k8s: deploy k8s certs
diff --git a/env.sh b/env.sh
index 8efe1b8..bc2a6e2 100644
--- a/env.sh
+++ b/env.sh
@@ -25,29 +25,33 @@
)
}
-hscloud-node-push-certs() {
+# Generate a per-node certificate remotely on the node.
+hscloud-node-remote-cert() {
(
set -e
-
- if [ -z "$1" ]; then
- echo >&2 "Usage: hscloud-node-push-certs node.fqdn.com"
+ if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
+ echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
exit 1
fi
fqdn="$1"
+ certname="$2"
+ subj="$3"
+
+ echo "Node: ${fqdn}; Cert: ${certname}"
echo "Checking node livenes..."
ssh root@$fqdn uname -a
echo "Checking if node already has key..."
- ssh root@$fqdn stat /opt/hscloud/node.key || (
+ ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
echo "Generating key..."
ssh root@$fqdn -- mkdir -p /opt/hscloud
- ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/node.key 4096\""
- ssh root@$fqdn -- chmod 400 /opt/hscloud/node.key
+ ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\""
+ ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
)
echo "Checking if node already has cert..."
- ssh root@$fqdn stat /opt/hscloud/node.crt && exit 0
+ ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
echo "No cert, will generate..."
cd "$hscloud_root"
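Review bot: The usage guard at the top of hscloud-node-remote-cert tests the third argument with `-x`, which checks whether `$3` names an executable file rather than whether it is empty, so a missing subject is never rejected and an empty `-subj ''` reaches openssl later; it should read `if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then`. The same `-x` test appears in the guard of hscloud-node-shared-cert in the next hunk. Separately, the signing step `openssl x509 -req ... -CAcreateserial -out "data/${fqdn}-${certname}.crt"` in the next hunk passes no `-days` (openssl's default is 30 days) and no `-extfile`, so the certificate has a one-month lifetime and carries no extensions; because the function exits early as soon as `/opt/hscloud/${certname}.crt` exists on the node, an expired certificate is never reissued, and the shared-cert signing line has the same shape. Whether the consumers accept a CN-only certificate without a SubjectAltName depends on the Kubernetes versions in use and is worth confirming. The body of hscloud-node-remote-cert continues past the end of this hunk.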
@@ -55,14 +59,79 @@
ca="$secrets/plain/ca.key"
[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
- ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/node.key -out /opt/hscloud/node.csr -subj '/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN="$fqdn"'\""
- scp root@$fqdn:/opt/hscloud/node.csr .
- openssl x509 -req -in node.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}.crt"
+ ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}'\""
+ scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
+ openssl x509 -req -in ${fqdn}-${certname}.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}-${certname}.crt"
- scp "data/${fqdn}.crt" root@$fqdn:/opt/hscloud/node.crt
+ scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
- ssh root@$fqdn -- chmod 444 /opt/hscloud/node.crt /opt/hscloud/ca.crt
- rm node.csr
+ ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
+ rm ${fqdn}-${certname}.csr
+ )
+}
+
+# Generate locally (if not present) a shared certificate, and upload it to the node
+hscloud-node-shared-cert() {
+ (
+ set -e
+ if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
+ echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
+ exit 1
+ fi
+ fqdn="$1"
+ certname="$2"
+ subj="$3"
+
+ cd "$hscloud_root"
+ secrets="$hscloud_root/secrets"
+ keyfile="$secrets/$certname.key"
+ cert="$hscloud_root/data/$certname.crt"
+ csr="$hscloud_root/data/$certname.csr"
+ ca="$secrets/plain/ca.key"
+ [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
+
+ echo "Checking if key exists..."
+ if [ ! -f "$keyfile" ]; then
+ echo "No key, trying to decrypt..."
+ if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
+ echo "No encrypted key, generating..."
+ openssl genrsa -out $keyfile 4096
+ echo "Encrypting..."
+ scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
+ fi
+ fi
+
+ echo "Checking if cert exists..."
+ if [ ! -f "$cert" ]; then
+ echo "No cert, generating..."
+ rm -f "${csr}"
+ openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
+ openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
+ fi
+
+ echo "Copying certificate to node..."
+ scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
+ scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
+ ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
+ ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
+ )
+}
+
+hscloud-node-certs() {
+ (
+ set -e
+
+ if [ -z "$1" ]; then
+ echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
+ exit 1
+ fi
+ fqdn="$1"
+
+ hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
+ hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
+ for component in controller-manager proxy scheduler; do
+ hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
+ done
)
}
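Review bot: The CA decryption line in hscloud-node-shared-cert, `[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )`, creates `$ca` through the redirection before decrypt runs, so when decrypt fails the subshell aborts the function under `set -e` but leaves an empty `secrets/plain/ca.key` behind; every later invocation then sees the file present, skips decryption and hands the empty file to `openssl x509 -CAkey`. Decrypting to a temporary file and renaming it into place on success, or `rm -f -- "$ca"` when the subshell fails, avoids the stale artefact, and `$ca` should be quoted in the redirection. The plaintext CA and the locally generated or decrypted `$keyfile` are written with the caller's umask, whereas the node-side copies get an explicit `chmod 400`; a `umask 077` right after `set -e` would make the local copies match. The `ssh`/`scp` targets throughout use unquoted `root@$fqdn` and `${certname}`, which is cheap to fix with quotes.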