test-cert-manager.sh
#!/bin/bash
# Usage: test-cert-manager.sh [delete]
#   (no argument) install cert-manager, a self-signed CA ClusterIssuer and an
#                 example Certificate in namespace "sandbox"
#   delete        tear all of that down again
#
# Tunables (environment, all optional):
#   CERTM_VER      cert-manager chart version to install
#   CERTM_HN_PORT  host-network port the cert-manager webhook listens on
#   SS_ISSUE       path of the generated CA/ClusterIssuer manifest
#   EXAM_CERT      path of the generated example Certificate manifest
# Each ":=" below assigns the default only when the variable is unset or empty.
: "${CERTM_VER:=v1.13.1}"
: "${CERTM_HN_PORT:=10443}"
: "${SS_ISSUE:=ss-issuer.yaml}"
: "${EXAM_CERT:=example-cert.yaml}"

# ANSI colour escapes, kept as literal backslash sequences for "echo -e".
YEL='\033[1;33m'
NC='\033[0m' # No Color
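#######################################
# Tear down everything this script creates, in reverse order of creation:
# example Certificate and its TLS secret, the sandbox namespace, the two
# ClusterIssuers and the CA Certificate, the CA key secret, then the Helm
# release itself. Also installed as the SIGINT handler.
# Globals:   none read (resources are deleted by name, so the generated
#            manifest files do not need to exist)
# Arguments: none
# Outputs:   kubectl/helm progress on stdout, their diagnostics on stderr
# Returns:   never returns; exits the script
#######################################
delete_all() {
  # --ignore-not-found makes "already gone" a no-op instead of an error, which
  # replaces the stdout-non-empty probes the original used. Kinds that are
  # unknown because the CRDs were never installed still print an error, which
  # is harmless here.
  kubectl delete certificate example-com -n sandbox --ignore-not-found
  # cert-manager does not remove the issued Secret together with its
  # Certificate, so the TLS secret is deleted explicitly.
  kubectl delete secret example-com-tls -n sandbox --ignore-not-found
  kubectl delete namespace sandbox --ignore-not-found
  kubectl delete certificate my-selfsigned-ca -n cert-manager --ignore-not-found
  kubectl delete clusterissuer my-ca-issuer selfsigned-issuer --ignore-not-found
  # root-secret holds the self-signed CA private key; remove it so a re-run
  # starts from a fresh CA rather than reusing the old key material.
  kubectl delete secret root-secret -n cert-manager --ignore-not-found
  # Match the release name exactly: "helm list" rows also contain the
  # namespace column, so a plain grep for cert-manager matched any release in
  # that namespace.
  if helm list -n cert-manager -q | grep -qx -- cert-manager; then
    helm delete cert-manager -n cert-manager
  fi
  exit
}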
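# Ctrl-C during the run tears everything down instead of leaving half-applied
# state behind.
trap delete_all SIGINT

# "delete" as the first argument runs the teardown (delete_all exits); anything
# else, or no argument, proceeds with the install. "${1:-}" tolerates a missing
# argument; the original "[ -n $1 ]" was always true when $1 was empty because
# the unquoted expansion left a one-argument test.
if [[ "${1:-}" == "delete" ]]; then
  printf '%b\n' "${YEL}delete Tests${NC}"
  delete_all
fi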
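printf '%b\n' "${YEL}Install cert-manager ${CERTM_VER}${NC}"
# helm repo update
helm repo add jetstack https://charts.jetstack.io
helm repo update
# option1 - pre install crd
#kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.crds.yaml
# install cert-manager with helm chart (installCRDs=true lets the chart manage
# the CRDs instead of the pre-install step above)
# https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
# https://artifacthub.io/packages/helm/cert-manager/cert-manager
# webhook.hostNetwork=true puts the admission webhook on the node's own network
# namespace, listening on CERTM_HN_PORT, so the API server must be able to reach
# that port on the nodes (hence the security-group note printed below).
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version "${CERTM_VER}" \
  --set installCRDs=true \
  --set prometheus.enabled=false \
  --set webhook.timeoutSeconds=4 \
  --set webhook.hostNetwork=true \
  --set "webhook.securePort=${CERTM_HN_PORT}"
# Wait for the deployments to report Available instead of a fixed sleep: the
# cert-manager resources applied next are validated by its admission webhook,
# and the API server cannot validate them until the webhook is serving. If the
# wait itself fails (timeout, no kubectl access) fall back to the old pause so
# the script still proceeds the way it did before.
if ! kubectl wait --namespace cert-manager --for=condition=Available deployment --all --timeout=180s; then
  printf 'warn: cert-manager deployments not Available yet; continuing after a fixed wait\n' >&2
  sleep 15
fi
printf '%b\n' "${YEL}NOTE) PLZ check you cluster security group to add ${CERTM_HN_PORT} rule${NC}"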
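# create selfsigned CA -> CA clusterissuer
# Chain: selfsigned-issuer (ClusterIssuer) signs my-selfsigned-ca (CA cert,
# key stored in Secret root-secret in the cert-manager namespace); my-ca-issuer
# (ClusterIssuer) then issues leaf certificates from that CA. The quoted
# delimiter keeps the manifest literal; it contains no shell expansions.
cat <<'EOF' > "${SS_ISSUE}"
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: my-selfsigned-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: root-secret
EOF
kubectl apply -f "${SS_ISSUE}"
echo "check CA cert"
# root-secret should be listed here once the CA Certificate is issued. It
# contains the CA private key: anyone who can read Secrets in cert-manager can
# mint certificates trusted by whatever trusts this CA.
kubectl get secret -n cert-manager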
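# create certificate for a service
# Leaf certificate issued by my-ca-issuer into Secret example-com-tls in the
# sandbox namespace. The quoted delimiter keeps the manifest literal; it
# contains no shell expansions.
cat <<'EOF' > "${EXAM_CERT}"
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: sandbox
spec:
  # Secret names are always required.
  secretName: example-com-tls
  # secretTemplate is optional. If set, these annotations and labels will be
  # copied to the Secret named example-com-tls. These labels and annotations will
  # be re-reconciled if the Certificate's secretTemplate changes. secretTemplate
  # is also enforced, so relevant label and annotation changes on the Secret by a
  # third party will be overwriten by cert-manager to match the secretTemplate.
  secretTemplate:
    annotations:
      my-secret-annotation-1: "foo"
      my-secret-annotation-2: "bar"
    labels:
      my-secret-label: foo
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - jetstack
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: example.com
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - example.com
    - www.example.com
  uris:
    - spiffe://cluster.local/ns/sandbox/sa/example
  ipAddresses:
    - 192.168.0.5
  # Issuer references are always required.
  issuerRef:
    name: my-ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer
    kind: ClusterIssuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
EOF
kubectl apply -f "${EXAM_CERT}"
# Issuance is asynchronous; without this wait the listing below usually runs
# before the CertificateRequest has been fulfilled and shows no secret yet.
# A failed wait is reported but does not stop the script.
if ! kubectl wait --for=condition=Ready certificate/example-com -n sandbox --timeout=120s; then
  printf 'warn: certificate example-com not Ready within the timeout\n' >&2
fi
kubectl get CertificateRequest,secret -n sandbox
printf '%b\n' "${YEL}Test Done ${NC}"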