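#!/usr/bin/env bash
#
# Generate the self-signed CA, server (harbor) and notary-signer certificates
# for this deployment, together with the cfssl config/CSR JSON files they are
# built from.  Every file is written to the current working directory.
#
# Required tools: cfssl, cfssljson, openssl.
#
# Environment:
#   SNI - optional ';'-separated list of extra hostnames / IPs that are added
#         to the SAN list of the harbor server certificate.
#
# Outputs (cwd): ca-config.json, ca-csr.json, harbor-csr.json,
#   notary-signer-csr.json, ca.pem/ca-key.pem/ca.crt, harbor*.pem,
#   server.crt/server.key, private_key.pem/root.crt, notary-signer-ca.key/.crt,
#   notary-signer.crt/.key.
#
# pipefail: the cert material is produced by `cfssl | cfssljson` pipelines, and
# without it a failing cfssl is masked by a succeeding cfssljson.
set -euo pipefail

# Directory that holds this script.  Currently unused - all output goes to the
# caller's cwd, not next to the script - but kept for anything sourcing it.
# shellcheck disable=SC2034
DIR="$(cd "$(dirname "$0")" && pwd)"

# Lifetime handed to cfssl for the CA and every profile (100 years), and the
# matching value in days for the openssl-generated roots.
readonly CERT_EXPIRY="876000h"
readonly CERT_DAYS=36500

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'init-cert: %s\n' "$*" >&2
  exit 1
}

#######################################
# Turn $SNI into a JSON fragment of quoted hosts, each followed by a comma,
# so it can be spliced into the "hosts" array of harbor-csr.json.
# Entries are split on ';' and on whitespace (the original unquoted expansion
# split on both); empty entries are skipped.  Every entry is checked against a
# conservative hostname/IP character set because it is interpolated verbatim
# into JSON - a quote, backslash or brace would corrupt the CSR or add
# unintended structure to it.
# Globals:   SNI (read, may be unset)
# Outputs:   the fragment on stdout, e.g. "a.example","10.0.0.5",
#            one "> [entry]" progress line per host on stderr
# Returns:   1 (via die) on an entry with a disallowed character
#######################################
build_sni_hosts() {
  local raw="${SNI:-}"
  local fragment=""
  local entry
  local -a entries=()
  # -d '' reads the whole string (including embedded newlines); read reports
  # EOF with status 1 even though the array is filled, hence the `|| true`.
  IFS=$'; \t\n' read -r -d '' -a entries <<<"$raw" || true
  for entry in "${entries[@]}"; do
    [[ -n "$entry" ]] || continue
    if [[ ! "$entry" =~ ^[A-Za-z0-9._*:-]+$ ]]; then
      die "invalid SNI entry '$entry' (allowed: letters, digits, . _ - * :)"
    fi
    printf '> [%s]\n' "$entry" >&2
    fragment="${fragment}\"${entry}\","
  done
  printf '%s' "$fragment"
}

#######################################
# Write the cfssl signing config and the CA / harbor CSR requests into the cwd.
# Arguments: $1 - JSON fragment of extra hosts for harbor-csr.json (may be empty)
# Globals:   CERT_EXPIRY (read)
#######################################
write_csr_configs() {
  local extra_hosts=$1

  cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "${CERT_EXPIRY}"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "${CERT_EXPIRY}"
}
}
}
}
EOF

  cat > ca-csr.json <<EOF
{
"CN": "root-ca",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "opsnull"
}
],
"ca": {
"expiry": "${CERT_EXPIRY}"
}
}
EOF

  # The extra hosts land right after the fixed IPs; the fragment already ends
  # with a comma (or is empty), so the array stays valid JSON either way.
  cat > harbor-csr.json <<EOF
{
"CN": "harbor.local",
"hosts": [
"127.0.0.1",
"192.168.1.10",${extra_hosts}
"harbor",
"harbor.default",
"harbor.default.svc",
"harbor.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "opsnull"
}
]
}
EOF

  cat > notary-signer-csr.json <<EOF
{
"CN": "notarysigner",
"hosts": [
"127.0.0.1",
"notarysigner",
"notarysigner.default",
"notarysigner.default.svc",
"notarysigner.local"
],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "opsnull"
}
]
}
EOF
}

#######################################
# Create the CA, the harbor server cert, the two openssl-generated self-signed
# roots and the notary-signer cert.  Runs in the cwd; expects the JSON inputs
# from write_csr_configs to exist.
# Globals:   CERT_DAYS (read)
#######################################
generate_certs() {
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=kubernetes harbor-csr.json | cfssljson -bare harbor

  # Self-signed root with an empty subject, as consumed downstream.
  openssl genrsa -out private_key.pem 4096
  openssl req -new -x509 -key private_key.pem -out root.crt \
    -days "${CERT_DAYS}" -subj "/"

  # Dedicated CA for the notary signer, used to sign notary-signer-csr.json.
  openssl genrsa -out notary-signer-ca.key 4096
  openssl req -new -x509 -key notary-signer-ca.key -out notary-signer-ca.crt \
    -days "${CERT_DAYS}" \
    -subj "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
  cfssl gencert -ca-key=notary-signer-ca.key -ca=notary-signer-ca.crt \
    -config=ca-config.json -profile=kubernetes notary-signer-csr.json \
    | cfssljson -bare notary-signer
}

#######################################
# Rename the generated material to the file names the deployment expects and
# make sure no private key is group/world readable, whatever the umask was.
#######################################
install_outputs() {
  cp ca.pem ca.crt
  cp harbor.pem server.crt
  cp harbor-key.pem server.key
  mv notary-signer.pem notary-signer.crt
  mv notary-signer-key.pem notary-signer.key
  chmod 600 ca-key.pem harbor-key.pem server.key private_key.pem \
    notary-signer-ca.key notary-signer.key
}

main() {
  local extra_hosts
  # Split declaration from assignment so a validation failure is not masked.
  extra_hosts=$(build_sni_hosts) || exit 1
  printf '%s\n' "$extra_hosts"

  for tool in cfssl cfssljson openssl; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done

  write_csr_configs "$extra_hosts"
  cat harbor-csr.json
  generate_certs
  install_outputs
}

main "$@"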