#cloud-config write_files: - path: /etc/systemd/system/make-cert.service owner: "root:root" permissions: "0644" content: | [Unit] Description=Make TLS certificates [Service] Type=oneshot EnvironmentFile=/etc/sysconfig/heat-params ExecStart=/etc/sysconfig/make-cert.sh [Install] WantedBy=multi-user.target - path: /etc/sysconfig/make-cert.sh owner: "root:root" permissions: "0755" content: | #!/bin/bash # Parse the JSON response that contains the TLS certificate, and print # out the certificate content. function parse_json_response { json_response=$1 # {..,"pem": "ABCD",..} -> ABCD key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/') # decode newline characters key=$(echo "$key" | sed 's/\\n/\n/g') echo "$key" } set -o errexit set -o nounset set -o pipefail if [ "$TLS_DISABLED" == "True" ]; then exit 0 fi if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) fi if [[ -z "${KUBE_NODE_IP}" ]]; then KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) fi sans="IP:${KUBE_NODE_PUBLIC_IP},IP:${KUBE_NODE_IP}" if [ "${KUBE_NODE_PUBLIC_IP}" != "${KUBE_API_PUBLIC_ADDRESS}" ] \ && [ -n "${KUBE_API_PUBLIC_ADDRESS}" ]; then sans="${sans},IP:${KUBE_API_PUBLIC_ADDRESS}" fi if [ "${KUBE_NODE_IP}" != "${KUBE_API_PRIVATE_ADDRESS}" ] \ && [ -n "${KUBE_API_PRIVATE_ADDRESS}" ]; then sans="${sans},IP:${KUBE_API_PRIVATE_ADDRESS}" fi MASTER_HOSTNAME=${MASTER_HOSTNAME:-} if [[ -n "${MASTER_HOSTNAME}" ]]; then sans="${sans},DNS:${MASTER_HOSTNAME}" fi sans="${sans},IP:127.0.0.1" KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}') sans="${sans},IP:${KUBE_SERVICE_IP}" cert_conf_dir=${KUBE_CERTS_PATH}/conf mkdir -p ${cert_conf_dir} CA_CERT=${KUBE_CERTS_PATH}/ca.pem SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem #Get a token by user credentials and trust cat > auth.json << EOF { "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "id": "$TRUSTEE_USER_ID", "password": "$TRUSTEE_PASSWORD" } } } } } EOF USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \ $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'` rm -rf auth.json # Get CA certificate for this cluster ca_cert_json=$(curl -k -X GET \ -H "X-Auth-Token: $USER_TOKEN" \ -H "OpenStack-API-Version: container-infra latest" \ $MAGNUM_URL/certificates/$CLUSTER_UUID) parse_json_response "${ca_cert_json}" > ${CA_CERT} # Create config for server's csr cat > ${cert_conf_dir}/openssl.cnf < ${SERVER_CERT} chmod 600 ${KUBE_CERTS_PATH}/*-key.pem # Certs will also be used by etcd service chown -R etcd:etcd ${KUBE_CERTS_PATH}