bazel: add utility functions to generate certificates

redpanda-data · Dec 3, 2024 · 8cf9e87 · 8cf9e87
1 parent e41337e
commit 8cf9e87
Showing 1 changed file with 128 additions and 0 deletions.
diff --git a/bazel/cert.bzl b/bazel/cert.bzl
@@ -0,0 +1,128 @@
+"""
+This module contains functions to generate a simple CA
+"""
+
+# buildifier: disable=function-docstring-args
+def _redpanda_private_key(name, certificate):
+    private_key = certificate + ".key"
+
+    pr_key_gen = name + "_key_gen"
+    native.genrule(
+        name = pr_key_gen,
+        srcs = [],
+        outs = [private_key],
+        cmd = "$(execpath @openssl//:openssl_exe) ecparam " +
+              "-name prime256v1 " +
+              "-genkey " +
+              "-noout " +
+              "-out \"$@\"",
+        tools = [
+            "@openssl//:openssl_exe",
+        ],
+    )
+
+    return pr_key_gen
+
+def redpanda_selfsigned_cert(name, certificate, common_name, visibility = None):
+    """
+    Generate a Redpanda self-signed certificate.
+
+    Args:
+      name: name of the target
+      certificate: name to use for output files (crt, key, and csr)
+      common_name: the CN to use when setting the subject name
+      visibility: visibility setting
+    """
+
+    cert = certificate + ".crt"
+    subj = "/C=US/ST=California/L=San Francisco/O=Redpanda Data/OU=Core/CN=" + common_name
+
+    pr_key_gen = _redpanda_private_key(name, certificate)
+
+    crt_gen = name + "_crt_gen"
+    native.genrule(
+        name = crt_gen,
+        srcs = [
+            pr_key_gen,
+        ],
+        outs = [cert],
+        cmd = "$(execpath @openssl//:openssl_exe) req " +
+              "-new -x509 -sha256 " +
+              "-key $(SRCS) " +
+              "-out \"$@\" " +
+              "-subj \"{}\" ".format(subj) +
+              "-addext \"subjectAltName = IP:127.0.0.1\"",
+        tools = [
+            "@openssl//:openssl_exe",
+        ],
+    )
+
+    native.filegroup(
+        name = name,
+        srcs = [pr_key_gen, crt_gen],
+        visibility = visibility,
+    )
+
+def redpanda_signed_cert(name, certificate, common_name, ca, serial_number, visibility = None):
+    """
+    Generate a Redpanda signed certificate.
+
+    Args:
+      name: name of the target
+      certificate: name to use for output files (crt, key, and csr)
+      common_name: the CN to use when setting the subject name
+      ca: the certificate to be used as the signing CA
+      serial_number: the serial number of cert when issued by CA
+      visibility: visibility setting
+    """
+
+    subj = "/C=US/ST=California/L=San Francisco/O=Redpanda Data/OU=Core/CN=" + common_name
+
+    pr_key_gen = _redpanda_private_key(name, certificate)
+
+    req_gen = name + "_csr_gen"
+    native.genrule(
+        name = req_gen,
+        srcs = [
+            pr_key_gen,
+        ],
+        outs = [certificate + ".csr"],
+        cmd = "$(execpath @openssl//:openssl_exe) req " +
+              "-new -sha256 " +
+              "-key $(SRCS) " +
+              "-out \"$@\" " +
+              "-subj \"{}\" ".format(subj),
+        tools = [
+            "@openssl//:openssl_exe",
+        ],
+    )
+
+    ca_cert = ca + ".crt"
+    ca_private_key = ca + ".key"
+
+    crt_gen = name + "_crt_gen"
+    native.genrule(
+        name = crt_gen,
+        srcs = [
+            ca_cert,
+            ca_private_key,
+            req_gen,
+        ],
+        outs = [certificate + ".crt"],
+        cmd = "$(execpath @openssl//:openssl_exe) x509 " +
+              "-req -days 1000 -sha256 " +
+              "-set_serial {} ".format(serial_number) +
+              "-in $(execpath {}) ".format(req_gen) +
+              "-CA $(execpaths :{}) ".format(ca_cert) +
+              "-CAkey $(execpaths :{}) ".format(ca_private_key) +
+              "-out \"$@\" ",
+        tools = [
+            "@openssl//:openssl_exe",
+        ],
+    )
+
+    native.filegroup(
+        name = name,
+        srcs = [pr_key_gen, req_gen, crt_gen],
+        visibility = visibility,
+    )