github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/cluster/mesos/docker/util-ssl.sh

121 lines
4.2 KiB
Bash
Raw Blame History

#!/bin/bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Sourcable SSL functions
set -o errexit
set -o nounset
set -o pipefail
script_dir=$(cd "$(dirname ${BASH_SOURCE})" && pwd -P)
source "${script_dir}/util-temp-dir.sh"
function cluster::mesos::docker::find_openssl_config {
for candidate in "/etc/ssl/openssl.cnf" "/System/Library/OpenSSL/openssl.cnf"; do
if [ -f "${candidate}" ]; then
echo "${candidate}"
return 0
fi
done
echo "ERROR: cannot find openssl.cnf" 1>&2
return 1
}
function cluster::mesos::docker::create_root_certificate_authority {
local certdir="$1"
openssl req -nodes -newkey rsa:2048 \
-keyout "${certdir}/root-ca.key" \
-out "${certdir}/root-ca.csr" \
-subj "/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com"
openssl x509 -req -days 3650 \
-in "${certdir}/root-ca.csr" \
-out "${certdir}/root-ca.crt" \
-signkey "${certdir}/root-ca.key"
}
# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names.
# Uses the current dir for scratch work.
function cluster::mesos::docker::create_apiserver_cert_inner {
local in_dir="$1" # must contain root-ca.crt & root-ca.key
local out_dir="$2"
local apiserver_ip="$3"
local service_ip="$4"
local workspace="$(pwd)"
mkdir -p "${out_dir}"
local OPENSSL_CNF=$(cluster::mesos::docker::find_openssl_config)
# create apiserver key and certificate sign request
local SANS="IP:${apiserver_ip},IP:${service_ip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
openssl req -nodes -newkey rsa:2048 \
-keyout "${workspace}/apiserver.key" -out "${workspace}/apiserver.csr" \
-reqexts SAN -config <(cat "${OPENSSL_CNF}"; echo -e "[SAN]\nsubjectAltName=$SANS") \
-subj "/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com"
# sign with root-ca
mkdir -p ${workspace}/demoCA/newcerts
touch ${workspace}/demoCA/index.txt
echo 1000 > ${workspace}/demoCA/serial
openssl ca -cert "${in_dir}/root-ca.crt" -keyfile "${in_dir}/root-ca.key" \
-batch -days 3650 -in "${workspace}/apiserver.csr" \
-config <(sed 's/.*\(copy_extensions = copy\)/\1/' ${OPENSSL_CNF}) >/dev/null
# check certificate for subjectAltName extension
if ! openssl x509 -in "${workspace}/demoCA/newcerts/1000.pem" -text -noout | grep -q kubernetes.default.svc.cluster.local; then
echo "ERROR: openssl failed to add subjectAltName extension" 1>&2
return 1
fi
# write to out_dir
cp "${workspace}/demoCA/newcerts/1000.pem" "${out_dir}/apiserver.crt"
cp "${workspace}/apiserver.key" "${out_dir}/"
}
# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names.
function cluster::mesos::docker::create_apiserver_cert {
local in_dir="$1" # must contain root-ca.crt & root-ca.key
local out_dir="$2"
local apiserver_ip="$3"
local service_ip="$4"
cluster::mesos::docker::run_in_temp_dir "k8sm-certs" \
"cluster::mesos::docker::create_apiserver_cert_inner" \
"${in_dir}" "${out_dir}" "${apiserver_ip}" "${service_ip}"
}
# Creates an rsa key (for signing service accounts).
function cluster::mesos::docker::create_rsa_key {
local key_file_path="$1"
openssl genrsa -out "${key_file_path}" 2048
}
# Creates a k8s token auth user file.
# See /docs/admin/authentication.md
function cluster::mesos::docker::create_token_user {
local user_name="$1"
echo "$(openssl rand -hex 32),${user_name},${user_name}"
}
# Creates a k8s basic auth user file.
# See /docs/admin/authentication.md
function cluster::mesos::docker::create_basic_user {
local user_name="$1"
local password="$2"
echo "${password},${user_name},${user_name}"
}
Reference in New Issue View Git Blame Copy Permalink