in`
			`--service=*)`
			`service="${i#*=}"`
			`shift`
			`;;`
			`--namespace=*)`
			`namespace="${i#*=}"`
			`shift`
			`;;`
			`--serverIp=*)`
			`serverIp="${i#*=}"`
			`shift`
			`;;`
			`esac`
			`done`

NK-8: Implemented script for generating webhook server certificates, script for building the Docker container with webserver executable, script for deploying webserver to the cluster. Provided YAMLS for webhooks service and deployment. Changed YAML for webhook configuration: now webhook server is configured as a service. 2019-02-13 13:28:16 +00:00			`echo "service is $service"`
			`echo "namespace is $namespace"`
			`echo "serverIp is $serverIp"`

NK-8: Implemented basic HTTPS server with stub for mutation webhook. Implemented script for generating TLS key and certificate. Created MutatingWebhookConfiguration.yaml with declaration of future service. 2019-02-12 14:12:03 +00:00			`destdir="certs"`
			`if [ ! -d "$destdir" ]; then`
NK-8: Implemented script for generating webhook server certificates, script for building the Docker container with webserver executable, script for deploying webserver to the cluster. Provided YAMLS for webhooks service and deployment. Changed YAML for webhook configuration: now webhook server is configured as a service. 2019-02-13 13:28:16 +00:00			`mkdir ${destdir} \|\| exit 1`
NK-8: Implemented basic HTTPS server with stub for mutation webhook. Implemented script for generating TLS key and certificate. Created MutatingWebhookConfiguration.yaml with declaration of future service. 2019-02-12 14:12:03 +00:00			`fi`
			`tmpdir=$(mktemp -d)`

			`cat <<EOF >> ${tmpdir}/csr.conf`
			`[req]`
			`req_extensions = v3_req`
			`distinguished_name = req_distinguished_name`
			`[req_distinguished_name]`
			`[ v3_req ]`
			`basicConstraints = CA:FALSE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`extendedKeyUsage = serverAuth`
			`subjectAltName = @alt_names`
			`[alt_names]`
			`DNS.1 = ${service}`
			`DNS.2 = ${service}.${namespace}`
			`DNS.3 = ${service}.${namespace}.svc`
			`DNS.4 = ${serverIp}`
			`EOF`

			`outKeyFile=${destdir}/server-key.pem`
			`outCertFile=${destdir}/server.crt`

NK-8: Implemented script for generating webhook server certificates, script for building the Docker container with webserver executable, script for deploying webserver to the cluster. Provided YAMLS for webhooks service and deployment. Changed YAML for webhook configuration: now webhook server is configured as a service. 2019-02-13 13:28:16 +00:00			`openssl genrsa -out ${outKeyFile} 2048 \|\| exit 2`
NK-10: Small fixes after dev testing 2019-02-19 16:01:47 +00:00
NK-8: Implemented deployment script for free (local) and in-cluster usage of the controller. Added readme file for scripts, improved scripts: implemented more convenient way to pass arguments. Removed hardcode from server.go. 2019-02-13 17:57:18 +00:00			`if [ ! -z "${service}" ]; then`
NK-10: Small fixes after dev testing 2019-02-19 16:01:47 +00:00			`if [ ! -z "${namespace}" ]; then`
			`subjectCN="${service}.${namespace}.svc"`
			`else`
			`subjectCN="${service}"`
			`fi`
NK-8: Implemented deployment script for free (local) and in-cluster usage of the controller. Added readme file for scripts, improved scripts: implemented more convenient way to pass arguments. Removed hardcode from server.go. 2019-02-13 17:57:18 +00:00			`else`
			`subjectCN=${serverIp}`
			`fi`
NK-10: Small fixes after dev testing 2019-02-19 16:01:47 +00:00			`echo "Generating certificate for CN=${subjectCN}"`
Implemented test webhook, fixed script for certificate generation, fixed project dependencies 2019-02-21 16:13:21 +00:00			`openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${subjectCN}" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf \|\| exit 3`
NK-8: Implemented basic HTTPS server with stub for mutation webhook. Implemented script for generating TLS key and certificate. Created MutatingWebhookConfiguration.yaml with declaration of future service. 2019-02-12 14:12:03 +00:00
			`CSR_NAME=${service}.cert-request`
			`kubectl delete csr ${CSR_NAME} 2>/dev/null`

			`cat <<EOF \| kubectl create -f -`
			`apiVersion: certificates.k8s.io/v1beta1`
			`kind: CertificateSigningRequest`
			`metadata:`
			`name: ${CSR_NAME}`
			`spec:`
			`groups:`
			`- system:authenticated`
			`request: $(cat ${tmpdir}/server.csr \| base64 \| tr -d '\n')`
			`usages:`
			`- digital signature`
			`- key encipherment`
			`- server auth`
			`EOF`

NK-8: Implemented script for generating webhook server certificates, script for building the Docker container with webserver executable, script for deploying webserver to the cluster. Provided YAMLS for webhooks service and deployment. Changed YAML for webhook configuration: now webhook server is configured as a service. 2019-02-13 13:28:16 +00:00			`kubectl certificate approve ${CSR_NAME} \|\| exit 4`
			`kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' \| base64 --decode > ${outCertFile} \|\| exit 5`
NK-8: Implemented basic HTTPS server with stub for mutation webhook. Implemented script for generating TLS key and certificate. Created MutatingWebhookConfiguration.yaml with declaration of future service. 2019-02-12 14:12:03 +00:00
			`echo "Generated:"`
			`echo ${outKeyFile}`
			`echo ${outCertFile}`