k8x/ssl/create_worker.sh
2024-05-18 04:45:52 +03:00


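#!/bin/bash
#
# Issue the certificates for one Kubernetes worker node, signed by the cluster
# CA found in ${CA_DIR}:
#   - kubelet     CN=system:node:<NODE_NAME_SHORT>  O=system:nodes
#   - kube-proxy  CN=system:kube-proxy              O=system:node-proxier
#
# Read from ../config (relative to this script) or the environment:
#   CA_DIR, NODE_NAME, NODE_NAME_SHORT, CLUSTER_NAME, CLUSTER_DOMAIN, NODE_IP
# Optional:
#   WORKER_CERT_DAYS  certificate lifetime in days (default 20000)
#
# Writes into ${CA_DIR}: node-openssl.cnf, kubelet.{key,csr,crt},
# kube-proxy.{key,csr,crt}; openssl's -CAcreateserial may also create the CA
# serial file.
#
# NOTE(review): signing needs ${CA_DIR}/ca.key, so this has to run wherever the
# CA private key lives. Only the resulting leaf key/cert pairs should be
# distributed to the worker - confirm the provisioning flow does not copy
# ca.key along with them.

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# NOTE(review): this reuses the name HOME for the script directory, which
# shadows the user's home directory for every child process if HOME is
# exported (it normally is). Kept as-is because the sourced config may refer
# to $HOME; a dedicated variable name would be safer.
HOME=$( cd "$(dirname "$0")" && pwd ) || die "cannot resolve script directory"

# The config is executed as shell code; it must be trusted and not writable by
# other users.
[[ -r "$HOME/../config" ]] || die "config not readable: $HOME/../config"
# shellcheck source=/dev/null
source "$HOME/../config"

# Strict mode is enabled only after the config has been sourced so that the
# config itself keeps running under the shell options it was written for.
set -euo pipefail

# Fail early instead of emitting a certificate with empty SAN entries or
# writing key material relative to "/".
: "${CA_DIR:?CA_DIR must be set}"
: "${NODE_NAME:?NODE_NAME must be set}"
: "${NODE_NAME_SHORT:?NODE_NAME_SHORT must be set}"
: "${CLUSTER_NAME:?CLUSTER_NAME must be set}"
: "${CLUSTER_DOMAIN:?CLUSTER_DOMAIN must be set}"
: "${NODE_IP:?NODE_IP must be set}"

[[ -r "${CA_DIR}/ca.crt" ]] || die "CA certificate not readable: ${CA_DIR}/ca.crt"
[[ -r "${CA_DIR}/ca.key" ]] || die "CA key not readable: ${CA_DIR}/ca.key"

# 20000 days is roughly 54 years: a leaked worker key stays valid for the
# whole period unless the CA is replaced, because Kubernetes does not consult
# CRLs for client certificates. The default is unchanged for compatibility;
# set WORKER_CERT_DAYS to something much shorter and rotate.
WORKER_CERT_DAYS=${WORKER_CERT_DAYS:-20000}
[[ "$WORKER_CERT_DAYS" =~ ^[0-9]+$ ]] || die "WORKER_CERT_DAYS must be a positive integer"

readonly NODE_CNF="${CA_DIR}/node-openssl.cnf"

#DOCKER_IP=$(ip addr show dev docker0 | grep 'inet ' | cut -d: -f2 | awk '{print $2}' | cut -d '/' -f 1)

# Request/extension config shared by both certificates. tee also echoes the
# generated config to stdout, as the original script did.
# NOTE(review): the v3_req section carries no extendedKeyUsage, and
# keyEncipherment has no meaning for an EC key - consider tightening.
tee -- "$NODE_CNF" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${NODE_NAME}
DNS.2 = ${NODE_NAME_SHORT}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.3 = ${NODE_NAME_SHORT}
DNS.4 = ${NODE_NAME_SHORT}.virtual.local
IP.1 = ${NODE_IP}
EOF
#IP.2 = ${DOCKER_IP}

#######################################
# Generate a P-521 key, a CSR and a CA-signed certificate.
# Globals:   CA_DIR, NODE_CNF, WORKER_CERT_DAYS (read)
# Arguments: $1 - base file name inside CA_DIR (e.g. kubelet)
#            $2 - certificate subject in openssl -subj syntax
# Outputs:   ${CA_DIR}/$1.key, $1.csr, $1.crt
#######################################
issue_cert() {
  local name=$1 subject=$2
  local key="${CA_DIR}/${name}.key"
  local csr="${CA_DIR}/${name}.csr"
  local crt="${CA_DIR}/${name}.crt"

  # Create the key under a restrictive umask so it is never readable by other
  # users, not even between creation and the chmod below. The subshell keeps
  # the umask from affecting the .csr/.crt files.
  ( umask 077 && openssl ecparam -name secp521r1 -genkey -noout -out "$key" )
  # Still needed: a pre-existing key file keeps its old mode when overwritten.
  chmod 0600 -- "$key"

  openssl req -new -key "$key" -subj "$subject" -out "$csr" -config "$NODE_CNF"
  openssl x509 -req -in "$csr" \
    -CA "${CA_DIR}/ca.crt" -CAkey "${CA_DIR}/ca.key" -CAcreateserial \
    -out "$crt" -days "$WORKER_CERT_DAYS" \
    -extensions v3_req -extfile "$NODE_CNF"
}

#generate cert for kubelet
# Alternative subject using the fully qualified node name (disabled):
#   /CN=system:node:${NODE_NAME_SHORT}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}/O=system:nodes
issue_cert kubelet "/CN=system:node:${NODE_NAME_SHORT}/O=system:nodes"

#generate cert for kube-proxy
# NOTE(review): kube-proxy is signed with the same extension file, so its
# certificate also carries the node's DNS/IP SANs although it is only used as
# a client identity.
issue_cert kube-proxy "/CN=system:kube-proxy/O=system:node-proxier"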