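#!/bin/bash
# Creates a throwaway self-signed CA and a CA-signed leaf certificate for the
# overcloud public VIP, then trusts that CA on the undercloud.
#
# Files written (all under $cert_dir):
#   overcloud-ca-privkey.pem  CA private key (owner-readable only)
#   overcloud-cacert.pem      self-signed CA certificate; also copied into the
#                             system trust anchors with sudo
#   server-key.pem            leaf private key, unencrypted (-nodes)
#   server-req.pem            leaf certificate signing request
#   server-cert.pem           leaf certificate signed by the CA
#
# Requires: openssl, and sudo for the trust-store update.  The script stops at
# the first failing command (set -e).  -x echoes every command line; no secret
# is ever passed on argv, the keys only travel through files.
set -eux
### --start_docs
## Generating the overcloud SSL Certificates
## =========================================
## * Settings used by the steps below: where the files are written, the
##   public VIP the leaf certificate is issued for, the validity period of
##   both certificates and the common part of the certificate subjects.
## ::
readonly cert_dir=/home/zuul
readonly public_vip=2001:db8:fd00:1000::5
readonly validity_days=365
readonly subject_prefix="/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ"
readonly ca_key="${cert_dir}/overcloud-ca-privkey.pem"
readonly ca_cert="${cert_dir}/overcloud-cacert.pem"
readonly server_key="${cert_dir}/server-key.pem"
readonly server_req="${cert_dir}/server-req.pem"
readonly server_cert="${cert_dir}/server-cert.pem"
## * The X.509 extension stanza shared by the CSR and by the signed
##   certificate. The VIP is an IP literal, so it is carried as an IP SAN in
##   addition to the CN. The ``[req]`` and ``[req_distinguished_name]``
##   sections only have to exist because ``openssl req`` looks them up even
##   when ``-subj`` supplies the whole subject; the extension section itself
##   is named on the command line (``-reqexts`` / ``-extensions``), so no
##   ``req_extensions`` key is needed here.
## ::
san_ext_cfg=$(printf '[subjectAltName]\nsubjectAltName=IP:%s\n[req]\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]\n' "$public_vip")
readonly san_ext_cfg
## * Generate the CA private key. The shell, not openssl, creates this file
##   (stdout redirection), so the umask is what keeps it owner-readable only;
##   otherwise the key would be created with the default, world-readable
##   mode. openssl's own stderr chatter is discarded as before, which also
##   hides its error text, so a failure here is only visible as the exit
##   status that aborts the script.
## ::
( umask 077 && openssl genrsa 2048 > "$ca_key" 2> /dev/null )
## * Generate a self-signed CA certificate
## ::
openssl req -new -x509 -key "$ca_key" \
  -out "$ca_cert" -days "$validity_days" \
  -subj "${subject_prefix}/CN=overcloud"
## * Add the self-signed CA certificate to the undercloud's trusted certificate
##   store.
## ::
sudo cp "$ca_cert" /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
## * Generate the leaf certificate request and key that will be used for the
##   public VIP. The key is written unencrypted (``-nodes``); the umask keeps
##   it and the CSR owner-readable only regardless of the openssl version.
##   (``-days`` is not passed here: it only applies when ``req`` issues a
##   certificate itself with ``-x509``.)
## ::
( umask 077 && openssl req -newkey rsa:2048 \
    -nodes -keyout "$server_key" \
    -out "$server_req" \
    -subj "${subject_prefix}/CN=${public_vip}" \
    -reqexts subjectAltName \
    -config <(printf '%s\n' "$san_ext_cfg") )
## * Process the server RSA key. The key is already unencrypted, so this is a
##   rewrite in place (presumably to get the PEM encoding the consumers of
##   ``server-key.pem`` expect; confirm against whatever reads it). The file
##   keeps the owner-only mode it was created with.
## ::
openssl rsa -in "$server_key" -out "$server_key"
## * Sign the leaf certificate with the CA certificate and generate
##   the certificate. The serial is fixed at 01: that is acceptable only
##   because the CA is regenerated on every run; a CA that outlives a run
##   must never issue two certificates with the same serial.
## ::
openssl x509 -req -in "$server_req" -days "$validity_days" \
  -CA "$ca_cert" \
  -CAkey "$ca_key" \
  -set_serial 01 -out "$server_cert" \
  -extensions subjectAltName \
  -extfile <(printf '%s\n' "$san_ext_cfg")
## --stop_docs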