Skip to content

Instantly share code, notes, and snippets.

@ildarusmanov

ildarusmanov/main.go

Created June 19, 2023 12:26
Show Gist options
  • Save ildarusmanov/002159431f55aa8d903065ea5ae2a6aa to your computer and use it in GitHub Desktop.
Save ildarusmanov/002159431f55aa8d903065ea5ae2a6aa to your computer and use it in GitHub Desktop.
Download ZIP
Generate self-signed certificates for k8s DAC WebHooks
Raw
main.go
package main
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/pem"
"fmt"
"io/ioutil"
"math/big"
"net"
"net/http"
"net/http/httptest"
"os"
"strings"
"time"
)
func main() {
// get our ca and server certificate
serverTLSConf, clientTLSConf, err := certsetup()
if err != nil {
panic(err)
}
// set up the httptest.Server using our certificate signed by our CA
server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(w, "success!")
}))
server.TLS = serverTLSConf
server.StartTLS()
defer server.Close()
// communicate with the server using an http.Client configured to trust our CA
transport := &http.Transport{
TLSClientConfig: clientTLSConf,
}
http := http.Client{
Transport: transport,
}
resp, err := http.Get(server.URL)
if err != nil {
panic(err)
}
// verify the response
respBodyBytes, err := ioutil.ReadAll(resp.Body)
if err != nil {
panic(err)
}
body := strings.TrimSpace(string(respBodyBytes[:]))
if body == "success!" {
fmt.Println(body)
} else {
panic("not successful!")
}
}
func certsetup() (serverTLSConf *tls.Config, clientTLSConf *tls.Config, err error) {
// set up our CA certificate
ca := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"TEST"},
Country: []string{"US"},
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
IsCA: true,
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv4allsys, net.IPv4allrouter, net.IPv4zero, net.IPv6loopback},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
// create our private and public key
caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, nil, err
}
// create the CA
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, nil, err
}
// pem encode
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: caBytes,
})
_ = os.WriteFile("ca.pem", caPEM.Bytes(), 0644)
renderKey("caPEM", caPEM.Bytes())
caPrivKeyPEM := new(bytes.Buffer)
pem.Encode(caPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
})
_ = os.WriteFile("ca.key", caPrivKeyPEM.Bytes(), 0644)
renderKey("caPrivateKeyPEM", caPrivKeyPEM.Bytes())
// set up our server certificate
cert := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{"TEST"},
Country: []string{"US"},
},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv4allsys, net.IPv4allrouter, net.IPv4zero, net.IPv6loopback},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
KeyUsage: x509.KeyUsageDigitalSignature,
BasicConstraintsValid: true,
}
certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, nil, err
}
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, nil, err
}
certPEM := new(bytes.Buffer)
pem.Encode(certPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
_ = os.WriteFile("cert.pem", certPEM.Bytes(), 0644)
renderKey("certPEM", certPEM.Bytes())
certPrivKeyPEM := new(bytes.Buffer)
pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
})
_ = os.WriteFile("cert.key", certPrivKeyPEM.Bytes(), 0644)
renderKey("certPrivateKeyPEM", certPrivKeyPEM.Bytes())
serverCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
if err != nil {
return nil, nil, err
}
serverTLSConf = &tls.Config{
Certificates: []tls.Certificate{serverCert},
}
certpool := x509.NewCertPool()
certpool.AppendCertsFromPEM(caPEM.Bytes())
clientTLSConf = &tls.Config{
RootCAs: certpool,
}
return
}
const (
CaOrganization = "XIMI"
CaCountry = "RU"
)
type Certs struct {
CABase64 string
CAPrivKeyBase64 string
CertBase64 string
CertPrivKeyBase64 string
}
func GenerateCerts() (*Certs, error) {
ca := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{CaOrganization},
Country: []string{CaCountry},
Province: []string{""},
Locality: []string{""},
StreetAddress: []string{""},
PostalCode: []string{""},
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
IsCA: true,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
// create our private and public key
caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, err
}
// create the CA
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, err
}
// pem encode
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: caBytes,
})
caPrivKeyPEM := new(bytes.Buffer)
pem.Encode(caPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
})
// set up our server certificate
cert := &x509.Certificate{
SerialNumber: big.NewInt(2019),
Subject: pkix.Name{
Organization: []string{CaOrganization},
Country: []string{CaCountry},
Province: []string{""},
Locality: []string{""},
StreetAddress: []string{""},
PostalCode: []string{""},
},
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(10, 0, 0),
SubjectKeyId: []byte{1, 2, 3, 4, 6},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
}
certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, err
}
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
if err != nil {
return nil, err
}
certPEM := new(bytes.Buffer)
pem.Encode(certPEM, &pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
})
certPrivKeyPEM := new(bytes.Buffer)
pem.Encode(certPrivKeyPEM, &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
})
return &Certs{
CABase64: base64.StdEncoding.EncodeToString(caPEM.Bytes()),
CAPrivKeyBase64: base64.StdEncoding.EncodeToString(caPrivKeyPEM.Bytes()),
CertBase64: base64.StdEncoding.EncodeToString(certPEM.Bytes()),
CertPrivKeyBase64: base64.StdEncoding.EncodeToString(certPrivKeyPEM.Bytes()),
}, nil
}
func renderKey(certName string, data []byte) {
certBase64 := base64.StdEncoding.EncodeToString(data)
fmt.Printf("\r\n%s:\r\n%s\r\n\r\n", certName, certBase64)
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment