k8s: regenerate kube-node certs with FQDN SAN
diff --git a/env.sh b/env.sh
index 73696a8..e58c0de 100644
--- a/env.sh
+++ b/env.sh
@@ -59,14 +59,24 @@
ca="$secrets/ca.key"
[ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
- ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}'\""
+ cp data/openssl.cnf san.cnf
+ echo -ne "\n[SAN]\nsubjectAltName=DNS:${fqdn}" >> san.cnf
+ scp san.cnf root@$fqdn:/opt/hscloud/san.cnf
+
+ ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
- openssl x509 -req -in ${fqdn}-${certname}.csr -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "data/${fqdn}-${certname}.crt"
+ openssl x509 -req \
+ -in ${fqdn}-${certname}.csr \
+ -CA data/ca.crt \
+ -CAkey "$ca" -CAcreateserial \
+ -out "data/${fqdn}-${certname}.crt" \
+ -extensions SAN -extfile san.cnf
scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
rm ${fqdn}-${certname}.csr
+ rm san.cnf
)
}
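Review bot: The SAN section is appended with `echo -ne`, which relies on bash's echo semantics and leaves san.cnf without a trailing newline; `printf '\n[SAN]\nsubjectAltName=DNS:%s\n' "$fqdn" >> san.cnf` is portable and keeps `$fqdn` out of the format string. The `-reqexts SAN` on the remote CSR is informational only, because `openssl x509 -req` does not copy extensions from the CSR by default — the SAN that ends up in the issued certificate comes from `-extensions SAN -extfile san.cnf` on the signing line, so a one-line comment there (`# SAN comes from san.cnf here; the CSR's own extensions are ignored by x509 -req`) would explain why it appears twice. The local san.cnf is removed at the end but the copy pushed to /opt/hscloud/san.cnf on the node is left behind, and neither removal runs if an earlier command in the subshell fails; a `trap 'rm -f san.cnf' EXIT` inside the subshell would make the local cleanup reliable. The enclosing function starts before this hunk.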
@@ -137,8 +147,64 @@
)
}
+hscloud-k8s-config() {
+ (
+ set -e
+
+ if [ -z "$1" ]; then
+ echo >&2 "Usage: hscloud-k8s-config username"
+ exit 1
+ fi
+ username="$1"
+
+ cd "$hscloud_root"
+ mkdir -p .kubectl
+
+ cert="$hscloud_root/.kubectl/client.crt"
+ csr="$hscloud_root/.kubectl/client.csr"
+ keyfile="$hscloud_root/.kubectl/client.key"
+ secrets="$hscloud_root/secrets"
+ ca="$secrets/ca.key"
+
+ if [ ! -f "$keyfile" ]; then
+ echo "Generating ${keyfile}..."
+ openssl genrsa -out $keyfile 4096
+ rm -f "$cert"
+ fi
+ if [ ! -f "$cert" ]; then
+ echo "Signing ${cert}..."
+ [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
+ openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
+ openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
+ fi
+
+ kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
+ echo "Generating ${kubeconfig}..."
+ rm -rf ${kubeconfig}
+
+ kubectl config set-cluster k0.hswaw.net \
+ --certificate-authority=${hscloud_root}/data/ca.crt \
+ --embed-certs=true \
+ --server=https://k0.hswaw.net:4001 \
+ --kubeconfig=${kubeconfig}
+
+ kubectl config set-credentials ${username} \
+ --client-certificate=${cert} \
+ --client-key=${keyfile} \
+ --embed-certs=true \
+ --kubeconfig=${kubeconfig}
+
+ kubectl config set-context default \
+ --cluster=k0.hswaw.net \
+ --user=${username} \
+ --kubeconfig=${kubeconfig}
+
+ kubectl config use-context default --kubeconfig=${kubeconfig}
+ )
+}
+
echo "Now playing:"
-echo " hscloud-dc - run docker-compose"
-echo " hscloud-pki-dev - generate dev PKI certs"
-echo " hscloud-node-push-certs - push a node cert to the node"
+echo " hscloud-dc - run docker-compose"
+echo " hscloud-pki-dev - generate dev PKI certs"
+echo " hscloud-node-certs - ensure node has required certs"
echo ""
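Review bot: In hscloud-k8s-config the CA-key guard `[ ! -f "$ca" ] && ( scripts/secretstore decrypt ... > $ca )` creates `$ca` via the redirection before decrypt runs, so a failed decryption leaves an empty ca.key behind and every later run skips decryption and fails at the `openssl x509 -req` step with a misleading error; `if [ ! -f "$ca" ]; then scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca" || { rm -f "$ca"; exit 1; }; fi` keeps the guard honest (the same pattern is a context line in the first hunk and would benefit from the same fix). Several path expansions in the new function are unquoted — `openssl genrsa -out $keyfile 4096`, `rm -rf ${kubeconfig}`, and the `--certificate-authority`, `--kubeconfig`, `--client-certificate` and `--client-key` values on the kubectl lines — so a `$hscloud_root` containing whitespace splits them; quote them as the `cert`/`csr` lines already do. The client certificate is issued with `O=system:masters`, i.e. unrestricted cluster-admin, and the signing call passes no `-days`, so it gets OpenSSL's 30-day default; if that short lifetime is the intent for such a privileged credential, a comment saying so (`# no -days: 30-day default validity is deliberate for admin certs`) would stop someone "fixing" it later.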