forked from fidencio/kata-webhook
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathcreate-certs.sh
executable file
·28 lines (22 loc) · 986 Bytes
/
create-certs.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#! /bin/bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
WEBHOOK_NS=${1:-"default"}
WEBHOOK_NAME=${2:-"pod-annotate"}
WEBHOOK_SVC="${WEBHOOK_NAME}-webhook"
# Create certs for our webhook
openssl genrsa -out webhookCA.key 2048
openssl req -new -key ./webhookCA.key -subj "/CN=${WEBHOOK_SVC}.${WEBHOOK_NS}.svc" -out ./webhookCA.csr
openssl x509 -req -days 365 -in webhookCA.csr -signkey webhookCA.key -out webhook.crt
# Create certs secrets for k8s
kubectl create -n ${WEBHOOK_NS} secret generic \
${WEBHOOK_SVC}-certs \
--from-file=key.pem=./webhookCA.key \
--from-file=cert.pem=./webhook.crt \
--dry-run -o yaml > ./deploy/webhook-certs.yaml
# Set the CABundle on the webhook registration
CA_BUNDLE=$(cat ./webhook.crt | base64 -w0)
sed -e "s/PROJECT_NAMESPACE/${WEBHOOK_NS}/" -e "s/CA_BUNDLE/${CA_BUNDLE}/" ./deploy/webhook-registration.yaml.tpl > ./deploy/webhook-registration.yaml
# Clean
rm ./webhookCA* && rm ./webhook.crt