  1. #cloud-config
  2. write_files:
  3. - path: /etc/systemd/system/make-cert.service
  4. owner: "root:root"
  5. permissions: "0644"
  6. content: |
  7. [Unit]
  8. Description=Make TLS certificates
  9. [Service]
  10. Type=oneshot
  11. EnvironmentFile=/etc/sysconfig/heat-params
  12. ExecStart=/etc/sysconfig/make-cert.sh
  13. [Install]
  14. WantedBy=multi-user.target
  15. - path: /etc/sysconfig/make-cert.sh
  16. owner: "root:root"
  17. permissions: "0755"
  18. content: |
  19. #!/bin/bash
  20. # Parse the JSON response that contains the TLS certificate, and print
  21. # out the certificate content.
  22. function parse_json_response {
  23. json_response=$1
  24. # {..,"pem": "ABCD",..} -> ABCD
  25. key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
  26. # decode newline characters
  27. key=$(echo "$key" | sed 's/\\n/\n/g')
  28. echo "$key"
  29. }
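set -o errexit
set -o nounset
set -o pipefail

# Expected from the environment (the unit's EnvironmentFile): TLS_DISABLED,
# KUBE_NODE_PUBLIC_IP, KUBE_NODE_IP, KUBE_API_PUBLIC_ADDRESS,
# KUBE_API_PRIVATE_ADDRESS, PORTAL_NETWORK_CIDR, KUBE_CERTS_PATH,
# TRUSTEE_USER_ID, TRUSTEE_PASSWORD, AUTH_URL, MAGNUM_URL, CLUSTER_UUID.
# MASTER_HOSTNAME is optional.  With nounset on, a missing one aborts early.

# Nothing to do for a cluster created with TLS disabled.
if [ "$TLS_DISABLED" == "True" ]; then
    exit 0
fi

# Fall back to the EC2-compatible metadata service when Heat did not pass
# the node addresses.  --fail keeps an HTTP error page from being used as an
# address (it would only blow up later inside openssl), and the connect
# timeout stops the unit from hanging forever if 169.254.169.254 is down.
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
    KUBE_NODE_PUBLIC_IP=$(curl -s --fail --connect-timeout 10 http://169.254.169.254/latest/meta-data/public-ipv4)
fi
if [[ -z "${KUBE_NODE_IP}" ]]; then
    KUBE_NODE_IP=$(curl -s --fail --connect-timeout 10 http://169.254.169.254/latest/meta-data/local-ipv4)
fi

# Subject alternative names for the API server certificate: the node's own
# addresses, the API VIPs when they differ, the optional master hostname,
# loopback, and the in-cluster service IP.
sans="IP:${KUBE_NODE_PUBLIC_IP},IP:${KUBE_NODE_IP}"
if [ "${KUBE_NODE_PUBLIC_IP}" != "${KUBE_API_PUBLIC_ADDRESS}" ] \
    && [ -n "${KUBE_API_PUBLIC_ADDRESS}" ]; then
    sans="${sans},IP:${KUBE_API_PUBLIC_ADDRESS}"
fi
if [ "${KUBE_NODE_IP}" != "${KUBE_API_PRIVATE_ADDRESS}" ] \
    && [ -n "${KUBE_API_PRIVATE_ADDRESS}" ]; then
    sans="${sans},IP:${KUBE_API_PRIVATE_ADDRESS}"
fi
MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
if [[ -n "${MASTER_HOSTNAME}" ]]; then
    sans="${sans},DNS:${MASTER_HOSTNAME}"
fi
sans="${sans},IP:127.0.0.1"
# First host of the service CIDR (network address + 1), e.g. 10.254.0.0/16
# -> 10.254.0.1.  Only the last octet is incremented; a CIDR whose last
# octet is 255 is not handled, which matches the original arithmetic.
KUBE_SERVICE_IP=$(echo "$PORTAL_NETWORK_CIDR" | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
sans="${sans},IP:${KUBE_SERVICE_IP}"

cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p "${cert_conf_dir}"
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
# The CSR gets its own file.  The original set SERVER_CSR to apiserver.pem,
# the same path as SERVER_CERT, so the request was written there and then
# silently overwritten by the signed certificate.
SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.csr
SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem

# Get a token with the trustee's credentials.
#
# The request body is streamed to curl on stdin instead of being written to
# auth.json in the working directory (which, for a oneshot unit, is / and
# under the default umask gave a briefly world-readable file holding the
# trustee password).  Feeding it via stdin also keeps the password off curl's
# argv.  A quote or backslash in the password would have produced invalid
# JSON, so those two characters are escaped first.
json_password=${TRUSTEE_PASSWORD//\\/\\\\}
json_password=${json_password//\"/\\\"}
auth_json=$(cat <<EOF
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "$TRUSTEE_USER_ID",
                    "password": "$json_password"
                }
            }
        }
    }
}
EOF
)
# TLS verification is on for every Keystone and Magnum call.  The original
# used curl -k here; with verification disabled anyone on the path could hand
# this node a bogus CA certificate and capture the trustee token and
# password.  Deployments whose endpoints use a private CA must install that
# CA in the image's trust store rather than turning verification off.
# --fail turns an HTTP error into a non-zero exit so the pipeline aborts.
USER_TOKEN=$(printf '%s' "$auth_json" | curl -sS --fail -i -X POST \
    -H "Content-Type: application/json" -d @- \
    "$AUTH_URL/auth/tokens" | grep X-Subject-Token | awk '{print $2}' | tr -d '\r')
if [ -z "$USER_TOKEN" ]; then
    echo "make-cert: no X-Subject-Token in the response from $AUTH_URL/auth/tokens" >&2
    exit 1
fi

# Get the CA certificate for this cluster.
# NOTE(review): the token is passed on curl's command line and is visible in
# the process table while curl runs; moving it to a header file (-H @file)
# needs curl >= 7.55 -- confirm the image's curl before changing this.
ca_cert_json=$(curl -sS --fail \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    "$MAGNUM_URL/certificates/$CLUSTER_UUID")
parse_json_response "${ca_cert_json}" > "${CA_CERT}"

# Create the config for the server's CSR.
cat > "${cert_conf_dir}/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kube-apiserver
[req_ext]
subjectAltName = ${sans}
extendedKeyUsage = clientAuth,serverAuth
EOF

# Generate the server's private key and CSR.  The key is created under a
# 077 umask so it is never world-readable, not even between genrsa writing
# it and the chmod below.  `-days` is only honoured by `openssl req` together
# with -x509; it did nothing on the CSR and has been dropped -- the validity
# period is set by the Magnum signer.
(umask 077 && openssl genrsa -out "${SERVER_KEY}" 4096)
chmod 400 "${SERVER_KEY}"
openssl req -new \
    -key "${SERVER_KEY}" \
    -out "${SERVER_CSR}" \
    -reqexts req_ext \
    -config "${cert_conf_dir}/openssl.cnf"

# Fold the PEM CSR into a single JSON string (newline -> literal "\n").
# PEM is base64 plus dashes, so no other JSON escaping is needed.
csr=$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g' "$SERVER_CSR")
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"

# Send the CSR to Magnum to have it signed.
server_cert_json=$(printf '%s' "$csr_req" | curl -sS --fail -X POST \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "OpenStack-API-Version: container-infra latest" \
    -H "Content-Type: application/json" \
    -d @- \
    "$MAGNUM_URL/certificates")
parse_json_response "${server_cert_json}" > "${SERVER_CERT}"

chmod 600 "${KUBE_CERTS_PATH}"/*-key.pem
# The certificates are also used by the etcd service.
chown -R etcd:etcd "${KUBE_CERTS_PATH}"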