openstack/magnum
Code Issues Proposed changes
Files
3f773f1fd045a507c3962ae509fcd57352cdc9ae
magnum/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
Kirsten G b07b6f34d5 Add verify_ca configuration parameter 
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
2017-11-21 10:25:32 -08:00

133 lines
3.9 KiB
YAML
Raw Blame History

#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
if [ -f ${CLIENT_CERT} ] || [ -f ${CLIENT_KEY} ] || [ -f ${CLIENT_CSR} ]; then
exit 0
fi
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
}
}
}
EOF
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for client's csr
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=dirName:kubelet,dirName:kubeproxy
[kubelet]
CN=kubelet
[kubeproxy]
CN=kube-proxy
EOF
# Generate client's private key and csr
openssl genrsa -out "${CLIENT_KEY}" 4096
chmod 400 "${CLIENT_KEY}"
openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/worker-openssl.conf"
# encode newline (\n) characters
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
chown root:root ${KUBE_CERTS_PATH}/*-key.pem
View Git Blame Copy Permalink