hscloud/env.sh

# source me to have all the nice things

if [ "$0" == "$BASH_SOURCE" ]; then
    echo "You should be sourcing this."
    exit 1
fi

hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"

hscloud-dc() {
    ( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" )
}

hscloud-pki-dev() {
    (
        set -e

        cd "$hscloud_root"
        rm -rf docker/pki

        cp -rv go/pki/dev-certs docker/pki
        cd docker/pki
        bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
        ls *pem
    )
}

# Generate a per-node certificate remotely on the node.
hscloud-node-remote-cert() {
    (
        set -e
        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
            echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
            exit 1
        fi
        fqdn="$1"
        certname="$2"
        subj="$3"

        echo "Node: ${fqdn}; Cert: ${certname}"

        echo "Checking node livenes..."
        ssh root@$fqdn uname -a

        echo "Checking if node already has key..."
        ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
            echo "Generating key..."
            ssh root@$fqdn -- mkdir -p /opt/hscloud
            ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\"" 
            ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
        )

        echo "Checking if node already has cert..."
        ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
        echo "No cert, will generate..."

        cd "$hscloud_root"
        secrets="$hscloud_root/secrets"
        ca="$secrets/ca.key"
        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )

        ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}'\""
        scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
        openssl x509 -req -in ${fqdn}-${certname}.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}-${certname}.crt"

        scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
        scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
        rm ${fqdn}-${certname}.csr
    )
}

# Generate locally (if not present) a shared certificate, and upload it to the node
hscloud-node-shared-cert() {
    (
        set -e
        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
            echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
            exit 1
        fi
        fqdn="$1"
        certname="$2"
        subj="$3"

        cd "$hscloud_root"
        secrets="$hscloud_root/secrets"
        keyfile="$secrets/$certname.key"
        cert="$hscloud_root/data/$certname.crt"
        csr="$hscloud_root/data/$certname.csr"
        ca="$secrets/ca.key"
        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )

        echo "Checking if key exists..."
        if [ ! -f "$keyfile" ]; then
            echo "No key, trying to decrypt..."
            if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
                echo "No encrypted key, generating..."
                openssl genrsa -out $keyfile 4096
                echo "Encrypting..."
                scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
            fi
        fi

        echo "Checking if cert exists..."
        if [ ! -f "$cert" ]; then
            echo "No cert, generating..."
            rm -f "${csr}"
            openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
            openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
        fi

        echo "Copying certificate to node..."
        scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
        scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
        ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
    )
}

hscloud-node-certs() {
    (
        set -e
            
        if [ -z "$1" ]; then
            echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
            exit 1
        fi
        fqdn="$1"

        hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
        hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
        for component in controller-manager proxy scheduler; do
            hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
        done
        hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"
        hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"
    )
}

echo "Now playing:"
echo "  hscloud-dc      - run docker-compose"
echo "  hscloud-pki-dev - generate dev PKI certs"
echo "  hscloud-node-push-certs - push a node cert to the node"
echo ""
begin docker-composing 2018-11-01 21:39:01 +00:00			`# source me to have all the nice things`

			`if [ "$0" == "$BASH_SOURCE" ]; then`
			`echo "You should be sourcing this."`
			`exit 1`
			`fi`

			`hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"`

			`hscloud-dc() {`
			`( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" )`
			`}`

			`hscloud-pki-dev() {`
			`(`
			`set -e`

			`cd "$hscloud_root"`
			`rm -rf docker/pki`

			`cp -rv go/pki/dev-certs docker/pki`
			`cd docker/pki`
			`bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client`
			`ls *pem`
			`)`
			`}`

k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`# Generate a per-node certificate remotely on the node.`
			`hscloud-node-remote-cert() {`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`(`
			`set -e`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`if [ -z "$1" ] \|\| [ -z "$2" ] \|\| [ -x "$3" ]; then`
			`echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`exit 1`
			`fi`
			`fqdn="$1"`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`certname="$2"`
			`subj="$3"`

			`echo "Node: ${fqdn}; Cert: ${certname}"`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00
			`echo "Checking node livenes..."`
			`ssh root@$fqdn uname -a`

			`echo "Checking if node already has key..."`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`ssh root@$fqdn stat /opt/hscloud/${certname}.key \|\| (`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`echo "Generating key..."`
			`ssh root@$fqdn -- mkdir -p /opt/hscloud`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\""`
			`ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`)`

			`echo "Checking if node already has cert..."`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`echo "No cert, will generate..."`

			`cd "$hscloud_root"`
			`secrets="$hscloud_root/secrets"`
secrets: re-encode for inf, nuke secrets/plain 2019-01-12 23:02:10 +00:00			`ca="$secrets/ca.key"`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )`

k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}'\""`
			`scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr`
			`openssl x509 -req -in ${fqdn}-${certname}.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}-${certname}.crt"`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt`
			`rm ${fqdn}-${certname}.csr`
			`)`
			`}`

			`# Generate locally (if not present) a shared certificate, and upload it to the node`
			`hscloud-node-shared-cert() {`
			`(`
			`set -e`
			`if [ -z "$1" ] \|\| [ -z "$2" ] \|\| [ -x "$3" ]; then`
			`echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"`
			`exit 1`
			`fi`
			`fqdn="$1"`
			`certname="$2"`
			`subj="$3"`

			`cd "$hscloud_root"`
			`secrets="$hscloud_root/secrets"`
			`keyfile="$secrets/$certname.key"`
			`cert="$hscloud_root/data/$certname.crt"`
			`csr="$hscloud_root/data/$certname.csr"`
secrets: re-encode for inf, nuke secrets/plain 2019-01-12 23:02:10 +00:00			`ca="$secrets/ca.key"`
k8s: deploy k8s certs 2019-01-12 21:30:41 +00:00			`[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )`

			`echo "Checking if key exists..."`
			`if [ ! -f "$keyfile" ]; then`
			`echo "No key, trying to decrypt..."`
			`if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then`
			`echo "No encrypted key, generating..."`
			`openssl genrsa -out $keyfile 4096`
			`echo "Encrypting..."`
			`scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"`
			`fi`
			`fi`

			`echo "Checking if cert exists..."`
			`if [ ! -f "$cert" ]; then`
			`echo "No cert, generating..."`
			`rm -f "${csr}"`
			`openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"`
			`openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"`
			`fi`

			`echo "Copying certificate to node..."`
			`scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt`
			`scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key`
			`ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt`
			`ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key`
			`)`
			`}`

			`hscloud-node-certs() {`
			`(`
			`set -e`

			`if [ -z "$1" ]; then`
			`echo >&2 "Usage: hscloud-node-certs node.fqdn.com"`
			`exit 1`
			`fi`
			`fqdn="$1"`

			`hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""`
			`hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""`
			`for component in controller-manager proxy scheduler; do`
			`hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"`
			`done`
k8s: add apiserver and serviceaccounts certs 2019-01-12 22:56:17 +00:00			`hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"`
			`hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`)`
			`}`

begin docker-composing 2018-11-01 21:39:01 +00:00			`echo "Now playing:"`
			`echo " hscloud-dc - run docker-compose"`
			`echo " hscloud-pki-dev - generate dev PKI certs"`
env.sh: implement prod cert generation 2018-12-23 00:35:07 +00:00			`echo " hscloud-node-push-certs - push a node cert to the node"`
env.sh: nicer niceness 2018-12-23 00:40:28 +00:00			`echo ""`