common.mk 
#------------------------------------------------------------------------
# Root CA defaults.
# `?=` only fills in a value that is not already set, so the make command
# line or the environment can override each name below; whatever value wins
# is what the rules further down copy into the generated OpenSSL config.
# ROOTCA_KEYSZ, ROOTCA_ORG and ROOTCA_CN are written into root-ca.conf.
# ROOTCA_DAYS, KUBECONFIG and ISTIO_NAMESPACE are not referenced by the
# rules shown in this file (presumably consumed by the including makefile).
# NOTE(review): ROOTCA_DAYS looks like a validity period in days (3650 is
# roughly ten years) - confirm where it is handed to openssl.
ROOTCA_DAYS     ?= 3650
ROOTCA_KEYSZ    ?= 4096
ROOTCA_ORG      ?= Istio
ROOTCA_CN       ?= Root CA
KUBECONFIG      ?= $(HOME)/.kube/config
ISTIO_NAMESPACE ?= istio-system
# Further root CA request options are emitted by the root-ca.conf target below.

#------------------------------------------------------------------------
# Intermediate CA defaults (each overridable, since `?=` keeps a value that
# is already set on the command line or in the environment).
# INTERMEDIATE_KEYSZ and INTERMEDIATE_ORG are written into both
# %/intermediate.conf and %/workload.conf by the rules below;
# INTERMEDIATE_CN and INTERMEDIATE_SAN_DNS only into %/intermediate.conf.
# INTERMEDIATE_DAYS is not referenced by the rules shown in this file.
# NOTE(review): presumably the intermediate certificate lifetime in days -
# confirm against the makefile that includes this one.
INTERMEDIATE_DAYS    ?= 3650
INTERMEDIATE_KEYSZ   ?= 4096
INTERMEDIATE_ORG     ?= Istio
INTERMEDIATE_CN      ?= Intermediate CA
INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc
# Further intermediate CA request options are emitted by the
# %/intermediate.conf target below.

#------------------------------------------------------------------------
# Workload certificate defaults (for example a VM workload).
# SERVICE_ACCOUNT becomes the last segment of the SPIFFE URI and WORKLOAD_CN
# the subject CN written by the %/workload.conf rule below.
# WORKLOAD_DAYS is not referenced by the rules shown in this file.
# NOTE(review): presumably the workload certificate lifetime in days, i.e. a
# deliberately short-lived credential - confirm where it is consumed.
WORKLOAD_DAYS   ?= 1
SERVICE_ACCOUNT ?= default
WORKLOAD_CN     ?= Workload

#------------------------------------------------------------------------
# Files removed by the clean target, one per line.
# `+=` appends, so a makefile that includes this one can add its own entries.
# NOTE(review): the *-key.pem names look like private keys; `make clean`
# would then discard key material together with the certificates - confirm
# that is intended before running it on a CA that is still in use.
FILES_TO_CLEAN += \
    k8s-root-cert.pem \
    k8s-root-cert.srl \
    k8s-root-key.pem \
    root-ca.conf \
    root-cert.csr \
    root-cert.pem \
    root-cert.srl \
    root-key.pem
#------------------------------------------------------------------------
# clean
# Deletes every path listed in FILES_TO_CLEAN. `rm -f` stays quiet about
# missing files and does not remove directories.
# NOTE(review): the list as defined in this file includes names ending in
# -key.pem, which look like private keys - confirm before cleaning a CA
# directory that is still in use.
.PHONY: clean

clean: ## Cleans all the intermediate files and folders previously generated.
	@rm -f $(FILES_TO_CLEAN)

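# root-ca.conf: OpenSSL request configuration for the root CA.
#
# The file is written to a temporary name in a single printf and then moved
# into place, so an interrupted run cannot leave a truncated config behind.
# That matters here because the target has no prerequisites: once the file
# exists make never rebuilds it (delete it to apply changed ROOTCA_* values).
#
# Each make value is handed to the shell inside single quotes, with embedded
# single quotes escaped, so double quotes, dollar signs or backticks in
# ROOTCA_ORG / ROOTCA_CN reach the file literally instead of being
# interpreted by the shell.
#
# Security notes on the generated config:
#  - encrypt_key = no: a key generated with this config is not
#    passphrase-protected, so its confidentiality rests on file permissions
#    and on where the key file is stored.
#  - basicConstraints = CA:true carries no pathlen, so this config does not
#    limit the depth of the chain below the root.
#  - keyUsage grants digitalSignature, nonRepudiation and keyEncipherment in
#    addition to keyCertSign, and does not include cRLSign.
#    NOTE(review): confirm whether the broader set is needed before changing it.
root-ca.conf:
	@printf '%s\n' \
	  '[ req ]' \
	  'encrypt_key = no' \
	  'prompt = no' \
	  'utf8 = yes' \
	  'default_md = sha256' \
	  'default_bits = $(subst ','\'',$(ROOTCA_KEYSZ))' \
	  'req_extensions = req_ext' \
	  'x509_extensions = req_ext' \
	  'distinguished_name = req_dn' \
	  '[ req_ext ]' \
	  'subjectKeyIdentifier = hash' \
	  'basicConstraints = critical, CA:true' \
	  'keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign' \
	  '[ req_dn ]' \
	  'O = $(subst ','\'',$(ROOTCA_ORG))' \
	  'CN = $(subst ','\'',$(ROOTCA_CN))' \
	  > $@.tmp
	@mv -f $@.tmp $@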

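# <dir>/intermediate.conf: OpenSSL request configuration for an intermediate CA.
#
# L is a target-specific variable holding the directory part of the target,
# trailing slash included; $(L:/=) drops that slash, so the directory name
# becomes the subject's L (locality) field.
#
# The recipe creates the target directory first, so the rule also works when
# it is requested directly or runs before a sibling rule under `make -j`.
# The config is written to a temporary name and moved into place, so an
# interrupted run cannot leave a truncated file that make treats as current
# (the target has no prerequisites; delete it to apply changed values).
# Each make value is passed to the shell in single quotes with embedded
# single quotes escaped, so shell metacharacters in it are written literally.
#
# Security notes on the generated config:
#  - encrypt_key = no: a key generated with this config is not
#    passphrase-protected; protect the key file through permissions/storage.
#  - basicConstraints = CA:true, pathlen:0: certificates issued under this
#    CA cannot themselves act as CAs.
#  - keyUsage grants digitalSignature, nonRepudiation and keyEncipherment in
#    addition to keyCertSign, and does not include cRLSign.
#    NOTE(review): confirm whether the broader set is needed before changing it.
%/intermediate.conf: L=$(dir $@)
%/intermediate.conf:
	@mkdir -p $(@D)
	@printf '%s\n' \
	  '[ req ]' \
	  'encrypt_key = no' \
	  'prompt = no' \
	  'utf8 = yes' \
	  'default_md = sha256' \
	  'default_bits = $(subst ','\'',$(INTERMEDIATE_KEYSZ))' \
	  'req_extensions = req_ext' \
	  'x509_extensions = req_ext' \
	  'distinguished_name = req_dn' \
	  '[ req_ext ]' \
	  'subjectKeyIdentifier = hash' \
	  'basicConstraints = critical, CA:true, pathlen:0' \
	  'keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign' \
	  'subjectAltName=@san' \
	  '[ san ]' \
	  'DNS.1 = $(subst ','\'',$(INTERMEDIATE_SAN_DNS))' \
	  '[ req_dn ]' \
	  'O = $(subst ','\'',$(INTERMEDIATE_ORG))' \
	  'CN = $(subst ','\'',$(INTERMEDIATE_CN))' \
	  'L = $(subst ','\'',$(L:/=))' \
	  > $@.tmp
	@mv -f $@.tmp $@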

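# <dir>/workload.conf: OpenSSL request configuration for a workload
# (end-entity) certificate.
#
# L is a target-specific variable holding the directory part of the target,
# trailing slash included. It is used twice:
#  - in the SPIFFE URI, where "ns/$(L)sa/..." expands to ns/<dir>/sa/<account>,
#    so the target's directory name IS the namespace of the identity that is
#    requested. A nested directory would put extra path segments into the URI,
#    so keep <dir> a single path component that matches the intended namespace.
#  - as $(L:/=) (slash dropped) for the subject's L field.
# The trust domain in the URI is fixed to cluster.local by this rule.
#
# The recipe creates the target directory first, so the rule also works when
# it is requested directly or runs before a sibling rule under `make -j`.
# The config is written to a temporary name and moved into place, so an
# interrupted run cannot leave a truncated file that make treats as current
# (the target has no prerequisites; delete it to apply changed values).
# Each make value is passed to the shell in single quotes with embedded
# single quotes escaped, so shell metacharacters in it are written literally.
#
# Security notes on the generated config:
#  - encrypt_key = no: a key generated with this config is not
#    passphrase-protected; protect the key file through permissions/storage.
#  - basicConstraints = CA:false and extendedKeyUsage = serverAuth, clientAuth
#    restrict the certificate to TLS server/client use; keyUsage is not
#    marked critical here, unlike in the two CA configs.
#  - default_bits and O reuse INTERMEDIATE_KEYSZ and INTERMEDIATE_ORG; this
#    file defines no workload-specific key size or organisation variable.
%/workload.conf: L=$(dir $@)
%/workload.conf:
	@mkdir -p $(@D)
	@printf '%s\n' \
	  '[ req ]' \
	  'encrypt_key = no' \
	  'prompt = no' \
	  'utf8 = yes' \
	  'default_md = sha256' \
	  'default_bits = $(subst ','\'',$(INTERMEDIATE_KEYSZ))' \
	  'req_extensions = req_ext' \
	  'x509_extensions = req_ext' \
	  'distinguished_name = req_dn' \
	  '[ req_ext ]' \
	  'subjectKeyIdentifier = hash' \
	  'basicConstraints = critical, CA:false' \
	  'keyUsage = digitalSignature, keyEncipherment' \
	  'extendedKeyUsage = serverAuth, clientAuth' \
	  'subjectAltName=@san' \
	  '[ san ]' \
	  'URI.1 = spiffe://cluster.local/ns/$(subst ','\'',$(L))sa/$(subst ','\'',$(SERVICE_ACCOUNT))' \
	  '[ req_dn ]' \
	  'O = $(subst ','\'',$(INTERMEDIATE_ORG))' \
	  'CN = $(subst ','\'',$(WORKLOAD_CN))' \
	  'L = $(subst ','\'',$(L:/=))' \
	  > $@.tmp
	@mv -f $@.tmp $@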