k8x/ssl/create_master.sh

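#!/bin/bash
# Generate the control-plane ("master") certificates and the known_tokens.csv
# for the cluster described in ../config. Everything is written to $CA_DIR,
# which must already contain ca.crt, ca.key, sa.key and one <component>.token
# file per entry of the token loop below.
#
# Usage: create_master.sh   (no arguments; all settings come from ../config)
set -eo pipefail

# Directory holding this script; ../config is resolved relative to it.
# NOTE(review): the original stored this in HOME, which also re-pointed $HOME
# for every child process (openssl, tee). If ../config relies on $HOME being
# this directory, that assignment has to be restored — TODO confirm.
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
# shellcheck source=/dev/null
source "$SCRIPT_DIR/../config"

# Fail early instead of writing keys into "/" when the config is incomplete.
: "${CA_DIR:?CA_DIR must be set by ../config}"

# Lifetime applied to every master certificate, in days.
# NOTE(review): 20000 days (~55 years) is far beyond usual CA policy; shorten
# once a rotation procedure exists.
readonly CERT_DAYS=20000
readonly OPENSSL_CNF="$CA_DIR/master-openssl.cnf"

#######################################
# Create a fresh secp521r1 private key that is never world-readable.
# Globals:   CA_DIR (read)
# Arguments: $1 - component name; the key is written to $CA_DIR/$1.key
# Returns:   non-zero (and, under set -e, aborts) if openssl fails
#######################################
gen_key() {
  local name=$1
  # umask 077 in a subshell closes the window in which the key would exist
  # with default permissions before the chmod below.
  (umask 077 && openssl ecparam -name secp521r1 -genkey -noout \
    -out "$CA_DIR/$name.key")
  chmod 0600 -- "$CA_DIR/$name.key"
}

#######################################
# Build a CSR for $CA_DIR/$1.key and sign it with the cluster CA.
# Globals:   CA_DIR, CERT_DAYS, OPENSSL_CNF (read)
# Arguments: $1 - component name ($1.key -> $1.csr and $1.crt)
#            $2 - X.509 subject, e.g. "/CN=system:kube-scheduler"
#            $3 - extensions section of $OPENSSL_CNF to apply when signing
#            $@ - (optional) extra arguments for the 'openssl req' step
# Returns:   non-zero (and, under set -e, aborts) if either openssl call fails
#######################################
issue_cert() {
  local name=$1 subject=$2 extensions=$3
  shift 3
  openssl req -new -key "$CA_DIR/$name.key" -subj "$subject" \
    -out "$CA_DIR/$name.csr" "$@"
  openssl x509 -req -in "$CA_DIR/$name.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -out "$CA_DIR/$name.crt" -days "$CERT_DAYS" \
    -extensions "$extensions" -extfile "$OPENSSL_CNF"
}

# OpenSSL config shared by all master certificates; tee echoes it to stdout
# as the original did. The SAN list is expanded from ../config.
tee "$OPENSSL_CNF" <<EOF
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_req_apiserver ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster
[ alt_names_cluster ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = ${CLUSTER_NAME}.virtual.local
DNS.6 = ${CLUSTER_NAME}-api.virtual.local
DNS.7 = ${MASTER_1_NAME}.virtual.local
DNS.8 = ${MASTER_2_NAME}.virtual.local
DNS.9 = ${MASTER_3_NAME}.virtual.local
DNS.10 = ${MASTER_1_NAME}
DNS.11 = ${MASTER_2_NAME}
DNS.12 = ${MASTER_3_NAME}
DNS.13 = ${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.14 = ${MASTER_1_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.15 = ${MASTER_2_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.16 = ${MASTER_3_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.17 = localhost
DNS.18 = ${MASTERS_DOMAIN}
IP.1 = 127.0.0.1
IP.2 = ${SERVICE_FIP}
IP.3 = ${MASTER_LB_IP}
IP.4 = ${MASTER_1_IP}
IP.5 = ${MASTER_2_IP}
IP.6 = ${MASTER_3_IP}
EOF

# Rebuild known_tokens.csv (token,user,uid) from the per-component token
# files. It holds bearer tokens, so it is created with key-like permissions
# rather than the default umask.
KNOWN_TOKENS="$CA_DIR/known_tokens.csv"
rm -f -- "$KNOWN_TOKENS"
(umask 077 && : > "$KNOWN_TOKENS")
for object in admin kube-proxy kubelet kube-controller-manager kube-scheduler; do
  # $(<file) strips the trailing newline exactly like the former $(cat file);
  # a missing token file aborts the script under set -e instead of writing
  # an empty token.
  token=$(<"$CA_DIR/$object.token")
  printf '%s,%s,%s\n' "$token" "$object" "$object" >> "$KNOWN_TOKENS"
done

# kube-apiserver serving certificate. Only this CSR step passes -config, as
# in the original; the SANs are applied via -extensions when signing.
gen_key kube-apiserver
issue_cert kube-apiserver "/CN=kube-apiserver" v3_req_apiserver \
  -config "$OPENSSL_CNF"

# Client certificate the apiserver presents to kubelets (system:masters).
gen_key kube-apiserver-kubelet-client
issue_cert kube-apiserver-kubelet-client \
  "/CN=kube-apiserver-kubelet-client/O=system:masters" v3_req_client

# kube-scheduler client certificate.
gen_key kube-scheduler
issue_cert kube-scheduler "/CN=system:kube-scheduler" v3_req_client

# kube-controller-manager reuses the service-account key (sa.key) instead of
# a fresh one, so the copy's permissions are tightened before signing.
cp -av -- "$CA_DIR/sa.key" "$CA_DIR/kube-controller-manager.key"
chmod 0600 -- "$CA_DIR/kube-controller-manager.key"
issue_cert kube-controller-manager "/CN=system:kube-controller-manager" \
  v3_req_client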