author | Pawan Verma <pawanjbs5@gmail.com> | 2021-10-04 18:44:20 +0530 |
---|---|---|
committer | Pawan Verma <pawanjbs5@gmail.com> | 2021-10-16 00:55:05 +0530 |
commit | 0ab7ff90c3fec546275fd35ffc13cb787c03721e (patch) | |
tree | 983c14abdc5d840315c478f9555c9127e7219700 /tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh | |
parent | 212d0f7165d26d97823852992ed261529e095b69 (diff) |
Add support for Calico, Cilium, Contiv-VPP and Danm in k8scluster deployment scripts.
This patch adds support for installing Calico, Cilium, Contiv-VPP and
Danm in Kubernetes cluster deployment ansible scripts.
Signed-off-by: Pawan Verma <pawanjbs5@gmail.com>
Change-Id: Ib76620fa0f63dd58e8496bbf31baf515f697bcde
Diffstat (limited to 'tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh')
-rwxr-xr-x | tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh
new file mode 100755
index 00000000..d1486f62
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+
+set -e
+
+usage() {
+ cat <<EOF
+Generate certificate suitable for use with an sidecar-injector webhook service.
+This script uses k8s' CertificateSigningRequest API to a generate a
+certificate signed by k8s CA suitable for use with sidecar-injector webhook
+services. This requires permissions to create and approve CSR. See
+https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
+detailed explantion and additional instructions.
+The server key/cert k8s CA cert are stored in a k8s secret.
+usage: ${0} [OPTIONS]
+The following flags are required.
+ --service Service name of webhook.
+ --namespace Namespace where webhook service and secret reside.
+ --secret Secret name for CA certificate and server certificate/key pair.
+EOF
+ exit 1
+}
+
+while [ $# -gt 0 ]; do
+ case ${1} in
+ --service)
+ service="$2"
+ shift
+ ;;
+ --secret)
+ secret="$2"
+ shift
+ ;;
+ --namespace)
+ namespace="$2"
+ shift
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
+done
+
+[ -z ${service} ] && service=danm-webhook-svc
+[ -z ${secret} ] && secret=danm-webhook-certs
+[ -z ${namespace} ] && namespace=kube-system
+
+if [ ! -x "$(command -v openssl)" ]; then
+ echo "openssl not found"
+ exit 1
+fi
+
+csrName=${service}.${namespace}
+tmpdir=$(mktemp -d)
+echo "creating certs in tmpdir ${tmpdir} "
+
+cat <<EOF >> ${tmpdir}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service}
+DNS.2 = ${service}.${namespace}
+DNS.3 = ${service}.${namespace}.svc
+EOF
+
+openssl genrsa -out ${tmpdir}/server-key.pem 2048
+openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+
+# clean-up any previously created CSR for our service. Ignore errors if not present.
+kubectl delete csr ${csrName} 2>/dev/null || true
+
+# create server cert/key CSR and send to k8s API
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1beta1
+kind: CertificateSigningRequest
+metadata:
+ name: ${csrName}
+spec:
+ groups:
+ - system:authenticated
+ request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
+ usages:
+ - digital signature
+ - key encipherment
+ - server auth
+EOF
+
+# verify CSR has been created
+while true; do
+ kubectl get csr ${csrName}
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+done
+
+# approve and fetch the signed certificate
+kubectl certificate approve ${csrName}
+# verify certificate has been signed
+for x in $(seq 10); do
+ serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
+ if [ -n ${serverCert} ]; then
+ break
+ fi
+ sleep 1
+done
+echo ${serverCert} | openssl base64 -d -A -out ${tmpdir}/server-cert.pem
+
+
+# create the secret with CA cert and server cert/key
+kubectl create secret generic ${secret} \
+ --from-file=key.pem=${tmpdir}/server-key.pem \
+ --from-file=cert.pem=${tmpdir}/server-cert.pem \
+ --dry-run -o yaml |
+ kubectl -n ${namespace} apply -f -
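Review bot: The loop that waits for the signed certificate never actually retries, because `[ -n ${serverCert} ]` is unquoted and with an empty value collapses to the one-argument test `[ -n ]`, which is true, so it breaks on the first pass and `openssl base64 -d` is then fed an empty string and the secret is created with an empty cert.pem; quote it as `if [ -n "${serverCert}" ]; then` and fail after the loop with `[ -n "${serverCert}" ] || { echo "certificate for ${csrName} was not issued" >&2; exit 1; }`. The earlier `while true` poll has the opposite problem: under `set -e` a failing `kubectl get csr` aborts the script before `"$?"` is inspected, so the loop either passes on the first try or exits, and it has neither a sleep nor an iteration bound. The temporary directory holding server-key.pem is never removed, so the private key outlives the script in /tmp; add `trap 'rm -rf -- "${tmpdir}"' EXIT` directly after `tmpdir=$(mktemp -d)`. The CSR is submitted as certificates.k8s.io/v1beta1, which as far as I know has been removed from newer Kubernetes releases in favour of v1 (where signerName is mandatory), so this is worth confirming against the cluster versions the role targets.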