#!/bin/bash
# Author: Smana smainklh@gmail.com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Abort on the first failing command, and make a pipeline fail when any of
# its stages fails (otherwise only the last stage's status would count).
set -e
set -o pipefail
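#######################################
# Print the help text on stdout.
# Globals:   none ($0 is only read for the script name)
# Arguments: none
# Outputs:   the usage message on stdout
# Returns:   0
#######################################
usage()
{
    # $0 is quoted: an unquoted $(basename $0) word-split a script path
    # containing spaces.
    local script_name
    script_name=$(basename "$0")
    cat << EOF
Create self signed certificates

Usage : ${script_name} -f <config> [-d <ssldir>]
      -h | --help         : Show this message
      -f | --config       : Openssl configuration file
      -d | --ssldir       : Directory where the certificates will be installed

      Environmental variables MASTERS and HOSTS should be set to generate keys
      for each host.

           ex :
           MASTERS=node1 HOSTS="node1 node2" ${script_name} -f openssl.conf -d /srv/ssl
EOF
}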
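# Options parsing
# -f and -d take a value. Without the "$# -ge 2" guard a trailing "-f" made
# "shift 2" fail, and errexit then aborted the script without any message.
while (($#)); do
    case "$1" in
        -h | --help)   usage;   exit 0;;
        -f | --config)
            [ "$#" -ge 2 ] || { usage; echo "ERROR : option $1 requires an argument"; exit 3; }
            CONFIG="${2}"; shift 2;;
        -d | --ssldir)
            [ "$#" -ge 2 ] || { usage; echo "ERROR : option $1 requires an argument"; exit 3; }
            SSLDIR="${2}"; shift 2;;
        *)
            usage
            echo "ERROR : Unknown option"
            exit 3
        ;;
    esac
done

# -f is mandatory. The value is quoted (and defaulted) so that an unset, empty
# or space-containing path is still tested as exactly one word.
if [ -z "${CONFIG:-}" ]; then
    echo "ERROR: the openssl configuration file is missing. option -f"
    exit 1
fi
# Default installation directory when -d was not given.
if [ -z "${SSLDIR:-}" ]; then
    SSLDIR="/etc/kubernetes/certs"
fi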
# All keys and certificates are produced in a private scratch directory
# (unpredictable name from mktemp) that is deleted on every exit path,
# including failures under errexit.
tmpdir=$(mktemp -d /tmp/kubernetes_cacert.XXXXXX)
trap 'rm -rf "${tmpdir}"' EXIT
cd -- "$tmpdir"

# The installation directory must exist before anything is generated or copied.
mkdir -p -- "$SSLDIR"
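# Root CA
# An existing CA found in SSLDIR is reused (so certificates issued earlier stay
# valid); otherwise a new self-signed CA is created in the scratch directory.
if [ -e "$SSLDIR/ca-key.pem" ]; then
    # Reuse existing CA. Both paths are quoted: the unquoted brace form
    # $SSLDIR/{ca.pem,ca-key.pem} word-split on spaces in the directory name.
    cp "$SSLDIR/ca.pem" "$SSLDIR/ca-key.pem" .
else
    # The {{...}} placeholders are presumably filled in when this file is
    # rendered from its template; they are not shell syntax.
    # openssl's output is silenced: under errexit a failure still aborts the
    # script, but without openssl's diagnostic.
    openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
fi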
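# Front proxy client CA
# Same reuse-or-create logic as the root CA, for the CA that signs the
# front-proxy-client certificate.
if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then
    # Reuse existing front proxy CA. Both paths are quoted: the unquoted brace
    # form $SSLDIR/{...} word-split on spaces in the directory name.
    cp "$SSLDIR/front-proxy-ca.pem" "$SSLDIR/front-proxy-ca-key.pem" .
else
    # The {{...}} placeholders are presumably filled in when this file is
    # rendered from its template; they are not shell syntax.
    # openssl's output is silenced: under errexit a failure still aborts the
    # script, but without openssl's diagnostic.
    openssl genrsa -out front-proxy-ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
    openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days {{certificates_duration}} -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
fi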
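#######################################
# Generate a private key, a CSR and a certificate signed by the root CA
# (ca.pem / ca-key.pem in the current directory).
# Globals:   CONFIG (read) - openssl config file, also used as the -extfile
#            that provides the v3_req extensions
# Arguments: $1 - base name of the output files
#            $2 - certificate subject, e.g. "/CN=kube-apiserver"
# Outputs:   <name>-key.pem, <name>.csr and <name>.pem in the current directory
# Returns:   openssl's status; under errexit a failure aborts the script
#            (openssl's own output is silenced, so no diagnostic is shown)
#######################################
gen_key_and_cert() {
    local name=$1
    local subject=$2
    # Every expansion is quoted so a name or config path containing spaces
    # stays a single argument.
    openssl genrsa -out "${name}-key.pem" {{certificates_key_size}} > /dev/null 2>&1
    openssl req -new -key "${name}-key.pem" -out "${name}.csr" -subj "${subject}" -config "${CONFIG}" > /dev/null 2>&1
    openssl x509 -req -in "${name}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "${name}.pem" -days {{certificates_duration}} -extensions v3_req -extfile "${CONFIG}" > /dev/null 2>&1
}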
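#######################################
# Generate a private key, a CSR and a certificate signed by the front proxy CA
# (front-proxy-ca.pem / front-proxy-ca-key.pem in the current directory).
# Globals:   CONFIG (read) - openssl config file, also used as the -extfile
#            that provides the v3_req extensions
# Arguments: $1 - base name of the output files
#            $2 - certificate subject, e.g. "/CN=front-proxy-client"
# Outputs:   <name>-key.pem, <name>.csr and <name>.pem in the current directory
# Returns:   openssl's status; under errexit a failure aborts the script
#            (openssl's own output is silenced, so no diagnostic is shown)
#######################################
gen_key_and_cert_front_proxy() {
    local name=$1
    local subject=$2
    # Every expansion is quoted so a name or config path containing spaces
    # stays a single argument.
    openssl genrsa -out "${name}-key.pem" {{certificates_key_size}} > /dev/null 2>&1
    openssl req -new -key "${name}-key.pem" -out "${name}.csr" -subj "${subject}" -config "${CONFIG}" > /dev/null 2>&1
    openssl x509 -req -in "${name}.csr" -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out "${name}.pem" -days {{certificates_duration}} -extensions v3_req -extfile "${CONFIG}" > /dev/null 2>&1
}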
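# Admins
# Control-plane material is only produced when MASTERS (a space-separated list
# of master host names, see usage) is set.
if [ -n "$MASTERS" ]; then

    # service-account
    # If --service-account-private-key-file was previously configured to use apiserver-key.pem then copy that to the new dedicated service-account signing key location to avoid disruptions
    # NOTE(review): this keeps the apiserver TLS key in use as the service-account
    # signing key as well; one key serving two purposes is what the dedicated key
    # below is meant to replace — confirm whether the migration still needs this.
    if [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
       # Both paths quoted so a directory name with spaces stays one word.
       cp "$SSLDIR/apiserver-key.pem" "$SSLDIR/service-account-key.pem"
    fi
    # Generate dedicated service account signing key if one doesn't exist
    if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
        openssl genrsa -out service-account-key.pem {{certificates_key_size}} > /dev/null 2>&1
    fi

    # kube-apiserver
    # Generate only if we don't have existing ca and apiserver certs
    if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
      gen_key_and_cert "apiserver" "/CN=kube-apiserver"
      # Append the CA so apiserver.pem carries the full chain.
      cat ca.pem >> apiserver.pem
    fi
    # If any host requires new certs, just regenerate scheduler and controller-manager master certs
    # kube-scheduler
    gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
    # kube-controller-manager
    gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
    # metrics aggregator
    gen_key_and_cert_front_proxy "front-proxy-client" "/CN=front-proxy-client"

    # MASTERS is deliberately unquoted: word-splitting yields one host per iteration.
    for host in $MASTERS; do
        cn="${host}"
        # admin: one client certificate per master, in the system:masters group
        gen_key_and_cert "admin-${host}" "/CN=kube-admin-${cn}/O=system:masters"
    done
fi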
# Nodes
# One kubelet client certificate per host listed in HOSTS.
if [ -n "$HOSTS" ]; then
    # HOSTS is a space-separated list (see usage); the expansion is
    # deliberately unquoted so it splits into one host per iteration.
    for host in $HOSTS; do
        cn=$host
        # The CN carries the host name lowercased (${cn,,}); O is the nodes group.
        gen_key_and_cert "node-${host}" "/CN=system:node:${cn,,}/O=system:nodes"
    done
fi
# system:node-proxier
# One kube-proxy client certificate per host listed in HOSTS; every one of
# them shares the same CN and only differs by file name.
if [ -n "$HOSTS" ]; then
    # Deliberately unquoted: HOSTS is a space-separated list (see usage).
    for host in $HOSTS; do
        # kube-proxy
        gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier"
    done
fi
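# Install certs
# Move every key and certificate produced or copied above from the scratch
# directory into SSLDIR. The target is quoted so a directory name with spaces
# stays one word, and "--" stops option parsing before the file names.
mv -- *.pem "${SSLDIR}/"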