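#!/bin/bash
#
# Generate the control-plane credentials for a Kubernetes master node:
#   - ${CA_DIR}/master-openssl.cnf, the OpenSSL config holding the
#     extension sections and the API server's SAN list
#   - ${CA_DIR}/known_tokens.csv, rebuilt from each component's *.token file
#   - keys and CA-signed certificates for kube-apiserver,
#     kube-apiserver-kubelet-client, kube-scheduler and
#     kube-controller-manager (the latter reusing sa.key)
#
# Inputs are sourced from ../config (relative to this script). It must set
# CA_DIR; the SAN list also interpolates CLUSTER_NAME, CLUSTER_DOMAIN,
# MASTERS_DOMAIN, MASTER_{1,2,3}_NAME, MASTER_{1,2,3}_IP, SERVICE_FIP and
# MASTER_LB_IP. CERT_DAYS (optional, default 20000) sets certificate lifetime.
#
# The CA (ca.crt / ca.key) and the per-component .token files and sa.key
# are expected to exist in ${CA_DIR} before this script runs.
set -eo pipefail

# NOTE(review): the script directory is stored in HOME, which shadows the
# caller's home directory for every child process (openssl, cp, tee). Kept
# unchanged because ../config may rely on $HOME — TODO confirm and rename.
HOME=$( cd "$(dirname "$0")" && pwd )

source "$HOME/../config"

: "${CA_DIR:?CA_DIR must be set by ../config}"

# Certificate lifetime in days. 20000 days (~55 years) is the historical
# default of this script; it effectively disables expiry-driven rotation,
# so deployments that rotate certificates should pass a shorter CERT_DAYS.
readonly CERT_DAYS="${CERT_DAYS:-20000}"
readonly OPENSSL_CNF="${CA_DIR}/master-openssl.cnf"

#######################################
# Write the OpenSSL request/extension config for the master certificates.
# Globals:   CA_DIR, CLUSTER_NAME, CLUSTER_DOMAIN, MASTERS_DOMAIN,
#            MASTER_{1,2,3}_NAME, MASTER_{1,2,3}_IP, SERVICE_FIP, MASTER_LB_IP
# Outputs:   ${CA_DIR}/master-openssl.cnf; the content is also echoed to
#            stdout (tee), as the original script did.
#######################################
write_openssl_config() {
  # Heredoc is unquoted on purpose: the ${...} references below are filled
  # in from the sourced config. An unset/empty variable leaves an empty
  # DNS./IP. entry, which openssl rejects at signing time.
  cat <<EOF | tee "$OPENSSL_CNF"
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_req_apiserver ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster

[ alt_names_cluster ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = ${CLUSTER_NAME}.virtual.local
DNS.6 = ${CLUSTER_NAME}-api.virtual.local
DNS.7 = ${MASTER_1_NAME}.virtual.local
DNS.8 = ${MASTER_2_NAME}.virtual.local
DNS.9 = ${MASTER_3_NAME}.virtual.local
DNS.10 = ${MASTER_1_NAME}
DNS.11 = ${MASTER_2_NAME}
DNS.12 = ${MASTER_3_NAME}
DNS.13 = ${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.14 = ${MASTER_1_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.15 = ${MASTER_2_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.16 = ${MASTER_3_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.17 = localhost
DNS.18 = ${MASTERS_DOMAIN}
IP.1 = 127.0.0.1
IP.2 = ${SERVICE_FIP}
IP.3 = ${MASTER_LB_IP}
IP.4 = ${MASTER_1_IP}
IP.5 = ${MASTER_2_IP}
IP.6 = ${MASTER_3_IP}
EOF
}

#######################################
# Rebuild known_tokens.csv from every component's .token file.
# Globals:   CA_DIR
# Outputs:   ${CA_DIR}/known_tokens.csv, one "token,user,uid" line per
#            component, created owner-readable only (tokens are bearer
#            credentials).
# Returns:   non-zero (and aborts under set -e) if a .token file is missing
#######################################
write_known_tokens() {
  local csv="${CA_DIR}/known_tokens.csv"
  local object token

  rm -f -- "$csv"
  # Create the file with mode 0600 up front; the appends below keep it.
  ( umask 077 && : >"$csv" )

  for object in admin kube-proxy kubelet kube-controller-manager kube-scheduler; do
    token=$(cat "${CA_DIR}/${object}.token") || {
      printf 'missing token file: %s\n' "${CA_DIR}/${object}.token" >&2
      return 1
    }
    printf '%s,%s,%s\n' "$token" "$object" "$object" >>"$csv"
  done
}

#######################################
# Generate a secp521r1 EC private key for a component.
# Arguments: $1 - component name; key is written to ${CA_DIR}/$1.key
# Globals:   CA_DIR
#######################################
generate_key() {
  local key="${CA_DIR}/$1.key"
  # umask 077 closes the window between openssl creating the file and the
  # chmod; the chmod is kept so a pre-existing key is tightened as well.
  ( umask 077 && openssl ecparam -name secp521r1 -genkey -noout -out "$key" )
  chmod 0600 "$key"
}

#######################################
# Create a CSR for an existing key and sign it with the cluster CA.
# Arguments: $1 - component name; uses ${CA_DIR}/$1.key, writes $1.csr and $1.crt
#            $2 - certificate subject, e.g. "/CN=kube-apiserver"
#            $3 - extensions section of master-openssl.cnf to apply when signing
#            $@ - (after the first three) extra arguments for 'openssl req';
#                 the API server passes -config so its CSR sees the SAN list
# Globals:   CA_DIR, CERT_DAYS, OPENSSL_CNF
#######################################
issue_cert() {
  local name=$1 subject=$2 extensions=$3
  shift 3
  local base="${CA_DIR}/${name}"

  openssl req -new -key "${base}.key" -subj "$subject" -out "${base}.csr" "$@"
  # -sha256 is explicit so the signature digest does not depend on the
  # OpenSSL default (SHA-1 on releases before 1.1.0).
  openssl x509 -req -sha256 -in "${base}.csr" \
    -CA "${CA_DIR}/ca.crt" -CAkey "${CA_DIR}/ca.key" -CAcreateserial \
    -out "${base}.crt" -days "$CERT_DAYS" \
    -extensions "$extensions" -extfile "$OPENSSL_CNF"
}

main() {
  write_openssl_config

  # include all known tokens into the master
  write_known_tokens

  # kube-apiserver serving cert; the CSR is built from the config so the
  # alt_names_cluster SAN list is carried into the signed certificate.
  generate_key kube-apiserver
  issue_cert kube-apiserver "/CN=kube-apiserver" v3_req_apiserver \
    -config "$OPENSSL_CNF"

  # kube-apiserver -> kubelet client cert. O=system:masters puts it in the
  # cluster-admin group, so this key must stay as protected as ca.key.
  generate_key kube-apiserver-kubelet-client
  issue_cert kube-apiserver-kubelet-client \
    "/CN=kube-apiserver-kubelet-client/O=system:masters" v3_req_client

  generate_key kube-scheduler
  issue_cert kube-scheduler "/CN=system:kube-scheduler" v3_req_client

  # kube-controller-manager reuses the service-account key (sa.key) as its
  # client key; -a preserves the source mode, chmod enforces 0600 regardless.
  cp -av "${CA_DIR}/sa.key" "${CA_DIR}/kube-controller-manager.key"
  chmod 0600 "${CA_DIR}/kube-controller-manager.key"
  issue_cert kube-controller-manager "/CN=system:kube-controller-manager" v3_req_client
}

main "$@"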