Serge Bazanski | c6fd662 | 2018-11-01 22:39:01 +0100 | [diff] [blame] | 1 | # source me to have all the nice things |
| 2 | |
| 3 | if [ "$0" == "$BASH_SOURCE" ]; then |
| 4 | echo "You should be sourcing this." |
| 5 | exit 1 |
| 6 | fi |
| 7 | |
| 8 | hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )" |
| 9 | |
| 10 | hscloud-dc() { |
| 11 | ( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" ) |
| 12 | } |
| 13 | |
| 14 | hscloud-pki-dev() { |
| 15 | ( |
| 16 | set -e |
| 17 | |
| 18 | cd "$hscloud_root" |
| 19 | rm -rf docker/pki |
| 20 | |
| 21 | cp -rv go/pki/dev-certs docker/pki |
| 22 | cd docker/pki |
| 23 | bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client |
| 24 | ls *pem |
| 25 | ) |
| 26 | } |
| 27 | |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 28 | # Generate a per-node certificate remotely on the node. |
| 29 | hscloud-node-remote-cert() { |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 30 | ( |
| 31 | set -e |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 32 | if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then |
| 33 | echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj" |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 34 | exit 1 |
| 35 | fi |
| 36 | fqdn="$1" |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 37 | certname="$2" |
| 38 | subj="$3" |
| 39 | |
| 40 | echo "Node: ${fqdn}; Cert: ${certname}" |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 41 | |
| 42 | echo "Checking node livenes..." |
| 43 | ssh root@$fqdn uname -a |
| 44 | |
| 45 | echo "Checking if node already has key..." |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 46 | ssh root@$fqdn stat /opt/hscloud/${certname}.key || ( |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 47 | echo "Generating key..." |
| 48 | ssh root@$fqdn -- mkdir -p /opt/hscloud |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 49 | ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\"" |
| 50 | ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 51 | ) |
| 52 | |
| 53 | echo "Checking if node already has cert..." |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 54 | ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0 |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 55 | echo "No cert, will generate..." |
| 56 | |
| 57 | cd "$hscloud_root" |
| 58 | secrets="$hscloud_root/secrets" |
Sergiusz Bazanski | 711c4a9 | 2019-01-13 00:02:10 +0100 | [diff] [blame] | 59 | ca="$secrets/ca.key" |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 60 | [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca ) |
| 61 | |
Sergiusz Bazanski | b0b0f3f | 2019-01-13 13:32:19 +0100 | [diff] [blame^] | 62 | cp data/openssl.cnf san.cnf |
| 63 | echo -ne "\n[SAN]\nsubjectAltName=DNS:${fqdn}" >> san.cnf |
| 64 | scp san.cnf root@$fqdn:/opt/hscloud/san.cnf |
| 65 | |
| 66 | ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\"" |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 67 | scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr |
Sergiusz Bazanski | b0b0f3f | 2019-01-13 13:32:19 +0100 | [diff] [blame^] | 68 | openssl x509 -req \ |
| 69 | -in ${fqdn}-${certname}.csr \ |
| 70 | -CA data/ca.crt \ |
| 71 | -CAkey "$ca" -CAcreateserial \ |
| 72 | -out "data/${fqdn}-${certname}.crt" \ |
| 73 | -extensions SAN -extfile san.cnf |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 74 | |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 75 | scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 76 | scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 77 | ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt |
| 78 | rm ${fqdn}-${certname}.csr |
Sergiusz Bazanski | b0b0f3f | 2019-01-13 13:32:19 +0100 | [diff] [blame^] | 79 | rm san.cnf |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 80 | ) |
| 81 | } |
| 82 | |
| 83 | # Generate locally (if not present) a shared certificate, and upload it to the node |
| 84 | hscloud-node-shared-cert() { |
| 85 | ( |
| 86 | set -e |
| 87 | if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then |
| 88 | echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj" |
| 89 | exit 1 |
| 90 | fi |
| 91 | fqdn="$1" |
| 92 | certname="$2" |
| 93 | subj="$3" |
| 94 | |
| 95 | cd "$hscloud_root" |
| 96 | secrets="$hscloud_root/secrets" |
| 97 | keyfile="$secrets/$certname.key" |
| 98 | cert="$hscloud_root/data/$certname.crt" |
| 99 | csr="$hscloud_root/data/$certname.csr" |
Sergiusz Bazanski | 711c4a9 | 2019-01-13 00:02:10 +0100 | [diff] [blame] | 100 | ca="$secrets/ca.key" |
Sergiusz Bazanski | 52c8718 | 2019-01-12 22:30:41 +0100 | [diff] [blame] | 101 | [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca ) |
| 102 | |
| 103 | echo "Checking if key exists..." |
| 104 | if [ ! -f "$keyfile" ]; then |
| 105 | echo "No key, trying to decrypt..." |
| 106 | if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then |
| 107 | echo "No encrypted key, generating..." |
| 108 | openssl genrsa -out $keyfile 4096 |
| 109 | echo "Encrypting..." |
| 110 | scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key" |
| 111 | fi |
| 112 | fi |
| 113 | |
| 114 | echo "Checking if cert exists..." |
| 115 | if [ ! -f "$cert" ]; then |
| 116 | echo "No cert, generating..." |
| 117 | rm -f "${csr}" |
| 118 | openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}" |
| 119 | openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}" |
| 120 | fi |
| 121 | |
| 122 | echo "Copying certificate to node..." |
| 123 | scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt |
| 124 | scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key |
| 125 | ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt |
| 126 | ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key |
| 127 | ) |
| 128 | } |
| 129 | |
| 130 | hscloud-node-certs() { |
| 131 | ( |
| 132 | set -e |
| 133 | |
| 134 | if [ -z "$1" ]; then |
| 135 | echo >&2 "Usage: hscloud-node-certs node.fqdn.com" |
| 136 | exit 1 |
| 137 | fi |
| 138 | fqdn="$1" |
| 139 | |
| 140 | hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\"" |
| 141 | hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\"" |
| 142 | for component in controller-manager proxy scheduler; do |
| 143 | hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}" |
| 144 | done |
Sergiusz Bazanski | ee7c1aa | 2019-01-12 23:56:17 +0100 | [diff] [blame] | 145 | hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net" |
| 146 | hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts" |
Serge Bazanski | a5be0d8 | 2018-12-23 01:35:07 +0100 | [diff] [blame] | 147 | ) |
| 148 | } |
| 149 | |
Sergiusz Bazanski | b0b0f3f | 2019-01-13 13:32:19 +0100 | [diff] [blame^] | 150 | hscloud-k8s-config() { |
| 151 | ( |
| 152 | set -e |
| 153 | |
| 154 | if [ -z "$1" ]; then |
| 155 | echo >&2 "Usage: hscloud-k8s-config username" |
| 156 | exit 1 |
| 157 | fi |
| 158 | username="$1" |
| 159 | |
| 160 | cd "$hscloud_root" |
| 161 | mkdir -p .kubectl |
| 162 | |
| 163 | cert="$hscloud_root/.kubectl/client.crt" |
| 164 | csr="$hscloud_root/.kubectl/client.csr" |
| 165 | keyfile="$hscloud_root/.kubectl/client.key" |
| 166 | secrets="$hscloud_root/secrets" |
| 167 | ca="$secrets/ca.key" |
| 168 | |
| 169 | if [ ! -f "$keyfile" ]; then |
| 170 | echo "Generating ${keyfile}..." |
| 171 | openssl genrsa -out $keyfile 4096 |
| 172 | rm -f "$cert" |
| 173 | fi |
| 174 | if [ ! -f "$cert" ]; then |
| 175 | echo "Signing ${cert}..." |
| 176 | [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca ) |
| 177 | openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}" |
| 178 | openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}" |
| 179 | fi |
| 180 | |
| 181 | kubeconfig="$hscloud_root/.kubectl/client.kubeconfig" |
| 182 | echo "Generating ${kubeconfig}..." |
| 183 | rm -rf ${kubeconfig} |
| 184 | |
| 185 | kubectl config set-cluster k0.hswaw.net \ |
| 186 | --certificate-authority=${hscloud_root}/data/ca.crt \ |
| 187 | --embed-certs=true \ |
| 188 | --server=https://k0.hswaw.net:4001 \ |
| 189 | --kubeconfig=${kubeconfig} |
| 190 | |
| 191 | kubectl config set-credentials ${username} \ |
| 192 | --client-certificate=${cert} \ |
| 193 | --client-key=${keyfile} \ |
| 194 | --embed-certs=true \ |
| 195 | --kubeconfig=${kubeconfig} |
| 196 | |
| 197 | kubectl config set-context default \ |
| 198 | --cluster=k0.hswaw.net \ |
| 199 | --user=${username} \ |
| 200 | --kubeconfig=${kubeconfig} |
| 201 | |
| 202 | kubectl config use-context default --kubeconfig=${kubeconfig} |
| 203 | ) |
| 204 | } |
| 205 | |
Serge Bazanski | c6fd662 | 2018-11-01 22:39:01 +0100 | [diff] [blame] | 206 | echo "Now playing:" |
Sergiusz Bazanski | b0b0f3f | 2019-01-13 13:32:19 +0100 | [diff] [blame^] | 207 | echo " hscloud-dc - run docker-compose" |
| 208 | echo " hscloud-pki-dev - generate dev PKI certs" |
| 209 | echo " hscloud-node-certs - ensure node has required certs" |
Serge Bazanski | 9ec50e3 | 2018-12-23 01:40:28 +0100 | [diff] [blame] | 210 | echo "" |