#!/bin/bash
#
# cfssl and cfssljson are available via:
# * `go get github.com/cloudflare/cfssl/cmd/{cfssl,cfssljson}` [needs golang-1.11 + git]
# * package from ubuntu-18.04 (`golang-cfssl`)
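# -x traces every command to stderr. No key material ever passes through
# argv here (cfssljson writes the keys to files), so the trace is safe to
# keep in build logs.
set -euxo pipefail
. ./func.sh

# Both cfssl binaries are required (see the install hints above). Fail early
# with a clear message rather than partway through with a traced
# "command not found" after the CA has already been written.
for tool in cfssl cfssljson; do
  command -v "$tool" >/dev/null 2>&1 \
    || { printf '%s: %s not found in PATH\n' "${0##*/}" "$tool" >&2; exit 1; }
done

# CA certificate signing request. The heredoc contains no expansions, so the
# delimiter is quoted to make that explicit.
cat > ca-csr.json <<'EOF'
{
"CN": "Kubernetes",
"key": { "algo": "rsa", "size": 2048 },
"names": [
{
"C": "DE",
"L": "Hamburg",
"O": "Kubernetes",
"OU": "CA",
"ST": "Hamburg"
}
]
}
EOF

# Creates ca.pem / ca-key.pem, which every certificate below is signed with.
# NOTE: -initca generates a fresh CA on every run; re-running this script
# therefore invalidates all certificates previously issued by the old CA.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# Signing policy. 720h = 30 days for every certificate issued below (nodes,
# control-plane components and the API server alike); nothing in this script
# rotates them, so plan a re-issue before expiry.
cat > ca-config.json <<'EOF'
{
"signing": {
"default": {
"expiry": "720h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "720h"
}
}
}
}
EOF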
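#######################################
# Issue one leaf certificate signed by the CA created above.
# Arguments: $1 - CN        subject common name (Kubernetes uses it as the
#                           user name for client certificates)
#            $2 - filename  output prefix: <filename>.pem, <filename>-key.pem,
#                           <filename>.csr (as written by cfssljson -bare)
#            $3 - group     subject O field (Kubernetes maps it to a group)
#            $4 - SANs      comma-separated host names / IPs for -hostname;
#                           "" for a pure client certificate
# Globals:   reads ca.pem, ca-key.pem and ca-config.json from the cwd
# Returns:   2 on wrong argument count, otherwise the cfssl/cfssljson status
#######################################
mkcert() {
  if (( $# != 4 )); then
    printf 'usage: mkcert CN filename group SANs\n' >&2
    return 2
  fi
  local cn=$1 filename=$2 group=$3 sans=$4
  # The CSR JSON is passed via process substitution so the only files that
  # land on disk are the ones cfssljson writes.
  # The rendered original ended the pipeline with "cfssljson -bare $(unknown)",
  # which is not a defined command; $filename is the only otherwise-unused
  # argument and is the intended output prefix.
  cfssl gencert \
    -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes \
    -hostname="${sans}" \
    <(cat <<EOF
{
"CN": "$cn",
"key": { "algo": "rsa", "size": 2048 },
"names": [
{
"C": "DE",
"L": "Hamburg",
"O": "$group",
"OU": "Kubernetes The Hard Way",
"ST": "Hamburg"
}
]
}
EOF
) | cfssljson -bare "$filename"
}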
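# Leaf certificates. Argument order for every call: CN filename group SANs.
# SAN lists produced by the func.sh helpers are quoted so that a multi-word
# result cannot shift the positional arguments of mkcert.

# admin user client cert; O=system:masters is bound to cluster-admin
mkcert admin admin system:masters ""

# worker kubelets: CN system:node:<name> with O=system:nodes is the identity
# the Node authorizer expects
for worker in worker-0 worker-1 worker-2; do
  mkcert "system:node:${worker}" "${worker}" system:nodes "$(node_sans "${worker}")"
done

# control-plane components: client certificates only, hence no SANs
mkcert system:kube-controller-manager kube-controller-manager system:kube-controller-manager ""
mkcert system:kube-proxy kube-proxy system:node-proxier ""
mkcert system:kube-scheduler kube-scheduler system:kube-scheduler ""

# key pair the API server uses to sign service-account tokens
mkcert service-accounts service-account Kubernetes ""

# and finally, apiserver. SANs: the in-cluster service IP, the
# kubernetes.default DNS name, loopback, three 10.254.254.x addresses
# (presumably the control-plane nodes; see func.sh) and the public endpoint.
# NOTE(review): the list has no "kubernetes", "kubernetes.default.svc" or
# "kubernetes.default.svc.<cluster-domain>" entry; in-cluster clients that
# connect by those names will fail host-name verification - confirm the
# cluster DNS domain before extending the list.
mkcert kubernetes kubernetes system:masters \
  "10.32.0.1,kubernetes.default,127.0.0.1,10.254.254.100,10.254.254.101,10.254.254.102,$(public_ip)"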