
make-cert.sh 3.9KB

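#!/bin/sh
# Copyright 2014 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# make-cert.sh — provision this node's TLS identity for kube-apiserver and etcd:
#   1. collect the addresses the certificate must be valid for (SANs),
#   2. obtain a Keystone token for the cluster's trustee user,
#   3. fetch the cluster CA certificate from Magnum,
#   4. generate an RSA key and CSR locally and have Magnum's CA sign the CSR,
#   5. install ca.crt / server.crt / server.key under /srv/kubernetes so that
#      the kube user (owner) and the etcd user (group kube_etcd) can read them.
#
# Inputs, sourced from /etc/sysconfig/heat-params: TLS_DISABLED,
# KUBE_NODE_PUBLIC_IP, KUBE_NODE_IP, KUBE_API_PUBLIC_ADDRESS,
# KUBE_API_PRIVATE_ADDRESS, MASTER_HOSTNAME, AUTH_URL, MAGNUM_URL,
# CLUSTER_UUID, TRUSTEE_USER_ID, TRUSTEE_PASSWORD.
# Optional: VERIFY_CA=True makes curl verify the TLS certificates of the
# Keystone and Magnum endpoints; any other value (or unset) keeps the historical
# behaviour of skipping verification (curl -k).
#
# Any failure exits non-zero; the caller must treat that as fatal because
# kube/etcd cannot start without these files.
. /etc/sysconfig/heat-params
set -o errexit
set -o nounset
set -o pipefail

# Print a diagnostic on stderr and abort.
die() {
    printf 'make-cert.sh: %s\n' "$*" >&2
    exit 1
}

# Nothing to do for clusters created with TLS disabled.
if [ "${TLS_DISABLED:-}" = "True" ]; then
    exit 0
fi

# --- Required inputs ---------------------------------------------------------
: "${AUTH_URL:?AUTH_URL must be set in heat-params}"
: "${MAGNUM_URL:?MAGNUM_URL must be set in heat-params}"
: "${CLUSTER_UUID:?CLUSTER_UUID must be set in heat-params}"
: "${TRUSTEE_USER_ID:?TRUSTEE_USER_ID must be set in heat-params}"
: "${TRUSTEE_PASSWORD:?TRUSTEE_PASSWORD must be set in heat-params}"

# --- TLS verification towards Keystone / Magnum ------------------------------
# This script has always passed -k.  Keep that as the default so deployments
# with self-signed endpoints keep working, but let VERIFY_CA=True turn it off.
if [ "${VERIFY_CA:-False}" = "True" ]; then
    curl_tls_opt=""
else
    # SECURITY: with -k the trustee password (sent below) and the CA/server
    # certificates returned by Magnum are exposed to an on-path attacker who
    # can impersonate the endpoints.  Set VERIFY_CA=True wherever possible.
    curl_tls_opt="-k"
fi

# curl wrapper for the OpenStack APIs: -f turns HTTP 4xx/5xx into a failure so
# an error body is never mistaken for a certificate; -sS stays quiet except
# for real errors; the connect timeout keeps a dead endpoint from hanging boot.
# shellcheck disable=SC2086  # curl_tls_opt is deliberately either empty or -k
api_curl() {
    curl $curl_tls_opt -sS -f --connect-timeout 30 "$@"
}

# Fetch one key from the EC2-compatible metadata service.  -f makes a 404
# (e.g. no public IP assigned) a hard error instead of silently feeding an
# HTML error page into the SAN list; --max-time bounds the wait.
metadata() {
    curl -sS -f --max-time 10 "http://169.254.169.254/latest/meta-data/$1"
}

# --- Subject Alternative Names -----------------------------------------------
# Fall back to the metadata service for addresses heat-params did not supply.
if [ -z "${KUBE_NODE_PUBLIC_IP:-}" ]; then
    KUBE_NODE_PUBLIC_IP=$(metadata public-ipv4)
fi
if [ -z "${KUBE_NODE_IP:-}" ]; then
    KUBE_NODE_IP=$(metadata local-ipv4)
fi
[ -n "$KUBE_NODE_PUBLIC_IP" ] || die "could not determine the node's public IP"
[ -n "$KUBE_NODE_IP" ] || die "could not determine the node's private IP"

sans="IP:${KUBE_NODE_PUBLIC_IP},IP:${KUBE_NODE_IP}"

# Add the API addresses only when set and not already covered by the node IPs
# (a duplicate SAN entry would make openssl reject the request config).
KUBE_API_PUBLIC_ADDRESS=${KUBE_API_PUBLIC_ADDRESS:-}
KUBE_API_PRIVATE_ADDRESS=${KUBE_API_PRIVATE_ADDRESS:-}
MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
if [ -n "$KUBE_API_PUBLIC_ADDRESS" ] \
    && [ "$KUBE_API_PUBLIC_ADDRESS" != "$KUBE_NODE_PUBLIC_IP" ]; then
    sans="${sans},IP:${KUBE_API_PUBLIC_ADDRESS}"
fi
if [ -n "$KUBE_API_PRIVATE_ADDRESS" ] \
    && [ "$KUBE_API_PRIVATE_ADDRESS" != "$KUBE_NODE_IP" ]; then
    sans="${sans},IP:${KUBE_API_PRIVATE_ADDRESS}"
fi
if [ -n "$MASTER_HOSTNAME" ]; then
    sans="${sans},DNS:${MASTER_HOSTNAME}"
fi
# Local clients (kubelet, kube-proxy, etcd peers on this host) talk to loopback.
sans="${sans},IP:127.0.0.1"

# --- Output locations --------------------------------------------------------
cert_dir=/srv/kubernetes
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir" "$cert_conf_dir"
CA_CERT=$cert_dir/ca.crt
SERVER_CERT=$cert_dir/server.crt
SERVER_CSR=$cert_dir/server.csr
SERVER_KEY=$cert_dir/server.key

# Read a Magnum certificate response from stdin, extract its "pem" member and
# install it as $1.  Writes through a temp file so a failed or truncated
# response never leaves a half-written certificate behind, and refuses
# anything openssl cannot parse as an X.509 certificate.
install_cert() {
    _out=$1
    _tmp=$(mktemp "${_out}.XXXXXX")
    python -c 'import json, sys; sys.stdout.write(json.load(sys.stdin)["pem"] + "\n")' > "$_tmp" \
        || { rm -f "$_tmp"; die "unexpected response while fetching ${_out}"; }
    openssl x509 -in "$_tmp" -noout >/dev/null 2>&1 \
        || { rm -f "$_tmp"; die "${_out}: response is not a PEM certificate"; }
    # Certificates are public; 644 matches what the unmasked redirect used to
    # create and lets the etcd user read them after the chown below.
    chmod 644 "$_tmp"
    mv -f "$_tmp" "$_out"
}

# --- Keystone token for the trustee user -------------------------------------
# Build the request body with json.dumps so a password containing quotes or
# backslashes cannot break the JSON, and hand the secret to python through the
# environment rather than its argument list.
auth_json=$(TRUSTEE_USER_ID="$TRUSTEE_USER_ID" TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD" python -c '
import json, os, sys
sys.stdout.write(json.dumps({"auth": {"identity": {
    "methods": ["password"],
    "password": {"user": {"id": os.environ["TRUSTEE_USER_ID"],
                          "password": os.environ["TRUSTEE_PASSWORD"]}}}}}))
')
content_type='Content-Type: application/json'
# The body is fed on stdin (-d @-) instead of as an argument so the password is
# not visible in `ps` / /proc/*/cmdline to other local users while curl runs.
# Header names are case-insensitive, hence grep -i; tr strips the CR.
USER_TOKEN=$(printf '%s' "$auth_json" \
    | api_curl -i -X POST -H "$content_type" -d @- "${AUTH_URL}/auth/tokens" \
    | grep -i '^X-Subject-Token:' | awk '{print $2}' | tr -d '[[:space:]]') || true
[ -n "$USER_TOKEN" ] || die "no X-Subject-Token in Keystone response from ${AUTH_URL}"

# --- Cluster CA certificate --------------------------------------------------
api_curl -X GET \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    "${MAGNUM_URL}/certificates/${CLUSTER_UUID}" | install_cert "$CA_CERT"

# --- Server key and CSR ------------------------------------------------------
cat > "${cert_conf_dir}/server.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
subjectAltName = ${sans}
extendedKeyUsage = clientAuth,serverAuth
EOF

# Generate the key under umask 077 so it is never world-readable, not even in
# the window between genrsa creating the file and the chmod.
(umask 077 && openssl genrsa -out "${SERVER_KEY}" 4096)
chmod 400 "${SERVER_KEY}"
# The former -days option was dropped: it only applies with -x509, so it had no
# effect on this CSR — the validity period is chosen by the signing CA.
openssl req -new \
    -key "${SERVER_KEY}" \
    -out "${SERVER_CSR}" \
    -reqexts req_ext \
    -config "${cert_conf_dir}/server.conf"

# --- Have Magnum's CA sign the CSR -------------------------------------------
csr_req=$(CLUSTER_UUID="$CLUSTER_UUID" SERVER_CSR="$SERVER_CSR" python -c '
import json, os, sys
with open(os.environ["SERVER_CSR"]) as fp:
    csr = fp.read()
sys.stdout.write(json.dumps({"cluster_uuid": os.environ["CLUSTER_UUID"], "csr": csr}))
')
printf '%s' "$csr_req" \
    | api_curl -X POST \
        -H "X-Auth-Token: $USER_TOKEN" \
        -H "OpenStack-API-Version: container-infra latest" \
        -H "Content-Type: application/json" \
        -d @- \
        "${MAGNUM_URL}/certificates" | install_cert "$SERVER_CERT"

# The signed certificate must carry the public key of the key generated above;
# anything else means the wrong CSR was signed or the response was tampered.
[ "$(openssl x509 -noout -modulus -in "$SERVER_CERT")" = \
  "$(openssl rsa -noout -modulus -in "$SERVER_KEY")" ] \
    || die "server.crt returned by Magnum does not match server.key"

# --- Permissions -------------------------------------------------------------
# One set of files serves both etcd and kubernetes: kube owns them and the
# etcd user reads them via group kube_etcd.  groupadd is guarded so a re-run
# (e.g. a retried deployment step) does not fail on the existing group.
getent group kube_etcd >/dev/null || groupadd kube_etcd
usermod -a -G kube_etcd etcd
usermod -a -G kube_etcd kube
chmod 550 "${cert_dir}"
chown -R kube:kube_etcd "${cert_dir}"
chmod 440 "${SERVER_KEY}"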