|
1 | 1 | #!/bin/bash |
2 | | -# Script to generate TLS assets and patch the ValidatingWebhookConfiguration |
3 | | -set -eo pipefail |
| 2 | +# Generate TLS certificates for testing environment using cfssl. |
| 3 | +set -euo pipefail |
4 | 4 |
|
5 | | -WEBHOOK_SVC="rhtas-controller-manager-webhook-service" |
| 5 | +CERT_DIR="${1:-/tmp}" |
| 6 | + |
| 7 | +WEBHOOK_SVC_NAME="controller-manager-webhook-service" |
6 | 8 | WEBHOOK_NS="openshift-rhtas-operator" |
7 | | -WEBHOOK_DNS="${WEBHOOK_SVC}.${WEBHOOK_NS}.svc" |
8 | | -CERT_DIR="/tmp/k8s-webhook-certs" |
9 | | - |
10 | | -mkdir -p ${CERT_DIR} |
11 | | -cd ${CERT_DIR} |
12 | | - |
13 | | -cat > openssl.cnf <<EOF |
14 | | -[req] |
15 | | -distinguished_name = req_distinguished_name |
16 | | -commonName = Webhook-Server |
17 | | -commonName_max = 64 |
18 | | -prompt = no |
19 | | -[SAN] |
20 | | -subjectAltName = DNS:${WEBHOOK_DNS} |
| 9 | +WEBHOOK_FQDN_1="${WEBHOOK_SVC_NAME}.${WEBHOOK_NS}.svc" |
| 10 | +WEBHOOK_FQDN_2="${WEBHOOK_SVC_NAME}.${WEBHOOK_NS}.svc.cluster.local" |
| 11 | +WEBHOOK_CONFIG_NAME="rhtas-validation.securesigns.rhtas.redhat.com" |
| 12 | +SECRET_NAME="webhook-server-tls" |
| 13 | + |
| 14 | +echo "Generating TLS certificates for webhook in ${CERT_DIR}..." |
| 15 | + |
| 16 | +mkdir -p "${CERT_DIR}" |
| 17 | + |
| 18 | +cat > "${CERT_DIR}/ca-config.json" <<EOF |
| 19 | +{ |
| 20 | + "signing": { |
| 21 | + "default": { |
| 22 | + "expiry": "175200h" |
| 23 | + }, |
| 24 | + "profiles": { |
| 25 | + "default": { |
| 26 | + "usages": ["signing", "key encipherment", "server auth", "client auth"], |
| 27 | + "expiry": "175200h" |
| 28 | + } |
| 29 | + } |
| 30 | + } |
| 31 | +} |
21 | 32 | EOF |
22 | 33 |
|
23 | | -openssl genrsa -out ca.key 4096 |
24 | | -openssl req -new -x509 -key ca.key -out ca.crt -days 365 -subj "/CN=Admission-Webhook-CA" |
| 34 | +cat > "${CERT_DIR}/ca-csr.json" <<EOF |
| 35 | +{ |
| 36 | + "hosts": [ |
| 37 | + "${WEBHOOK_FQDN_1}", |
| 38 | + "${WEBHOOK_FQDN_2}", |
| 39 | + "localhost", |
| 40 | + "127.0.0.1" |
| 41 | + ], |
| 42 | + "key": { |
| 43 | + "algo": "rsa", |
| 44 | + "size": 2048 |
| 45 | + }, |
| 46 | + "names": [ |
| 47 | + { |
| 48 | + "C": "AU", |
| 49 | + "L": "Melbourne", |
| 50 | + "O": "Example", |
| 51 | + "OU": "CA", |
| 52 | + "ST": "Example" |
| 53 | + } |
| 54 | + ] |
| 55 | +} |
| 56 | +EOF |
| 57 | + |
| 58 | +cfssl gencert -initca "${CERT_DIR}/ca-csr.json" | cfssljson -bare "${CERT_DIR}/ca" |
| 59 | + |
| 60 | +cfssl gencert \ |
| 61 | + -ca="${CERT_DIR}/ca.pem" \ |
| 62 | + -ca-key="${CERT_DIR}/ca-key.pem" \ |
| 63 | + -config="${CERT_DIR}/ca-config.json" \ |
| 64 | + -hostname="${WEBHOOK_FQDN_1},${WEBHOOK_FQDN_2},localhost,127.0.0.1" \ |
| 65 | + -profile=default \ |
| 66 | + "${CERT_DIR}/ca-csr.json" | cfssljson -bare "${CERT_DIR}/example-webhook" |
25 | 67 |
|
26 | | -openssl req -new -newkey rsa:4096 -keyout tls.key -out tls.csr -nodes -config openssl.cnf -extensions SAN |
| 68 | +cp "${CERT_DIR}/example-webhook.pem" "${CERT_DIR}/tls.crt" |
| 69 | +cp "${CERT_DIR}/example-webhook-key.pem" "${CERT_DIR}/tls.key" |
| 70 | +cp "${CERT_DIR}/ca.pem" "${CERT_DIR}/ca.crt" |
27 | 71 |
|
28 | | -openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 365 -extfile openssl.cnf -extensions SAN |
| 72 | +echo "TLS certificates generated:" |
| 73 | +echo " - CA certificate: ${CERT_DIR}/ca.crt" |
| 74 | +echo " - TLS certificate: ${CERT_DIR}/tls.crt" |
| 75 | +echo " - TLS private key: ${CERT_DIR}/tls.key" |
29 | 76 |
|
30 | | -kubectl create secret tls webhook-server-tls \ |
| 77 | +echo "Creating TLS Secret '${SECRET_NAME}' in namespace '${WEBHOOK_NS}'..." |
| 78 | +kubectl create secret tls "${SECRET_NAME}" \ |
31 | 79 | --cert=tls.crt \ |
32 | 80 | --key=tls.key \ |
33 | | - -n ${WEBHOOK_NS} --dry-run=client -o yaml | kubectl apply -f - |
| 81 | + -n "${WEBHOOK_NS}" --dry-run=client -o yaml | kubectl apply -f - |
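Review bot: The kubectl call at the end of the section still reads `--cert=tls.crt` and `--key=tls.key` relative to the working directory, but the commit drops the `cd ${CERT_DIR}` that made those paths valid, so unless the script is invoked from CERT_DIR the secret creation fails or silently picks up whatever stale tls.crt/tls.key sits in the caller's cwd; the two unchanged context lines should become `--cert="${CERT_DIR}/tls.crt" \` and `--key="${CERT_DIR}/tls.key" \`. WEBHOOK_CONFIG_NAME is assigned but never read now that the ValidatingWebhookConfiguration patching was removed, so either drop it or restore the caBundle injection the old header comment promised. The default `CERT_DIR="${1:-/tmp}"` writes ca-key.pem and tls.key under predictable names in a shared directory; a `mktemp -d`-style default would be safer even for a test helper, and a short header comment stating that the 175200h expiry and 2048-bit key are intentionally test-only would help the next reader.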