VMware vSphere Integrated Containers provider (#206)

* Add Virtual Kubelet provider for VIC

Initial virtual kubelet provider for VMware VIC.  This provider currently
handles creating and starting of a pod VM via the VIC portlayer and persona
server.  Image store handling via the VIC persona server.  This provider
currently requires the feature/wolfpack branch of VIC.

* Added pod stop and delete.  Also added node capacity.

Added the ability to stop and delete pod VMs via VIC.  Also retrieve
node capacity information from the VCH.

* Cleanup and readme file

Some file clean up and added a Readme.md markdown file for the VIC
provider.

* Cleaned up errors, added function comments, moved operation code

1. Cleaned up error handling.  Set standard for creating errors.
2. Added method prototype comments for all interface functions.
3. Moved PodCreator, PodStarter, PodStopper, and PodDeleter to a new folder.

* Add mocking code and unit tests for podcache, podcreator, and podstarter

Used the unit test framework used in VIC to handle assertions in the provider's
unit test.  Mocking code generated using OSS project mockery, which is compatible
with the testify assertion framework.

* Vendored packages for the VIC provider

Requires feature/wolfpack branch of VIC and a few specific commit sha of
projects used within VIC.

* Implementation of POD Stopper and Deleter unit tests (#4)

* Updated files for initial PR

vendor/github.com/vmware/vic/infra/integration-image/scripts/README.md

@@ -0,0 +1,29 @@
+# scripts
+
+
+Integration image MUST be rebuilt after updates to scripts in this directory to be included in CI 
+
+
+### ca-test.sh
+
+Generate a root CA and a server certificate
+
+### intermediate-ca-test.sh
+
+Generate a root CA, intermediate CA, and a server certificate
+
+### ubuntu-install-ca.sh
+
+Installs the generated root CA into the system root store
+
+### ubuntu-install-intermediate-ca.sh
+
+Installs the generated intermediate CA into the system root store
+
+### ubuntu-remove-ca.sh
+
+Removes the generated root CA from the system root store
+
+### ubuntu-remove-intermediate-ca.sh
+
+Removes the generated intermediate CA from the system root store

vendor/github.com/vmware/vic/infra/integration-image/scripts/bundle-certs.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate a CA and server certificate bundle
+
+set -euf -o pipefail
+
+CA_DIR="/root/ca"
+CA_NAME="STARK_ENTERPRISES_ROOT_CA"
+OUT_DIR="/root/ca/bundle"
+OUT_FILE="/root/ca/cert-bundle.tgz"
+SERVER_CERT_CN="starkenterprises.io"
+
+while getopts ":c:d:f:n:o:" opt; do
+  case $opt in
+    c) CA_NAME="$OPTARG"
+    ;;
+    d) CA_DIR="$OPTARG"
+    ;;
+    f) OUT_FILE="$OPTARG"
+    ;;
+    n) SERVER_CERT_CN="$OPTARG"
+    ;;
+    o) OUT_DIR="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+mkdir -p $OUT_DIR
+cd $CA_DIR
+cp certs/$CA_NAME.crt $OUT_DIR
+cp private/${SERVER_CERT_CN}.key.pem $OUT_DIR
+cp certs/${SERVER_CERT_CN}.cert.pem $OUT_DIR
+dir=$(dirname $OUT_DIR)
+bundle_dir=$(basename $OUT_DIR)
+tar cvf $OUT_FILE -C $dir $bundle_dir

vendor/github.com/vmware/vic/infra/integration-image/scripts/ca-test.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate a root CA and a server certificate
+
+##### Default configuration options
+SERVER_CERT_CN="starkenterprises.io"
+#####
+
+while getopts ":s:" opt; do
+  case $opt in
+    s) SERVER_CERT_CN="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+
+### Create root CA
+mkdir -p /root/ca
+cp openssl.cnf /root/ca
+cd /root/ca
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Generate root CA key
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out private/ca.key.pem 4096
+chmod 400 private/ca.key.pem
+
+# Generate root CA CSR
+openssl req -config openssl.cnf \
+    -new -sha256 \
+    -key private/ca.key.pem \
+    -out csr/ca.csr.pem \
+    -extensions v3_ca \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Certificate Authority/CN=Stark Enterprises Global CA"
+
+# Self sign for root CA certificate
+openssl x509 -req -extfile openssl.cnf \
+    -extensions v3_ca \
+    -days 7300 -in csr/ca.csr.pem -signkey private/ca.key.pem -out certs/ca.cert.pem
+
+chmod 444 certs/ca.cert.pem
+openssl x509 -noout -text -in certs/ca.cert.pem
+
+# Output CRT format
+openssl x509 -in certs/ca.cert.pem -inform PEM -out certs/ca.cert.crt
+
+
+### Create server certificate
+cd /root/ca
+# Generate server key
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out private/${SERVER_CERT_CN}.key.pem 4096
+chmod 400 private/${SERVER_CERT_CN}.key.pem
+
+# Generate server CSR
+openssl req -config openssl.cnf \
+    -new -sha256 \
+    -key private/${SERVER_CERT_CN}.key.pem \
+    -out csr/${SERVER_CERT_CN}.csr.pem \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Web Services/CN=${SERVER_CERT_CN}"
+
+# Sign CSR with CA key, output server certificate
+openssl ca -config openssl.cnf \
+    -batch \
+    -extensions server_cert \
+    -days 365 -notext -md sha256 \
+    -in csr/${SERVER_CERT_CN}.csr.pem \
+    -out certs/${SERVER_CERT_CN}.cert.pem
+
+chmod 444 certs/${SERVER_CERT_CN}.cert.pem
+openssl x509 -noout -text -in certs/${SERVER_CERT_CN}.cert.pem
+
+# Test certificate
+openssl verify -CAfile certs/ca.cert.pem certs/${SERVER_CERT_CN}.cert.pem
+
+
+### Bundle output
+mkdir bundle
+cp certs/ca.cert.crt bundle
+cp private/${SERVER_CERT_CN}.key.pem bundle
+cp certs/${SERVER_CERT_CN}.cert.pem bundle
+tar cvf cert-bundle.tgz bundle

vendor/github.com/vmware/vic/infra/integration-image/scripts/generate-ca.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate a CA
+
+set -euf -o pipefail
+
+OUTDIR="/root/ca"
+CA_NAME="STARK_ENTERPRISES_ROOT_CA"
+
+while getopts ":c:d:" opt; do
+  case $opt in
+    c) CA_NAME="$OPTARG"
+    ;;
+    d) OUTDIR="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+CONF_DIR=`dirname $0`
+### Create root CA
+mkdir -p $OUTDIR
+cp $CONF_DIR/openssl.cnf $OUTDIR
+cd $OUTDIR
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Generate root CA key
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out private/ca.key.pem 4096
+chmod 400 private/ca.key.pem
+
+# Generate root CA CSR
+openssl req -config $CONF_DIR/openssl.cnf \
+    -new -sha256 \
+    -key private/ca.key.pem \
+    -out csr/ca.csr.pem \
+    -extensions v3_ca \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Certificate Authority/CN=Stark Enterprises Global CA"
+
+# Self sign for root CA certificate
+openssl x509 -req -extfile $CONF_DIR/openssl.cnf \
+    -extensions v3_ca \
+    -days 7300 -in csr/ca.csr.pem -signkey private/ca.key.pem -out certs/ca.cert.pem
+
+chmod 444 certs/ca.cert.pem
+openssl x509 -noout -text -in certs/ca.cert.pem
+
+# Output CRT format
+openssl x509 -in certs/ca.cert.pem -inform PEM -out certs/$CA_NAME.crt

vendor/github.com/vmware/vic/infra/integration-image/scripts/generate-server-key-csr.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate a server key and CSR for specified CN
+
+set -euf -o pipefail
+
+OUTDIR="/root/ca"
+SERVER_CERT_CN="starkenterprises.io"
+
+while getopts ":d:n:" opt; do
+  case $opt in
+    d) OUTDIR="$OPTARG"
+    ;;
+    n) SERVER_CERT_CN="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+
+cd $OUTDIR
+# Generate server key
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out private/${SERVER_CERT_CN}.key.pem 4096
+chmod 400 private/${SERVER_CERT_CN}.key.pem
+
+# Generate server CSR
+openssl req -config openssl.cnf \
+    -new -sha256 \
+    -key private/${SERVER_CERT_CN}.key.pem \
+    -out csr/${SERVER_CERT_CN}.csr.pem \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Web Services/CN=${SERVER_CERT_CN}"

vendor/github.com/vmware/vic/infra/integration-image/scripts/intermediate-ca-test.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate a root CA, intermediate CA, and a server certificate
+
+##### Configuration options
+SERVER_CERT_CN="starkenterprises.io"
+#####
+
+while getopts ":s:" opt; do
+  case $opt in
+    s) SERVER_CERT_CN="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+
+### Create root CA
+mkdir -p /root/ca
+cp openssl.cnf /root/ca
+cd /root/ca
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Generate root CA key
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out private/ca.key.pem 4096
+chmod 400 private/ca.key.pem
+
+# Generate root CA CSR
+openssl req -config openssl.cnf \
+    -new -sha256 \
+    -key private/ca.key.pem \
+    -out csr/ca.csr.pem \
+    -extensions v3_ca \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Certificate Authority/CN=Stark Enterprises Global CA"
+
+# Self sign for root CA certificate
+openssl x509 -req -extfile openssl.cnf \
+    -extensions v3_ca \
+    -days 7300 -in csr/ca.csr.pem -signkey private/ca.key.pem -out certs/ca.cert.pem
+
+chmod 444 certs/ca.cert.pem
+openssl x509 -noout -text -in certs/ca.cert.pem
+
+# Output CRT format
+openssl x509 -in certs/ca.cert.pem -inform PEM -out certs/ca.cert.crt
+
+
+### Create intermediate CA
+cd -
+mkdir -p /root/ca/intermediate
+cp openssl-intermediate.cnf /root/ca/intermediate
+cd /root/ca/intermediate
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+echo 1000 > crlnumber
+
+# Generate intermediate CA key
+cd /root/ca
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out intermediate/private/intermediate.key.pem 4096
+chmod 400 intermediate/private/intermediate.key.pem
+
+# Generate intermediate CA CSR
+openssl req -config intermediate/openssl-intermediate.cnf\
+    -new -sha256 \
+    -key intermediate/private/intermediate.key.pem \
+    -out intermediate/csr/intermediate.csr.pem \
+    -extensions v3_intermediate_ca \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Certificate Authority/CN=Stark Enterprises Intermediate CA"
+
+# Sign CSR with root CA key
+openssl ca -config openssl.cnf \
+    -batch \
+    -extensions v3_intermediate_ca \
+    -days 3650 -notext -md sha256 \
+    -in intermediate/csr/intermediate.csr.pem \
+    -out intermediate/certs/intermediate.cert.pem
+
+chmod 444 intermediate/certs/intermediate.cert.pem
+openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
+
+# Create certificate chain
+cat intermediate/certs/intermediate.cert.pem \
+    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
+chmod 444 intermediate/certs/ca-chain.cert.pem
+
+# Output CRT format
+openssl x509 -in intermediate/certs/intermediate.cert.pem -inform PEM -out intermediate/certs/intermediate.cert.crt
+
+### Create server certificate
+cd /root/ca
+# Generate server key
+# Private key is not encrypted - use -aes256 to specify a password
+openssl genrsa -out intermediate/private/${SERVER_CERT_CN}.key.pem 4096
+chmod 400 intermediate/private/${SERVER_CERT_CN}.key.pem
+
+# Generate server CSR
+openssl req -config intermediate/openssl-intermediate.cnf \
+    -new -sha256 \
+    -key intermediate/private/${SERVER_CERT_CN}.key.pem \
+    -out intermediate/csr/${SERVER_CERT_CN}.csr.pem \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Stark Enterprises/OU=Stark Enterprises Web Services/CN=${SERVER_CERT_CN}"
+
+# Sign CSR with intermediate CA key, output server certificate
+openssl ca -config intermediate/openssl-intermediate.cnf \
+    -batch \
+    -extensions server_cert \
+    -days 365 -notext -md sha256 \
+    -in intermediate/csr/${SERVER_CERT_CN}.csr.pem \
+    -out intermediate/certs/${SERVER_CERT_CN}.cert.pem
+
+chmod 444 intermediate/certs/${SERVER_CERT_CN}.cert.pem
+openssl x509 -noout -text -in intermediate/certs/${SERVER_CERT_CN}.cert.pem
+
+# Test certificate
+openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/${SERVER_CERT_CN}.cert.pem
+
+
+### Bundle output
+mkdir bundle
+cp certs/ca.cert.crt bundle
+cp intermediate/certs/intermediate.cert.crt bundle
+cp intermediate/certs/ca-chain.cert.pem bundle
+cp intermediate/private/${SERVER_CERT_CN}.key.pem bundle
+cp intermediate/certs/${SERVER_CERT_CN}.cert.pem bundle
+tar cvf cert-bundle.tgz bundle

vendor/github.com/vmware/vic/infra/integration-image/scripts/openssl-intermediate.cnf

@@ -0,0 +1,132 @@
+# OpenSSL intermediate CA configuration file.
+# Copy to `/root/ca/intermediate/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /root/ca/intermediate
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/intermediate.key.pem
+certificate       = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/intermediate.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     =
+localityName_default            =
+0.organizationName_default      =
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

vendor/github.com/vmware/vic/infra/integration-image/scripts/openssl.cnf

@@ -0,0 +1,132 @@
+# OpenSSL root CA configuration file.
+# Copy to `/root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /root/ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     =
+localityName_default            =
+0.organizationName_default      =
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

vendor/github.com/vmware/vic/infra/integration-image/scripts/sign-csr.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Sign a CSR with specified CA
+
+set -euf -o pipefail
+
+CA_NAME="STARK_ENTERPRISES_ROOT_CA" # used to verify cert signature
+OUTDIR="/root/ca"
+SERVER_CERT_CN="starkenterprises.io"
+
+while getopts ":c:d:n:" opt; do
+  case $opt in
+    c) CA_NAME="$OPTARG"
+    ;;
+    d) OUTDIR="$OPTARG"
+    ;;
+    n) SERVER_CERT_CN="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+
+CONF_DIR=`dirname $0`
+cd $OUTDIR
+openssl ca -config $CONF_DIR/openssl.cnf \
+    -batch \
+    -extensions server_cert \
+    -days 365 -notext -md sha256 \
+    -in csr/${SERVER_CERT_CN}.csr.pem \
+    -out certs/${SERVER_CERT_CN}.cert.pem
+
+chmod 444 certs/${SERVER_CERT_CN}.cert.pem
+openssl x509 -noout -text -in certs/${SERVER_CERT_CN}.cert.pem
+
+# Test certificate
+openssl verify -CAfile certs/$CA_NAME.crt certs/${SERVER_CERT_CN}.cert.pem

vendor/github.com/vmware/vic/infra/integration-image/scripts/ubuntu-install-ca.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Install CA into root store
+
+CERT_FILE="/root/ca/certs/STARK_ENTERPRISES_ROOT_CA.crt"
+
+while getopts ":f:" opt; do
+  case $opt in
+    f) CERT_FILE="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    ;;
+  esac
+done
+
+cp $CERT_FILE /usr/local/share/ca-certificates
+
+dpkg-reconfigure --frontend=noninteractive ca-certificates

vendor/github.com/vmware/vic/infra/integration-image/scripts/ubuntu-install-intermediate-ca.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cp /root/ca/intermediate/certs/intermediate.cert.crt /usr/local/share/ca-certificates
+
+dpkg-reconfigure --frontend=noninteractive ca-certificates

vendor/github.com/vmware/vic/infra/integration-image/scripts/ubuntu-reload-cas.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Reload default CAs to remove ALL user installed root certificates
+
+update-ca-certificates --fresh

vendor/github.com/vmware/vic/infra/integration-image/scripts/ubuntu-remove-intermediate-ca.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Copyright 2016-2017 VMware, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+rm /usr/local/share/ca-certificates/intermediate.cert.crt
+
+dpkg-reconfigure --frontend=noninteractive ca-certificates