github.com/looshlee/cilium@v1.6.12/examples/kubernetes-ingress/scripts/00-create-certs.sh (about) 1 #!/usr/bin/env bash 2 3 dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 4 5 source "${dir}/helpers.bash" 6 7 set -e 8 9 certs_dir="${dir}/certs" 10 mkdir -p "${certs_dir}" 11 cd "${certs_dir}" 12 13 master="k8s1" 14 worker="k8s2" 15 16 if [ -n "${INSTALL}" ]; then 17 log "Downloading cfssl utility..." 18 cfssl_url="https://pkg.cfssl.org/R1.2/cfssl_linux-amd64" 19 cfssljson_url="https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64" 20 ${WGET} -nv ${cfssl_url} 21 ${WGET} -nv ${cfssljson_url} 22 log "Downloading cfssl utility... Done!" 23 chmod +x cfssl_linux-amd64 24 sudo mv cfssl_linux-amd64 /usr/bin/cfssl 25 chmod +x cfssljson_linux-amd64 26 sudo mv cfssljson_linux-amd64 /usr/bin/cfssljson 27 fi 28 29 ####################################### 30 # Generate the certificate authority certificates in the form of ca-name.pem 31 # Arguments: 32 # name 33 ####################################### 34 generate_ca_certs(){ 35 if [ $# -ne 1 ]; then 36 echo "Invalid arguments: usage generate_ca_certs <name>" 37 exit 38 fi 39 name=${1} 40 cat > ${name}-config.json <<EOF 41 { 42 "signing": { 43 "default": { 44 "expiry": "2191h" 45 }, 46 "profiles": { 47 "${name}": { 48 "usages": ["signing", "key encipherment", "server auth", "client auth"], 49 "expiry": "2191h" 50 } 51 } 52 } 53 } 54 EOF 55 56 cat > ca-${name}-csr.json <<EOF 57 { 58 "CN": "${name}", 59 "key": { 60 "algo": "rsa", 61 "size": 2048 62 }, 63 "names": [ 64 { 65 "C": "US", 66 "L": "San Francisco", 67 "O": "${name}", 68 "OU": "CI", 69 "ST": "California" 70 } 71 ] 72 } 73 EOF 74 75 cfssl gencert -initca ca-${name}-csr.json | cfssljson -bare ca-${name} 76 77 openssl x509 -in ca-${name}.pem -text -noout 78 } 79 80 ####################################### 81 # Generate server certificates in the form of cli-name.pem 82 # Arguments: 83 # certificate-authority filename 84 # server/client filename 85 # server/client's hostname 86 ####################################### 87 generate_server_certs() { 88 if [ $# -ne 3 ]; then 89 echo "Invalid arguments: usage generate_client_certs <ca-name> <cli-name> <hostname>" 90 exit 91 fi 92 ca_name=${1} 93 cli_name=${2} 94 master_hostname=${3} 95 cat > ${cli_name}-csr.json <<EOF 96 { 97 "CN": "${cli_name}", 98 "hosts": [ 99 "${master_hostname}", 100 "${master_ip}", 101 "${cluster_api_server_ip}", 102 "${cli_name}.cluster.default" 103 ], 104 "key": { 105 "algo": "rsa", 106 "size": 2048 107 }, 108 "names": [ 109 { 110 "C": "US", 111 "L": "San Francisco", 112 "O": "${ca_name}", 113 "OU": "CI", 114 "ST": "California" 115 } 116 ] 117 } 118 EOF 119 120 cfssl gencert \ 121 -ca=ca-${ca_name}.pem \ 122 -ca-key=ca-${ca_name}-key.pem \ 123 -config=${ca_name}-config.json \ 124 -profile=${ca_name} \ 125 ${cli_name}-csr.json | cfssljson -bare ${cli_name} 126 127 openssl x509 -in ${cli_name}.pem -text -noout 128 } 129 130 ####################################### 131 # Generate kubelet client certificates in the form of "filename.pem" 132 # Arguments: 133 # certificate-authority filename 134 # client name 135 # filename 136 ####################################### 137 generate_kubelet_client_certs() { 138 if [ $# -ne 3 ]; then 139 echo "Invalid arguments: usage generate_client_certs <ca-name> <cli-name> <filename>" 140 exit 141 fi 142 ca_name=${1} 143 cli_name=${2} 144 filename=${3} 145 cat > ${filename}-csr.json <<EOF 146 { 147 "CN": "${cli_name}", 148 "hosts": [], 149 "key": { 150 "algo": "rsa", 151 "size": 2048 152 }, 153 "names": [ 154 { 155 "C": "US", 156 "L": "San Francisco", 157 "O": "system:nodes", 158 "OU": "CI", 159 "ST": "California" 160 } 161 ] 162 } 163 EOF 164 165 cfssl gencert \ 166 -ca=ca-${ca_name}.pem \ 167 -ca-key=ca-${ca_name}-key.pem \ 168 -config=${ca_name}-config.json \ 169 -profile=${ca_name} \ 170 ${filename}-csr.json | cfssljson -bare ${filename} 171 172 openssl x509 -in ${filename}.pem -text -noout 173 } 174 175 ####################################### 176 # Generate k8s component certificates in the form of "filename.pem" 177 # Arguments: 178 # certificate-authority filename 179 # k8s component name 180 # filename 181 ####################################### 182 generate_k8s_component_certs() { 183 if [ $# -ne 3 ]; then 184 echo "Invalid arguments: usage generate_k8s_component_certs <ca-name> <k8s-component-name> <filename>" 185 exit 186 fi 187 ca_name=${1} 188 k8s_name=${2} 189 cm_name=${3} 190 cat > ${cm_name}-csr.json <<EOF 191 { 192 "CN": "${k8s_name}", 193 "hosts": [], 194 "key": { 195 "algo": "rsa", 196 "size": 2048 197 }, 198 "names": [ 199 { 200 "C": "US", 201 "L": "San Francisco", 202 "O": "${k8s_name}", 203 "OU": "CI", 204 "ST": "California" 205 } 206 ] 207 } 208 EOF 209 210 cfssl gencert \ 211 -ca=ca-${ca_name}.pem \ 212 -ca-key=ca-${ca_name}-key.pem \ 213 -config=${ca_name}-config.json \ 214 -profile=${ca_name} \ 215 ${cm_name}-csr.json | cfssljson -bare ${cm_name} 216 217 openssl x509 -in ${cm_name}.pem -text -noout 218 } 219 220 ####################################### 221 # Generates kubectl admin certificates in the form of "filename.pem" 222 # Arguments: 223 # certificate-authority filename 224 # username used in kubectl 225 # filename 226 ####################################### 227 generate_kubectl_admin_certs() { 228 if [ $# -ne 3 ]; then 229 echo "Invalid arguments: usage generate_kubectl_admin_certs <ca-name> <username> <filename>" 230 exit 231 fi 232 ca_name=${1} 233 username=${2} 234 filename=${3} 235 cat > ${filename}-csr.json <<EOF 236 { 237 "CN": "${username}", 238 "hosts": [], 239 "key": { 240 "algo": "rsa", 241 "size": 2048 242 }, 243 "names": [ 244 { 245 "C": "US", 246 "L": "San Francisco", 247 "O": "system:masters", 248 "OU": "CI", 249 "ST": "California" 250 } 251 ] 252 } 253 EOF 254 255 cfssl gencert \ 256 -ca=ca-${ca_name}.pem \ 257 -ca-key=ca-${ca_name}-key.pem \ 258 -config=${ca_name}-config.json \ 259 -profile=${ca_name} \ 260 ${filename}-csr.json | cfssljson -bare ${filename} 261 262 openssl x509 -in ${filename}.pem -text -noout 263 } 264 265 ####################################### 266 # Generates etcd client certificates in the form of "filename.pem" 267 # Arguments: 268 # certificate-authority filename 269 # client name used in etcd 270 # filename 271 ####################################### 272 generate_etcd_client_certs() { 273 if [ $# -ne 3 ]; then 274 echo "Invalid arguments: usage generate_etcd_client_certs <ca-name> <client-name> <filename>" 275 exit 276 fi 277 ca_name=${1} 278 client_name=${2} 279 filename=${3} 280 cat > ${filename}-csr.json <<EOF 281 { 282 "CN": "${client_name}", 283 "hosts": [], 284 "key": { 285 "algo": "rsa", 286 "size": 2048 287 }, 288 "names": [ 289 { 290 "C": "US", 291 "L": "San Francisco", 292 "O": "kubernetes", 293 "OU": "CI", 294 "ST": "California" 295 } 296 ] 297 } 298 EOF 299 300 cfssl gencert \ 301 -ca=ca-${ca_name}.pem \ 302 -ca-key=ca-${ca_name}-key.pem \ 303 -config=${ca_name}-config.json \ 304 -profile=${ca_name} \ 305 ${filename}-csr.json | cfssljson -bare ${filename} 306 307 openssl x509 -in ${filename}.pem -text -noout 308 } 309 310 log "Generating certificates..." 311 312 # Generate CA for k8s 313 generate_ca_certs k8s 314 315 # Generate k8s-api-server certs 316 generate_server_certs k8s k8s-api-server ${master} 317 318 # Generate k8s components certs so the component would be able to talk to the 319 # api-server 320 generate_k8s_component_certs k8s system:kube-controller-manager k8s-controller-manager 321 generate_k8s_component_certs k8s system:kube-scheduler k8s-scheduler 322 323 # Generate the certificates necessary for the service account credentials 324 # --service-account-private-key-file in the controller manager and 325 # --service-account-key-file in the kube api-server. 326 generate_k8s_component_certs k8s controller-manager-sa k8s-controller-manager-sa 327 328 # Generate kubelet certs so they are able to talk with api-server and have 329 # the correct permissions to manage its own node 330 generate_kubelet_client_certs k8s system:node:${master} k8s-kubelet-${master} 331 generate_kubelet_client_certs k8s system:node:${worker} k8s-kubelet-${worker} 332 generate_k8s_component_certs k8s system:kube-proxy k8s-kube-proxy-${master} 333 generate_k8s_component_certs k8s system:kube-proxy k8s-kube-proxy-${worker} 334 335 # Generate kubelet client certificate so kube-apiserver can talk with kubelets 336 generate_k8s_component_certs k8s kubelet-api-server kubelet-api-server 337 338 # Generate CA for kubelets 339 generate_ca_certs kubelet 340 341 # Generate kubelet serving certificates to use to serve its endpoints 342 generate_k8s_component_certs kubelet ${master} kubelet-kubelet-${master} 343 generate_k8s_component_certs kubelet ${worker} kubelet-kubelet-${worker} 344 345 # Generate each components certs 346 generate_k8s_component_certs k8s system:kube-controller-manager k8s-controller-manager 347 generate_k8s_component_certs k8s system:kube-scheduler k8s-scheduler 348 349 # Generate kubectl and cilium certs as administrators of the cluster 350 # it's not the safest approach but it will be enough for testing 351 generate_kubectl_admin_certs k8s admin k8s-admin 352 generate_kubectl_admin_certs k8s cilium k8s-cilium 353 generate_kubectl_admin_certs k8s nginx k8s-nginx 354 355 # Generate CA for etcd 356 generate_ca_certs etcd 357 358 # Generate server certificates for etcd 359 generate_server_certs etcd etcd-server ${master} 360 361 # Generate client certificates for each client that talks with etcd 362 generate_etcd_client_certs etcd api-server etcd-k8s-api-server 363 generate_etcd_client_certs etcd cilium etcd-cilium 364 365 log "Generating certificates... DONE!"