openstack/openstack-helm-infra
Code Issues Proposed changes
5e3f729ffe
openstack-helm-infra/tools/gate/tls-ca-boostrapper/01-setup.sh
Pete Birley 96703649a5 Helm-Toolkit: TLS cert generator 
This PS adds a function to generate tls certificates from a
CA. It also adds a script to generate a snakeoil ca for dev
and future gating work.

Change-Id: Ic94a9ab5fa3ebb912b507008a6b2f78e16dade67
Signed-off-by: Pete Birley <pete@port.direct>
2018-08-29 11:26:44 -05:00

92 lines
2.4 KiB
Bash
Raw Blame History

#!/bin/bash
# Copyright 2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
CFSSLURL=https://pkg.cfssl.org/R1.2
for CFSSL_BIN in cfssl cfssljson; do
if ! type -p "${CFSSL_BIN}"; then
sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
ls "/usr/local/bin/${CFSSL_BIN}"
fi
done
OSH_CONFIG_ROOT="/etc/openstack-helm"
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
sudo mkdir -p ${OSH_CONFIG_ROOT}
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
mkdir -p "${OSH_CA_ROOT}"
tee ${OSH_CA_ROOT}/ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "1y"
},
"profiles": {
"server": {
"expiry": "1y",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF
tee ${OSH_CA_ROOT}/ca-csr.json << EOF
{
"CN": "ACME Company",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "SomeState",
"ST": "SomeCity",
"O": "SomeOrg",
"OU": "SomeUnit"
}
]
}
EOF
cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
function check_cert_and_key () {
TLS_CERT=$1
TLS_KEY=$2
openssl x509 -inform pem -in ${TLS_CERT} -noout -text
CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
echo "Failure: TLS private key does not match this certificate."
exit 1
else
CERT_MOD=""
KEY_MOD=""
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
fi
}
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
View Git Blame Copy Permalink