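#!/bin/sh
# Copyright 2014 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Provision the TLS server key and certificate for a Kubernetes node:
#   1. build the subjectAltName list from the node and API addresses,
#   2. obtain a Keystone token with the trustee credentials,
#   3. fetch the cluster CA certificate from Magnum,
#   4. generate a private key + CSR and have Magnum sign the CSR,
#   5. make the resulting files readable by the kube and etcd users.
# All inputs (TLS_DISABLED, KUBE_*, PORTAL_NETWORK_CIDR, TRUSTEE_*,
# AUTH_URL, MAGNUM_URL, CLUSTER_UUID) come from /etc/sysconfig/heat-params.
. /etc/sysconfig/heat-params

set -o errexit
set -o nounset
set -o pipefail

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Nothing to do for a cluster that runs without TLS.
if [ "$TLS_DISABLED" = "True" ]; then
  exit 0
fi

# Fall back to the instance metadata service when Heat did not pass the
# node addresses.
if [ -z "${KUBE_NODE_PUBLIC_IP:-}" ]; then
  KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
if [ -z "${KUBE_NODE_IP:-}" ]; then
  KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi

# subjectAltName entries: node IPs, API addresses (when they differ from the
# node's own), optional master hostname, loopback and the service VIP.
sans="IP:${KUBE_NODE_PUBLIC_IP},IP:${KUBE_NODE_IP}"
if [ "${KUBE_NODE_PUBLIC_IP}" != "${KUBE_API_PUBLIC_ADDRESS}" ] \
    && [ -n "${KUBE_API_PUBLIC_ADDRESS}" ]; then
  sans="${sans},IP:${KUBE_API_PUBLIC_ADDRESS}"
fi
if [ "${KUBE_NODE_IP}" != "${KUBE_API_PRIVATE_ADDRESS}" ] \
    && [ -n "${KUBE_API_PRIVATE_ADDRESS}" ]; then
  sans="${sans},IP:${KUBE_API_PRIVATE_ADDRESS}"
fi
MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
if [ -n "${MASTER_HOSTNAME}" ]; then
  sans="${sans},DNS:${MASTER_HOSTNAME}"
fi
sans="${sans},IP:127.0.0.1"

# The kubernetes service IP is the first usable address of the portal
# network: network address with the last octet incremented by one.
KUBE_SERVICE_IP=$(printf '%s\n' "$PORTAL_NETWORK_CIDR" \
  | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
sans="${sans},IP:${KUBE_SERVICE_IP}"

cert_dir=/srv/kubernetes
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"

CA_CERT=$cert_dir/ca.crt
SERVER_CERT=$cert_dir/server.crt
SERVER_CSR=$cert_dir/server.csr
SERVER_KEY=$cert_dir/server.key

# Get a token by user credentials and trust.
# The request body is built by json.dumps from the environment so that a
# password containing quotes or backslashes cannot break (or alter) the JSON.
auth_json=$(TRUSTEE_USER_ID="$TRUSTEE_USER_ID" TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD" \
  python -c 'import json, os; print json.dumps({"auth": {"identity": {"methods": ["password"], "password": {"user": {"id": os.environ["TRUSTEE_USER_ID"], "password": os.environ["TRUSTEE_PASSWORD"]}}}}})')
content_type='Content-Type: application/json'
url="$AUTH_URL/auth/tokens"

# NOTE(review): -k disables server certificate verification on every call
# below, and the trustee password travels over this connection. Confirm the
# node's trust store holds the endpoint CA and drop -k where possible.
# The body is passed on stdin (-d @-) so the password does not appear in
# the process argument list.
USER_TOKEN=$(printf '%s' "$auth_json" \
  | curl -k -s -i -X POST -H "$content_type" -d @- "$url" \
  | grep -i '^X-Subject-Token:' | awk '{print $2}' | tr -d '[:space:]') \
  || USER_TOKEN=
[ -n "$USER_TOKEN" ] || die "failed to obtain an auth token from $url"

# Get CA certificate for this cluster.
curl -k -sSf -X GET \
  -H "X-Auth-Token: $USER_TOKEN" \
  -H "OpenStack-API-Version: container-infra latest" \
  "$MAGNUM_URL/certificates/$CLUSTER_UUID" \
  | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > "${CA_CERT}"

# Create config for server's csr.
cat > "${cert_conf_dir}/server.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
subjectAltName = ${sans}
extendedKeyUsage = clientAuth,serverAuth
EOF

# Generate server's private key and csr.
# The key is created under umask 077 (in a subshell so the umask does not
# leak to later files) rather than being world-readable until the chmod.
( umask 077; openssl genrsa -out "${SERVER_KEY}" 4096 )
chmod 400 "${SERVER_KEY}"
openssl req -new -days 1000 \
  -key "${SERVER_KEY}" \
  -out "${SERVER_CSR}" \
  -reqexts req_ext \
  -config "${cert_conf_dir}/server.conf"

# Send csr to Magnum to have it signed.
csr_req=$(CLUSTER_UUID="$CLUSTER_UUID" SERVER_CSR="$SERVER_CSR" \
  python -c 'import json, os; print json.dumps({"cluster_uuid": os.environ["CLUSTER_UUID"], "csr": open(os.environ["SERVER_CSR"]).read()})')
printf '%s' "$csr_req" \
  | curl -k -sSf -X POST \
      -H "X-Auth-Token: $USER_TOKEN" \
      -H "OpenStack-API-Version: container-infra latest" \
      -H "Content-Type: application/json" \
      -d @- \
      "$MAGNUM_URL/certificates" \
  | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > "${SERVER_CERT}"

# Common certs and key are created for both etcd and kubernetes services.
# Both etcd and kube user should have permission to access the certs and key.
# groupadd is skipped when the group already exists so a re-run does not
# abort under errexit.
getent group kube_etcd >/dev/null || groupadd kube_etcd
usermod -a -G kube_etcd etcd
usermod -a -G kube_etcd kube
chmod 550 "${cert_dir}"
chown -R kube:kube_etcd "${cert_dir}"
chmod 440 "$SERVER_KEY"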