mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-04-28 11:44:38 +00:00
4c58478536
Move the f15be37d9bef58a0128bcba006f8abb3ea13e8da version of scripts required for openshift-ci from "kata-containers/tests/.ci/openshift-ci" into "kata-containers/kata-containers/ci/openshift-ci" and required webhook+libs into "kata-containers/kata-containers/tools/testing" as is to simplify verification, the different location handling will be added in following commit. Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
82 lines
2.1 KiB
Bash
Executable File
82 lines
2.1 KiB
Bash
Executable File
#! /bin/bash
|
|
# Copyright (c) 2019 Intel Corporation
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
set -o errexit
|
|
set -o nounset
|
|
set -o pipefail
|
|
set -o errtrace
|
|
|
|
webhook_dir=$(dirname $0)
|
|
source "${webhook_dir}/common.bash"
|
|
|
|
[ -n "${1:-}" ] && WEBHOOK_NS="$1"
|
|
[ -n "${2:-}" ] && WEBHOOK_NAME="$2"
|
|
|
|
if ! command -v openssl &>/dev/null; then
|
|
echo "ERROR: command 'openssl' not found."
|
|
exit 1
|
|
elif ! command -v kubectl &>/dev/null; then
|
|
echo "ERROR: command 'kubectl' not found."
|
|
exit 1
|
|
fi
|
|
|
|
cleanup() {
|
|
rm -rf *.key *.crt *.csr *.srl
|
|
[ -n "${CSR_CONFIG_FILE:-}" ] && rm -f ${CSR_CONFIG_FILE}
|
|
}
|
|
|
|
trap cleanup EXIT
|
|
|
|
# Create certs for our webhook
|
|
touch $HOME/.rnd
|
|
|
|
# Create a Certificate Signing Request configuration file.
|
|
CSR_CONFIG_FILE="$(mktemp)"
|
|
cat << EOF >$CSR_CONFIG_FILE
|
|
[ req ]
|
|
default_bits = 2048
|
|
prompt = no
|
|
default_md = sha256
|
|
req_extensions = req_ext
|
|
distinguished_name = dn
|
|
|
|
[ dn ]
|
|
CN = "Kata Containers Webhook"
|
|
|
|
[ req_ext ]
|
|
subjectAltName = @alt_names
|
|
|
|
[ alt_names ]
|
|
DNS.1 = ${WEBHOOK_SVC}.${WEBHOOK_NS}.svc
|
|
|
|
[ v3_ext ]
|
|
authorityKeyIdentifier=keyid,issuer:always
|
|
basicConstraints=CA:FALSE
|
|
keyUsage=keyEncipherment,dataEncipherment
|
|
extendedKeyUsage=serverAuth,clientAuth
|
|
subjectAltName=@alt_names
|
|
EOF
|
|
|
|
openssl genrsa -out webhookCA.key 2048
|
|
openssl req -x509 -new -nodes -key webhookCA.key \
|
|
-subj "/CN=Kata Containers Webhook" -days 365 -out webhookCA.crt
|
|
openssl genrsa -out webhook.key 2048
|
|
openssl req -new -key webhook.key -out webhook.csr -config "${CSR_CONFIG_FILE}"
|
|
openssl x509 -req -in webhook.csr -CA webhookCA.crt -CAkey webhookCA.key \
|
|
-CAcreateserial -out webhook.crt -days 365 \
|
|
-extensions v3_ext -extfile "${CSR_CONFIG_FILE}"
|
|
|
|
# Create certs secrets for k8s
|
|
kubectl create secret generic \
|
|
${WEBHOOK_SVC}-certs \
|
|
--from-file=key.pem=./webhook.key \
|
|
--from-file=cert.pem=./webhook.crt \
|
|
--dry-run=client -o yaml > ./deploy/webhook-certs.yaml
|
|
|
|
# Set the CABundle on the webhook registration
|
|
CA_BUNDLE=$(cat ./webhookCA.crt ./webhook.crt | base64 -w0)
|
|
sed "s/CA_BUNDLE/${CA_BUNDLE}/" ./deploy/webhook-registration.yaml.tpl > ./deploy/webhook-registration.yaml
|
|
|