#!/bin/bash
# Abort on the first failing command and make a pipeline report the status of
# its failing stage rather than of its last command.
set -e
set -o pipefail
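#######################################
# Print the command-line help to stdout.
# Called by the option parser for -h/--help and before the "Unknown option"
# error. The synopsis now lists the options the parser really accepts; the
# old text advertised a "-f <config>" that no case arm handles.
# Globals:   none
# Arguments: none
# Outputs:   help text on stdout
#######################################
usage()
{
    cat << EOF
Create self signed certificates

Usage : $(basename "$0") -e <helm_home> [-d <ssldir>]
      -h | --help         : Show this message
      -e | --helm-home    : Helm home directory
      -d | --ssldir       : Directory where the certificates will be installed
EOF
}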
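# Options parsing
# -h prints the help and exits 0; -e/-d take the following word as their
# value; anything else prints the help plus an error and exits 3.
while (($#)); do
    case "$1" in
        -h | --help)   usage;   exit 0;;
        -e | --helm-home)
            # With errexit on, a bare "shift 2" and no value present aborts
            # the script with no message at all; report it instead.
            if (( $# < 2 )); then
                usage
                echo "ERROR : $1 requires an argument" >&2
                exit 3
            fi
            HELM_HOME="${2}"; shift 2;;
        -d | --ssldir)
            if (( $# < 2 )); then
                usage
                echo "ERROR : $1 requires an argument" >&2
                exit 3
            fi
            SSLDIR="${2}"; shift 2;;
        *)
            usage
            echo "ERROR : Unknown option" >&2
            exit 3
        ;;
    esac
done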
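# Default install directory when -d/--ssldir was not given (or was empty).
# The expansion is quoted: the unquoted "[ -z ${SSLDIR} ]" form is a test
# syntax error as soon as the value contains whitespace.
if [ -z "${SSLDIR:-}" ]; then
    SSLDIR="/etc/kubernetes/helm/ssl"
fi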
# Scratch directory in which the keys and certificates are generated.
# mktemp -d creates it with a random suffix and mode 0700, so the private
# keys are not exposed to other users while they are being built. It is
# removed on every exit path via the EXIT trap.
tmpdir="$(mktemp -d /tmp/helm_cacert.XXXXXX)"
cleanup() { rm -rf "${tmpdir}"; }
trap cleanup EXIT
cd -- "${tmpdir}"
# Make sure the install directory exists (no error if it already does).
mkdir -p -- "${SSLDIR}"
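# Root CA
if [ -e "$SSLDIR/ca-key.pem" ]; then
    # Reuse existing CA. Only the "no key yet" branch generates, so an
    # existing CA key is never silently replaced. Paths are quoted; the
    # original unquoted brace form broke on an SSLDIR containing spaces.
    cp "$SSLDIR/ca.pem" "$SSLDIR/ca-key.pem" .
else
    # New 4096-bit CA key and self-signed CA certificate.
    # {{certificates_duration}} is substituted by the templating step.
    # openssl's output (including genrsa's progress dots on stderr) is
    # discarded; under errexit a failure still aborts the script, but
    # without a message, so check the exit status if debugging.
    openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
fi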
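#######################################
# Generate a private key and a CA-signed certificate in the current directory.
# Globals:   reads ca.pem and ca-key.pem from the current directory
# Arguments: $1 - file name stem; writes <stem>-key.pem, <stem>.csr, <stem>.pem
#            $2 - X.509 subject, e.g. "/CN=tiller-server"
# Outputs:   nothing; all openssl output is discarded
# Returns:   non-zero if an openssl step fails (aborts the script under errexit)
#######################################
gen_key_and_cert() {
    local name=$1
    local subject=$2
    # File names are quoted; the original left ${name} unquoted.
    openssl genrsa -out "${name}-key.pem" 4096 > /dev/null 2>&1
    openssl req -new -key "${name}-key.pem" -sha256 -out "${name}.csr" -subj "${subject}" > /dev/null 2>&1
    # -sha256 pins the signing digest; without it the x509 step uses the
    # openssl build's default, which on older releases is not SHA-256.
    # NOTE(review): no -extfile/-addext is passed, so the issued certificate
    # carries only the CN (no SAN, no key-usage extensions); confirm the
    # consuming clients accept CN-only certificates.
    openssl x509 -req -in "${name}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -sha256 -out "${name}.pem" -days {{certificates_duration}} > /dev/null 2>&1
}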
# Generate cert and key for Tiller unless a tiller.pem is already installed.
if [ ! -e "$SSLDIR/tiller.pem" ]; then
    gen_key_and_cert "tiller" "/CN=tiller-server"
fi
# Generate cert and key for the Helm client unless a helm.pem is already installed.
if [ ! -e "$SSLDIR/helm.pem" ]; then
    gen_key_and_cert "helm" "/CN=helm-client"
fi
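# Secure certs to first master: move every .pem generated (or copied) in the
# scratch directory into SSLDIR. The destination is quoted and "--" ends
# option parsing, so an SSLDIR with spaces or a leading dash cannot break
# or redirect the move.
mv -- *.pem "${SSLDIR}/"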
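# Install Helm client certs to first master
# Copy using Helm default names for convenience
# HELM_HOME must be non-empty here: with it unset the original expanded to
# "/ca.pem", "/cert.pem" and "/key.pem", dropping the client private key
# into the filesystem root.
: "${HELM_HOME:?ERROR : -e/--helm-home is required}"
cp "${SSLDIR}/ca.pem" "${HELM_HOME}/ca.pem"
cp "${SSLDIR}/helm.pem" "${HELM_HOME}/cert.pem"
cp "${SSLDIR}/helm-key.pem" "${HELM_HOME}/key.pem"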