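#!/bin/bash
# Bootstraps the tooling and the working directory used to generate a CA under
# /etc/openstack-helm/certs/ca: defines a cert/key consistency check, installs
# cfssl/cfssljson when they are missing, and recreates the certificate
# directory.
#
# -e: stop on the first failing command, -u: unset variables are errors,
# -x: trace every command (the trace includes command arguments, so keep
# secrets out of argv in anything added to this script).
set -eux

# Default cert-manager version; an exported CERT_MANAGER_VERSION overrides it.
# Not referenced in the part of the script visible here.
: "${CERT_MANAGER_VERSION:=v1.8.0}"

cert_path="/etc/openstack-helm"
ca_cert_root="$cert_path/certs/ca"

#######################################
# Verify that a private key belongs to a certificate by comparing the public
# modulus that openssl reports for each.
# Arguments:
#   $1: the certificate file, e.g. ca.pem
#   $2: the key file, e.g. ca-key.pem
# Outputs:
#   A "Pass: ..." or "Failure: ..." line on stdout; read errors go to stderr.
# Returns:
#   Exits the script with status 1 when either file cannot be read or the
#   moduli differ.
# NOTE(review): `openssl rsa` only handles RSA keys; this assumes the CSR asks
# for an RSA key, which cannot be confirmed from the visible part of the
# script.
#######################################
function check_cert {
  local cert_file=$1
  local key_file=$2
  local cert_modulus key_modulus

  # Declaration and assignment are kept separate: `local v="$(cmd)"` returns
  # the status of `local`, so a failing openssl would go unnoticed and two
  # empty strings would compare equal and report "Pass".
  cert_modulus=$(openssl x509 -noout -modulus -in "$cert_file") || {
    echo "Failure: cannot read certificate $cert_file" >&2
    exit 1
  }
  key_modulus=$(openssl rsa -noout -modulus -in "$key_file") || {
    echo "Failure: cannot read private key $key_file" >&2
    exit 1
  }

  if [ -z "$cert_modulus" ] || [ "$cert_modulus" != "$key_modulus" ]; then
    echo "Failure: tls private key does not match cert"
    exit 1
  fi

  # Report the file names rather than dumping the two (identical) moduli.
  echo "Pass: $cert_file is valid with $key_file"
}

# Download cfssl and cfssljson if they are not available on the system
if type cfssl && type cfssljson; then
  echo "cfssl and cfssljson found - skipping installation"
else
  echo "installing cfssl and cfssljson"
  temp_bin=$(mktemp --directory)
  cd "$temp_bin"
  CFSSLURL=https://pkg.cfssl.org/R1.2
  # NOTE(review): these binaries go on to generate the CA private key, yet
  # nothing checks their integrity beyond the TLS connection. Pin a digest per
  # file and verify it before chmod, e.g.
  #   echo "<expected-sha256>  cfssl" | sha256sum --check -
  # (placeholder digest: take the real value from a source you trust).
  # --fail makes curl return non-zero on an HTTP error instead of saving the
  # error page as the "binary" that is made executable below.
  curl --fail --retry 3 --retry-connrefused -sSL -o cfssl "$CFSSLURL/cfssl_linux-amd64"
  curl --fail --retry 3 --retry-connrefused -sSL -o cfssljson "$CFSSLURL/cfssljson_linux-amd64"
  chmod +x cfssl cfssljson
  export PATH="$PATH:$temp_bin"
fi

# Sets up a directory for the certs
# ${cert_path:?} aborts instead of expanding to an empty path under sudo rm -rf.
sudo rm -rf -- "${cert_path:?}"
sudo mkdir -p -- "$ca_cert_root"
# NOTE(review): go+w leaves the tree that will hold the CA material writable
# by group and others, so any local account could replace it. Handing the
# directory to the invoking user (chown) would be tighter, but whether a later
# step relies on other writers cannot be seen from here.
sudo chmod -R go+w "$cert_path"
cd "$ca_cert_root"

# NOTE(review): the rest of the script is not recoverable from this copy. The
# heredoc bodies (ca-csr.json, cfssl.json, intermediate-ca.json,
# /tmp/ca-issuers.yaml) were stripped and the text ends mid-statement. The
# surviving residue is kept verbatim below, commented out so the file parses:
#
#   cat > ca-csr.json < cfssl.json < intermediate-ca.json < /tmp/ca-issuers.yaml <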