refact：update script of generate-self-signed-cert-and-k8secrets.sh to supports custom namespace (#4758)

Signed-off-by: hackerboy01 <penglei031303@gmail.com>
2025-04-08 18:15:48 +00:00 · 2022-10-03 20:51:46 +08:00 · 2022-10-03 20:51:46 +08:00 · c6da0a7800
commit c6da0a7800
parent 3971376814
1 changed files with 18 additions and 8 deletions
--- a/scripts/generate-self-signed-cert-and-k8secrets.sh
+++ b/scripts/generate-self-signed-cert-and-k8secrets.sh
@ -8,6 +8,10 @@ case $i in
    service="${i#*=}"
    shift
    ;;
+    --namespace=*)
+    namespace="${i#*=}"
+    shift
+    ;;
 esac
 done

@ -15,30 +19,36 @@ if [ "$service" == "" ]; then
    service="kyverno-svc"
 fi

+
+if [ "$namespace" == "" ]; then
+    namespace="kyverno"
+fi
+
 echo "service is $service"
+echo "namespace is $namespace"

 echo "Generating self-signed certificate"
 # generate priv key for root CA
-openssl genrsa -out rootCA.key 4096 
+openssl genrsa -out rootCA.key 4096
 # generate root CA
-openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=test/L=test /O=test /OU=PIB/CN=*.kyverno.svc/emailAddress=test@test.com"
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=test/L=test /O=test /OU=PIB/CN=*.${namespace}.svc/emailAddress=test@test.com"
 # generate priv key
 openssl genrsa -out webhook.key 4096
 # generate certificate
-openssl req -new -key webhook.key -out webhook.csr -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=${service}.kyverno.svc/emailAddress=test@test.com"
+openssl req -new -key webhook.key -out webhook.csr -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=${service}.${namespace}.svc/emailAddress=test@test.com"

 # generate SANs
-echo "subjectAltName = DNS:kyverno-svc,DNS:kyverno-svc.kyverno,DNS:kyverno-svc.kyverno.svc" >> webhook.ext
+echo "subjectAltName = DNS:kyverno-svc,DNS:${service}.${namespace},DNS:${service}.${namespace}.svc" >> webhook.ext

 # sign the certificate using the root CA
 openssl x509 -req -in webhook.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 1024 -sha256

 echo "Generating corresponding kubernetes secrets for TLS pair and root CA"
 # create project namespace
-kubectl create ns kyverno
+kubectl create ns ${namespace}
 # create tls pair secret
-kubectl -n kyverno create secret tls ${service}.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
+kubectl -n ${namespace} create secret tls ${service}.${namespace}.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
 # annotate tls pair secret to specify use of self-signed certificates and check if root CA is created as secret
-kubectl annotate secret ${service}.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
+kubectl annotate secret ${service}.${namespace}.svc.kyverno-tls-pair -n ${namespace} self-signed-cert=true
 # create root CA secret
-kubectl -n kyverno create secret generic ${service}.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt
+kubectl -n ${namespace} create secret generic ${service}.${namespace}.svc.kyverno-tls-ca --from-file=rootCA.crt