Container Infrastructure Management Service for OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

122 lines
3.7 KiB

#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
}
}
}
EOF
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
ca_cert_json=$(curl -k -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for client's csr
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=dirName:kubelet,dirName:kubeproxy
[kubelet]
CN=kubelet
[kubeproxy]
CN=kube-proxy
EOF
# Generate client's private key and csr
openssl genrsa -out "${CLIENT_KEY}" 4096
chmod 400 "${CLIENT_KEY}"
openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/worker-openssl.conf"
# encode newline (\n) characters
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl -k -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
chown root:root ${KUBE_CERTS_PATH}/*-key.pem