#------------------------------------------------------------------------
# --- cluster access -------------------------------------------------------
# Kubeconfig and Istio control-plane namespace consumed by targets outside
# this span (presumably the k8s-root-*.pem targets listed in FILES_TO_CLEAN).
KUBECONFIG      ?= $(HOME)/.kube/config
ISTIO_NAMESPACE ?= istio-system
# Additional variables are defined on the root-ca.conf target below.

#------------------------------------------------------------------------
# --- intermediate CA ------------------------------------------------------
# Validity (days), RSA key size (bits), subject and DNS SAN of each
# per-directory intermediate CA written by %/intermediate.conf.
INTERMEDIATE_DAYS    ?= 3650
INTERMEDIATE_KEYSZ   ?= 4096
INTERMEDIATE_ORG     ?= Istio
INTERMEDIATE_CN      ?= Intermediate CA
# NOTE(review): this SAN does not follow ISTIO_NAMESPACE; if istiod runs in
# another namespace both variables have to be overridden.
INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc
# Additional variables are defined on the %/intermediate.conf target below.

#------------------------------------------------------------------------
# --- workload certificates (e.g. VMs) --------------------------------------
# Service account that ends up in the SPIFFE URI SAN, and the CN, of the
# end-entity certificate described by %/workload.conf.
SERVICE_ACCOUNT ?= default
WORKLOAD_CN     ?= Workload

#------------------------------------------------------------------------
# --- files removed by `make clean` -----------------------------------------
# Appended rather than assigned, presumably so an including makefile can
# contribute its own entries.
FILES_TO_CLEAN += \
  k8s-root-cert.pem \
  k8s-root-key.pem \
  root-ca.conf \
  root-cert.csr \
  root-cert.pem \
  root-cert.srl \
  root-key.pem
#------------------------------------------------------------------------
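# `clean` is a command, not a file: declared phony so that a stray file named
# "clean" in the working directory cannot make the target look up to date.
.PHONY: clean
clean: ## Cleans all the intermediate files and folders previously generated.
	@rm -f $(FILES_TO_CLEAN)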
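# root-ca.conf: OpenSSL request config for the self-signed root CA.
# - [ req ] is the section `openssl req` reads; encrypt_key = no means the
#   private key is written in the clear, so the output directory needs
#   filesystem protection.
# - req_extensions and x509_extensions both name req_ext, so the same
#   extensions are embedded in the CSR and in the self-signed certificate.
# - CA:true without a pathlen: this root may sign the intermediate CAs, which
#   are themselves restricted to pathlen:0 by %/intermediate.conf.
# Key size and subject come from ROOTCA_KEYSZ / ROOTCA_ORG / ROOTCA_CN, which
# are defined elsewhere in this file.
# The file is produced by a single printf into $@.tmp and then renamed, so an
# interrupted or repeated run never leaves a truncated config or one with
# duplicated sections (the previous recipe appended to $@ one echo at a time).
root-ca.conf:
	@printf '%s\n' \
	  "[ req ]" \
	  "encrypt_key = no" \
	  "prompt = no" \
	  "utf8 = yes" \
	  "default_md = sha256" \
	  "default_bits = $(ROOTCA_KEYSZ)" \
	  "req_extensions = req_ext" \
	  "x509_extensions = req_ext" \
	  "distinguished_name = req_dn" \
	  "[ req_ext ]" \
	  "subjectKeyIdentifier = hash" \
	  "basicConstraints = critical, CA:true" \
	  "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" \
	  "[ req_dn ]" \
	  "O = $(ROOTCA_ORG)" \
	  "CN = $(ROOTCA_CN)" \
	  > $@.tmp && mv -f $@.tmp $@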
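# <dir>/intermediate.conf: OpenSSL request config for the intermediate CA
# that lives in <dir>. Differences from root-ca.conf:
# - basicConstraints carries pathlen:0, so this CA may sign end-entity
#   certificates only, never another CA.
# - subjectAltName points at the [ san ] section with a single DNS name
#   (INTERMEDIATE_SAN_DNS) — presumably so the certificate validates when
#   istiod presents it; confirm against the consumer.
# - The DN gains "L = <dir>", so certificates from different directories are
#   distinguishable by subject.
# L is the directory part of the target including its trailing slash
# (e.g. "foo/"); $(L:/=) strips that slash for the DN.
# Written via printf into $@.tmp and renamed, so a partial or repeated run
# cannot leave a truncated config or one with duplicated sections.
%/intermediate.conf: L=$(dir $@)
%/intermediate.conf:
	@printf '%s\n' \
	  "[ req ]" \
	  "encrypt_key = no" \
	  "prompt = no" \
	  "utf8 = yes" \
	  "default_md = sha256" \
	  "default_bits = $(INTERMEDIATE_KEYSZ)" \
	  "req_extensions = req_ext" \
	  "x509_extensions = req_ext" \
	  "distinguished_name = req_dn" \
	  "[ req_ext ]" \
	  "subjectKeyIdentifier = hash" \
	  "basicConstraints = critical, CA:true, pathlen:0" \
	  "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" \
	  "subjectAltName=@san" \
	  "[ san ]" \
	  "DNS.1 = $(INTERMEDIATE_SAN_DNS)" \
	  "[ req_dn ]" \
	  "O = $(INTERMEDIATE_ORG)" \
	  "CN = $(INTERMEDIATE_CN)" \
	  "L = $(L:/=)" \
	  > $@.tmp && mv -f $@.tmp $@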
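# <dir>/workload.conf: OpenSSL request config for an end-entity (workload,
# e.g. VM) certificate associated with <dir>.
# - basicConstraints is critical, CA:false and keyUsage omits keyCertSign:
#   this key cannot issue certificates.
# - extendedKeyUsage allows both serverAuth and clientAuth, i.e. either side
#   of an mTLS connection.
# - The SAN is a SPIFFE URI, spiffe://cluster.local/ns/<dir>/sa/<SA>: the
#   directory name is used as the namespace (L already ends in "/", which is
#   why no separator precedes "sa"), SERVICE_ACCOUNT as the service account.
#   The trust domain is hard-coded to cluster.local; a mesh using a different
#   trust domain needs this changed.
# - default_bits reuses INTERMEDIATE_KEYSZ; there is no separate workload
#   key-size knob.
# L is the directory part of the target including its trailing slash;
# $(L:/=) strips that slash for the DN.
# Written via printf into $@.tmp and renamed, so a partial or repeated run
# cannot leave a truncated config or one with duplicated sections.
%/workload.conf: L=$(dir $@)
%/workload.conf:
	@printf '%s\n' \
	  "[ req ]" \
	  "encrypt_key = no" \
	  "prompt = no" \
	  "utf8 = yes" \
	  "default_md = sha256" \
	  "default_bits = $(INTERMEDIATE_KEYSZ)" \
	  "req_extensions = req_ext" \
	  "x509_extensions = req_ext" \
	  "distinguished_name = req_dn" \
	  "[ req_ext ]" \
	  "subjectKeyIdentifier = hash" \
	  "basicConstraints = critical, CA:false" \
	  "keyUsage = digitalSignature, keyEncipherment" \
	  "extendedKeyUsage = serverAuth, clientAuth" \
	  "subjectAltName=@san" \
	  "[ san ]" \
	  "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" \
	  "[ req_dn ]" \
	  "O = $(INTERMEDIATE_ORG)" \
	  "CN = $(WORKLOAD_CN)" \
	  "L = $(L:/=)" \
	  > $@.tmp && mv -f $@.tmp $@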