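#!/bin/bash
#
# Builds cryptopack.b64 next to this script: the cluster CAs (kube, helm,
# etcd, aggregator), their leaf certificates, one bearer token per control
# plane component and the service-account keypair are generated under
# ${SSL_REPO} (or copied from ${CA_DIR} when already present there), then
# packed into a gzipped tar and base64-encoded into one blob.
#
# Reads ./config, which must set CONF_DIR and may set:
#   CA_DIR      directory holding pre-existing material to reuse (optional)
#   CERT_DAYS   certificate validity in days (default 20000, as before)
#   MASTER_{1,2,3}_NAME, ETCD_{1,2,3}_IP, CLUSTER_NAME, CLUSTER_DOMAIN
#               required only when no ca-openssl.cnf is reused from CA_DIR
#
# Needs root (apt, /var/lib). The final output prints the whole pack to the
# terminal so it can be pasted on the other nodes — it contains private keys.

set -euo pipefail

SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
readonly SCRIPT_DIR
# Earlier revisions of this script used HOME for the script directory and
# ./config may still reference it; kept for compatibility.
HOME=$SCRIPT_DIR

readonly SSL_REPO=/tmp/k8x-cryptogen
readonly OUT_B64="${SCRIPT_DIR}/cryptopack.b64"
readonly OPENSSL_CNF="${SSL_REPO}/ca-openssl.cnf"
readonly EC_CURVE=secp521r1
KUBE_COMPONENTS=(kube-controller-manager kubelet kube-proxy kube-scheduler)
readonly KUBE_COMPONENTS
TOKEN_OBJECTS=(admin kubelet kube-proxy kube-controller-manager kube-scheduler)
readonly TOKEN_OBJECTS

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Move a previously built pack aside with an epoch suffix.
# Globals:  OUT_B64 (read)
#######################################
rotate_previous_pack() {
  local stamp
  if [[ -f "$OUT_B64" ]]; then
    echo "] cryptopack.b64 already generated. rebuilding..."
    stamp=$(date +%s)
    mv -v -- "$OUT_B64" "${OUT_B64}.${stamp}"
  fi
}

#######################################
# Provide the OpenSSL config used for every CA and leaf: copy it from CA_DIR
# when present, otherwise render the built-in template (echoed via tee).
# Globals:  CA_DIR, OPENSSL_CNF, MASTER_*_NAME, ETCD_*_IP, CLUSTER_NAME,
#           CLUSTER_DOMAIN (read)
#######################################
write_openssl_cnf() {
  if [[ -f "${CA_DIR}/ca-openssl.cnf" ]]; then
    cp -v -- "${CA_DIR}/ca-openssl.cnf" "$OPENSSL_CNF"
    return 0
  fi
  # An empty DNS./IP. entry yields an unusable etcd certificate (or an
  # openssl parse error much later), so fail here with a clear message.
  : "${MASTER_1_NAME:?}" "${MASTER_2_NAME:?}" "${MASTER_3_NAME:?}" \
    "${CLUSTER_NAME:?}" "${CLUSTER_DOMAIN:?}" \
    "${ETCD_1_IP:?}" "${ETCD_2_IP:?}" "${ETCD_3_IP:?}"
  tee "$OPENSSL_CNF" <<EOF
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

[ v3_req_helm ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ v3_req_etcd ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_etcd

[ alt_names_etcd ]
DNS.1 = ${MASTER_1_NAME}
DNS.2 = ${MASTER_2_NAME}
DNS.3 = ${MASTER_3_NAME}
DNS.4 = ${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.5 = ${MASTER_1_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.6 = ${MASTER_2_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.7 = ${MASTER_3_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
IP.1 = ${ETCD_1_IP}
IP.2 = ${ETCD_2_IP}
IP.3 = ${ETCD_3_IP}
EOF
}

#######################################
# Provide the bearer token file for one object.
# Arguments: $1 - object name (file stem)
# Globals:   CA_DIR, SSL_REPO (read)
#######################################
ensure_token() {
  local name=$1
  local out="${SSL_REPO}/${name}.token"
  if [[ -f "${CA_DIR}/${name}.token" ]]; then
    cp -v -- "${CA_DIR}/${name}.token" "$out"
  else
    # 128 random bytes, base64 with the non-alphanumerics stripped, capped at
    # 256 bytes as before (head reads the whole pipe, unlike a single dd read).
    dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 -w 0 | tr -d '=+/' \
      | head -c 256 > "$out"
  fi
  # Tokens are credentials: never leave them world-readable.
  chmod 0600 -- "$out"
}

#######################################
# Provide a self-signed EC certificate authority.
# Arguments: $1 - file stem (e.g. etcd-ca), $2 - CN
# Globals:   CA_DIR, SSL_REPO, EC_CURVE, CERT_DAYS, OPENSSL_CNF (read)
#######################################
ensure_ca() {
  local stem=$1 cn=$2
  local key="${SSL_REPO}/${stem}.key"
  local crt="${SSL_REPO}/${stem}.crt"
  if [[ -f "${CA_DIR}/${stem}.key" && -f "${CA_DIR}/${stem}.crt" ]]; then
    cp -v -- "${CA_DIR}/${stem}.key" "$key"
    cp -v -- "${CA_DIR}/${stem}.crt" "$crt"
  else
    openssl ecparam -name "$EC_CURVE" -genkey -noout -out "$key"
    openssl req -x509 -new -nodes -key "$key" -days "$CERT_DAYS" -out "$crt" \
      -subj "/CN=${cn}" -extensions v3_ca -config "$OPENSSL_CNF"
  fi
  chmod 0600 -- "$key"
}

#######################################
# Provide a leaf certificate signed by one of the CAs in SSL_REPO.
# Arguments: $1 - file stem, $2 - CN, $3 - CA stem, $4 - x509 extension section
# Globals:   CA_DIR, SSL_REPO, EC_CURVE, CERT_DAYS, OPENSSL_CNF (read)
#######################################
ensure_cert() {
  local stem=$1 cn=$2 ca=$3 ext=$4
  local key="${SSL_REPO}/${stem}.key"
  local csr="${SSL_REPO}/${stem}.csr"
  local crt="${SSL_REPO}/${stem}.crt"
  if [[ -f "${CA_DIR}/${stem}.key" && -f "${CA_DIR}/${stem}.crt" ]]; then
    cp -v -- "${CA_DIR}/${stem}.key" "$key"
    cp -v -- "${CA_DIR}/${stem}.crt" "$crt"
    # The CSR is not needed to reuse a key/cert pair; a missing one used to
    # be a harmless cp warning and must not abort the run under set -e.
    if [[ -f "${CA_DIR}/${stem}.csr" ]]; then
      cp -v -- "${CA_DIR}/${stem}.csr" "$csr"
    fi
  else
    openssl ecparam -name "$EC_CURVE" -genkey -noout -out "$key"
    openssl req -new -key "$key" -subj "/CN=${cn}" -out "$csr"
    openssl x509 -req -in "$csr" \
      -CA "${SSL_REPO}/${ca}.crt" -CAkey "${SSL_REPO}/${ca}.key" -CAcreateserial \
      -out "$crt" -days "$CERT_DAYS" -extensions "$ext" -extfile "$OPENSSL_CNF"
  fi
  chmod 0600 -- "$key"
}

#######################################
# Provide the service-account signing key and its public half.
# Globals:   CA_DIR, SSL_REPO, EC_CURVE (read)
#######################################
ensure_sa_keypair() {
  local key="${SSL_REPO}/sa.key"
  local pub="${SSL_REPO}/sa.pub"
  if [[ -f "${CA_DIR}/sa.key" && -f "${CA_DIR}/sa.pub" ]]; then
    cp -v -- "${CA_DIR}/sa.key" "$key"
    cp -v -- "${CA_DIR}/sa.pub" "$pub"
  else
    openssl ecparam -name "$EC_CURVE" -genkey -noout -out "$key"
    openssl ec -in "$key" -outform PEM -pubout -out "$pub"
  fi
  chmod 0600 -- "$key"
}

#######################################
# Tar+gzip SSL_REPO, base64 it into OUT_B64 and remove the staging files.
# The archive keeps the absolute ${SSL_REPO} paths, as consumers expect.
# Globals:   SCRIPT_DIR, SSL_REPO, OUT_B64 (read)
#######################################
pack_cryptopack() {
  local tarball="${SCRIPT_DIR}/cryptopack.tar"
  # Everything here contains private keys: create the intermediates and the
  # final blob owner-only from the start rather than chmod'ing afterwards.
  (
    umask 077
    tar cvf "$tarball" "${SSL_REPO}"/*
    gzip -9 -- "$tarball"
    base64 -w 0 < "${tarball}.gz" > "$OUT_B64"
  )
  rm -f -- "${tarball}.gz"
  rm -rf -- "${SSL_REPO:?}"
}

main() {
  echo "... ] BUILDING THE CRYPTOPACK.B64 FILE [ ..."

  [[ -f "${SCRIPT_DIR}/config" ]] || die "missing ${SCRIPT_DIR}/config"
  # shellcheck source=/dev/null
  source "${SCRIPT_DIR}/config"
  : "${CONF_DIR:?must be set in config}"
  CA_DIR=${CA_DIR:-}          # empty: nothing to reuse, generate everything
  CERT_DAYS=${CERT_DAYS:-20000}

  apt update -q
  apt install -y sharutils openssl

  # Fixed /tmp path (not mktemp) because the archive layout depends on it;
  # drop anything stale so an old run cannot leak into this pack, and keep
  # the staging dir owner-only while keys sit in it.
  rm -rf -- "${SSL_REPO:?}"
  mkdir -p -m 0700 -- "$SSL_REPO"
  local component
  for component in "${KUBE_COMPONENTS[@]}"; do
    mkdir -p -- "${CONF_DIR}/${component}" "/var/lib/${component}"
  done

  rotate_previous_pack
  write_openssl_cnf

  local object
  for object in "${TOKEN_OBJECTS[@]}"; do
    ensure_token "$object"
  done

  printf '\n] generating certificate authorities...'
  ensure_ca ca kubernetes-ca
  ensure_ca helm-ca helm-ca
  ensure_ca etcd-ca etcd-ca
  ensure_ca aggregator-ca aggregator-ca

  printf '\n] generating certificates...'
  ensure_cert etcd etcd etcd-ca v3_req_etcd
  ensure_cert etcd-peer etcd-peer etcd-ca v3_req_etcd
  ensure_cert tiller tiller helm-ca v3_req_helm
  ensure_cert helm helm helm-ca v3_req_helm
  # The aggregator proxy reuses the helm section (serverAuth+clientAuth, no SAN).
  ensure_cert aggregator aggregator aggregator-ca v3_req_helm

  printf '\n] generating root service account keypair...'
  ensure_sa_keypair

  printf '\n] packing the crypto files...'
  pack_cryptopack

  clear
  echo "exec the following command on the rest of the nodes to distribute the keys"
  echo
  # This deliberately prints the whole pack (private keys included) for
  # copy-paste distribution; it will land in terminal scrollback.
  local packdata
  packdata=$(<"$OUT_B64")
  echo "echo \"${packdata}\" > cryptopack.b64"
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi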