# Source this file (do not execute it) to get the hscloud helper functions.
# Refuse to run as a standalone script: the functions below only make sense
# once they are defined in the caller's interactive shell.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  printf '%s\n' "You should be sourcing this."
  exit 1
fi
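# Absolute, symlink-resolved directory holding this file. Every helper below
# cd's here so relative paths (docker/, data/, secrets/, scripts/) resolve.
# `cd … && pwd -P` rather than `cd …; pwd -P`: if the cd fails the value is
# empty instead of silently becoming the caller's current directory.
hscloud_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"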
#######################################
# Run docker-compose against the repo's compose file.
# Globals:   hscloud_root (read)
# Arguments: any docker-compose arguments, passed through verbatim
# Returns:   docker-compose's status, or cd's status if the repo root is gone
#######################################
hscloud-dc() {
  local -r compose_file="docker/docker-compose.yml"
  # Subshell so the caller's working directory is left untouched.
  (
    cd "$hscloud_root" || exit
    docker-compose -f "$compose_file" "$@"
  )
}
14hscloud-pki-dev() {
15 (
16 set -e
17
18 cd "$hscloud_root"
19 rm -rf docker/pki
20
21 cp -rv go/pki/dev-certs docker/pki
22 cd docker/pki
23 bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
24 ls *pem
25 )
26}
# Generate a per-node certificate remotely on the node (the private key never leaves the node).
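#######################################
# Ensure a node holds a per-node private key and a CA-signed certificate.
# The key is generated on the node; only the CSR is copied back here to be
# signed with the (decrypted) CA key, then the cert and CA cert are pushed.
# Globals:   hscloud_root (read)
# Arguments: $1 - node FQDN (ssh target as root; also the SAN DNS name)
#            $2 - cert name; files land in /opt/hscloud/<name>.{key,crt}
#            $3 - X.509 subject handed to openssl req -subj on the node
# Outputs:   progress messages on stdout, usage on stderr
# Returns:   0 if the cert already exists or was created, non-zero otherwise
#######################################
hscloud-node-remote-cert() {
  (
    set -e
    # The third argument used to be checked with -x (executable file) instead
    # of -z, so a missing subject was never rejected.
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
      echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
      exit 1
    fi
    fqdn="$1"
    certname="$2"
    subj="$3"
    remote="root@${fqdn}"

    echo "Node: ${fqdn}; Cert: ${certname}"

    echo "Checking node livenes..."
    ssh "$remote" uname -a

    # `if !` instead of `|| ( … )`: inside a `||` operand errexit is
    # suspended, so a failed mkdir/genrsa there would not have aborted.
    echo "Checking if node already has key..."
    if ! ssh "$remote" stat "/opt/hscloud/${certname}.key"; then
      echo "Generating key..."
      ssh "$remote" -- mkdir -p /opt/hscloud
      # The escaped double quotes survive the local shell so the remote shell
      # receives the openssl invocation as one --command argument.
      ssh "$remote" -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\""
      ssh "$remote" -- chmod 400 "/opt/hscloud/${certname}.key"
    fi

    echo "Checking if node already has cert..."
    if ssh "$remote" stat "/opt/hscloud/${certname}.crt"; then
      exit 0
    fi
    echo "No cert, will generate..."

    cd "$hscloud_root"
    secrets="$hscloud_root/secrets"
    ca="$secrets/ca.key"
    # The plaintext CA key is decrypted on demand and left in secrets/ for the
    # other helpers; drop the partial file if decryption fails so the next run
    # does not mistake an empty ca.key for a usable one.
    if [ ! -f "$ca" ]; then
      scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca" || { rm -f -- "$ca"; exit 1; }
    fi

    # san.cnf and the fetched CSR are scratch files in the repo root; remove
    # them on every exit path, not only on success.
    csr="${fqdn}-${certname}.csr"
    trap 'rm -f -- san.cnf "$csr"' EXIT

    cp data/openssl.cnf san.cnf
    printf '\n[SAN]\nsubjectAltName=DNS:%s' "$fqdn" >> san.cnf
    scp san.cnf "${remote}:/opt/hscloud/san.cnf"

    # subj is embedded single-quoted in a command the remote shell parses, so
    # it must not itself contain a single quote; callers in this file pass
    # fixed subjects.
    ssh "$remote" -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
    scp "${remote}:/opt/hscloud/${certname}.csr" "$csr"
    openssl x509 -req \
      -in "$csr" \
      -CA data/ca.crt \
      -CAkey "$ca" -CAcreateserial \
      -out "data/${fqdn}-${certname}.crt" \
      -extensions SAN -extfile san.cnf

    scp "data/${fqdn}-${certname}.crt" "${remote}:/opt/hscloud/${certname}.crt"
    scp "data/ca.crt" "${remote}:/opt/hscloud/ca.crt"
    ssh "$remote" -- chmod 444 "/opt/hscloud/${certname}.crt" /opt/hscloud/ca.crt
  )
}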
# Generate locally (if not already present) a certificate shared by several nodes, and upload it together with its key to the node.
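#######################################
# Ensure a shared key/cert pair exists locally (decrypting or generating the
# key, signing the cert with the CA once) and copy both to a node.
# Globals:   hscloud_root (read)
# Arguments: $1 - node FQDN (scp/ssh target as root)
#            $2 - cert name; local files secrets/<name>.key, data/<name>.crt,
#                 remote files /opt/hscloud/<name>.{key,crt}
#            $3 - X.509 subject handed to openssl req -subj
# Outputs:   progress messages on stdout, usage on stderr
# Returns:   0 on success, non-zero if any step fails
#######################################
hscloud-node-shared-cert() {
  (
    set -e
    # The third argument used to be checked with -x (executable file) instead
    # of -z, so a missing subject was never rejected.
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
      echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
      exit 1
    fi
    fqdn="$1"
    certname="$2"
    subj="$3"
    remote="root@${fqdn}"

    cd "$hscloud_root"
    secrets="$hscloud_root/secrets"
    keyfile="$secrets/$certname.key"
    cert="$hscloud_root/data/$certname.crt"
    csr="$hscloud_root/data/$certname.csr"
    ca="$secrets/ca.key"
    # Plaintext CA key is decrypted on demand and left in secrets/ for reuse;
    # remove the partial file if decryption fails.
    if [ ! -f "$ca" ]; then
      scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca" || { rm -f -- "$ca"; exit 1; }
    fi

    echo "Checking if key exists..."
    if [ ! -f "$keyfile" ]; then
      echo "No key, trying to decrypt..."
      # A failed decrypt is the "first time for this cert" case, not an error.
      if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile"; then
        echo "No encrypted key, generating..."
        # umask 077 keeps the new private key 0600 regardless of the
        # caller's umask.
        ( umask 077; openssl genrsa -out "$keyfile" 4096 )
        echo "Encrypting..."
        scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
      fi
    fi

    echo "Checking if cert exists..."
    if [ ! -f "$cert" ]; then
      echo "No cert, generating..."
      rm -f -- "$csr"
      openssl req -new -key "$keyfile" -out "$csr" -subj "$subj"
      openssl x509 -req -in "$csr" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "$cert"
    fi

    # NOTE(review): the key's remote mode between scp and the chmod below
    # depends on scp/umask behaviour — verify if that window matters.
    echo "Copying certificate to node..."
    scp "$cert" "${remote}:/opt/hscloud/${certname}.crt"
    scp "$keyfile" "${remote}:/opt/hscloud/${certname}.key"
    ssh "$remote" -- chmod 444 "/opt/hscloud/${certname}.crt"
    ssh "$remote" -- chmod 400 "/opt/hscloud/${certname}.key"
  )
}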
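#######################################
# Provision the full certificate set a node needs: two per-node certs
# (node, kube-node) generated on the node, and the shared kube component,
# apiserver and service-account certs copied to it.
# Globals:   hscloud_root (read, via the helpers)
# Arguments: $1 - node FQDN
# Outputs:   progress messages of the helpers on stdout, usage on stderr
# Returns:   non-zero as soon as one helper fails (errexit in the subshell)
#######################################
hscloud-node-certs() {
  (
    set -e

    if [ -z "$1" ]; then
      echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
      exit 1
    fi
    fqdn="$1"

    # The escaped double quotes around the CN are consumed by the remote
    # shell layers in hscloud-node-remote-cert; keep the subjects verbatim.
    hscloud-node-remote-cert "$fqdn" node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
    hscloud-node-remote-cert "$fqdn" kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
    for component in controller-manager proxy scheduler; do
      hscloud-node-shared-cert "$fqdn" "kube-${component}" "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
    done
    hscloud-node-shared-cert "$fqdn" kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"
    hscloud-node-shared-cert "$fqdn" kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"
  )
}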
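#######################################
# Create (once) a client key/cert for an admin user, signed by the cluster
# CA, and write a self-contained kubeconfig for k0.hswaw.net under .kubectl/.
# Globals:   hscloud_root (read)
# Arguments: $1 - username; becomes the CN of a cert with O=system:masters
# Outputs:   progress messages on stdout, usage on stderr
# Returns:   0 on success, non-zero if any step fails
#######################################
hscloud-k8s-config() {
  (
    set -e

    if [ -z "$1" ]; then
      echo >&2 "Usage: hscloud-k8s-config username"
      exit 1
    fi
    username="$1"

    cd "$hscloud_root"
    mkdir -p .kubectl

    cert="$hscloud_root/.kubectl/client.crt"
    csr="$hscloud_root/.kubectl/client.csr"
    keyfile="$hscloud_root/.kubectl/client.key"
    secrets="$hscloud_root/secrets"
    ca="$secrets/ca.key"

    # A fresh key invalidates any earlier cert, so that cert is dropped and
    # re-signed below. umask 077 keeps the key 0600 regardless of the
    # caller's umask.
    if [ ! -f "$keyfile" ]; then
      echo "Generating ${keyfile}..."
      ( umask 077; openssl genrsa -out "$keyfile" 4096 )
      rm -f -- "$cert"
    fi
    if [ ! -f "$cert" ]; then
      echo "Signing ${cert}..."
      # Plaintext CA key is decrypted on demand and left in secrets/ for
      # reuse; remove the partial file if decryption fails.
      if [ ! -f "$ca" ]; then
        scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca" || { rm -f -- "$ca"; exit 1; }
      fi
      openssl req -new -key "$keyfile" -out "$csr" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
      openssl x509 -req -in "$csr" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "$cert"
    fi

    kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
    echo "Generating ${kubeconfig}..."
    # kubeconfig is a plain file; rebuild it from scratch every time.
    rm -f -- "$kubeconfig"

    kubectl config set-cluster k0.hswaw.net \
      --certificate-authority="${hscloud_root}/data/ca.crt" \
      --embed-certs=true \
      --server=https://k0.hswaw.net:4001 \
      --kubeconfig="$kubeconfig"

    kubectl config set-credentials "$username" \
      --client-certificate="$cert" \
      --client-key="$keyfile" \
      --embed-certs=true \
      --kubeconfig="$kubeconfig"

    kubectl config set-context default \
      --cluster=k0.hswaw.net \
      --user="$username" \
      --kubeconfig="$kubeconfig"

    kubectl config use-context default --kubeconfig="$kubeconfig"
  )
}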
# Banner shown once on sourcing, listing the main entry points.
# (hscloud-k8s-config is defined above but not listed here.)
printf '%s\n' \
  "Now playing:" \
  " hscloud-dc - run docker-compose" \
  " hscloud-pki-dev - generate dev PKI certs" \
  " hscloud-node-certs - ensure node has required certs" \
  ""