Make server.key/client.key as private in k8s node

At this time, server.key and client.key, which are used by
the Kubernetes-related daemons, are readable. These keys should
be private.

Change-Id: I52232001f6983845f8d7de75486fe5672a57949a
Closes-Bug: #1515844
changes/69/244969/2
OTSUKA, Yuanying 7 years ago
parent 58cbafdc87
commit 5b83aa1e12
  1. 4
      magnum/templates/kubernetes/fragments/make-cert-client.sh
  2. 4
      magnum/templates/kubernetes/fragments/make-cert.sh

@ -61,6 +61,7 @@ EOF
# Generate client's private key and csr
openssl genrsa -out "${CLIENT_KEY}" 4096
chmod 400 "${CLIENT_KEY}"
openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
@ -75,6 +76,9 @@ curl -X POST \
-d "$csr_req" \
$MAGNUM_URL/certificates | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CLIENT_CERT}
chmod 500 "${cert_dir}"
chown -R kube:kube "${cert_dir}"
sed -i '
s|CA_CERT|'"$CA_CERT"'|
s|CLIENT_CERT|'"$CLIENT_CERT"'|
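Review bot: In the first hunk the key file exists with its creation-time mode until `chmod 400 "${CLIENT_KEY}"` runs, because `openssl genrsa -out` creates the file first and the mode is only tightened afterwards; unless the OpenSSL build already writes private keys owner-only, that initial mode comes from the process umask. Creating the key under a restrictive umask closes the gap, e.g. `(umask 077 && openssl genrsa -out "${CLIENT_KEY}" 4096)`, with the `chmod 400` kept as the final mode. The same pattern appears for `"${SERVER_KEY}"` in make-cert.sh. The script starts and continues outside the hunk, so a umask set earlier in the file would not be visible here.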

@ -63,6 +63,7 @@ EOF
# Generate server's private key and csr
openssl genrsa -out "${SERVER_KEY}" 4096
chmod 400 "${SERVER_KEY}"
openssl req -new -days 1000 \
-key "${SERVER_KEY}" \
-out "${SERVER_CSR}" \
@ -76,3 +77,6 @@ curl -X POST \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${SERVER_CERT}
chmod 500 "${cert_dir}"
chown -R kube:kube "${cert_dir}"
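Review bot: `chmod 500 "${cert_dir}"` and `chown -R kube:kube "${cert_dir}"` run only after the CSR has been posted to `$MAGNUM_URL` and the certificate written, so the directory keeps its earlier mode and owner for the whole network round trip. Where `cert_dir` is created is outside this hunk; if it is made with default permissions, restricting it right after creation (for example `chmod 700 "${cert_dir}"`) and keeping these two lines as the final hand-over to kube would mean the key is never reachable through a directory other users can traverse. A short comment above the two lines would also help, such as `# Lock the cert directory down to the kube user; keys inside are mode 400`. The second hunk of make-cert-client.sh has the same ordering.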
