Certificate Generation
The code snippet provided below must be saved as a file; for example, save this script as gencert.sh.
An example invocation of this script looks like ./gencert.sh namespace.
Here, namespace is the namespace in which you install the Certifai Enterprise instance.
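#!/usr/bin/env bash
#
# gencert.sh - create a local CA plus TLS certificates for the dex, console
# and policy ingresses of a Certifai Enterprise install and load them into
# Kubernetes secrets.
#
# Usage:    ./gencert.sh [namespace]      (default namespace: certifai)
# Needs:    kubectl (configured for the target cluster), jq, openssl
# Writes:   ./ssl/  (recreated on every run; holds the CA and service keys)
# Secrets:  dex-tls, certifai-console-tls, certifai-policy-tls (type tls)
#           certifai-dex-ca (type generic, holds ca.pem)
#
# Options live in `set` rather than the shebang so they still apply when the
# script is started as "bash gencert.sh".
set -euo pipefail

# Private keys are written into ssl/; make every file owner-only. Copy ca.pem
# out with relaxed permissions if it has to be distributed.
umask 077

NAMESPACE=${1:-certifai}
readonly NAMESPACE

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf 'gencert: %s\n' "$*" >&2
  exit 1
}

#######################################
# Reject a namespace that is not a DNS-1123 label. The value is interpolated
# into an OpenSSL config file and passed to kubectl, so newlines, section
# brackets or shell metacharacters must never reach those places.
# Arguments: $1 - candidate namespace
# Returns:   0 if valid, exits otherwise
#######################################
validate_namespace() {
  local ns=$1
  local -r label_re='^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
  [[ ${#ns} -le 63 && "$ns" =~ $label_re ]] \
    || die "invalid namespace '$ns' (expected a DNS-1123 label)"
}

#######################################
# Write the OpenSSL request/extension config for one service. The ingress IP
# is appended to [alt_names] later by prepare_service_cnf.
# Globals:   NAMESPACE (read)
# Arguments: $1 - service name (dex, console, policy)
#            $2 - output path
#######################################
write_req_cnf() {
  local service=$1 out=$2
  cat > "$out" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}.${NAMESPACE}.svc.cluster.local
DNS.2 = kubernetes.docker.internal
EOF
}

#######################################
# Block until the named Ingress reports a load-balancer IP, then print it.
# Progress messages go to stderr so the IP can be captured from stdout.
# Globals:   NAMESPACE (read)
# Arguments: $1 - ingress name
# Outputs:   the IP on stdout
#######################################
wait_for_ingress_ip() {
  local name=$1
  local ip=""
  while [[ -z "$ip" || "$ip" == "null" ]]; do
    printf 'Waiting for %s end point...\n' "$name" >&2
    # kubectl fails while the Ingress object does not exist yet; treat that
    # as "not ready" instead of aborting under set -e / pipefail.
    ip=$(kubectl get ingress "$name" -o json -n "$NAMESPACE" \
      | jq -r '.status.loadBalancer.ingress[0].ip') || ip=""
    # NOTE(review): an ingress that publishes .hostname instead of .ip never
    # satisfies this loop; confirm the target cluster assigns IPs.
    if [[ -z "$ip" || "$ip" == "null" ]]; then
      sleep 10
    fi
  done
  printf '%s end point ready- %s\n' "$name" "$ip" >&2
  printf '%s\n' "$ip"
}

#######################################
# Build ssl/<service>.cnf: the request template plus the ingress IP as an
# extra SAN.
# Arguments: $1 - service name, also the Ingress name
#######################################
prepare_service_cnf() {
  local service=$1
  local cnf="ssl/${service}.cnf"
  local ip
  write_req_cnf "$service" "$cnf"
  ip=$(wait_for_ingress_ip "$service")
  # The address comes from cluster status; only accept IPv4/IPv6 characters
  # before writing it into the config file.
  [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]] \
    || die "unexpected ingress address for $service: '$ip'"
  printf 'IP = %s\n' "$ip" >> "$cnf"
}

#######################################
# Issue a leaf certificate for one service, signed by ssl/ca.pem.
# Arguments: $1 - service name (reads ssl/<service>.cnf,
#                 writes ssl/<service>_csr.pem and ssl/<service>_cert.pem)
#######################################
issue_cert() {
  local service=$1
  local cnf="ssl/${service}.cnf"
  # All three services share ssl/key.pem, as in the original layout. The
  # subject CN duplicates the CA's; the SANs in the config carry the identity.
  openssl req -new -key ssl/key.pem -out "ssl/${service}_csr.pem" \
    -subj "/CN=kube-ca" -config "$cnf"
  openssl x509 -req -in "ssl/${service}_csr.pem" \
    -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial \
    -out "ssl/${service}_cert.pem" -days 398 \
    -extensions v3_req -extfile "$cnf"
}

#######################################
# Replace a Kubernetes secret: delete it if present, then create it.
# Globals:   NAMESPACE (read)
# Arguments: $1 - secret type (tls, generic)
#            $2 - secret name
#            remaining args - flags for "kubectl create secret"
#######################################
replace_secret() {
  local type=$1 name=$2
  shift 2
  kubectl delete secret --ignore-not-found "$name" -n "$NAMESPACE"
  kubectl create secret "$type" "$name" "$@" -n "$NAMESPACE"
}

main() {
  validate_namespace "$NAMESPACE"
  local tool
  for tool in kubectl jq openssl; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done

  rm -rf -- ssl
  mkdir -p ssl

  # ssl/req.cnf is the dex template earlier versions of this script left
  # behind; kept so anything reading it still finds it.
  write_req_cnf dex ssl/req.cnf

  local service
  for service in dex console policy; do
    prepare_service_cnf "$service"
  done

  # Local CA, valid 398 days like the leaf certificates it signs.
  openssl genrsa -out ssl/ca-key.pem 2048
  openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 398 \
    -out ssl/ca.pem -subj "/CN=kube-ca"

  openssl genrsa -out ssl/key.pem 2048
  for service in dex console policy; do
    issue_cert "$service"
  done

  replace_secret tls dex-tls --cert=ssl/dex_cert.pem --key=ssl/key.pem
  replace_secret tls certifai-console-tls --cert=ssl/console_cert.pem --key=ssl/key.pem
  replace_secret tls certifai-policy-tls --cert=ssl/policy_cert.pem --key=ssl/key.pem
  replace_secret generic certifai-dex-ca --from-file=ssl/ca.pem
}

main "$@"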
Wait 10-15 minutes until all the pods in your namespace come up.