2015-12-11 10:32:13 +00:00
#!/bin/bash
2016-02-11 22:08:16 +00:00
# Author: Smana smainklh@gmail.com
2015-12-11 10:32:13 +00:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o pipefail
usage( )
{
cat << EOF
Create self signed certificates
2016-02-11 22:08:16 +00:00
Usage : $( basename $0 ) -f <config> [ -d <ssldir>]
2015-12-11 10:32:13 +00:00
-h | --help : Show this message
-f | --config : Openssl configuration file
-d | --ssldir : Directory where the certificates will be installed
2016-09-28 11:05:08 +00:00
2016-12-27 11:02:45 +00:00
Environmental variables MASTERS and HOSTS should be set to generate keys
for each host.
ex :
MASTERS = node1 HOSTS = "node1 node2" $( basename $0 ) -f openssl.conf -d /srv/ssl
2015-12-11 10:32:13 +00:00
EOF
}
# Options parsing
while ( ( $# ) ) ; do
case " $1 " in
-h | --help) usage; exit 0; ;
-f | --config) CONFIG = ${ 2 } ; shift 2; ;
2016-09-28 11:05:08 +00:00
-d | --ssldir) SSLDIR = " ${ 2 } " ; shift 2; ;
2015-12-11 10:32:13 +00:00
*)
usage
echo "ERROR : Unknown option"
exit 3
; ;
esac
done
if [ -z ${ CONFIG } ] ; then
echo "ERROR: the openssl configuration file is missing. option -f"
exit 1
fi
if [ -z ${ SSLDIR } ] ; then
SSLDIR = "/etc/kubernetes/certs"
fi
2016-02-18 20:56:10 +00:00
tmpdir = $( mktemp -d /tmp/kubernetes_cacert.XXXXXX)
2015-12-11 10:32:13 +00:00
trap 'rm -rf "${tmpdir}"' EXIT
cd " ${ tmpdir } "
mkdir -p " ${ SSLDIR } "
# Root CA
2016-12-27 11:02:45 +00:00
if [ -e " $SSLDIR /ca-key.pem " ] ; then
# Reuse existing CA
cp $SSLDIR /{ ca.pem,ca-key.pem} .
else
openssl genrsa -out ca-key.pem 2048 > /dev/null 2>& 1
2018-03-14 10:33:36 +00:00
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>& 1
2016-12-27 11:02:45 +00:00
fi
2018-04-05 19:32:12 +00:00
# Front proxy client CA
if [ -e " $SSLDIR /front-proxy-ca-key.pem " ] ; then
# Reuse existing front proxy CA
cp $SSLDIR /{ front-proxy-ca.pem,front-proxy-ca-key.pem} .
else
openssl genrsa -out front-proxy-ca-key.pem 2048 > /dev/null 2>& 1
openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days 36500 -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>& 1
fi
2017-06-27 04:27:25 +00:00
gen_key_and_cert( ) {
local name = $1
local subject = $2
openssl genrsa -out ${ name } -key.pem 2048 > /dev/null 2>& 1
openssl req -new -key ${ name } -key.pem -out ${ name } .csr -subj " ${ subject } " -config ${ CONFIG } > /dev/null 2>& 1
2018-03-14 10:33:36 +00:00
openssl x509 -req -in ${ name } .csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${ name } .pem -days 36500 -extensions v3_req -extfile ${ CONFIG } > /dev/null 2>& 1
2017-06-27 04:27:25 +00:00
}
2018-04-05 19:32:12 +00:00
gen_key_and_cert_front_proxy( ) {
local name = $1
local subject = $2
openssl genrsa -out ${ name } -key.pem 2048 > /dev/null 2>& 1
openssl req -new -key ${ name } -key.pem -out ${ name } .csr -subj " ${ subject } " -config ${ CONFIG } > /dev/null 2>& 1
openssl x509 -req -in ${ name } .csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${ name } .pem -days 36500 -extensions v3_req -extfile ${ CONFIG } > /dev/null 2>& 1
}
2017-08-18 12:46:22 +00:00
# Admins
if [ -n " $MASTERS " ] ; then
2018-03-29 14:35:28 +00:00
# service-account
# If --service-account-private-key-file was previously configured to use apiserver-key.pem then copy that to the new dedicated service-account signing key location to avoid disruptions
if [ -e " $SSLDIR /apiserver-key.pem " ] && ! [ -e " $SSLDIR /service-account-key.pem " ] ; then
cp $SSLDIR /apiserver-key.pem $SSLDIR /service-account-key.pem
fi
# Generate dedicated service account signing key if one doesn't exist
if ! [ -e " $SSLDIR /apiserver-key.pem " ] && ! [ -e " $SSLDIR /service-account-key.pem " ] ; then
openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>& 1
fi
2017-06-27 04:27:25 +00:00
# kube-apiserver
2017-08-29 18:35:27 +00:00
# Generate only if we don't have existing ca and apiserver certs
if ! [ -e " $SSLDIR /ca-key.pem " ] || ! [ -e " $SSLDIR /apiserver-key.pem " ] ; then
gen_key_and_cert "apiserver" "/CN=kube-apiserver"
cat ca.pem >> apiserver.pem
fi
# If any host requires new certs, just regenerate scheduler and controller-manager master certs
2017-06-27 04:27:25 +00:00
# kube-scheduler
gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
# kube-controller-manager
gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
2018-02-05 09:37:36 +00:00
# metrics aggregator
2018-04-05 19:32:12 +00:00
gen_key_and_cert_front_proxy "front-proxy-client" "/CN=front-proxy-client"
2017-01-13 11:03:20 +00:00
2016-12-27 11:02:45 +00:00
for host in $MASTERS ; do
2017-01-13 16:02:23 +00:00
cn = " ${ host %%.* } "
2017-06-27 04:27:25 +00:00
# admin
gen_key_and_cert " admin- ${ host } " " /CN=kube-admin- ${ cn } /O=system:masters "
done
fi
# Nodes
if [ -n " $HOSTS " ] ; then
for host in $HOSTS ; do
2017-10-16 13:09:24 +00:00
cn = " ${ host %%.* } "
2017-10-27 14:58:25 +00:00
gen_key_and_cert " node- ${ host } " " /CN=system:node: ${ cn ,, } /O=system:nodes "
2016-12-27 11:02:45 +00:00
done
fi
2015-12-11 10:32:13 +00:00
2017-10-05 09:51:21 +00:00
# system:node-proxier
2016-12-27 11:02:45 +00:00
if [ -n " $HOSTS " ] ; then
for host in $HOSTS ; do
2017-06-27 04:27:25 +00:00
# kube-proxy
2017-10-05 09:51:21 +00:00
gen_key_and_cert " kube-proxy- ${ host } " "/CN=system:kube-proxy/O=system:node-proxier"
2016-12-27 11:02:45 +00:00
done
fi
2015-12-11 10:32:13 +00:00
# Install certs
mv *.pem ${ SSLDIR } /
