#!/bin/bash
# Author: Smana smainklh@gmail.com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Abort on the first failing command, and let a failure in any stage of a
# pipeline (not only its last one) count as a failure of the pipeline.
set -o errexit -o pipefail
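#######################################
# Print the command-line help on stdout.
# Globals:   none
# Arguments: none
# Outputs:   the usage text, with the script's basename substituted in
#######################################
usage()
{
    # ${0##*/} is the basename of the script. The original called
    # "basename $0" with $0 unquoted, which splits a path containing
    # spaces into several arguments and produces the wrong name.
    local prog="${0##*/}"
    cat << EOF
Create self signed certificates

Usage : ${prog} -f <config> [-d <ssldir>]
      -h | --help         : Show this message
      -f | --config       : Openssl configuration file
      -d | --ssldir       : Directory where the certificates will be installed

               ex :
               ${prog} -f openssl.conf -d /srv/ssl

EOF
}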
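# Options parsing

# Print the help and exit 3 when an option that takes a value is the last
# word on the command line. Called as "require_value "$@"", so $1 is the
# option being parsed and $# the number of words still to consume.
# Without this guard a trailing "-f" makes "shift 2" fail, and errexit
# then stops the script with only bash's own shift error as output.
require_value() {
    if (($# < 2)); then
        usage
        echo "ERROR : option $1 requires an argument"
        exit 3
    fi
}

# Hand-rolled parser because getopts cannot handle the long forms.
# Sets CONFIG and SSLDIR; any unknown word prints the help and exits 3.
while (($#)); do
    case "$1" in
        -h | --help)   usage;   exit 0;;
        -f | --config) require_value "$@"; CONFIG="${2}"; shift 2;;
        -d | --ssldir) require_value "$@"; SSLDIR="${2}"; shift 2;;
        *)
            usage
            echo "ERROR : Unknown option"
            exit 3
        ;;
    esac
done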
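# A config file is mandatory: "openssl req -config" and "openssl x509
# -extfile" below both read it. The expansion is quoted so that a path
# containing spaces cannot turn the test into a syntax error.
if [ -z "${CONFIG}" ]; then
    echo "ERROR: the openssl configuration file is missing. option -f"
    exit 1
fi
# Fail early with a clear message: every openssl call below silences its
# output, so an unreadable config would otherwise stop the script (via
# errexit) without saying why.
if [ ! -r "${CONFIG}" ]; then
    echo "ERROR: cannot read the openssl configuration file '${CONFIG}'"
    exit 1
fi
# Install location when -d was not given (or was given empty).
SSLDIR="${SSLDIR:-/etc/ssl/etcd}"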
# Scratch space for key generation: mktemp -d creates the directory with
# a random suffix and mode 0700, and the EXIT trap wipes it on every exit
# path (normal end, errexit failure, signal), so half-written private
# keys never linger in /tmp.
tmpdir="$(mktemp -d /tmp/etcd_cacert.XXXXXX)"
trap 'rm -rf -- "${tmpdir}"' EXIT
cd -- "${tmpdir}"

# The install directory must exist before the final mv; -p makes this a
# no-op when re-running against an existing one.
mkdir -p -- "${SSLDIR}"
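# Root CA
# Reuse the CA already installed in $SSLDIR when one exists, so that
# re-running the script only re-issues leaf certificates and anything that
# already trusts ca.pem keeps working. Otherwise create a fresh self-signed
# CA in the scratch directory.
if [ -e "$SSLDIR/ca-key.pem" ]; then
    # Reuse existing CA. Both paths are quoted: the original brace
    # expansion on an unquoted $SSLDIR split an install dir with spaces.
    cp "$SSLDIR/ca.pem" "$SSLDIR/ca-key.pem" .
else
    # The CA key is written unencrypted (-nodes) and ends up in $SSLDIR,
    # so the install directory's permissions are what protects it.
    # openssl's key-generation progress (printed on stderr) is silenced on
    # purpose; the price is that a failure stops the script via errexit
    # without any message.
    openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
fi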
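# ETCD member
# For each entry in $MASTERS (space separated, taken from the environment;
# the unquoted expansion is the intended word split) issue two CA-signed
# certificates: a "member" one and an "admin" one. The CN is the short
# hostname (everything before the first dot). All openssl output is
# silenced, so a failure stops the script via errexit without a message.
if [ -n "$MASTERS" ]; then
    for host in $MASTERS; do
        cn="${host%%.*}"
        # Member key. Extensions come from the "ssl_client" section of the
        # user's openssl config (-extensions/-extfile); whether that section
        # also carries serverAuth and the SANs an etcd member needs for its
        # peer/client listeners depends on the config file, not on this
        # script. ${CONFIG} is a user-supplied path and is quoted so a path
        # with spaces reaches openssl as one argument.
        openssl genrsa -out "member-${host}-key.pem" {{certificates_key_size}} > /dev/null 2>&1
        openssl req -new -key "member-${host}-key.pem" -out "member-${host}.csr" -subj "/CN=etcd-member-${cn}" -config "${CONFIG}" > /dev/null 2>&1
        openssl x509 -req -in "member-${host}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "member-${host}.pem" -days {{certificates_duration}} -extensions ssl_client -extfile "${CONFIG}" > /dev/null 2>&1

        # Admin key
        # NOTE(review): unlike the member CSR this one is created without
        # -config; since "x509 -req" takes its extensions from -extfile this
        # should only affect DN defaults -- confirm before aligning the two.
        openssl genrsa -out "admin-${host}-key.pem" {{certificates_key_size}} > /dev/null 2>&1
        openssl req -new -key "admin-${host}-key.pem" -out "admin-${host}.csr" -subj "/CN=etcd-admin-${cn}" > /dev/null 2>&1
        openssl x509 -req -in "admin-${host}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "admin-${host}.pem" -days {{certificates_duration}} -extensions ssl_client -extfile "${CONFIG}" > /dev/null 2>&1
    done
fi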
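# Node keys
# One CA-signed certificate per entry in $HOSTS (space separated, taken
# from the environment; the unquoted expansion is the intended word
# split). The CN is the short hostname, and the extensions are the same
# "ssl_client" section of the openssl config used for the member and
# admin certificates. openssl output is silenced, so a failure stops the
# script via errexit without a message.
if [ -n "$HOSTS" ]; then
    for host in $HOSTS; do
        cn="${host%%.*}"
        openssl genrsa -out "node-${host}-key.pem" {{certificates_key_size}} > /dev/null 2>&1
        openssl req -new -key "node-${host}-key.pem" -out "node-${host}.csr" -subj "/CN=etcd-node-${cn}" > /dev/null 2>&1
        # ${CONFIG} is a user-supplied path: quoted so that a path with
        # spaces reaches openssl as a single -extfile argument.
        openssl x509 -req -in "node-${host}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "node-${host}.pem" -days {{certificates_duration}} -extensions ssl_client -extfile "${CONFIG}" > /dev/null 2>&1
    done
fi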
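# Install certs
# When the CA was reused, drop the working copies made earlier so that the
# installed ca.pem / ca-key.pem are never rewritten by the mv below.
if [ -e "$SSLDIR/ca-key.pem" ]; then
    # No pass existing CA
    rm -f ca.pem ca-key.pem
fi

# Move everything generated (plus the CA when it is new) into place,
# overwriting any previous leaf certificates of the same name. The target
# is quoted so an install dir with spaces is one argument. With a reused
# CA and neither MASTERS nor HOSTS set there is nothing to move, mv fails
# on the unmatched glob and errexit turns that into a non-zero exit.
# NOTE(review): the *-key.pem files keep whatever mode openssl created
# them with under the current umask; nothing here tightens them, so the
# caller must restrict access to $SSLDIR -- confirm.
mv -- *.pem "${SSLDIR}/"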