cleanup
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
This commit is contained in:
parent
74ab433f76
commit
d69fce34a7
|
@ -1,85 +0,0 @@
|
||||||
HOME = /etc/docker/ssl
|
|
||||||
RANDFILE = $ENV::HOME/.rnd
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ ca ]
|
|
||||||
default_ca = CA_default # The default ca section
|
|
||||||
|
|
||||||
[ CA_default ]
|
|
||||||
|
|
||||||
default_days = 365 # how long to certify for
|
|
||||||
default_crl_days= 30 # how long before next CRL
|
|
||||||
default_md = sha256 # use public key default MD
|
|
||||||
preserve = no # keep passed DN ordering
|
|
||||||
|
|
||||||
x509_extensions = ca_extensions # The extensions to add to the cert
|
|
||||||
|
|
||||||
email_in_dn = no # Don't concat the email in the DN
|
|
||||||
copy_extensions = copy # Required to copy SANs from CSR to cert
|
|
||||||
|
|
||||||
base_dir = /etc/docker/ssl
|
|
||||||
certificate = $base_dir/ca.pem # The CA certifcate
|
|
||||||
private_key = $base_dir/cakey.pem # The CA private key
|
|
||||||
new_certs_dir = $base_dir # Location for new certs after signing
|
|
||||||
database = $base_dir/index.txt # Database index file
|
|
||||||
serial = $base_dir/serial.txt # The current serial number
|
|
||||||
|
|
||||||
unique_subject = no # Set to 'no' to allow creation of
|
|
||||||
# several certificates with same subject.
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ req ]
|
|
||||||
default_bits = 4096
|
|
||||||
default_keyfile = $HOME/cakey.pem
|
|
||||||
distinguished_name = ca_distinguished_name
|
|
||||||
x509_extensions = ca_extensions
|
|
||||||
string_mask = utf8only
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ ca_distinguished_name ]
|
|
||||||
countryName = Country Name (2 letter code)
|
|
||||||
countryName_default = US
|
|
||||||
|
|
||||||
stateOrProvinceName = State or Province Name (full name)
|
|
||||||
stateOrProvinceName_default = New York
|
|
||||||
|
|
||||||
localityName = Locality Name (eg, city)
|
|
||||||
localityName_default = New York City
|
|
||||||
|
|
||||||
organizationName = Organization Name (eg, company)
|
|
||||||
organizationName_default = Contained.AF
|
|
||||||
|
|
||||||
organizationalUnitName = Organizational Unit (eg, division)
|
|
||||||
organizationalUnitName_default = Tupperware Hackers
|
|
||||||
|
|
||||||
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
||||||
commonName_default = Contained.AF CA
|
|
||||||
|
|
||||||
emailAddress = Email Address
|
|
||||||
emailAddress_default = no-reply@contained.af
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ ca_extensions ]
|
|
||||||
|
|
||||||
subjectKeyIdentifier=hash
|
|
||||||
authorityKeyIdentifier=keyid:always, issuer
|
|
||||||
basicConstraints = critical, CA:true
|
|
||||||
keyUsage = keyCertSign, cRLSign
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ signing_policy ]
|
|
||||||
countryName = optional
|
|
||||||
stateOrProvinceName = optional
|
|
||||||
localityName = optional
|
|
||||||
organizationName = optional
|
|
||||||
organizationalUnitName = optional
|
|
||||||
commonName = supplied
|
|
||||||
emailAddress = optional
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ signing_req ]
|
|
||||||
subjectKeyIdentifier=hash
|
|
||||||
authorityKeyIdentifier=keyid,issuer
|
|
||||||
|
|
||||||
basicConstraints = CA:FALSE
|
|
||||||
keyUsage = digitalSignature, keyEncipherment
|
|
|
@ -1,49 +0,0 @@
|
||||||
HOME = /etc/docker/ssl
|
|
||||||
RANDFILE = $ENV::HOME/.rnd
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ req ]
|
|
||||||
default_bits = 2048
|
|
||||||
default_keyfile = $HOME/client.key
|
|
||||||
distinguished_name = server_distinguished_name
|
|
||||||
req_extensions = server_req_extensions
|
|
||||||
string_mask = utf8only
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ server_distinguished_name ]
|
|
||||||
countryName = Country Name (2 letter code)
|
|
||||||
countryName_default = US
|
|
||||||
|
|
||||||
stateOrProvinceName = State or Province Name (full name)
|
|
||||||
stateOrProvinceName_default = New York
|
|
||||||
|
|
||||||
localityName = Locality Name (eg, city)
|
|
||||||
localityName_default = New York City
|
|
||||||
|
|
||||||
organizationName = Organization Name (eg, company)
|
|
||||||
organizationName_default = Contained.AF
|
|
||||||
|
|
||||||
organizationalUnitName = Organizational Unit (eg, division)
|
|
||||||
organizationalUnitName_default = Tupperware Hackers
|
|
||||||
|
|
||||||
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
||||||
commonName_default = Contained.AF CA
|
|
||||||
|
|
||||||
emailAddress = Email Address
|
|
||||||
emailAddress_default = no-reply@contained.af
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ server_req_extensions ]
|
|
||||||
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
basicConstraints = CA:FALSE
|
|
||||||
keyUsage = digitalSignature, keyEncipherment
|
|
||||||
extendedKeyUsage = clientAuth
|
|
||||||
subjectAltName = @alternate_names
|
|
||||||
nsComment = "OpenSSL Generated Certificate"
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ alternate_names ]
|
|
||||||
|
|
||||||
DNS.1 = localhost
|
|
||||||
IP.1 = 127.0.0.1
|
|
|
@ -1,48 +0,0 @@
|
||||||
HOME = /etc/docker/ssl
|
|
||||||
RANDFILE = $ENV::HOME/.rnd
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ req ]
|
|
||||||
default_bits = 2048
|
|
||||||
default_keyfile = $HOME/key.pem
|
|
||||||
distinguished_name = server_distinguished_name
|
|
||||||
req_extensions = server_req_extensions
|
|
||||||
string_mask = utf8only
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ server_distinguished_name ]
|
|
||||||
countryName = Country Name (2 letter code)
|
|
||||||
countryName_default = US
|
|
||||||
|
|
||||||
stateOrProvinceName = State or Province Name (full name)
|
|
||||||
stateOrProvinceName_default = New York
|
|
||||||
|
|
||||||
localityName = Locality Name (eg, city)
|
|
||||||
localityName_default = New York City
|
|
||||||
|
|
||||||
organizationName = Organization Name (eg, company)
|
|
||||||
organizationName_default = Contained.AF
|
|
||||||
|
|
||||||
organizationalUnitName = Organizational Unit (eg, division)
|
|
||||||
organizationalUnitName_default = Tupperware Hackers
|
|
||||||
|
|
||||||
commonName = Common Name (e.g. server FQDN or YOUR name)
|
|
||||||
commonName_default = Contained.AF CA
|
|
||||||
|
|
||||||
emailAddress = Email Address
|
|
||||||
emailAddress_default = no-reply@contained.af
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ server_req_extensions ]
|
|
||||||
|
|
||||||
subjectKeyIdentifier = hash
|
|
||||||
basicConstraints = CA:FALSE
|
|
||||||
keyUsage = digitalSignature, keyEncipherment
|
|
||||||
subjectAltName = @alternate_names
|
|
||||||
nsComment = "OpenSSL Generated Certificate"
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ alternate_names ]
|
|
||||||
|
|
||||||
DNS.1 = localhost
|
|
||||||
IP.1 = 127.0.0.1
|
|
|
@ -1,65 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
CONFIGS_DIR=/etc/docker/daemon/config
|
|
||||||
CERT_DIR=/etc/docker/ssl
|
|
||||||
|
|
||||||
CERT_SUBJ="/C=US/ST=New York/L=New York City/O=Contained.AF/CN=Contained.AF CA"
|
|
||||||
|
|
||||||
if [ ! -f "${CERT_DIR}/ca.pem" ]; then
|
|
||||||
mkdir -p "${CERT_DIR}"
|
|
||||||
|
|
||||||
# create the root CA
|
|
||||||
openssl req -x509 \
|
|
||||||
-config "${CONFIGS_DIR}/openssl-ca.cnf" \
|
|
||||||
-newkey rsa:4096 -sha256 \
|
|
||||||
-subj "${CERT_SUBJ}" \
|
|
||||||
-nodes -out "${CERT_DIR}/ca.pem" -outform PEM
|
|
||||||
|
|
||||||
openssl x509 -noout -text -in "${CERT_DIR}/ca.pem"
|
|
||||||
|
|
||||||
# create the server certificate signing request
|
|
||||||
openssl req \
|
|
||||||
-config "${CONFIGS_DIR}/openssl-server.cnf" \
|
|
||||||
-newkey rsa:2048 -sha256 \
|
|
||||||
-subj "/CN=localhost" \
|
|
||||||
-nodes -out "${CERT_DIR}/server.csr" -outform PEM
|
|
||||||
openssl req -text -noout -verify -in "${CERT_DIR}/server.csr"
|
|
||||||
|
|
||||||
touch "${CERT_DIR}/index.txt"
|
|
||||||
echo 01 > "${CERT_DIR}/serial.txt"
|
|
||||||
|
|
||||||
# create the server cert
|
|
||||||
openssl ca -batch \
|
|
||||||
-config "${CONFIGS_DIR}/openssl-ca.cnf" \
|
|
||||||
-policy signing_policy -extensions signing_req \
|
|
||||||
-out "${CERT_DIR}/cert.pem" -infiles "${CERT_DIR}/server.csr"
|
|
||||||
|
|
||||||
openssl x509 -noout -text -in "${CERT_DIR}/cert.pem"
|
|
||||||
|
|
||||||
# create the client certificate signing request
|
|
||||||
openssl req \
|
|
||||||
-config "${CONFIGS_DIR}/openssl-client.cnf" \
|
|
||||||
-newkey rsa:2048 -sha256 \
|
|
||||||
-subj "/CN=client" \
|
|
||||||
-nodes -out "${CERT_DIR}/client.csr" -outform PEM
|
|
||||||
openssl req -text -noout -verify -in "${CERT_DIR}/client.csr"
|
|
||||||
|
|
||||||
touch "${CERT_DIR}/index.txt"
|
|
||||||
echo 02 > "${CERT_DIR}/serial.txt"
|
|
||||||
|
|
||||||
# create the client cert
|
|
||||||
openssl ca -batch \
|
|
||||||
-config "${CONFIGS_DIR}/openssl-ca.cnf" \
|
|
||||||
-policy signing_policy -extensions signing_req \
|
|
||||||
-out "${CERT_DIR}/client.cert" -infiles "${CERT_DIR}/client.csr"
|
|
||||||
|
|
||||||
openssl x509 -noout -text -in "${CERT_DIR}/client.cert"
|
|
||||||
|
|
||||||
|
|
||||||
# remove the signing requests
|
|
||||||
rm -rf "${CERT_DIR}/client.csr" "${CERT_DIR}/server.csr" "${CERT_DIR}/"*.attr "${CERT_DIR}/"*.old
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
set -- sh "$(which dind)" "$@"
|
|
||||||
exec "$@"
|
|
45
main_test.go
45
main_test.go
|
@ -4,16 +4,12 @@ import (
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"net/http"
|
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"path/filepath"
|
|
||||||
"runtime"
|
"runtime"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/docker/docker/api"
|
|
||||||
"github.com/docker/docker/client"
|
"github.com/docker/docker/client"
|
||||||
"github.com/docker/go-connections/tlsconfig"
|
|
||||||
"github.com/jessfraz/reg/testutils"
|
"github.com/jessfraz/reg/testutils"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -61,7 +57,7 @@ func TestMain(m *testing.M) {
|
||||||
defer os.Remove("testreg" + exeSuffix)
|
defer os.Remove("testreg" + exeSuffix)
|
||||||
|
|
||||||
// create the docker client
|
// create the docker client
|
||||||
dcli, err := newEnvDockerClient()
|
dcli, err := client.NewEnvClient()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(fmt.Errorf("could not connect to docker: %v", err))
|
panic(fmt.Errorf("could not connect to docker: %v", err))
|
||||||
}
|
}
|
||||||
|
@ -113,42 +109,3 @@ alpine latest
|
||||||
t.Fatalf("expected: %s\ngot: %s", expected, out)
|
t.Fatalf("expected: %s\ngot: %s", expected, out)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func newEnvDockerClient() (*client.Client, error) {
|
|
||||||
var hc *http.Client
|
|
||||||
|
|
||||||
if dockerCertPath := os.Getenv("DOCKER_CERT_PATH"); dockerCertPath != "" {
|
|
||||||
options := tlsconfig.Options{
|
|
||||||
CAFile: filepath.Join(dockerCertPath, "cacert.pem"),
|
|
||||||
CertFile: filepath.Join(dockerCertPath, "server.cert"),
|
|
||||||
KeyFile: filepath.Join(dockerCertPath, "server.key"),
|
|
||||||
InsecureSkipVerify: os.Getenv("DOCKER_TLS_VERIFY") == "",
|
|
||||||
}
|
|
||||||
tlsc, err := tlsconfig.Client(options)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
hc = &http.Client{
|
|
||||||
Transport: &http.Transport{
|
|
||||||
TLSClientConfig: tlsc,
|
|
||||||
},
|
|
||||||
CheckRedirect: client.CheckRedirect,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
host := os.Getenv("DOCKER_HOST")
|
|
||||||
if host == "" {
|
|
||||||
host = client.DefaultDockerHost
|
|
||||||
}
|
|
||||||
version := os.Getenv("DOCKER_API_VERSION")
|
|
||||||
if version == "" {
|
|
||||||
version = api.DefaultVersion
|
|
||||||
}
|
|
||||||
|
|
||||||
cli, err := client.NewClient(host, version, hc, nil)
|
|
||||||
if err != nil {
|
|
||||||
return cli, err
|
|
||||||
}
|
|
||||||
return cli, nil
|
|
||||||
}
|
|
||||||
|
|
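Review bot: Replacing the helper with `dcli, err := client.NewEnvClient()` changes which files are loaded from DOCKER_CERT_PATH without saying so: the removed newEnvDockerClient read `cacert.pem`/`server.cert`/`server.key`, whereas the library's environment client (as far as I recall) expects the standard `ca.pem`/`cert.pem`/`key.pem`, so a TLS-enabled daemon set up for the old layout will now fail with a connection error rather than a clear message. The removed helper's `InsecureSkipVerify: os.Getenv("DOCKER_TLS_VERIFY") == ""` appears to be mirrored by the library, i.e. certificate verification is disabled whenever DOCKER_TLS_VERIFY is unset, which is acceptable for a local socket but worth stating at the call site. I would add above the call: `// NewEnvClient honours DOCKER_HOST, DOCKER_API_VERSION, DOCKER_CERT_PATH (ca.pem/cert.pem/key.pem) and DOCKER_TLS_VERIFY; leave DOCKER_TLS_VERIFY unset only for a local daemon, since TLS verification is skipped when it is empty.` TestMain's body continues outside the hunk.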