Member "magnum-8.2.0/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh" (6 Dec 2019, 4143 Bytes) of package /linux/misc/openstack/magnum-8.2.0.tar.gz:



    1 #!/bin/sh
    2 
    3 # Copyright 2014 The Kubernetes Authors All rights reserved.
    4 #
    5 # Licensed under the Apache License, Version 2.0 (the "License");
    6 # you may not use this file except in compliance with the License.
    7 # You may obtain a copy of the License at
    8 #
    9 #     http://www.apache.org/licenses/LICENSE-2.0
   10 #
   11 # Unless required by applicable law or agreed to in writing, software
   12 # distributed under the License is distributed on an "AS IS" BASIS,
   13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   14 # See the License for the specific language governing permissions and
   15 # limitations under the License.
   16 
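# Cluster parameters written by Heat: TLS_DISABLED, VERIFY_CA, KUBE_NODE_IP,
# TRUSTEE_USER_ID/TRUSTEE_PASSWORD, AUTH_URL, MAGNUM_URL, CLUSTER_UUID,
# INSTANCE_NAME are all expected to come from this file. It is sourced
# before nounset is switched on, so a missing variable is only detected
# at the point where it is first expanded below.
. /etc/sysconfig/heat-params

# NOTE(review): the shebang is /bin/sh but the script relies on features
# not every sh provides (set -o pipefail, the `function` keyword further
# down); it assumes /bin/sh is bash on the node image.
set -o errexit
set -o nounset
set -o pipefail

# Nothing to generate when the cluster runs without TLS.
if [ "$TLS_DISABLED" = "True" ]; then
    exit 0
fi

# VERIFY_CA becomes a curl flag: empty means verify the server certificate,
# "-k" means accept any certificate from Keystone and Magnum. With "-k" the
# trustee password and the resulting token are sent to whoever answers at
# AUTH_URL / MAGNUM_URL, so this should only be off when the node has no
# usable CA bundle for those endpoints.
if [ "$VERIFY_CA" = "True" ]; then
    VERIFY_CA=""
else
    VERIFY_CA="-k"
fi

# Fall back to the metadata service for the node address when Heat did not
# pass one (":-" keeps this from tripping nounset if the variable is absent).
# -f makes a non-2xx reply fail the assignment -- and the script, via
# errexit -- instead of storing an error page as the IP that ends up in the
# kubelet certificate's SubjectAltName.
if [ -z "${KUBE_NODE_IP:-}" ]; then
    KUBE_NODE_IP=$(curl -sf http://169.254.169.254/latest/meta-data/local-ipv4)
fi

cert_dir=/etc/kubernetes/certs

mkdir -p "$cert_dir"

# Cluster CA certificate; fetched from Magnum in generate_certificates.
CA_CERT=$cert_dir/ca.crt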
   42 
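# generate_certificates NAME CONF
#
# Creates a 4096-bit RSA key and a CSR for NAME using the openssl req config
# CONF, asks Magnum to sign the CSR with the cluster CA, and writes
#   $cert_dir/NAME.key   private key (mode 400 as soon as it exists)
#   $cert_dir/NAME.csr   the signing request
#   $cert_dir/NAME.crt   the signed certificate
#   $CA_CERT             the cluster CA certificate (rewritten on every call)
# Magnum is called with a Keystone token obtained by password auth as the
# trustee user from heat-params.
# Globals read: cert_dir CA_CERT VERIFY_CA AUTH_URL MAGNUM_URL CLUSTER_UUID
#               TRUSTEE_USER_ID TRUSTEE_PASSWORD
# Any failing step aborts the whole script (errexit + pipefail); a token
# request that yields no X-Subject-Token returns 1 with a message on stderr.
generate_certificates() {
    local _CERT=$cert_dir/${1}.crt
    local _CSR=$cert_dir/${1}.csr
    local _KEY=$cert_dir/${1}.key
    local _CONF=$2
    local auth_json content_type url USER_TOKEN csr_req

    # Build the password-auth body with json.dumps so a password containing
    # quotes or backslashes can neither break nor alter the JSON. The
    # credentials reach python through its environment rather than argv, so
    # they are not visible in `ps`. print(...) works on python 2 and 3.
    auth_json=$(TRUSTEE_USER_ID="$TRUSTEE_USER_ID" TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD" \
        python -c 'import json, os; print(json.dumps({"auth": {"identity": {"methods": ["password"], "password": {"user": {"id": os.environ["TRUSTEE_USER_ID"], "password": os.environ["TRUSTEE_PASSWORD"]}}}}}))')

    content_type='Content-Type: application/json'
    url="$AUTH_URL/auth/tokens"
    # The body goes to curl on stdin (--data-binary @-) instead of on the
    # command line, again keeping the trustee password out of the process
    # table. -f turns an HTTP error (e.g. 401) into a curl failure so the
    # pipeline fails instead of silently producing an empty token.
    # $VERIFY_CA is deliberately unquoted: it is either empty or "-k".
    # shellcheck disable=SC2086
    USER_TOKEN=$(printf '%s' "$auth_json" \
        | curl $VERIFY_CA -sS -f -i -X POST -H "$content_type" --data-binary @- "$url" \
        | grep -i X-Subject-Token | awk '{print $2}' | tr -d '[:space:]')
    if [ -z "$USER_TOKEN" ]; then
        printf '%s\n' "generate_certificates: no X-Subject-Token returned by $url" >&2
        return 1
    fi
    # NOTE(review): the token is still handed to curl via -H on argv and is
    # therefore readable by other local processes while each request runs.
    # It is short-lived and scoped to the trustee; a curl config read from
    # stdin (-K -) would avoid the exposure entirely.

    # Get the CA certificate for this cluster.
    # shellcheck disable=SC2086
    curl $VERIFY_CA -sS -f -X GET \
        -H "X-Auth-Token: $USER_TOKEN" \
        -H "OpenStack-API-Version: container-infra latest" \
        "$MAGNUM_URL/certificates/$CLUSTER_UUID" \
        | python -c 'import sys, json; print(json.load(sys.stdin)["pem"])' > "$CA_CERT"

    # Generate the client's private key and CSR; the key is locked down
    # before anything else touches it.
    openssl genrsa -out "${_KEY}" 4096
    chmod 400 "${_KEY}"
    # -days only affects self-signed (-x509) output; the lifetime of the
    # resulting certificate is decided by the Magnum CA when it signs.
    openssl req -new -days 1000 \
            -key "${_KEY}" \
            -out "${_CSR}" \
            -reqexts req_ext \
            -config "${_CONF}"

    # Send the CSR to Magnum to have it signed. The CSR path and the cluster
    # UUID are passed to python as arguments rather than spliced into its
    # source text.
    csr_req=$(python -c 'import json, sys; fp = open(sys.argv[1]); print(json.dumps({"cluster_uuid": sys.argv[2], "csr": fp.read()})); fp.close()' "${_CSR}" "$CLUSTER_UUID")
    # shellcheck disable=SC2086
    curl $VERIFY_CA -sS -f -X POST \
        -H "X-Auth-Token: $USER_TOKEN" \
        -H "OpenStack-API-Version: container-infra latest" \
        -H "Content-Type: application/json" \
        -d "$csr_req" \
        "$MAGNUM_URL/certificates" \
        | python -c 'import sys, json; print(json.load(sys.stdin)["pem"])' > "${_CERT}"
}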
   97 
   98 #Kubelet Certs
   99 HOSTNAME=$(cat /etc/hostname | head -1)
  100 
  101 cat > ${cert_dir}/kubelet.conf <<EOF
  102 [req]
  103 distinguished_name = req_distinguished_name
  104 req_extensions     = req_ext
  105 prompt = no
  106 [req_distinguished_name]
  107 CN = system:node:${INSTANCE_NAME}
  108 O=system:nodes
  109 OU=OpenStack/Magnum
  110 C=US
  111 ST=TX
  112 L=Austin
  113 [req_ext]
  114 subjectAltName = IP:${KUBE_NODE_IP},DNS:${INSTANCE_NAME},DNS:${HOSTNAME}
  115 keyUsage=critical,digitalSignature,keyEncipherment
  116 extendedKeyUsage=clientAuth,serverAuth
  117 EOF
  118 
  119 #kube-proxy Certs
  120 cat > ${cert_dir}/proxy.conf <<EOF
  121 [req]
  122 distinguished_name = req_distinguished_name
  123 req_extensions     = req_ext
  124 prompt = no
  125 [req_distinguished_name]
  126 CN = system:kube-proxy
  127 O=system:node-proxier
  128 OU=OpenStack/Magnum
  129 C=US
  130 ST=TX
  131 L=Austin
  132 [req_ext]
  133 keyUsage=critical,digitalSignature,keyEncipherment
  134 extendedKeyUsage=clientAuth
  135 EOF
  136 
  137 generate_certificates kubelet ${cert_dir}/kubelet.conf
  138 generate_certificates proxy ${cert_dir}/proxy.conf
  139 
  140 # Common certs and key are created for both etcd and kubernetes services.
  141 # Both etcd and kube user should have permission to access the certs and key.
  142 groupadd kube_etcd
  143 usermod -a -G kube_etcd etcd
  144 usermod -a -G kube_etcd kube
  145 chmod 550 "${cert_dir}"
  146 chown -R kube:kube_etcd "${cert_dir}"
  147 chmod 440 ${cert_dir}/kubelet.key
  148 chmod 440 ${cert_dir}/proxy.key