2018-11-01 21:39:01 +00:00
|
|
|
# source me to have all the nice things
|
|
|
|
|
|
|
|
if [ "$0" == "$BASH_SOURCE" ]; then
|
|
|
|
echo "You should be sourcing this."
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"
|
|
|
|
|
2019-01-13 16:51:34 +00:00
|
|
|
if [ ! -f "$hscloud_root/WORKSPACE" ]; then
|
|
|
|
echo "Could not find WORKSPACE"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
hscloud_path="$hscloud_root/bazel-bin/tools"
|
|
|
|
|
|
|
|
[[ ":$PATH:" != *":$hscloud_path:"* ]] && PATH="$hscloud_path:${PATH}"
|
|
|
|
|
|
|
|
# legacy crap follows
|
|
|
|
|
2018-11-01 21:39:01 +00:00
|
|
|
hscloud-dc() {
|
|
|
|
( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" )
|
|
|
|
}
|
|
|
|
|
|
|
|
hscloud-pki-dev() {
|
|
|
|
(
|
|
|
|
set -e
|
|
|
|
|
|
|
|
cd "$hscloud_root"
|
|
|
|
rm -rf docker/pki
|
|
|
|
|
|
|
|
cp -rv go/pki/dev-certs docker/pki
|
|
|
|
cd docker/pki
|
|
|
|
bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
|
|
|
|
ls *pem
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2019-01-12 21:30:41 +00:00
|
|
|
# Generate a per-node certificate remotely on the node.
|
|
|
|
hscloud-node-remote-cert() {
|
2018-12-23 00:35:07 +00:00
|
|
|
(
|
|
|
|
set -e
|
2019-01-12 21:30:41 +00:00
|
|
|
if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
|
|
|
|
echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
|
2018-12-23 00:35:07 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fqdn="$1"
|
2019-01-12 21:30:41 +00:00
|
|
|
certname="$2"
|
|
|
|
subj="$3"
|
|
|
|
|
|
|
|
echo "Node: ${fqdn}; Cert: ${certname}"
|
2018-12-23 00:35:07 +00:00
|
|
|
|
|
|
|
echo "Checking node livenes..."
|
|
|
|
ssh root@$fqdn uname -a
|
|
|
|
|
|
|
|
echo "Checking if node already has key..."
|
2019-01-12 21:30:41 +00:00
|
|
|
ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
|
2018-12-23 00:35:07 +00:00
|
|
|
echo "Generating key..."
|
|
|
|
ssh root@$fqdn -- mkdir -p /opt/hscloud
|
2019-01-12 21:30:41 +00:00
|
|
|
ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\""
|
|
|
|
ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
|
2018-12-23 00:35:07 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
echo "Checking if node already has cert..."
|
2019-01-12 21:30:41 +00:00
|
|
|
ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
|
2018-12-23 00:35:07 +00:00
|
|
|
echo "No cert, will generate..."
|
|
|
|
|
|
|
|
cd "$hscloud_root"
|
|
|
|
secrets="$hscloud_root/secrets"
|
2019-01-12 23:02:10 +00:00
|
|
|
ca="$secrets/ca.key"
|
2018-12-23 00:35:07 +00:00
|
|
|
[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
|
|
|
|
|
2019-01-13 12:32:19 +00:00
|
|
|
cp data/openssl.cnf san.cnf
|
|
|
|
echo -ne "\n[SAN]\nsubjectAltName=DNS:${fqdn}" >> san.cnf
|
|
|
|
scp san.cnf root@$fqdn:/opt/hscloud/san.cnf
|
|
|
|
|
|
|
|
ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
|
2019-01-12 21:30:41 +00:00
|
|
|
scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
|
2019-01-13 12:32:19 +00:00
|
|
|
openssl x509 -req \
|
|
|
|
-in ${fqdn}-${certname}.csr \
|
|
|
|
-CA data/ca.crt \
|
|
|
|
-CAkey "$ca" -CAcreateserial \
|
|
|
|
-out "data/${fqdn}-${certname}.crt" \
|
|
|
|
-extensions SAN -extfile san.cnf
|
2018-12-23 00:35:07 +00:00
|
|
|
|
2019-01-12 21:30:41 +00:00
|
|
|
scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
|
2018-12-23 00:35:07 +00:00
|
|
|
scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
|
2019-01-12 21:30:41 +00:00
|
|
|
ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
|
|
|
|
rm ${fqdn}-${certname}.csr
|
2019-01-13 12:32:19 +00:00
|
|
|
rm san.cnf
|
2019-01-12 21:30:41 +00:00
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
# Generate locally (if not present) a shared certificate, and upload it to the node
|
|
|
|
hscloud-node-shared-cert() {
|
|
|
|
(
|
|
|
|
set -e
|
|
|
|
if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
|
|
|
|
echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fqdn="$1"
|
|
|
|
certname="$2"
|
|
|
|
subj="$3"
|
|
|
|
|
|
|
|
cd "$hscloud_root"
|
|
|
|
secrets="$hscloud_root/secrets"
|
|
|
|
keyfile="$secrets/$certname.key"
|
|
|
|
cert="$hscloud_root/data/$certname.crt"
|
|
|
|
csr="$hscloud_root/data/$certname.csr"
|
2019-01-12 23:02:10 +00:00
|
|
|
ca="$secrets/ca.key"
|
2019-01-12 21:30:41 +00:00
|
|
|
[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
|
|
|
|
|
|
|
|
echo "Checking if key exists..."
|
|
|
|
if [ ! -f "$keyfile" ]; then
|
|
|
|
echo "No key, trying to decrypt..."
|
|
|
|
if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
|
|
|
|
echo "No encrypted key, generating..."
|
|
|
|
openssl genrsa -out $keyfile 4096
|
|
|
|
echo "Encrypting..."
|
|
|
|
scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "Checking if cert exists..."
|
|
|
|
if [ ! -f "$cert" ]; then
|
|
|
|
echo "No cert, generating..."
|
|
|
|
rm -f "${csr}"
|
|
|
|
openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
|
|
|
|
openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "Copying certificate to node..."
|
|
|
|
scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
|
|
|
|
scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
|
|
|
|
ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
|
|
|
|
ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
hscloud-node-certs() {
|
|
|
|
(
|
|
|
|
set -e
|
|
|
|
|
|
|
|
if [ -z "$1" ]; then
|
|
|
|
echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fqdn="$1"
|
|
|
|
|
|
|
|
hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
|
|
|
|
hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
|
|
|
|
for component in controller-manager proxy scheduler; do
|
|
|
|
hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
|
|
|
|
done
|
2019-01-12 22:56:17 +00:00
|
|
|
hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"
|
|
|
|
hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"
|
2018-12-23 00:35:07 +00:00
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2019-01-13 12:32:19 +00:00
|
|
|
hscloud-k8s-config() {
|
|
|
|
(
|
|
|
|
set -e
|
|
|
|
|
|
|
|
if [ -z "$1" ]; then
|
|
|
|
echo >&2 "Usage: hscloud-k8s-config username"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
username="$1"
|
|
|
|
|
|
|
|
cd "$hscloud_root"
|
|
|
|
mkdir -p .kubectl
|
|
|
|
|
|
|
|
cert="$hscloud_root/.kubectl/client.crt"
|
|
|
|
csr="$hscloud_root/.kubectl/client.csr"
|
|
|
|
keyfile="$hscloud_root/.kubectl/client.key"
|
|
|
|
secrets="$hscloud_root/secrets"
|
|
|
|
ca="$secrets/ca.key"
|
|
|
|
|
|
|
|
if [ ! -f "$keyfile" ]; then
|
|
|
|
echo "Generating ${keyfile}..."
|
|
|
|
openssl genrsa -out $keyfile 4096
|
|
|
|
rm -f "$cert"
|
|
|
|
fi
|
|
|
|
if [ ! -f "$cert" ]; then
|
|
|
|
echo "Signing ${cert}..."
|
|
|
|
[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
|
|
|
|
openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
|
|
|
|
openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
|
|
|
|
fi
|
|
|
|
|
|
|
|
kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
|
|
|
|
echo "Generating ${kubeconfig}..."
|
|
|
|
rm -rf ${kubeconfig}
|
|
|
|
|
|
|
|
kubectl config set-cluster k0.hswaw.net \
|
|
|
|
--certificate-authority=${hscloud_root}/data/ca.crt \
|
|
|
|
--embed-certs=true \
|
|
|
|
--server=https://k0.hswaw.net:4001 \
|
|
|
|
--kubeconfig=${kubeconfig}
|
|
|
|
|
|
|
|
kubectl config set-credentials ${username} \
|
|
|
|
--client-certificate=${cert} \
|
|
|
|
--client-key=${keyfile} \
|
|
|
|
--embed-certs=true \
|
|
|
|
--kubeconfig=${kubeconfig}
|
|
|
|
|
|
|
|
kubectl config set-context default \
|
|
|
|
--cluster=k0.hswaw.net \
|
|
|
|
--user=${username} \
|
|
|
|
--kubeconfig=${kubeconfig}
|
|
|
|
|
|
|
|
kubectl config use-context default --kubeconfig=${kubeconfig}
|
|
|
|
)
|
|
|
|
}
|