github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

create kubelet client cert with correct group

pull/6/head
deads2k 2016-12-20 08:18:01 -05:00
parent 25dd8cbd94
commit 8360bc1a9f
2 changed files with 46 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cluster/common.sh
View File

@ -932,9 +932,20 @@ function generate-certs {
tar xzf easy-rsa.tar.gz tar xzf easy-rsa.tar.gz
cd easy-rsa-master/easyrsa3 cd easy-rsa-master/easyrsa3
./easyrsa init-pki ./easyrsa init-pki
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
./easyrsa build-client-full kubelet nopass
download-cfssl
# make the config for the signer
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
# create the kubelet client cert with the correct groups
echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${KUBE_TEMP}/cfssl/cfssl" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${KUBE_TEMP}/cfssl/cfssljson" -bare kubelet
mv "kubelet-key.pem" "pki/private/kubelet.key"
mv "kubelet.pem" "pki/issued/kubelet.crt"
rm -f "kubelet.csr"
./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || { ./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
# If there was an error in the subshell, just die. # If there was an error in the subshell, just die.
# TODO(roberthbailey): add better error handling here # TODO(roberthbailey): add better error handling here

54
cluster/gce/util.sh
View File

@ -726,6 +726,38 @@ function get-master-disk-size() {
fi fi
} }
# Downloads cfssl into ${KUBE_TEMP}/cfssl directory
#
# Assumed vars:
# KUBE_TEMP: temporary directory
#
function download-cfssl {
mkdir -p "${KUBE_TEMP}/cfssl"
pushd "${KUBE_TEMP}/cfssl"
kernel=$(uname -s)
case "${kernel}" in
Linux)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
;;
Darwin)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
;;
*)
echo "Unknown, unsupported platform: ${kernel}." >&2
echo "Supported platforms: Linux, Darwin." >&2
exit 2
esac
chmod +x cfssl
chmod +x cfssljson
popd
}
# Generates SSL certificates for etcd cluster. Uses cfssl program. # Generates SSL certificates for etcd cluster. Uses cfssl program.
# #
# Assumed vars: # Assumed vars:
@ -749,28 +781,10 @@ function create-etcd-certs {
local ca_cert=${2:-} local ca_cert=${2:-}
local ca_key=${3:-} local ca_key=${3:-}
mkdir -p "${KUBE_TEMP}/cfssl" download-cfssl
pushd "${KUBE_TEMP}/cfssl" pushd "${KUBE_TEMP}/cfssl"
kernel=$(uname -s)
case "${kernel}" in
Linux)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
;;
Darwin)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
;;
*)
echo "Unknown, unsupported platform: ${kernel}." >&2
echo "Supported platforms: Linux, Darwin." >&2
exit 2
esac
chmod +x cfssl
chmod +x cfssljson
cat >ca-config.json <<EOF cat >ca-config.json <<EOF
{ {
"signing": { "signing": {