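#!/bin/bash

# Copyright 2018 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Downloads the cfssl/cfssljson R1.2 binaries, creates a self-signed CA under
# /etc/openstack-helm/certs/ca, verifies that the CA certificate matches its
# private key, and then starts writing one server CSR per service hostname.
#
# Optional environment:
#   CFSSL_SHA256      expected SHA-256 of the cfssl binary
#   CFSSLJSON_SHA256  expected SHA-256 of the cfssljson binary
# When set, the download is checked against the digest before it is executed.

set -xe

CURRENT_DIR=$(pwd)
CFSSLURL=https://pkg.cfssl.org/R1.2
TDIR=/tmp/certs

# /tmp is world-writable and this path is predictable. Create the directory
# without -p and with mode 0700: mkdir then fails (and set -e aborts) if
# anything reappears at the path between the rm and the mkdir, instead of the
# script downloading executables into a directory it does not own.
rm -rf -- "${TDIR:?}"
mkdir -m 0700 -- "${TDIR}"
mkdir -- "${TDIR}/bin"
cd "${TDIR}"

#######################################
# Compare a file against a pinned SHA-256 digest.
# Arguments: $1 - file to check
#            $2 - expected hex digest (empty: warn and skip the check)
# Returns:   non-zero on mismatch, which aborts the script under set -e
#######################################
verify_sha256 () {
  local file=$1
  local expected=$2
  if [ -z "${expected}" ]; then
    echo "Warning: no SHA-256 pinned for ${file}; download integrity not verified." >&2
    return 0
  fi
  printf '%s  %s\n' "${expected}" "${file}" | sha256sum -c -
}

# -f makes curl fail on an HTTP error instead of saving the error page as the
# "binary" that is marked executable and run below.
curl -fsSL -o bin/cfssl "${CFSSLURL}/cfssl_linux-amd64"
curl -fsSL -o bin/cfssljson "${CFSSLURL}/cfssljson_linux-amd64"
verify_sha256 bin/cfssl "${CFSSL_SHA256:-}"
verify_sha256 bin/cfssljson "${CFSSLJSON_SHA256:-}"
chmod +x bin/cfssl bin/cfssljson

# Absolute PATH entry: a relative "./bin" would resolve against whatever the
# working directory happens to be at the time a command is looked up.
export PATH="${PATH}:${TDIR}/bin"

OSH_CONFIG_ROOT="/etc/openstack-helm"
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"

# The whole config tree, including the CA private key written below, ends up
# owned by the invoking user.
sudo mkdir -p "${OSH_CONFIG_ROOT}"
sudo chown -R "$(whoami):" "${OSH_CONFIG_ROOT}"
mkdir -p "${OSH_CA_ROOT}"

# Signing policy: every certificate issued by this CA expires after 24h.
tee "${OSH_CA_ROOT}/ca-config.json" << 'EOF'
{
  "signing": {
    "default": {
      "expiry": "24h"
    },
    "profiles": {
      "server": {
        "expiry": "24h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
EOF

# CA subject and key parameters (placeholder identity values, RSA 2048).
# NOTE(review): "L" carries "SomeState" and "ST" carries "SomeCity"; the two
# placeholders look swapped (L is locality, ST is state). Left as written.
tee "${OSH_CA_ROOT}/ca-csr.json" << 'EOF'
{
  "CN": "ACME Company",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "SomeState",
      "ST": "SomeCity",
      "O": "SomeOrg",
      "OU": "SomeUnit"
    }
  ]
}
EOF

# Writes ca.pem, ca-key.pem and ca.csr next to the CSR definition.
cfssl gencert -initca "${OSH_CA_ROOT}/ca-csr.json" | cfssljson -bare "${OSH_CA_ROOT}/ca" -

#######################################
# Print a certificate and confirm that it belongs to the given private key by
# comparing RSA moduli (openssl rsa is used, so only RSA keys are supported).
# Arguments: $1 - PEM certificate path
#            $2 - PEM RSA private key path
# Outputs:   certificate text and a "Pass" line on stdout; failure on stderr
# Returns:   exits the script with status 1 on mismatch
#######################################
function check_cert_and_key () {
  local TLS_CERT=$1
  local TLS_KEY=$2
  local CERT_MOD
  local KEY_MOD
  openssl x509 -inform pem -in "${TLS_CERT}" -noout -text
  # Declared separately from the assignment so that an openssl failure is not
  # masked by the exit status of `local` and still trips set -e.
  CERT_MOD="$(openssl x509 -noout -modulus -in "${TLS_CERT}")"
  KEY_MOD="$(openssl rsa -noout -modulus -in "${TLS_KEY}")"
  # Two empty strings must not count as a match.
  if [ -z "${CERT_MOD}" ] || [ "${CERT_MOD}" != "${KEY_MOD}" ]; then
    echo "Failure: TLS private key does not match this certificate." >&2
    exit 1
  fi
  echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
}

check_cert_and_key "${OSH_CA_ROOT}/ca.pem" "${OSH_CA_ROOT}/ca-key.pem"

DOMAIN=openstackhelm.test
for HOSTNAME in "swift" "keystone" "heat" "cloudformation" "horizon" "glance" "cinder" "nova" "placement" "novnc" "metadata" "neutron" "barbican"; do
  FQDN="${HOSTNAME}.${DOMAIN}"
  OSH_SERVER_CERTS="${OSH_SERVER_TLS_ROOT}/${HOSTNAME}"
  mkdir -p "${OSH_SERVER_CERTS}"
  tee ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json <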