d14d826b26
The current copyright refers to a non-existent group "openstack helm authors" with often out-of-date references that are confusing when adding a new file to the repo. This change removes all references to this copyright by the non-existent group and any blank lines underneath. Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
90 lines
2.3 KiB
Bash
90 lines
2.3 KiB
Bash
#!/bin/bash
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
set -xe
|
|
|
|
CFSSLURL=https://pkg.cfssl.org/R1.2
|
|
for CFSSL_BIN in cfssl cfssljson; do
|
|
if ! type -p "${CFSSL_BIN}"; then
|
|
sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
|
|
sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
|
|
ls "/usr/local/bin/${CFSSL_BIN}"
|
|
fi
|
|
done
|
|
|
|
OSH_CONFIG_ROOT="/etc/openstack-helm"
|
|
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
|
|
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
|
|
|
|
sudo mkdir -p ${OSH_CONFIG_ROOT}
|
|
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
|
|
|
|
mkdir -p "${OSH_CA_ROOT}"
|
|
tee ${OSH_CA_ROOT}/ca-config.json << EOF
|
|
{
|
|
"signing": {
|
|
"default": {
|
|
"expiry": "1y"
|
|
},
|
|
"profiles": {
|
|
"server": {
|
|
"expiry": "1y",
|
|
"usages": [
|
|
"signing",
|
|
"key encipherment",
|
|
"server auth"
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
|
|
tee ${OSH_CA_ROOT}/ca-csr.json << EOF
|
|
{
|
|
"CN": "ACME Company",
|
|
"key": {
|
|
"algo": "rsa",
|
|
"size": 2048
|
|
},
|
|
"names": [
|
|
{
|
|
"C": "US",
|
|
"L": "SomeState",
|
|
"ST": "SomeCity",
|
|
"O": "SomeOrg",
|
|
"OU": "SomeUnit"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
|
|
cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
|
|
|
|
function check_cert_and_key () {
|
|
TLS_CERT=$1
|
|
TLS_KEY=$2
|
|
openssl x509 -inform pem -in ${TLS_CERT} -noout -text
|
|
CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
|
|
KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
|
|
if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
|
|
echo "Failure: TLS private key does not match this certificate."
|
|
exit 1
|
|
else
|
|
CERT_MOD=""
|
|
KEY_MOD=""
|
|
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
|
|
fi
|
|
}
|
|
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
|