magnum/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml

128 lines
3.7 KiB
YAML

#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
. /etc/sysconfig/heat-params
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.pem
CLIENT_CERT=$cert_dir/worker.pem
CLIENT_CSR=$cert_dir/worker.csr
CLIENT_KEY=$cert_dir/worker-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
ca_cert_json=$(curl -k -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for client's csr
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=dirName:kubelet,dirName:kubeproxy
[kubelet]
CN=kubelet
[kubeproxy]
CN=kube-proxy
EOF
# Generate client's private key and csr
openssl genrsa -out "${CLIENT_KEY}" 4096
chmod 400 "${CLIENT_KEY}"
openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/worker-openssl.conf"
# encode newline (\n) characters
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl -k -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${cert_dir}/*-key.pem
chown root:root ${cert_dir}/*-key.pem