recertify all certs
diff --git a/tools/clustercfg.py b/tools/clustercfg.py
index 0426cee..dda4161 100644
--- a/tools/clustercfg.py
+++ b/tools/clustercfg.py
@@ -43,7 +43,7 @@
if not os.path.exists(self.cakey):
decrypt('ca.key')
- def sign(self, csr, crt, conf, days=365):
+ def sign(self, csr, crt, conf, days=365, san=[]):
logger.info('pki: signing {} for {} days'.format(csr, days))
subprocess.check_call([
'openssl', 'x509', '-req',
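Review bot: `san=[]` on the new `sign` signature is a mutable default argument; it is harmless while the list is only read, but it is the idiom linters flag and a future `san.append` would leak across calls. Use `None` as the default and keep the existing truthiness test: `def sign(self, csr, crt, conf, days=365, san=None):`. Since the contents of `san` are never consulted here (only whether it is non-empty; the names themselves come from `conf`), a one-line docstring stating that would help callers: `"""Sign csr into crt; when san is non-empty, apply the SAN section from conf."""`. The body of sign continues past the hunk.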
@@ -54,7 +54,7 @@
'-days', str(days),
] + ([
'-extensions', 'SAN', '-extfile', conf,
- ] if conf else []))
+ ] if san else []))
class Subject(object):
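Review bot: The extension arguments at the `] if san else []))` line are now gated on `san` alone, so a caller passing a non-empty `san` with `conf=None` hands `None` to `subprocess.check_call` as the `-extfile` value, which fails with a TypeError rather than a meaningful error. Either gate on both, `] if san and conf else []))`, or validate up front with `if san and not conf: raise ValueError('san requires an extension config file')`. The call sites changed in this commit always pair a non-empty `san` with `local_config`, so nothing breaks today, but the coupling is implicit. The start of sign lies above this hunk.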
@@ -129,7 +129,7 @@
generate_cert = False
if not _file_exists(c, remote_key):
logger.info("{}/{}: generating key".format(fqdn, cert_name))
- c.run('openssl genrsa -out "{}" 4096'.format(remote_key), hide=True)
+ c.run("""nix-shell -p openssl --command "openssl genrsa -out '{}' 4096" """.format(remote_key), hide=True)
genereate_cert = True
b = BytesIO()
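Review bot: The context line directly below the new genrsa call assigns `genereate_cert = True` (misspelled), so the `generate_cert` initialised a few lines above stays `False` even after a fresh key has just been written; the commit rewrites the adjacent line without fixing it. It should read `generate_cert = True`; whether the stale flag currently produces a key/cert mismatch depends on how the flag is consumed outside the hunk. Separately, `remote_key` is spliced into a shell string with two levels of quoting; if it is built only from trusted configuration that is acceptable, but a `'` in the path would break the inner quoting, and `shlex.quote(remote_key)` (stdlib) would make the composition robust. The enclosing function starts and ends outside this hunk.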
@@ -151,9 +151,12 @@
local_config = openssl_config(san)
c.put(local=local_config, remote=remote_config)
+ sanconf = ""
+ if san:
+ sanconf = "-reqexts SAN"
c.run("""
- nix-shell -p openssl --command "openssl req -new -key {remote_key} -out {remote_csr} -subj '{subj}' -config {remote_config} -reqexts SAN"
- """.format(remote_key=remote_key, remote_csr=remote_csr, subj=str(subj), remote_config=remote_config))
+ nix-shell -p openssl --command "openssl req -new -key {remote_key} -out {remote_csr} -subj '{subj}' -config {remote_config} {sanconf}"
+ """.format(remote_key=remote_key, remote_csr=remote_csr, subj=str(subj), remote_config=remote_config, sanconf=sanconf))
local_csr_f = tempfile.NamedTemporaryFile(delete=False)
local_csr = local_csr_f.name
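Review bot: `sanconf` is assembled as a raw fragment and spliced, together with `remote_key`, `remote_csr`, `subj` and `remote_config`, into a shell string that is itself nested inside the double quotes of `nix-shell --command`; the hand-written single quotes around `{subj}` break as soon as a Subject field contains an apostrophe, and the other values are not quoted at all. Nested quoting is easier to get right by building the inner openssl command with `shlex.quote` on each value and then quoting that whole string once more for the outer layer, as sketched below (`shlex` would need importing at the top of the file, which is outside this hunk). Note also that `openssl_config(san)` and `-config {remote_config}` are still always emitted even when `san` is empty, so only `-reqexts SAN` is conditional; a short comment on the `if san:` line explaining that would help. The enclosing function continues on both sides of the hunk.
```python
# … unchanged: local_config / c.put / sanconf assembly …
inner = 'openssl req -new -key {} -out {} -subj {} -config {} {}'.format(
    shlex.quote(remote_key), shlex.quote(remote_csr), shlex.quote(str(subj)),
    shlex.quote(remote_config), sanconf)
c.run('nix-shell -p openssl --command {}'.format(shlex.quote(inner)))
# … unchanged: local_csr temp file …
```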
@@ -163,7 +166,7 @@
c.get(local=local_csr, remote=remote_csr)
- pki.sign(local_csr, local_cert, local_config, days)
+ pki.sign(local_csr, local_cert, local_config, days, san)
c.put(local=local_cert, remote=remote_cert)
@@ -221,7 +224,7 @@
'-reqexts', 'SAN',
] if san else []))
- pki.sign(local_csr, local_cert, local_config if san else None, days)
+ pki.sign(local_csr, local_cert, local_config, days, san)
os.remove(local_csr)
os.remove(local_config)
@@ -304,7 +307,7 @@
'-subj', str(subj),
])
- pki.sign(local_csr, local_cert, None, 5)
+ pki.sign(local_csr, local_cert, None, 5, [])
configure_k8s(username, pki.cacert, local_cert, local_key)
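Review bot: Passing `[]` as the new fifth argument at the `pki.sign(local_csr, local_cert, None, 5, [])` line only restates the parameter's default and, should that default later become `None`, ties this call site to the list form; `pki.sign(local_csr, local_cert, None, 5)` expresses the same intent. The 5-day lifetime here differs from the `days` used elsewhere and looks deliberate; if it is, a comment such as `# short-lived credential; re-run admincreds to renew` would prevent it being "fixed" later. The enclosing function extends beyond the hunk.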
@@ -320,18 +323,21 @@
c = fabric.Connection('root@{}'.format(fqdn))
p = PKI()
- modified = False
- modified |= remote_cert(p, c, fqdn, "node", Subject(Subject.hswaw, 'Node Certificate', fqdn))
- modified |= remote_cert(p, c, fqdn, "kube-node", Subject('system:nodes', 'Kubelet Certificate', 'system:node:' + fqdn), san=["DNS:"+fqdn,])
+ local_cacert = os.path.join(local_root, 'cluster/certs/ca.crt')
+ remote_cacert = os.path.join(remote_root, 'ca.crt')
+ c.put(local=local_cacert, remote=remote_cacert)
+
+ remote_cert(p, c, fqdn, "node", Subject(Subject.hswaw, 'Node Certificate', fqdn))
+ remote_cert(p, c, fqdn, "kube-node", Subject('system:nodes', 'Kubelet Certificate', 'system:node:' + fqdn), san=["DNS:"+fqdn,])
for component in ['controller-manager', 'proxy', 'scheduler']:
o = 'system:kube-{}'.format(component)
ou = 'Kuberneter Component {}'.format(component)
- modified |= shared_cert(p, c, fqdn, 'kube-{}'.format(component), Subject(o, ou, o))
- modified |= shared_cert(p, c, fqdn, 'kube-apiserver', Subject(Subject.hswaw, 'Kubernetes API', cluster), san=['IP:10.10.12.1', 'DNS:' + cluster])
- modified |= shared_cert(p, c, fqdn, 'kube-serviceaccounts', Subject(Subject.hswaw, 'Kubernetes Service Account Signer', 'service-accounts'))
- modified |= shared_cert(p, c, fqdn, 'kube-calico', Subject(Subject.hswaw, 'Kubernetes Calico Account', 'calico'))
+ shared_cert(p, c, fqdn, 'kube-{}'.format(component), Subject(o, ou, o))
+ shared_cert(p, c, fqdn, 'kube-apiserver', Subject(Subject.hswaw, 'Kubernetes API', cluster), san=['IP:10.10.12.1', 'DNS:' + cluster])
+ shared_cert(p, c, fqdn, 'kube-serviceaccounts', Subject(Subject.hswaw, 'Kubernetes Service Account Signer', 'service-accounts'))
+ shared_cert(p, c, fqdn, 'kube-calico', Subject(Subject.hswaw, 'Kubernetes Calico Account', 'calico'))
- c.run('nixos-rebuild switch')
+ #c.run('nixos-rebuild switch')
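Review bot: Commenting out `c.run('nixos-rebuild switch')` leaves dead code and, if the node's services only pick up new certificates on a rebuild, means this run places fresh certs without activating them; either delete the line or put it behind an explicit switch such as a `rebuild=True` parameter or CLI option, with a comment stating why it is off by default. Dropping the `modified` accumulator also discards the return values of `remote_cert`/`shared_cert`, which is consistent with no longer rebuilding conditionally but means nothing records whether anything changed; a log line after the loop would keep that visible to the operator. The new `c.put` appears to ship only the public `ca.crt` (the key is handled separately by `self.cakey` above), which is the right file to distribute; `local_root` and `remote_root` are defined outside the hunk. The enclosing function begins above this hunk.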
def usage():
sys.stderr.write("Usage: {} <nodestrap|admincreds>\n".format(sys.argv[0]))