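#!/bin/bash
# build/admission/gen-admission-secret.sh
#
# Generates a self-signed CA plus a server certificate/key for the KubeEdge
# admission webhook Service and, optionally, stores them in a Kubernetes
# Secret. Every knob is an environment variable with a default:
#   SERVICE               webhook Service name (CN and SAN of the server cert)
#   SECRET                name of the Secret to create
#   NAMESPACE             namespace of the Service and the Secret
#   CERTDIR               directory the key material is written to
#   ENABLE_CREATE_SECRET  "true" to create the Secret; anything else skips it
#   CERT_DAYS             validity of the CA and server cert in days
#                         (defaults to openssl's own default of 30)
# Requires openssl; kubectl is needed only when the Secret is created.
# The CA private key (ca.key) is never put into the Secret; it stays in
# CERTDIR on this host, so protect or remove it once the server cert exists.

set -euo pipefail

SERVICE=${SERVICE:-"kubeedge-admission-service"}
SECRET=${SECRET:-"kubeedge-admission-secret"}
NAMESPACE=${NAMESPACE:-kubeedge}
CERTDIR=${CERTDIR:-"/etc/kubeedge/admission/certs"}
ENABLE_CREATE_SECRET=${ENABLE_CREATE_SECRET:-true}
# `openssl req -x509` and `openssl x509 -req` silently use 30 days when -days
# is omitted; make that explicit and overridable so the validity can match the
# operator's rotation schedule instead of expiring unnoticed.
CERT_DAYS=${CERT_DAYS:-30}

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found" >&2
  exit 1
fi

#######################################
# Create a CA and a server cert/key signed by it.
# Globals:   SERVICE, NAMESPACE, CERTDIR, CERT_DAYS (read)
# Outputs:   csr.conf, ca.key, ca.crt, ca.srl, server.key, server.csr,
#            server.crt under CERTDIR; progress message on stdout
# Returns:   exits non-zero (set -e) if any openssl step fails
#######################################
createCerts() {
  echo "creating certs in dir ${CERTDIR} "

  # The SANs are the in-cluster DNS names of the Service; the API server
  # connects to <service>.<namespace>.svc, so that name must be present.
  cat <<EOF > "${CERTDIR}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
EOF

  # Private keys are created under umask 077 (in a subshell so the rest of the
  # script keeps the caller's umask) so they are never world/group readable,
  # regardless of what the installed openssl does by default.
  ( umask 077 && openssl genrsa -out "${CERTDIR}/ca.key" 2048 )
  openssl req -x509 -new -nodes -days "${CERT_DAYS}" \
    -key "${CERTDIR}/ca.key" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" \
    -out "${CERTDIR}/ca.crt"

  ( umask 077 && openssl genrsa -out "${CERTDIR}/server.key" 2048 )
  openssl req -new -key "${CERTDIR}/server.key" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" \
    -out "${CERTDIR}/server.csr" -config "${CERTDIR}/csr.conf"

  # -extensions/-extfile are required: without them the SANs in csr.conf are
  # dropped from the issued certificate and clients reject the webhook.
  openssl x509 -req -in "${CERTDIR}/server.csr" \
    -CA "${CERTDIR}/ca.crt" -CAkey "${CERTDIR}/ca.key" \
    -CAcreateserial -days "${CERT_DAYS}" -out "${CERTDIR}/server.crt" \
    -extensions v3_req -extfile "${CERTDIR}/csr.conf"
}

#######################################
# Create the namespace (if missing) and the TLS Secret from CERTDIR.
# Globals:   ENABLE_CREATE_SECRET, NAMESPACE, SECRET, CERTDIR (read)
# Outputs:   kubectl output on stdout/stderr
# Returns:   exits non-zero (set -e) if kubectl is missing or a step fails;
#            `kubectl create secret` fails if the Secret already exists
#######################################
createObjects() {
  # `ENABLE_CREATE_SECRET` should always be set to `true` unless it has been already created.
  if [[ "${ENABLE_CREATE_SECRET}" = true ]]; then
    if ! command -v kubectl >/dev/null 2>&1; then
      echo "kubectl not found" >&2
      exit 1
    fi

    kubectl get ns "${NAMESPACE}" || kubectl create ns "${NAMESPACE}"

    # create the secret with CA cert and server cert/key
    # (only ca.crt goes into the cluster; ca.key stays on this host)
    kubectl create secret generic "${SECRET}" \
      --from-file=tls.key="${CERTDIR}/server.key" \
      --from-file=tls.crt="${CERTDIR}/server.crt" \
      --from-file=ca.crt="${CERTDIR}/ca.crt" \
      -n "${NAMESPACE}"
  fi
}

#######################################
# Create CERTDIR and the certs, asking before overwriting an existing dir.
# Globals:   CERTDIR (read)
# Outputs:   prompt on stdout; reads the answer from stdin
# Returns:   exits 0 without touching anything when the user declines
#            (an empty answer or EOF counts as the advertised default "N")
#######################################
checkCertDir() {
  local answer
  if [[ -d "${CERTDIR}" ]]; then
    # Loop instead of recursing so repeated invalid input cannot grow the
    # call stack.
    while true; do
      printf '%s' "certs dir already exits, do you want to overwrite the certs and generate them againi? [y/N]> "
      # EOF on stdin (non-interactive run) is treated like pressing Enter.
      read -r answer || answer=""
      if [[ -z "${answer}" || "${answer}" =~ ^[nN]$ ]]; then
        echo "certs is not generated, please remove the certs directory if you want to generate them again."
        exit 0
      elif [[ "${answer}" =~ ^[yY]$ ]]; then
        createCerts
        return 0
      else
        echo "Invalid response, please try again."
      fi
    done
  else
    mkdir -p "${CERTDIR}"
    createCerts
  fi
}

main() {
  checkCertDir
  createObjects
}

main "$@"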