*: k0.hswaw.net somewhat working
diff --git a/env.sh b/env.sh
index cef844e..d058ea5 100644
--- a/env.sh
+++ b/env.sh
@@ -5,7 +5,7 @@
exit 1
fi
-hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"
+export hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"
if [ ! -f "$hscloud_root/WORKSPACE" ]; then
echo "Could not find WORKSPACE"
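Review bot: On the exported line the two commands inside the substitution are joined with `;`, so if the `cd` fails `pwd -P` still runs and hscloud_root is set to the caller's current directory rather than the script's; chaining them as `export hscloud_root="$( cd "$(dirname "$BASH_SOURCE")" && pwd -P )"` makes the failure produce an empty value instead. The WORKSPACE check that follows would likely catch most such cases, but only after the wrong path has already been exported into the environment of every child process. Since the commit's point is to export the variable, it is worth making sure the value cannot be silently wrong.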
@@ -16,200 +16,6 @@
[[ ":$PATH:" != *":$hscloud_path:"* ]] && PATH="$hscloud_path:${PATH}"
-# legacy crap follows
-
-hscloud-dc() {
- ( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" )
-}
-
-hscloud-pki-dev() {
- (
- set -e
-
- cd "$hscloud_root"
- rm -rf docker/pki
-
- cp -rv go/pki/dev-certs docker/pki
- cd docker/pki
- bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
- ls *pem
- )
-}
-
-# Generate a per-node certificate remotely on the node.
-hscloud-node-remote-cert() {
- (
- set -e
- if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
- echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
- exit 1
- fi
- fqdn="$1"
- certname="$2"
- subj="$3"
-
- echo "Node: ${fqdn}; Cert: ${certname}"
-
- echo "Checking node livenes..."
- ssh root@$fqdn uname -a
-
- echo "Checking if node already has key..."
- ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
- echo "Generating key..."
- ssh root@$fqdn -- mkdir -p /opt/hscloud
- ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\""
- ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
- )
-
- echo "Checking if node already has cert..."
- ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
- echo "No cert, will generate..."
-
- cd "$hscloud_root"
- secrets="$hscloud_root/secrets"
- ca="$secrets/ca.key"
- [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
-
- cp data/openssl.cnf san.cnf
- echo -ne "\n[SAN]\nsubjectAltName=DNS:${fqdn}" >> san.cnf
- scp san.cnf root@$fqdn:/opt/hscloud/san.cnf
-
- ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
- scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
- openssl x509 -req \
- -in ${fqdn}-${certname}.csr \
- -CA data/ca.crt \
- -CAkey "$ca" -CAcreateserial \
- -out "data/${fqdn}-${certname}.crt" \
- -extensions SAN -extfile san.cnf
-
- scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
- scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
- ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
- rm ${fqdn}-${certname}.csr
- rm san.cnf
- )
-}
-
-# Generate locally (if not present) a shared certificate, and upload it to the node
-hscloud-node-shared-cert() {
- (
- set -e
- if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
- echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
- exit 1
- fi
- fqdn="$1"
- certname="$2"
- subj="$3"
-
- cd "$hscloud_root"
- secrets="$hscloud_root/secrets"
- keyfile="$secrets/$certname.key"
- cert="$hscloud_root/data/$certname.crt"
- csr="$hscloud_root/data/$certname.csr"
- ca="$secrets/ca.key"
- [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
-
- echo "Checking if key exists..."
- if [ ! -f "$keyfile" ]; then
- echo "No key, trying to decrypt..."
- if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
- echo "No encrypted key, generating..."
- openssl genrsa -out $keyfile 4096
- echo "Encrypting..."
- scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
- fi
- fi
-
- echo "Checking if cert exists..."
- if [ ! -f "$cert" ]; then
- echo "No cert, generating..."
- rm -f "${csr}"
- openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
- openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
- fi
-
- echo "Copying certificate to node..."
- scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
- scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
- ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
- ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
- )
-}
-
-hscloud-node-certs() {
- (
- set -e
-
- if [ -z "$1" ]; then
- echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
- exit 1
- fi
- fqdn="$1"
-
- hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
- hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
- for component in controller-manager proxy scheduler; do
- hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
- done
- hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"
- hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"
- )
-}
-
-hscloud-k8s-config() {
- (
- set -e
-
- if [ -z "$1" ]; then
- echo >&2 "Usage: hscloud-k8s-config username"
- exit 1
- fi
- username="$1"
-
- cd "$hscloud_root"
- mkdir -p .kubectl
-
- cert="$hscloud_root/.kubectl/client.crt"
- csr="$hscloud_root/.kubectl/client.csr"
- keyfile="$hscloud_root/.kubectl/client.key"
- secrets="$hscloud_root/secrets"
- ca="$secrets/ca.key"
-
- if [ ! -f "$keyfile" ]; then
- echo "Generating ${keyfile}..."
- openssl genrsa -out $keyfile 4096
- rm -f "$cert"
- fi
- if [ ! -f "$cert" ]; then
- echo "Signing ${cert}..."
- [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
- openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
- openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
- fi
-
- kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
- echo "Generating ${kubeconfig}..."
- rm -rf ${kubeconfig}
-
- kubectl config set-cluster k0.hswaw.net \
- --certificate-authority=${hscloud_root}/data/ca.crt \
- --embed-certs=true \
- --server=https://k0.hswaw.net:4001 \
- --kubeconfig=${kubeconfig}
-
- kubectl config set-credentials ${username} \
- --client-certificate=${cert} \
- --client-key=${keyfile} \
- --embed-certs=true \
- --kubeconfig=${kubeconfig}
-
- kubectl config set-context default \
- --cluster=k0.hswaw.net \
- --user=${username} \
- --kubeconfig=${kubeconfig}
-
- kubectl config use-context default --kubeconfig=${kubeconfig}
- )
+gpg-unlock() {
+ echo "test" | gpg2 --sign --batch --no-tty -o /dev/null
}
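Review bot: The new `gpg-unlock` function carries no comment, and nothing on its face says why it signs a literal "test" and throws the result away; presumably the goal is to have gpg-agent prompt for and cache the signing key's passphrase before other tooling needs it, but that intent should be stated rather than inferred. I would add above the function `# Prime gpg-agent's passphrase cache by producing a throwaway signature; the output is discarded.`, adjusting if the purpose differs. With `--batch --no-tty` the call cannot fall back to a terminal prompt, so when no agent or pinentry is available it fails with gpg2's exit status and nothing else — callers should check the return value, which a short `# Returns gpg2's exit status.` note would make clear. The deleted legacy functions above are history and not reviewed here.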