Add default openssl.cnf and script fixes

hack/clean_oai_on_k8s

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-NAMESPACE={$NAMESPACE:-oai}
+NAMESPACE=${NAMESPACE:-oai}
 
 info() {
     local MESSAGE=$1

hack/generate_certs

@@ -19,6 +19,7 @@ generate_certs() {
     local FQDN=$1
     local PREFIX=$2
     local DIR=$3
+    local REPO_DIR=$(pwd)
 
     TMP=$(mktemp -d)
     function cleanup {
@@ -29,7 +30,12 @@ generate_certs() {
 
     echo "01" > serial
     touch index.txt index.txt.attr
-    cat /etc/pki/tls/openssl.cnf | sed "s|/etc/pki/CA|${TMP}|" > openssl.cnf
+    if [ -f "/etc/pki/tls/openssl.cnf" ]; then
+        cat /etc/pki/tls/openssl.cnf | sed "s|/etc/pki/CA|${TMP}|" > openssl.cnf
+    else
+        dd if=/dev/urandom of=".rnd" bs=256 count=1
+        cp "${REPO_DIR}/openssl.cnf.default" openssl.cnf
+    fi
 
     info "Creating Root CA certificate for '${FQDN}'"
     openssl req -new -batch -x509 -days 3650 -nodes -newkey rsa:1024 \

openssl.cnf.default

@@ -0,0 +1,77 @@
+# File based on example available here: https://www.phcomp.co.uk/Tutorials/Web-Technologies/Understanding-and-generating-OpenSSL.cnf-files.html
+
+RANDFILE		= ./.rnd
+
+[ req ]
+default_bits		= 2048
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+
+# Stop confirmation prompts. All information is contained below.
+prompt			= no
+
+# The extensions to add to a certificate request - see [ v3_req ]
+req_extensions		= v3_req
+
+[ req_distinguished_name ]
+# Describe the Subject (ie the origanisation).
+# The short names are what are shown when the certificate is displayed.
+
+# Leave as long names as it helps documentation
+
+countryName=            FR
+stateOrProvinceName=    PACA
+localityName=           Aix
+organizationName=       Eurecom
+organizationalUnitName= CM
+
+[ req_attributes ]
+# None. Could put Challenge Passwords, don't want them, leave empty
+
+[ v3_req ]
+
+# X509v3 extensions to add to a certificate request
+# See x509v3_config
+
+# What the key can/cannot be used for:
+#basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth,serverAuth
+
+# The subjectAltName is where you give the names of extra web sites.
+# You may have more than one of these, so put in the section [ alt_names ]
+# If you do not have any extra names, comment the next line out.
+#subjectAltName = @alt_names
+
+# List of all the other DNS names that the certificate should work for.
+# alt_names is a name of my own invention
+#[ alt_names ]
+#DNS.1 = devel.example.com
+#DNS.2 = ipv6.example.com
+#DNS.3 = ipv4.example.com
+#DNS.4 = test.example.com
+#DNS.5 = party.example.com
+
+[ ca ]
+default_ca = default_ca_opts
+
+[ default_ca_opts ]
+serial = ./serial
+database = ./index.txt
+new_certs_dir = .
+default_md = sha1
+default_days = 365
+# a section with a set of variables corresponding to DN fields
+policy = my_policy
+
+[ my_policy ]
+# if the value is "match" then the field value must match the same field in the
+# CA certificate. If the value is "supplied" then it must be present.
+# Optional means it may be present. Any fields not mentioned are silently
+# deleted.
+countryName = match
+stateOrProvinceName = supplied
+organizationName = supplied
+commonName = supplied
+organizationalUnitName = optional
+commonName = supplied