k8s-sig-cluster-lifecycleawskubesprayhigh-availabilityansiblekubernetes-clustergcekubernetesbare-metal
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
76 lines
2.0 KiB
76 lines
2.0 KiB
#!/bin/bash
|
|
|
|
set -o errexit
|
|
set -o pipefail
|
|
|
|
usage()
|
|
{
|
|
cat << EOF
|
|
Create self signed certificates
|
|
|
|
Usage : $(basename $0) -f <config> [-d <ssldir>]
|
|
-h | --help : Show this message
|
|
-e | --helm-home : Helm home directory
|
|
-d | --ssldir : Directory where the certificates will be installed
|
|
EOF
|
|
}
|
|
|
|
# Options parsing
|
|
while (($#)); do
|
|
case "$1" in
|
|
-h | --help) usage; exit 0;;
|
|
-e | --helm-home) HELM_HOME="${2}"; shift 2;;
|
|
-d | --ssldir) SSLDIR="${2}"; shift 2;;
|
|
*)
|
|
usage
|
|
echo "ERROR : Unknown option"
|
|
exit 3
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ -z ${SSLDIR} ]; then
|
|
SSLDIR="/etc/kubernetes/helm/ssl"
|
|
fi
|
|
|
|
tmpdir=$(mktemp -d /tmp/helm_cacert.XXXXXX)
|
|
trap 'rm -rf "${tmpdir}"' EXIT
|
|
cd "${tmpdir}"
|
|
|
|
mkdir -p "${SSLDIR}"
|
|
|
|
# Root CA
|
|
if [ -e "$SSLDIR/ca-key.pem" ]; then
|
|
# Reuse existing CA
|
|
cp $SSLDIR/{ca.pem,ca-key.pem} .
|
|
else
|
|
openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
|
|
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
|
|
fi
|
|
|
|
gen_key_and_cert() {
|
|
local name=$1
|
|
local subject=$2
|
|
openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1
|
|
openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1
|
|
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1
|
|
}
|
|
|
|
#Generate cert and key for Tiller if they don't exist
|
|
if ! [ -e "$SSLDIR/tiller.pem" ]; then
|
|
gen_key_and_cert "tiller" "/CN=tiller-server"
|
|
fi
|
|
|
|
#Generate cert and key for Helm client if they dont exist
|
|
if ! [ -e "$SSLDIR/helm.pem" ]; then
|
|
gen_key_and_cert "helm" "/CN=helm-client"
|
|
fi
|
|
|
|
# Secure certs to first master
|
|
mv *.pem ${SSLDIR}/
|
|
|
|
# Install Helm client certs to first master
|
|
# Copy using Helm default names for convenience
|
|
cp ${SSLDIR}/ca.pem ${HELM_HOME}/ca.pem
|
|
cp ${SSLDIR}/helm.pem ${HELM_HOME}/cert.pem
|
|
cp ${SSLDIR}/helm-key.pem ${HELM_HOME}/key.pem
|