Container Infrastructure Management Service for OpenStack

make-cert.yaml 4.5KB

  1. #cloud-config
  2. write_files:
  3. - path: /etc/systemd/system/make-cert.service
  4. owner: "root:root"
  5. permissions: "0644"
  6. content: |
  7. [Unit]
  8. Description=Make TLS certificates
  9. [Service]
  10. Type=oneshot
  11. EnvironmentFile=/etc/sysconfig/heat-params
  12. ExecStart=/etc/sysconfig/make-cert.sh
  13. [Install]
  14. WantedBy=multi-user.target
  15. - path: /etc/sysconfig/make-cert.sh
  16. owner: "root:root"
  17. permissions: "0755"
  18. content: |
  19. #!/bin/bash
  20. # Parse the JSON response that contains the TLS certificate, and print
  21. # out the certificate content.
  22. function parse_json_response {
  23. json_response=$1
  24. # {..,"pem": "ABCD",..} -> ABCD
  25. key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
  26. # decode newline characters
  27. key=$(echo "$key" | sed 's/\\n/\n/g')
  28. echo "$key"
  29. }
  30. set -o errexit
  31. set -o nounset
  32. set -o pipefail
  33. if [ "$TLS_DISABLED" == "True" ]; then
  34. exit 0
  35. fi
  36. if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
  37. KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
  38. fi
  39. if [[ -z "${KUBE_NODE_IP}" ]]; then
  40. KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
  41. fi
  42. sans="IP:${KUBE_NODE_PUBLIC_IP},IP:${KUBE_NODE_IP}"
  43. if [ "${KUBE_NODE_PUBLIC_IP}" != "${KUBE_API_PUBLIC_ADDRESS}" ] \
  44. && [ -n "${KUBE_API_PUBLIC_ADDRESS}" ]; then
  45. sans="${sans},IP:${KUBE_API_PUBLIC_ADDRESS}"
  46. fi
  47. if [ "${KUBE_NODE_IP}" != "${KUBE_API_PRIVATE_ADDRESS}" ] \
  48. && [ -n "${KUBE_API_PRIVATE_ADDRESS}" ]; then
  49. sans="${sans},IP:${KUBE_API_PRIVATE_ADDRESS}"
  50. fi
  51. MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
  52. if [[ -n "${MASTER_HOSTNAME}" ]]; then
  53. sans="${sans},DNS:${MASTER_HOSTNAME}"
  54. fi
  55. sans="${sans},IP:127.0.0.1"
  56. cert_conf_dir=${KUBE_CERTS_PATH}/conf
  57. mkdir -p ${cert_conf_dir}
  58. CA_CERT=${KUBE_CERTS_PATH}/ca.pem
  59. SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
  60. SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem
  61. SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem
  62. #Get a token by user credentials and trust
  63. cat > auth.json << EOF
  64. {
  65. "auth": {
  66. "identity": {
  67. "methods": [
  68. "password"
  69. ],
  70. "password": {
  71. "user": {
  72. "id": "$TRUSTEE_USER_ID",
  73. "password": "$TRUSTEE_PASSWORD"
  74. }
  75. }
  76. }
  77. }
  78. }
  79. EOF
  80. USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
  81. $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
  82. rm -rf auth.json
  83. # Get CA certificate for this cluster
  84. ca_cert_json=$(curl -k -X GET \
  85. -H "X-Auth-Token: $USER_TOKEN" \
  86. -H "OpenStack-API-Version: container-infra latest" \
  87. $MAGNUM_URL/certificates/$CLUSTER_UUID)
  88. parse_json_response "${ca_cert_json}" > ${CA_CERT}
  89. # Create config for server's csr
  90. cat > ${cert_conf_dir}/openssl.cnf <<EOF
  91. [req]
  92. distinguished_name = req_distinguished_name
  93. req_extensions = req_ext
  94. prompt = no
  95. [req_distinguished_name]
  96. CN = kube-apiserver
  97. [req_ext]
  98. subjectAltName = ${sans}
  99. extendedKeyUsage = clientAuth,serverAuth
  100. EOF
  101. # Generate server's private key and csr
  102. openssl genrsa -out "${SERVER_KEY}" 4096
  103. chmod 400 "${SERVER_KEY}"
  104. openssl req -new -days 10000 \
  105. -key "${SERVER_KEY}" \
  106. -out "${SERVER_CSR}" \
  107. -reqexts req_ext \
  108. -config "${cert_conf_dir}/openssl.cnf"
  109. # encode newline (\n) characters
  110. csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
  111. csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
  112. # Send csr to Magnum to have it signed
  113. server_cert_json=$(curl -k -X POST \
  114. -H "X-Auth-Token: $USER_TOKEN" \
  115. -H "OpenStack-API-Version: container-infra latest" \
  116. -H "Content-Type: application/json" \
  117. -d "$csr_req" \
  118. $MAGNUM_URL/certificates)
  119. parse_json_response "${server_cert_json}" > ${SERVER_CERT}
  120. chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
  121. # Certs will also be used by etcd service
  122. chown -R etcd:etcd ${KUBE_CERTS_PATH}