richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5416 Commits
29 Branches
81 Tags
147 MiB
Tree: 91f1edbdd4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '91f1edbdd4'
${ noResults }
kubespray/roles/network_plugin/calico/files/make-ssl-typha.sh

89 lines
2.8 KiB
Raw Normal View History

Generate TLS certs for calico typha (#5258) * Generate TLS certs for calico typha Change-Id: I3883f49c124c52d0fc5b900ca2b44e4e2ed0d707 * Add group vars note Change-Id: I63550dfef616e884efdbd42010a90b2c04c5eb69
5 years ago
Raise delay and retry for rotate tokens (#5304) Change-Id: I87844b43b9a18064e7a99567ce57c1ca1ffcc4a8
5 years ago
Generate TLS certs for calico typha (#5258) * Generate TLS certs for calico typha Change-Id: I3883f49c124c52d0fc5b900ca2b44e4e2ed0d707 * Add group vars note Change-Id: I63550dfef616e884efdbd42010a90b2c04c5eb69
5 years ago
  1. #!/bin/bash
  3. # Author: Smana smainklh@gmail.com
  4. #
  5. # Licensed under the Apache License, Version 2.0 (the "License");
  6. # you may not use this file except in compliance with the License.
  7. # You may obtain a copy of the License at
  8. #
  9. # http://www.apache.org/licenses/LICENSE-2.0
  10. #
  11. # Unless required by applicable law or agreed to in writing, software
  12. # distributed under the License is distributed on an "AS IS" BASIS,
  13. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14. # See the License for the specific language governing permissions and
  15. # limitations under the License.
  17. set -o errexit
  18. set -o pipefail
  19. usage()
  20. {
  21. cat << EOF
  22. Create self signed certificates
  24. Usage : $(basename $0) -f <config> [-d <ssldir>]
  25. -h | --help : Show this message
  26. -f | --config : Openssl configuration file
  27. -d | --ssldir : Directory where the certificates will be installed
  28. -c | --cadir : Directory where the existing CA is located
  30. ex :
  31. $(basename $0) -f openssl.conf -d /srv/ssl
  32. EOF
  33. }
  35. # Options parsing
  36. while (($#)); do
  37. case "$1" in
  38. -h | --help) usage; exit 0;;
  39. -f | --config) CONFIG=${2}; shift 2;;
  40. -d | --ssldir) SSLDIR="${2}"; shift 2;;
  41. -c | --cadir) CADIR="${2}"; shift 2;;
  42. *)
  43. usage
  44. echo "ERROR : Unknown option"
  45. exit 3
  46. ;;
  47. esac
  48. done
  50. if [ -z ${CONFIG} ]; then
  51. echo "ERROR: the openssl configuration file is missing. option -f"
  52. exit 1
  53. fi
  54. if [ -z ${SSLDIR} ]; then
  55. SSLDIR="/etc/calico/certs"
  56. fi
  58. tmpdir=$(mktemp -d /tmp/calico_typha_certs.XXXXXX)
  59. trap 'rm -rf "${tmpdir}"' EXIT
  60. cd "${tmpdir}"
  62. mkdir -p ${SSLDIR} ${CADIR}
  64. # Root CA
  65. if [ -e "$CADIR/ca.key" ]; then
  66. # Reuse existing CA
  67. cp $CADIR/{ca.crt,ca.key} .
  68. else
  69. openssl genrsa -out ca.key 2048 > /dev/null 2>&1
  70. openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt -subj "/CN=calico-typha-ca" > /dev/null 2>&1
  71. fi
  73. # Typha server
  74. openssl genrsa -out typha-server.key 2048 > /dev/null 2>&1
  75. openssl req -new -key typha-server.key -out typha-server.csr -subj "/CN=typha-server" -config ${CONFIG} > /dev/null 2>&1
  76. openssl x509 -req -in typha-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out typha-server.crt -days 3650 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
  78. # Typha client
  79. openssl genrsa -out typha-client.key 2048 > /dev/null 2>&1
  80. openssl req -new -key typha-client.key -out typha-client.csr -subj "/CN=typha-client" -config ${CONFIG} > /dev/null 2>&1
  81. openssl x509 -req -in typha-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out typha-client.crt -days 3650 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
  83. # Install certs
  84. if [ -e "$CADIR/ca.key" ]; then
  85. # No pass existing CA
  86. rm -f ca.crt ca.key
  87. fi
  89. mv {*.crt,*.key} ${SSLDIR}/