openstack-helm-infra/tools/gate/tls-ca-boostrapper/01-setup.sh
Gage Hugo d14d826b26 Remove OSH Authors copyright
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.

This change removes all references to this copyright by the
non-existent group and any blank lines underneath.

Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
2020-05-07 02:11:15 +00:00

90 lines
2.3 KiB
Bash

#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
CFSSLURL=https://pkg.cfssl.org/R1.2
for CFSSL_BIN in cfssl cfssljson; do
if ! type -p "${CFSSL_BIN}"; then
sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
ls "/usr/local/bin/${CFSSL_BIN}"
fi
done
OSH_CONFIG_ROOT="/etc/openstack-helm"
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
sudo mkdir -p ${OSH_CONFIG_ROOT}
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
mkdir -p "${OSH_CA_ROOT}"
tee ${OSH_CA_ROOT}/ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "1y"
},
"profiles": {
"server": {
"expiry": "1y",
"usages": [
"signing",
"key encipherment",
"server auth"
]
}
}
}
}
EOF
tee ${OSH_CA_ROOT}/ca-csr.json << EOF
{
"CN": "ACME Company",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "SomeState",
"ST": "SomeCity",
"O": "SomeOrg",
"OU": "SomeUnit"
}
]
}
EOF
cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
function check_cert_and_key () {
TLS_CERT=$1
TLS_KEY=$2
openssl x509 -inform pem -in ${TLS_CERT} -noout -text
CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
echo "Failure: TLS private key does not match this certificate."
exit 1
else
CERT_MOD=""
KEY_MOD=""
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
fi
}
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem