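#!/bin/bash
# Generate a client certificate signed by an environment's mutual-TLS CA and
# back the key, CSR and certificate up to S3.  Interactive: prompts for the
# environment, client organisation, region and client identifier.
# Needs kubectl (cluster access to the hmpps-integration-api-<env> namespace),
# jq, openssl, base64 and the aws CLI on PATH.
#
# -e: stop at the first failing command; -u: an unset variable is an error;
# pipefail: a kubectl | jq pipeline fails when any stage fails, instead of
# jq's "null" being silently base64-decoded into the trust store files.
set -euo pipefail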
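clean() {
  # Remove any certificate material from a previous run in the working
  # directory.  -f keeps this quiet when nothing matches; -- stops a file
  # whose name starts with '-' from being read as an option.  The former -r
  # is dropped: only plain files are expected, and a stray directory named
  # *.pem should not be wiped recursively.
  rm -f -- *.pem *.key *.csr
}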
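read_certificate_arguments() {
  # Prompt for the four inputs the rest of the run depends on and set the
  # globals environment, organisation, region and client.  The environment
  # is spliced into a kubectl namespace and the client id into file names,
  # the certificate subject and S3 keys, so both are validated here; on bad
  # input a reason is printed to stderr and 1 is returned.
  printf '%s\n' "Environment: (dev, preprod or prod)"
  read -r environment
  case "$environment" in
    dev|preprod|prod) ;;
    *)
      printf 'Environment must be one of dev, preprod or prod (got %q)\n' "$environment" >&2
      return 1
      ;;
  esac
  printf '%s\n' "Client organisation: e.g. Home Office"
  read -r organisation
  printf '%s\n' "Client region: e.g. London"
  read -r region
  printf '%s\n' "Client identifier (no spaces, lowercase) that will be used for authorisation: e.g. mapps"
  read -r client
  # Lowercase letters, digits, '.', '_' and '-', starting with a letter or
  # digit: no whitespace or path separators can reach file names / S3 keys
  # and the id can never look like a command-line option.
  if [[ ! "$client" =~ ^[a-z0-9][a-z0-9._-]*$ ]]; then
    printf 'Client identifier must be lowercase with no spaces (got %q)\n' "$client" >&2
    return 1
  fi
}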
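get_ca() {
  # Fetch the environment's CA key pair from the mutual-tls-auth secret and
  # write it to truststore.key / truststore.pem in the working directory.
  # Reads: environment.  Writes: truststore.key, truststore.pem.
  # Returns 1 if either field is absent (jq prints "null" for a missing key,
  # which would otherwise be base64-decoded into an unusable file).
  local secret_ns="hmpps-integration-api-$environment"
  local private_key public_key
  private_key=$(kubectl get secret mutual-tls-auth -n "$secret_ns" -o json \
    | jq -r '.data."truststore-private-key"')
  public_key=$(kubectl get secret mutual-tls-auth -n "$secret_ns" -o json \
    | jq -r '.data."truststore-public-key"')
  if [[ -z "$private_key" || "$private_key" == null \
        || -z "$public_key" || "$public_key" == null ]]; then
    printf 'get_ca: secret mutual-tls-auth in %s lacks truststore-private-key/public-key\n' "$secret_ns" >&2
    return 1
  fi
  # The CA private key must not be group/world readable.  umask is changed
  # inside a subshell so the rest of the script keeps the caller's umask.
  ( umask 077; printf '%s' "$private_key" | base64 --decode > truststore.key )
  printf '%s' "$public_key" | base64 --decode > truststore.pem
}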
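generate_client() {
  # Create the client key, a CSR whose subject carries the organisation,
  # region and client id, and sign it for one year with the CA from get_ca.
  # Reads: environment, client, region, organisation; truststore.{key,pem}.
  # Writes: <environment>-<client>-client.{key,csr,pem} in the working dir.
  local prefix="$environment-$client-client"
  local serial
  openssl genrsa -out "$prefix.key" 2048
  openssl req -new -key "$prefix.key" -out "$prefix.csr" \
    -subj "/C=GB/ST=$region/L=$region/O=$organisation/CN=$client"
  # Serial numbers must be unique per issuing CA; a fixed serial would give
  # every client certificate the same one, which breaks revocation lists and
  # strict validators.  128 random bits, passed as hex.
  serial="0x$(openssl rand -hex 16)"
  openssl x509 -req -in "$prefix.csr" -CA truststore.pem -CAkey truststore.key \
    -set_serial "$serial" -out "$prefix.pem" -days 365 -sha256
}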
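clean_ca() {
  # Remove the CA key pair fetched by get_ca.  -f makes this idempotent, so it
  # is safe to run both explicitly and from the EXIT/SIGINT traps; -- stops
  # the names being parsed as options.  No -r: these are plain files.
  rm -f -- truststore.pem truststore.key
}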
success_message() {
  # Print a blank line followed by the completion notice on stdout.
  # NOTE(review): the files are written to the current directory; the path in
  # the message presumably assumes the script is run from the repository
  # root — confirm.
  printf '\n%s\n' "Success: your client certificates have been generated in ./scripts/client_certificates"
}
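upload_backup() {
  # Back up the client key, CSR and certificate to the environment's backup
  # bucket under <client>/.  Credentials come from the aws-services secret
  # and are handed to the aws CLI only through the environment of a subshell,
  # so they never land in ~/.aws/credentials (writing them there with
  # "configure set" left them on disk whenever the script aborted before the
  # clearing step ran).  Reads: environment, client.
  # Returns 1 if the secret has no access-credentials.
  local secret_ns="hmpps-integration-api-$environment"
  local gateway_json access_key_id secret_access_key
  # Decode the api-gateway field once and pull both keys from it.
  gateway_json=$(kubectl get secret aws-services -n "$secret_ns" -o json \
    | jq -r '.data."api-gateway"' | base64 --decode)
  access_key_id=$(jq -r '."access-credentials"."access-key-id"' <<<"$gateway_json")
  secret_access_key=$(jq -r '."access-credentials"."secret-access-key"' <<<"$gateway_json")
  if [[ -z "$access_key_id" || "$access_key_id" == null \
        || -z "$secret_access_key" || "$secret_access_key" == null ]]; then
    printf 'upload_backup: aws-services secret in %s has no access-credentials\n' "$secret_ns" >&2
    return 1
  fi
  local bucket="hmpps-integration-api-$environment-certificates-backup"
  local prefix="./$environment-$client-client"
  local dest="s3://$bucket/$client"
  (
    export AWS_ACCESS_KEY_ID="$access_key_id" AWS_SECRET_ACCESS_KEY="$secret_access_key"
    # Folder marker object first, then the three artefacts under it (the
    # certificate used to be copied twice to the same key; once is enough).
    aws s3api put-object --bucket "$bucket" --key "$client/" --acl private
    aws s3 cp "$prefix.pem" "$dest/client.pem"
    aws s3 cp "$prefix.csr" "$dest/client.csr"
    aws s3 cp "$prefix.key" "$dest/client.key"
  )
}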
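main() {
  # Run the whole flow.  The CA key pair must disappear on every exit path,
  # so the traps are registered before get_ca writes it: registering them at
  # the end of main, after every step had already run, only covered the
  # final return and left truststore.key behind on any earlier failure.
  clean
  read_certificate_arguments
  trap clean_ca EXIT
  trap clean_ca SIGINT
  get_ca
  generate_client
  success_message
  upload_backup
  clean_ca
}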
# Entry point; arguments are forwarded for forward compatibility (none are
# read today).
main "$@"