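#!/bin/bash
#
# Generate the per-node TLS material for a Kubernetes worker: a kubelet
# certificate and a kube-proxy client certificate, both signed by the
# cluster CA found in ${CA_DIR}.
#
# Reads (sourced from ../config relative to this script):
#   CA_DIR           directory holding ca.crt / ca.key; all output goes here
#   NODE_NAME        full node name (DNS.1 SAN)
#   NODE_NAME_SHORT  short node name (kubelet CN and further SANs)
#   CLUSTER_NAME, CLUSTER_DOMAIN
#   NODE_IP          node address (IP.1 SAN)
# Optional (environment):
#   CERT_DAYS        certificate lifetime in days; defaults to 20000 as before
#
# Writes into ${CA_DIR}: node-openssl.cnf, kubelet.{key,csr,crt},
# kube-proxy.{key,csr,crt}. Private keys are created mode 0600.
set -euo pipefail

# Directory this script lives in. The original stored this in HOME, which
# clobbers the real home directory for every tool run afterwards (openssl,
# for one, looks for ~/.rnd); keep HOME untouched and use a private name.
# NOTE(review): if ../config relied on $HOME being the script directory, it
# must be adapted — confirm against that file.
SCRIPT_DIR=$( cd "$(dirname "$0")" && pwd )
readonly SCRIPT_DIR

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# shellcheck disable=SC1091
source "${SCRIPT_DIR}/../config"

# Fail early with a clear message instead of writing files under an empty
# path or issuing a certificate with empty SANs.
: "${CA_DIR:?CA_DIR must be set in config}"
: "${NODE_NAME:?NODE_NAME must be set in config}"
: "${NODE_NAME_SHORT:?NODE_NAME_SHORT must be set in config}"
: "${CLUSTER_NAME:?CLUSTER_NAME must be set in config}"
: "${CLUSTER_DOMAIN:?CLUSTER_DOMAIN must be set in config}"
: "${NODE_IP:?NODE_IP must be set in config}"
[[ -f "${CA_DIR}/ca.crt" && -f "${CA_DIR}/ca.key" ]] \
  || die "CA material not found in ${CA_DIR} (need ca.crt and ca.key)"

# Lifetime of the issued certificates. 20000 days (~55 years) is the
# historical value of this script; a short lifetime with rotation is the
# safer choice, so it is overridable from the environment.
CERT_DAYS=${CERT_DAYS:-20000}
readonly CERT_DAYS

#DOCKER_IP=$(ip addr show dev docker0 | grep 'inet ' | cut -d: -f2 | awk '{print $2}' | cut -d '/' -f 1)

# Request extensions shared by both certificates: the node's names and
# address as SANs. tee keeps the original behaviour of echoing the config
# to stdout.
cat <<EOF | tee "${CA_DIR}/node-openssl.cnf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${NODE_NAME}
DNS.2 = ${NODE_NAME_SHORT}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.3 = ${NODE_NAME_SHORT}
DNS.4 = ${NODE_NAME_SHORT}.virtual.local
IP.1 = ${NODE_IP}
EOF
#IP.2 = ${DOCKER_IP}

#######################################
# Generate a secp521r1 key, a CSR and a CA-signed certificate for one
# component. Both components below go through exactly the same steps.
# Arguments: $1 - base filename (kubelet, kube-proxy)
#            $2 - CSR subject, e.g. "/CN=.../O=..."
# Globals:   CA_DIR, CERT_DAYS (read)
# Outputs:   ${CA_DIR}/$1.key (mode 0600), ${CA_DIR}/$1.csr, ${CA_DIR}/$1.crt
# Returns:   non-zero (and aborts under set -e) if any openssl step fails
#######################################
issue_cert() {
  local name=$1
  local subject=$2
  local key="${CA_DIR}/${name}.key"
  local csr="${CA_DIR}/${name}.csr"
  local crt="${CA_DIR}/${name}.crt"
  local cnf="${CA_DIR}/node-openssl.cnf"

  # The original created the key with the default umask and chmod'ed it
  # afterwards, leaving a window where it could be world-readable. A 077
  # umask in a subshell makes the key owner-only from creation without
  # changing the mode of the .csr/.crt written below; the chmod keeps the
  # documented 0600 even if the file already existed.
  (umask 077 && openssl ecparam -name secp521r1 -genkey -noout -out "$key")
  chmod 0600 -- "$key"

  openssl req -new -key "$key" -subj "$subject" -out "$csr" -config "$cnf"
  openssl x509 -req -in "$csr" \
    -CA "${CA_DIR}/ca.crt" -CAkey "${CA_DIR}/ca.key" -CAcreateserial \
    -out "$crt" -days "$CERT_DAYS" -extensions v3_req -extfile "$cnf"
}

#generate cert for kubelet
# The CN carries the system:node: prefix and O=system:nodes; whether the
# short name or the FQDN form (the commented alternative) has to match the
# name the kubelet registers under is not visible from here — confirm
# against the node registration before changing it.
#openssl req -new -key $CA_DIR/kubelet.key -subj "/CN=system:node:${NODE_NAME_SHORT}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}/O=system:nodes" -out $CA_DIR/kubelet.csr -config ${CA_DIR}/node-openssl.cnf
issue_cert kubelet "/CN=system:node:${NODE_NAME_SHORT}/O=system:nodes"

#generate cert for kube-proxy
issue_cert kube-proxy "/CN=system:kube-proxy/O=system:node-proxier"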