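# Generate a short-lived test root CA plus a worker TLS certificate on a remote
# Docker host over SSH, then copy the CA certificate back to the local machine.
# Private keys never leave the remote host.
param(
    # ssh_config host alias of the remote Docker host that runs the OpenSSL steps.
    [string]$DockerSshAlias = "docker-test",

    # Remote directory that receives the CA and worker key material.
    [string]$RemoteOutputDir = "/tmp/rap-p3-5-platform-ca",

    # Local destination path for the fetched CA certificate (relative paths are
    # anchored at the current location).
    [string]$LocalCaOutputPath = "artifacts/p3-5-platform-ca.crt",

    # IP address placed in the worker certificate's subjectAltName as IP.1.
    # It must parse as an IP address, otherwise OpenSSL rejects the request.
    [ValidateScript({ [System.Net.IPAddress]::TryParse($_, [ref]$null) })]
    [string]$WorkerHost = "192.168.200.61",

    # Optional DNS name appended to the subjectAltName as DNS.1.
    [ValidatePattern('^[A-Za-z0-9.-]*$')]
    [string]$WorkerDnsName = "",

    # Cluster and worker identifiers. Both are spliced verbatim into an OpenSSL
    # config file (CN and a SPIFFE URI SAN) on the remote side, so they are
    # restricted to a conservative character set: a newline or a '[' in either
    # value would otherwise inject extra config lines or sections.
    [ValidatePattern('^[A-Za-z0-9._-]+$')]
    [string]$ClusterId = "default",

    [ValidatePattern('^[A-Za-z0-9._-]+$')]
    [string]$WorkerId = "rdp-worker-1",

    # Validity period in days for both the CA and the worker certificate.
    [ValidateRange(1, 3650)]
    [int]$Days = 30
)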
|
|
# Fail fast: unset variables are errors and any non-terminating error aborts
# the script, so a failed remote step is never silently followed by the scp.
$ErrorActionPreference = 'Stop'
Set-StrictMode -Version Latest
|
# Wrap a value in POSIX single quotes so it can be embedded in the bash script
# streamed to the remote host without word splitting, globbing or expansion.
# Embedded single quotes are rewritten as the standard close-quote /
# escaped-quote / re-open-quote sequence: a'b -> 'a'\''b'.
function Quote-Bash {
    param([string]$Value)
    # In a .NET regex replacement string only '$' is special, so '\' is literal.
    $escaped = $Value -replace "'", "'\''"
    return "'{0}'" -f $escaped
}
|
# Pre-quote every string parameter that is interpolated into the remote bash
# script so that spaces, quotes or shell metacharacters cannot break out of the
# variable assignment. $Days is an [int] and is interpolated as-is.
$remoteDir     = Quote-Bash -Value $RemoteOutputDir
$workerHost    = Quote-Bash -Value $WorkerHost
$workerDnsName = Quote-Bash -Value $WorkerDnsName
$clusterId     = Quote-Bash -Value $ClusterId
$workerId      = Quote-Bash -Value $WorkerId
|
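# Bash script executed on the remote Docker host. Bash variables are written as
# `$NAME so PowerShell leaves them alone; the unescaped $remoteDir/$workerHost/...
# references are the pre-quoted PowerShell values substituted into the script.
$remoteScript = @"
set -euo pipefail

# Restrict every file this script creates (keys, CSRs, config) to the owner.
# The explicit chmod 600 below still runs, but this closes the window between
# key generation and that chmod and covers any file the chmod does not list.
umask 077

REMOTE_DIR=$remoteDir
WORKER_HOST=$workerHost
WORKER_DNS_NAME=$workerDnsName
CLUSTER_ID=$clusterId
WORKER_ID=$workerId
DAYS=$Days

mkdir -p "`$REMOTE_DIR"
chmod 700 "`$REMOTE_DIR"
# Start from a clean slate so a stale serial file or key cannot be reused.
rm -f "`$REMOTE_DIR"/ca.crt "`$REMOTE_DIR"/ca.key "`$REMOTE_DIR"/ca.srl \
      "`$REMOTE_DIR"/worker.crt "`$REMOTE_DIR"/worker.key "`$REMOTE_DIR"/worker.csr \
      "`$REMOTE_DIR"/ca-openssl.cnf "`$REMOTE_DIR"/worker-openssl.cnf

# Self-signed root CA: pathlen:1 leaves room for one intermediate, and the key
# may only sign certificates and CRLs.
cat >"`$REMOTE_DIR/ca-openssl.cnf" <<'EOF_CA'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = RAP Test Platform Root CA

[v3_ca]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF_CA

# Worker leaf certificate. The heredoc is intentionally unquoted so the
# WORKER_*/CLUSTER_ID variables expand into the config; the PowerShell side is
# expected to have restricted those values to a safe character set.
cat >"`$REMOTE_DIR/worker-openssl.cnf" <<EOF_WORKER
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = `$WORKER_ID

[v3_req]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = `$WORKER_HOST
URI.1 = spiffe://rap/cluster/`$CLUSTER_ID/worker/`$WORKER_ID
EOF_WORKER

# [alt_names] is the last section of the file, so appending here keeps DNS.1
# inside it.
if [ -n "`$WORKER_DNS_NAME" ]; then
  printf 'DNS.1 = %s\n' "`$WORKER_DNS_NAME" >>"`$REMOTE_DIR/worker-openssl.cnf"
fi

# genrsa only emits progress noise, so both streams are discarded. For the
# req/x509 steps stderr is kept: under set -e a failure aborts the script and
# the OpenSSL diagnostic is the only clue the PowerShell caller will see.
openssl genrsa -out "`$REMOTE_DIR/ca.key" 3072 >/dev/null 2>&1
openssl req -x509 -new -nodes -key "`$REMOTE_DIR/ca.key" -sha256 -days "`$DAYS" \
  -out "`$REMOTE_DIR/ca.crt" -config "`$REMOTE_DIR/ca-openssl.cnf" >/dev/null

openssl genrsa -out "`$REMOTE_DIR/worker.key" 3072 >/dev/null 2>&1
openssl req -new -key "`$REMOTE_DIR/worker.key" -out "`$REMOTE_DIR/worker.csr" \
  -config "`$REMOTE_DIR/worker-openssl.cnf" >/dev/null
openssl x509 -req -in "`$REMOTE_DIR/worker.csr" -CA "`$REMOTE_DIR/ca.crt" -CAkey "`$REMOTE_DIR/ca.key" \
  -CAcreateserial -out "`$REMOTE_DIR/worker.crt" -days "`$DAYS" -sha256 \
  -extensions v3_req -extfile "`$REMOTE_DIR/worker-openssl.cnf" >/dev/null

# Best effort: pick up a previously generated data-plane public key if one of
# the known locations exists. Absence is not an error.
if [ -f /tmp/rap-dp1d1/dp-public.pem ]; then
  cp /tmp/rap-dp1d1/dp-public.pem "`$REMOTE_DIR/dp-public.pem"
elif [ -f /tmp/rap-dp1c/dp-public.pem ]; then
  cp /tmp/rap-dp1c/dp-public.pem "`$REMOTE_DIR/dp-public.pem"
fi

chmod 600 "`$REMOTE_DIR"/ca.key "`$REMOTE_DIR"/worker.key
chmod 644 "`$REMOTE_DIR"/ca.crt "`$REMOTE_DIR"/worker.crt

echo "remote_dir=`$REMOTE_DIR"
echo "ca_cert=`$REMOTE_DIR/ca.crt"
echo "worker_cert=`$REMOTE_DIR/worker.crt"
echo "worker_key=`$REMOTE_DIR/worker.key"
openssl x509 -in "`$REMOTE_DIR/worker.crt" -noout -subject -ext subjectAltName
"@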
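# Stream the script to bash on the remote host via stdin. Normalise line
# endings first: if this file is saved with CRLF the here-string carries a
# trailing \r on every line, which bash would treat as part of each command
# (starting with 'set -euo pipefail\r'). '--' stops ssh from reading an alias
# that begins with '-' as an option.
$remoteScriptLf = $remoteScript -replace "`r`n", "`n"
$remoteScriptLf | & ssh -- $DockerSshAlias "bash -s"
if ($LASTEXITCODE -ne 0) {
    throw "Failed to prepare platform CA and worker certificate on SSH alias '$DockerSshAlias'."
}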
# Resolve the local CA destination to an absolute provider path. Relative
# paths are anchored at the current location; the parent directory is created
# if it does not exist yet.
$localCaPsPath = $LocalCaOutputPath
if (-not [System.IO.Path]::IsPathRooted($localCaPsPath)) {
    $currentDir = (Resolve-Path -LiteralPath ".").Path
    $localCaPsPath = Join-Path $currentDir $localCaPsPath
}
$resolvedLocalCaPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($localCaPsPath)
$localCaDirectory = Split-Path -Parent $resolvedLocalCaPath
if (-not [string]::IsNullOrWhiteSpace($localCaDirectory)) {
    $null = New-Item -ItemType Directory -Force -Path $localCaDirectory
}

# Fetch only the public CA certificate; the CA and worker private keys are
# left on the remote host.
$remoteCaSource = "{0}:{1}/ca.crt" -f $DockerSshAlias, $RemoteOutputDir
& scp $remoteCaSource $resolvedLocalCaPath
if ($LASTEXITCODE -ne 0) {
    throw "Failed to copy platform CA certificate from '$remoteCaSource'."
}

Write-Host "Local platform CA bundle: $resolvedLocalCaPath"
Write-Host "Remote worker TLS directory: $RemoteOutputDir"