kubernetes/platform/components/oom-cert-service/Makefile - onap/oom - Gitiles

 CERTS_DIR = resources
 CURRENT_DIR := ${CURDIR}
 DOCKER_CONTAINER = generate-certs
 DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}

 all: start_docker \
      clear_all \
      root_generate_keys \
      root_create_certificate \
      root_self_sign_certificate \
      client_generate_keys \
      client_generate_csr \
      client_sign_certificate_by_root \
      client_import_root_certificate \
      client_convert_certificate_to_jks \
      server_generate_keys \
      server_generate_csr \
      server_sign_certificate_by_root \
      server_import_root_certificate \
      server_convert_certificate_to_jks \
      server_convert_certificate_to_p12 \
      clear_unused_files \
      stop_docker

 .PHONY: all

 # Starts docker container for generating certificates - deletes first, if already running
 start_docker:
 	@make stop_docker
 	$(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2))
 	$(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2))
 	$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
 	$(eval USER :=$(shell id -u))
 	$(eval GROUP :=$(shell id -g))
 	docker run --rm --name ${DOCKER_CONTAINER} --user "$(USER):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/app -w /app --entrypoint "sh" -td $(FULL_JAVA_IMAGE)

 # Stops docker container for generating  certificates. 'true' is used to return 0 status code, if container is already deleted
 stop_docker:
 	docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true

 #Clear all files related to certificates
 clear_all:
 	@make clear_existing_certificates
 	@make clear_unused_files

 #Clear certificates
 clear_existing_certificates:
 	@echo "Clear certificates"
 	${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
 	@echo "#####done#####"

 #Generate root private and public keys
 root_generate_keys:
 	@echo "Generate root private and public keys"
 	${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
     -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
     -storepass secret -ext BasicConstraints:critical="ca:true"
 	@echo "#####done#####"

 #Export public key as certificate
 root_create_certificate:
 	@echo "(Export public key as certificate)"
 	${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
 	@echo "#####done#####"

 #Self-signed root (import root certificate into truststore)
 root_self_sign_certificate:
 	@echo "(Self-signed root (import root certificate into truststore))"
 	${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
 	@echo "#####done#####"

 #Generate certService's client private and public keys
 client_generate_keys:
 	@echo "Generate certService's client private and public keys"
 	${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
     -keystore certServiceClient-keystore.jks -storetype JKS \
     -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
     -keypass secret -storepass secret
 	@echo "####done####"

 #Generate certificate signing request for certService's client
 client_generate_csr:
 	@echo "Generate certificate signing request for certService's client"
 	${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
 	@echo "####done####"

 #Sign certService's client certificate by root CA
 client_sign_certificate_by_root:
 	@echo "Sign certService's client certificate by root CA"
 	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
     -outfile certServiceClientByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth"
 	@echo "####done####"

 #Import root certificate into client
 client_import_root_certificate:
 	@echo "Import root certificate into intermediate"
 	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
 	@echo "####done####"

 #Import signed certificate into certService's client
 client_convert_certificate_to_jks:
 	@echo "Import signed certificate into certService's client"
 	${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
 	@echo "####done####"

 #Generate certService private and public keys
 server_generate_keys:
 	@echo "Generate certService private and public keys"
 	${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
     -keystore certServiceServer-keystore.jks -storetype JKS \
     -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
     -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
 	@echo "####done####"

 #Generate certificate signing request for certService
 server_generate_csr:
 	@echo "Generate certificate signing request for certService"
 	${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
 	@echo "####done####"

 #Sign certService certificate by root CA
 server_sign_certificate_by_root:
 	@echo "Sign certService certificate by root CA"
 	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
     -outfile certServiceServerByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth" \
     -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
 	@echo "####done####"

 #Import root certificate into server
 server_import_root_certificate:
 	@echo "Import root certificate into intermediate(server)"
 	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
 	@echo "####done####"

 #Import signed certificate into certService
 server_convert_certificate_to_jks:
 	@echo "Import signed certificate into certService"
 	${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
     -storepass secret -noprompt
 	@echo "####done####"

 #Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
 server_convert_certificate_to_p12:
 	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
 	${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
         -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
 	@echo "#####done#####"

 #Clear unused certificates
 clear_unused_files:
 	@echo "Clear unused certificates"
 	${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr
 	@echo "#####done#####"
	CERTS_DIR = resources
	CURRENT_DIR := ${CURDIR}
	DOCKER_CONTAINER = generate-certs
	DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}

	all: start_docker \
	clear_all \
	root_generate_keys \
	root_create_certificate \
	root_self_sign_certificate \
	client_generate_keys \
	client_generate_csr \
	client_sign_certificate_by_root \
	client_import_root_certificate \
	client_convert_certificate_to_jks \
	server_generate_keys \
	server_generate_csr \
	server_sign_certificate_by_root \
	server_import_root_certificate \
	server_convert_certificate_to_jks \
	server_convert_certificate_to_p12 \
	clear_unused_files \
	stop_docker

	.PHONY: all

	# Starts docker container for generating certificates - deletes first, if already running
	start_docker:
	@make stop_docker
	$(eval REPOSITORY := $(shell cat ./values.yaml \| grep -i "^[ \t]*repository" -m1 \| xargs \| cut -d ' ' -f2))
	$(eval JAVA_IMAGE := $(shell cat ./values.yaml \| grep -i "^[ \t]*certificateGenerationImage" -m1 \| xargs \| cut -d ' ' -f2))
	$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
	$(eval USER :=$(shell id -u))
	$(eval GROUP :=$(shell id -g))
	docker run --rm --name ${DOCKER_CONTAINER} --user "$(USER):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/app -w /app --entrypoint "sh" -td $(FULL_JAVA_IMAGE)

	# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
	stop_docker:
	docker rm ${DOCKER_CONTAINER} -f 1>/dev/null \|\| true

	#Clear all files related to certificates
	clear_all:
	@make clear_existing_certificates
	@make clear_unused_files

	#Clear certificates
	clear_existing_certificates:
	@echo "Clear certificates"
	${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
	@echo "#####done#####"

	#Generate root private and public keys
	root_generate_keys:
	@echo "Generate root private and public keys"
	${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
	-dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
	-storepass secret -ext BasicConstraints:critical="ca:true"
	@echo "#####done#####"

	#Export public key as certificate
	root_create_certificate:
	@echo "(Export public key as certificate)"
	${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
	@echo "#####done#####"

	#Self-signed root (import root certificate into truststore)
	root_self_sign_certificate:
	@echo "(Self-signed root (import root certificate into truststore))"
	${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
	@echo "#####done#####"

	#Generate certService's client private and public keys
	client_generate_keys:
	@echo "Generate certService's client private and public keys"
	${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
	-keystore certServiceClient-keystore.jks -storetype JKS \
	-dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
	-keypass secret -storepass secret
	@echo "####done####"

	#Generate certificate signing request for certService's client
	client_generate_csr:
	@echo "Generate certificate signing request for certService's client"
	${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
	@echo "####done####"

	#Sign certService's client certificate by root CA
	client_sign_certificate_by_root:
	@echo "Sign certService's client certificate by root CA"
	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
	-outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
	@echo "####done####"

	#Import root certificate into client
	client_import_root_certificate:
	@echo "Import root certificate into intermediate"
	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
	@echo "####done####"

	#Import signed certificate into certService's client
	client_convert_certificate_to_jks:
	@echo "Import signed certificate into certService's client"
	${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
	@echo "####done####"

	#Generate certService private and public keys
	server_generate_keys:
	@echo "Generate certService private and public keys"
	${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
	-keystore certServiceServer-keystore.jks -storetype JKS \
	-dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
	-keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
	@echo "####done####"

	#Generate certificate signing request for certService
	server_generate_csr:
	@echo "Generate certificate signing request for certService"
	${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
	@echo "####done####"

	#Sign certService certificate by root CA
	server_sign_certificate_by_root:
	@echo "Sign certService certificate by root CA"
	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
	-outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
	-ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
	@echo "####done####"

	#Import root certificate into server
	server_import_root_certificate:
	@echo "Import root certificate into intermediate(server)"
	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
	@echo "####done####"

	#Import signed certificate into certService
	server_convert_certificate_to_jks:
	@echo "Import signed certificate into certService"
	${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
	-storepass secret -noprompt
	@echo "####done####"

	#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
	server_convert_certificate_to_p12:
	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
	${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
	-destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
	@echo "#####done#####"

	#Clear unused certificates
	clear_unused_files:
	@echo "Clear unused certificates"
	${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
	@echo "#####done#####"