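#!/bin/sh
# gen-admission-secret.sh
#
# Mint a self-signed CA plus a server certificate/key for an admission
# webhook Service and store them in a Kubernetes Secret with the keys
# tls.key, tls.crt and ca.crt.
#
# NOTE: this script does NOT use the Kubernetes CertificateSigningRequest
# API. It creates its own CA with openssl and signs the server certificate
# with that CA, so the only cluster permissions it needs are get/create on
# Secrets in the target namespace.
#
# Written for POSIX sh (no [[ ]], no `function`, no `echo -e`) so it behaves
# the same under dash/busybox ash and bash.
#
# TODO: this file is used for release, should not place it here
set -eu

#######################################
# Print the help text and exit.
# Arguments: $1 - exit status (default 0)
#######################################
usage() {
  cat <<EOF
Generate a CA certificate and a server certificate/key suitable for use with
an admission webhook service, and store them in a Kubernetes Secret.
The CA is self-signed with openssl and signs the server certificate; the
Kubernetes CertificateSigningRequest API is not used. The caller needs
permission to get and create Secrets in the target namespace.
The server key/cert and the CA cert are stored in a k8s secret under the
keys tls.key, tls.crt and ca.crt.
usage: ${0} [OPTIONS]
The following flags are required.
  --service    Service name of webhook.
  --namespace  Namespace where webhook service and secret reside (default: default).
  --secret     Secret name for CA certificate and server certificate/key pair.
EOF
  exit "${1:-0}"
}

#######################################
# Check that a value looks like a Kubernetes DNS-1123 label.
# Service, namespace and secret names are interpolated into the openssl
# config file and kubectl command lines, so anything outside [a-z0-9-]
# (or longer than 63 chars) is rejected up front.
# Arguments: $1 - candidate name
# Returns:   0 if valid, 1 otherwise
#######################################
is_dns_label() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

SERVICE=
SECRET=
NAMESPACE=

# Every option takes exactly one value; guard $2 so `set -u` does not trip
# on a trailing flag with no argument.
while [ "$#" -gt 0 ]; do
  case "$1" in
    -h|--help)
      usage 0
      ;;
    --service|--secret|--namespace)
      if [ "$#" -lt 2 ]; then
        printf '%s requires a value\n' "$1" >&2
        usage 1 >&2
      fi
      case "$1" in
        --service)   SERVICE="$2" ;;
        --secret)    SECRET="$2" ;;
        --namespace) NAMESPACE="$2" ;;
      esac
      shift
      ;;
    *)
      printf 'unknown option: %s\n' "$1" >&2
      usage 1 >&2
      ;;
  esac
  shift
done

if [ -z "${SERVICE}" ]; then
  echo "'--service' must be specified" >&2
  exit 1
fi

if [ -z "${SECRET}" ]; then
  echo "'--secret' must be specified" >&2
  exit 1
fi

[ -z "${NAMESPACE}" ] && NAMESPACE=default

for name in "${SERVICE}" "${SECRET}" "${NAMESPACE}"; do
  if ! is_dns_label "${name}"; then
    printf 'invalid name %s: must be a lowercase DNS-1123 label\n' "${name}" >&2
    exit 1
  fi
done

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not found" >&2
  exit 1
fi

if ! command -v kubectl >/dev/null 2>&1; then
  echo "kubectl not found" >&2
  exit 1
fi

# Private keys are written to CERTDIR. Unless the caller supplies one, use a
# fresh private directory instead of fixed names under world-writable /tmp,
# and remove it on exit so key material does not linger on the node. The
# umask keeps every file openssl writes readable by the owner only.
umask 077
if [ -z "${CERTDIR:-}" ]; then
  CERTDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
  trap 'rm -rf -- "${CERTDIR}"' EXIT
fi

#######################################
# Create a self-signed CA and a CA-signed server certificate in CERTDIR.
# Globals:  CERTDIR, SERVICE, NAMESPACE (read)
# Outputs:  ca.key, ca.crt, server.key, server.csr, server.crt in CERTDIR
#######################################
createCerts() {
  echo "creating certs in dir ${CERTDIR} "

  # SANs cover the three forms the apiserver may use to reach the Service.
  cat <<EOF > "${CERTDIR}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
EOF

  # Both certificates are valid for ~10 years; rotation means deleting the
  # Secret and re-running this script.
  openssl genrsa -out "${CERTDIR}/ca.key" 2048
  openssl req -x509 -new -nodes -key "${CERTDIR}/ca.key" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -days 3650 -out "${CERTDIR}/ca.crt"

  openssl genrsa -out "${CERTDIR}/server.key" 2048
  openssl req -new -key "${CERTDIR}/server.key" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" \
    -out "${CERTDIR}/server.csr" -config "${CERTDIR}/csr.conf"

  # -extensions/-extfile re-apply v3_req so the SANs end up in the issued cert.
  openssl x509 -req -in "${CERTDIR}/server.csr" \
    -CA "${CERTDIR}/ca.crt" -CAkey "${CERTDIR}/ca.key" \
    -CAcreateserial -out "${CERTDIR}/server.crt" \
    -extensions v3_req -extfile "${CERTDIR}/csr.conf" -days 3650
}

#######################################
# Store the CA cert and server cert/key in a generic Secret.
# Globals:  CERTDIR, SECRET, NAMESPACE (read)
#######################################
createSecret() {
  kubectl create secret generic "${SECRET}" \
    --from-file=tls.key="${CERTDIR}/server.key" \
    --from-file=tls.crt="${CERTDIR}/server.crt" \
    --from-file=ca.crt="${CERTDIR}/ca.crt" \
    -n "${NAMESPACE}"
}

# Idempotent: an existing Secret is left untouched. kubectl's stderr is kept
# so an RBAC or connectivity failure is visible rather than mistaken for
# "not found" (in which case the create below fails anyway under set -e).
ret=0
kubectl get secret "${SECRET}" -n "${NAMESPACE}" >/dev/null || ret=$?
if [ "${ret}" -eq 0 ]; then
  printf 'The secret %s -n %s already exists. Do not create it again.\n' "${SECRET}" "${NAMESPACE}"
  exit 0
fi

createCerts

createSecret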