Istio support (#30)

* adding istio files * fix the envoy CMakList file * fix the envoy CMakList file * adding the .mod file * adding the webhook injector image * adding istio files * adding istio files * fix the envoy CMakList file * fix the envoy CMakList file * adding the .mod file * adding the webhook injector image * adding istio files * pulling from dev * fix the envoy CMakList file * adding istio files * fix missing header * fix wrong name of library * fix envoy CMakeLists * remove cloud guard names * remove cloud guard names * adding istio files * adding istio files * [JIRA] INXT-44274: test agent image * add Daniel fixes * remove zlib library * remove nano attachment ut
2025-12-31 13:49:09 +03:00 · 2025-02-11 12:01:51 +02:00
parent 26e2a38713
commit 23dbf06cd0
60 changed files with 11245 additions and 0 deletions
--- a/docker/openappsec-waf-webhook/keygen.py
+++ b/docker/openappsec-waf-webhook/keygen.py
@@ -0,0 +1,85 @@
+#!/usr/bin/python3
+import base64
+import os
+import argparse
+import subprocess
+from shutil import which
+from pathlib import Path
+
+def generate_keys(service, namespace, directory="generated"):
+	"Generate key material and configuration for Kubernetes admission controllers"
+
+	if not which("openssl"):
+		raise click.UsageError("Unable to detect the openssl CLI tool on the path")
+
+	if not os.path.exists(directory):
+		os.makedirs(directory)
+
+	print("==> Generating CA")
+
+	command = """openssl genrsa -out ca.key 2048
+openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj '/CN=admission_ca'"""
+
+	subprocess.run(command, cwd=directory, shell=True, stderr=subprocess.DEVNULL)
+
+	print("==> Creating configuration")
+
+	with open(os.path.sep.join((directory, "server.conf")), "w") as f:
+		f.write(
+			"""[req]
+default_bits   = 2048
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+prompt = no
+[ req_distinguished_name ]
+CN  = {service}.{namespace}.svc
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = {service}
+DNS.2 = {service}.{namespace}
+DNS.3 = {service}.{namespace}.svc
+""".format(service = service, namespace = namespace)
+		)
+
+	print("==> Generating private key and certificate")
+
+	address = "{}.{}.svc".format(service, namespace)
+
+	command = """openssl genrsa -out server.key 2048
+openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config server.conf
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions req_ext -extfile server.conf""".format(
+		ADDRESS = address
+	)
+
+	subprocess.run(command, cwd=directory, shell=True, stderr=subprocess.DEVNULL)
+
+	print("==> Key material generated")
+
+	with open(os.path.sep.join((directory, "ca.crt")), "rb") as f:
+		ca_cert = f.read()
+		print("Use this as the caBundle:")
+		print(base64.b64encode(ca_cert).decode("ascii"))
+
+	print("==> Command to create secret")
+	print("Run this to upload the key material to a Kubernetes secret")
+	print()
+
+	print(
+		"kubectl --namespace={0} create secret tls {1}-certs --cert={2}/server.crt --key={2}/server.key".format(
+			namespace, service, directory
+		)
+	)
+
+if __name__ == "__main__":
+	parser = argparse.ArgumentParser(description = 'Check Point Webhooks K8s Webhook Keygen')
+	parser.add_argument("namespace", help = "Destination namespace")
+
+	args = parser.parse_args()
+
+	generate_keys("envoy-injector", args.namespace)